diff --git a/priv/repo/seeds.exs b/priv/repo/seeds.exs
index 03a8564..ccc90f5 100644
--- a/priv/repo/seeds.exs
+++ b/priv/repo/seeds.exs
@@ -204,7 +204,8 @@ admin_user_with_role =
 # Create system user for systemic operations (email sync, validations, cycle generation)
 # This user is used by Mv.Helpers.SystemActor for operations that must always run
-system_user_email = "system@mila.local"
+# Email is configurable via SYSTEM_ACTOR_EMAIL environment variable
+system_user_email = Mv.Helpers.SystemActor.system_user_email()
 case Accounts.User
 |> Ash.Query.filter(email == ^system_user_email)
@@ -218,7 +219,11 @@ case Accounts.User
 {:ok, nil} ->
 # System user doesn't exist - create it with admin role
- # Note: No password is set - this user should never be used for login
+ # SECURITY: System user must NOT be able to log in:
+ # - No password (hashed_password = nil) - prevents password login
+ # - No OIDC ID (oidc_id = nil) - prevents OIDC login
+ # - This user is ONLY for internal system operations via SystemActor
+ # If either hashed_password or oidc_id is set, the user could potentially log in
 Accounts.create_user!(%{email: system_user_email}, upsert?: true, upsert_identity: :unique_email
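Review bot: Sourcing `system_user_email` from SYSTEM_ACTOR_EMAIL means the `Ash.Query.filter(email == ^system_user_email)` lookup can now match a pre-existing human account if the variable is pointed at one, and whatever the `{:ok, user}` branch does (it is outside this hunk, as is the rest of the `case` body) would then apply to a real, login-capable user instead of to a credential-less system record. A cheap guard where the value is read would close that off, e.g. `unless String.ends_with?(system_user_email, ".local"), do: raise("SYSTEM_ACTOR_EMAIL must use a reserved, non-routable domain")` — substitute whatever domain the project reserves for the actor. It would also help to extend the new comment with what happens when the variable is unset or empty (I am assuming the helper falls back to the old `system@mila.local` default, but that is not visible here), since an empty value would otherwise flow straight into the filter and into the `create_user!` call below.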