diff --git a/docs/adr/adr-012-controller-http-return-statuses.md b/docs/adr/adr-012-controller-http-return-statuses.md
new file mode 100644
index 000000000..4f7f4a112
--- /dev/null
+++ b/docs/adr/adr-012-controller-http-return-statuses.md
@@ -0,0 +1,15 @@
+### ADR - 012: Controller HTTP return statuses
+
+Controllers assess authentication by 3 criteria:
+
+1. Are you signed in at all?
+2. Are you signed in and requesting an action that your role/user type has access to?
+3. Are you signed in, requesting an action that your role/user type has access to and requesting a resource that your user has access to.
+
+When these aren't met the fail with the following response types:
+
+1. 401: Unauthorized. Redirect to sign-in page.
+2. 401: Unauthorized
+3. 404: Not found.
+
+This helps make it harder to determine whether a resource exists or not just by enumerating ids.