diff --git a/vault/policies/service-chat.hcl b/vault/policies/service-chat.hcl
deleted file mode 100644
index a021006..0000000
--- a/vault/policies/service-chat.hcl
+++ /dev/null
@@ -1,15 +0,0 @@
-# vault/policies/service-chat.hcl
-#
-# Read-only access to shared Chat secrets (OAuth client config, forward auth
-# secret). Attached to the Chat Nomad job via workload identity (S5.2).
-#
-# Scope: kv/disinto/shared/chat — entries owned by the operator and
-# shared between the chat service and edge proxy.
-
-path "kv/data/disinto/shared/chat" {
- capabilities = ["read"]
-}
-
-path "kv/metadata/disinto/shared/chat" {
- capabilities = ["list", "read"]
-}
diff --git a/vault/roles.yaml b/vault/roles.yaml
index 1e01be8..d3b1892 100644
--- a/vault/roles.yaml
+++ b/vault/roles.yaml
@@ -70,11 +70,6 @@ roles:
 namespace: default
 job_id: agents
 
- - name: service-chat
- policy: service-chat
- namespace: default
- job_id: chat
-
 # ── Per-agent bots (nomad/jobs/bot-.hcl — land in later steps) ───────
 # job_id placeholders match the policy name 1:1 until each bot's jobspec
 # lands. When a bot's jobspec is added under nomad/jobs/, update the