diff --git a/changelog/21925.txt b/changelog/21925.txt
new file mode 100644
index 000000000..ca89ff75a
--- /dev/null
+++ b/changelog/21925.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+kmip (enterprise): Add namespace lock and unlock support
+```
diff --git a/sdk/logical/system_view.go b/sdk/logical/system_view.go
index 7301c752a..a4ec6483d 100644
--- a/sdk/logical/system_view.go
+++ b/sdk/logical/system_view.go
@@ -107,27 +107,32 @@ type PasswordPolicy interface {
 type ExtendedSystemView interface {
 Auditor() Auditor
 ForwardGenericRequest(context.Context, *Request) (*Response, error)
+
+ // APILockShouldBlockRequest returns whether a namespace for the requested
+ // mount is locked and should be blocked
+ APILockShouldBlockRequest() (bool, error)
 }
 
 type PasswordGenerator func() (password string, err error)
 
 type StaticSystemView struct {
- DefaultLeaseTTLVal time.Duration
- MaxLeaseTTLVal time.Duration
- SudoPrivilegeVal bool
- TaintedVal bool
- CachingDisabledVal bool
- Primary bool
- EnableMlock bool
- LocalMountVal bool
- ReplicationStateVal consts.ReplicationState
- EntityVal *Entity
- GroupsVal []*Group
- Features license.Features
- PluginEnvironment *PluginEnvironment
- PasswordPolicies map[string]PasswordGenerator
- VersionString string
- ClusterUUID string
+ DefaultLeaseTTLVal time.Duration
+ MaxLeaseTTLVal time.Duration
+ SudoPrivilegeVal bool
+ TaintedVal bool
+ CachingDisabledVal bool
+ Primary bool
+ EnableMlock bool
+ LocalMountVal bool
+ ReplicationStateVal consts.ReplicationState
+ EntityVal *Entity
+ GroupsVal []*Group
+ Features license.Features
+ PluginEnvironment *PluginEnvironment
+ PasswordPolicies map[string]PasswordGenerator
+ VersionString string
+ ClusterUUID string
+ APILockShouldBlockRequestVal bool
 }
 
 type noopAuditor struct{}
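Review bot: The doc comment on the new `APILockShouldBlockRequest` interface method does not say what callers should do with the error return, and since this method gates requests against a locked namespace, the contract needs to state the fail-closed expectation explicitly so a plugin that only checks the bool cannot silently let a request through. In the vault implementation elsewhere in this change the bool is `false` when an error is returned, so the interface comment is the only place to pin that `err != nil` means "block". I would replace the two comment lines with `// APILockShouldBlockRequest reports whether the namespace of the requested mount is API-locked and the request must be rejected.` / `// Callers must treat a non-nil error as "block the request" (fail closed), never as "unlocked".` The `StaticSystemView` field `APILockShouldBlockRequestVal` would also benefit from a one-line comment noting it is the canned answer returned by the static view's implementation, so test authors know it is never derived from a real lock.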
@@ -253,3 +258,7 @@ func (d *StaticSystemView) DeletePasswordPolicy(name string) (existed bool) {
 func (d StaticSystemView) ClusterID(ctx context.Context) (string, error) {
 return d.ClusterUUID, nil
 }
+
+func (d StaticSystemView) APILockShouldBlockRequest() (bool, error) {
+ return d.APILockShouldBlockRequestVal, nil
+}
diff --git a/vault/dynamic_system_view.go b/vault/dynamic_system_view.go
index 8c547b671..a33596a1e 100644
--- a/vault/dynamic_system_view.go
+++ b/vault/dynamic_system_view.go
@@ -136,6 +136,20 @@ func (e extendedSystemViewImpl) SudoPrivilege(ctx context.Context, path string,
 return authResults.RootPrivs
 }
 
+func (e extendedSystemViewImpl) APILockShouldBlockRequest() (bool, error) {
+ mountEntry := e.mountEntry
+ if mountEntry == nil {
+ return false, fmt.Errorf("no mount entry")
+ }
+ ns := mountEntry.Namespace()
+
+ if err := enterpriseBlockRequestIfError(e.core, ns.Path, mountEntry.Path); err != nil {
+ return true, nil
+ }
+
+ return false, nil
+}
+
 func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {
 def, _ := d.fetchTTLs()
 return def
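Review bot: The missing-mount-entry branch of `extendedSystemViewImpl.APILockShouldBlockRequest` returns `false, fmt.Errorf("no mount entry")`, which is the fail-open direction for a lock check: a plugin that consults only the bool, or drops the error, will let the request through precisely when the view cannot tell which namespace it belongs to. Returning `true` alongside the error costs nothing and makes a sloppy caller block instead of pass, so I would change it to `return true, fmt.Errorf("no mount entry")`. The second branch discards the error from `enterpriseBlockRequestIfError` and reports `true, nil`, which is fail-closed and fine, but it also means the method's error return never carries the lock error, so a comment should make that deliberate: `// Fail closed: any error from the lock check (including a locked namespace) blocks the request; the detail is intentionally not surfaced to the plugin.` If `mountEntry.Namespace()` can ever return nil, `ns.Path` on the following line would panic, so that is worth confirming against the MountEntry implementation, which is outside this hunk.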