diff --git a/policy/tpa-rfc-7-root.md b/policy/tpa-rfc-7-root.md
index a7e1494e5787fc2866f13db824c07cc3c40b2eed..9e3100e38f159a77e524dd06199efd80942d7f6b 100644
--- a/policy/tpa-rfc-7-root.md
+++ b/policy/tpa-rfc-7-root.md
@@ -18,9 +18,10 @@ There are multiple possible access levels, often conflated:
     their SSH keys authorized to the root user (through Puppet, in the
     `profile::admins::keys` Hiera field)
  2. `sudo` to root: user has access to the `root` user through `sudo`,
-    using their `sudoPassword` defined in LDAP3. Puppet access: by virtue of being able to push to the Puppet git
-    repository, an admin necessarily gets `root` access everywhere,
-    because Puppet runs as root everywhere
+    using their `sudoPassword` defined in LDAP3. Puppet access: by
+    virtue of being able to push to the Puppet git repository, an
+    admin necessarily gets `root` access everywhere, because Puppet
+    runs as root everywhere
  4. LDAP admin: a user member of the `adm` group in LDAP also gets
     access everywhere through `sudo`, but also through being able to
     impersonate or modify other users in LDAP