diff --git a/internal/api/search_handlers.go b/internal/api/search_handlers.go
index f4611e0..a9a7fba 100644
--- a/internal/api/search_handlers.go
+++ b/internal/api/search_handlers.go
@@ -94,10 +94,12 @@ func (s *Server) handleSearch(w http.ResponseWriter, r *http.Request) {
 
 	// PROJ-21 Phase 4: Use per-tenant index when available; fall back to
 	// global index + post-filter when the tenant index manager is not wired.
+	// auditor always uses the global index — they see no-tenant mails only,
+	// regardless of any tenant_id on their user record.
 	tenantID := tenantFromCtx(r.Context())
 	searchIdx := s.idx
 	usedTenantIndex := false
-	if s.idxMgr != nil && tenantID != nil {
+	if s.idxMgr != nil && tenantID != nil && sess.Role != userstore.RoleAuditor {
 		searchIdx = s.idxMgr.ForTenant(tenantID)
 		usedTenantIndex = true
 	}
@@ -111,7 +113,7 @@ func (s *Server) handleSearch(w http.ResponseWriter, r *http.Request) {
 	// Fallback tenant isolation: post-filter when we used the global index
 	// but the user belongs to a tenant. This is the legacy path; the per-tenant
 	// index path above makes this unnecessary.
-	if tenantID != nil && !usedTenantIndex && len(result.Hits) > 0 {
+	if tenantID != nil && !usedTenantIndex && len(result.Hits) > 0 && sess.Role != userstore.RoleAuditor {
 		allowedIDs, idErr := s.store.GetAllIDsByTenant(r.Context(), tenantID)
 		if idErr == nil {
 			allowed := make(map[string]struct{}, len(allowedIDs))