diff --git a/CHANGELOG.md b/CHANGELOG.md
index b97359b24..997a06b13 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,11 @@ CHANGES:
  * Agent no longer automatically reauthenticates when new credentials are
    detected. It's not strictly necessary and in some cases was causing
    reauthentication much more often than intended.
+ * HSM Regenerate Key Support Removed: Vault no longer supports destroying and
+   regenerating encryption keys on an HSM; it only supports creating them.
+   Although this has never been a source of a customer incident, it is simply a
+   code path that is pretty trivial to activate, especially by mistyping
+   `regenerate_key` instead of `generate_key`.
 
 FEATURES: