diff --git a/main.tf b/main.tf
index ca6b2ef..b0a3d56 100644
--- a/main.tf
+++ b/main.tf
@@ -67,6 +67,11 @@ module "shared_security_group" {
 # Customer API access configuration
 locals {
   api_customer_cidrs = {
+    newco_9 = {
+      cidr = "203.0.113.109/32"
+      name = "NewCo 9"
+    }
+
     newco_8 = {
       cidr = "203.0.113.108/32"
       name = "NewCo 8"
@@ -129,7 +134,7 @@ locals {
     }
   }
 
-  api_internal_cidr = "10.0.0.0/8"
+  api_internal_cidr = "10.0.0.0/16" # SECURITY HARDENING: Narrowed to VPC CIDR per audit findings
   api_domain        = "signals-demo-test.demo"
   api_alert_email   = "alerts@example.com"
 }