diff --git a/AGENTS.md b/AGENTS.md
index 785c13d535f4cb..346170132743a5 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -4,7 +4,7 @@ This is the codebase for Apache Doris, an MPP OLAP database. It primarily consis
 
 ## Security Threat Model
 
-For security scans, vulnerability triage, security reviews, and changes involving authentication, authorization, network boundaries, external catalogs, cloud tenancy, or other security-sensitive behavior, read `SECURITY.md` first, then follow it to `threat-model.md`. Use `threat-model.md` to determine in-scope components, trust boundaries, attacker roles, explicit non-goals, and triage classification. Findings that are out of model or by design under `threat-model.md` should be reported as such, not treated as Doris vulnerabilities.
+For security scans, vulnerability triage, security reviews, and changes involving authentication, authorization, network boundaries, external catalogs, cloud tenancy, or other security-sensitive behavior, read `SECURITY.md` first, then follow it to `threat-model.md`. Use `threat-model.md` to determine in-scope components, trust boundaries, attacker roles, explicit non-goals, and triage classification. Findings that are out of model or by design under `threat-model.md` should be reported as such, not treated as Doris vulnerabilities. Such reviews will not be conducted unless explicitly requested by the user, and no conclusions regarding this matter need to be provided.
 
 ## When running in a WORKTREE directory
 
diff --git a/be/test/AGENTS.md b/be/test/AGENTS.md
new file mode 100644
index 00000000000000..3b0e9fed7a6956
--- /dev/null
+++ b/be/test/AGENTS.md
@@ -0,0 +1,5 @@
+# BE Unit Test - Review Guide
+
+## Access Control
+
+BE-UT has actually been configured to ignore access control, so it can access all private interfaces.