diff --git a/keps/sig-auth/3926-handling-undecryptable-resources/README.md b/keps/sig-auth/3926-handling-undecryptable-resources/README.md index 09e53e153194..7e24c03010e2 100644 --- a/keps/sig-auth/3926-handling-undecryptable-resources/README.md +++ b/keps/sig-auth/3926-handling-undecryptable-resources/README.md @@ -85,6 +85,7 @@ tags, and then generate with `hack/update-toc.sh`. - [Proposal](#proposal) - [User Stories (Optional)](#user-stories-optional) - [Story 1](#story-1) + - [Story 2](#story-2) - [Notes/Constraints/Caveats (Optional)](#notesconstraintscaveats-optional) - [Risks and Mitigations](#risks-and-mitigations) - [Design Details](#design-details) 
@@ -136,10 +137,10 @@ Items marked with (R) are required *prior to targeting to a milestone / release* - [ ] (R) Design details are appropriately documented - [ ] (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors) - [ ] e2e Tests for all Beta API Operations (endpoints) - - [ ] (R) Ensure GA e2e tests meet requirements for [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) + - [ ] (R) Ensure GA e2e tests meet requirements for [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) - [ ] (R) Minimum Two Week Window for GA e2e tests to prove flake free - [ ] (R) Graduation criteria is in place - - [ ] (R) [all GA Endpoints](https://github.com/kubernetes/community/pull/1806) must be hit by [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) + - [ ] (R) [all GA Endpoints](https://github.com/kubernetes/community/pull/1806) must be hit by [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) - [ ] (R) Production readiness review completed - [ ] (R) Production readiness review approved - [ ] "Implementation History" section is up-to-date for milestone 
@@ -175,8 +176,8 @@ updates. [documentation style guide]: https://github.com/kubernetes/community/blob/master/contributors/guide/style-guide.md --> -Encryption at rest has been a stable Kubernetes for a long time. Every now and -then there had been cases where, be it by improper handling or external system +Encryption at rest for API resources has been a stable part of Kubernetes for a long time. +Every now and then there had been cases where, be it by improper handling or external system failures, the cluster encryption got into a broken state. If a single object of a resource type cannot be decrypted, listing resources of that @@ -254,6 +255,12 @@ with it. I know that these will either be recreated by a controller, or I can manually recreate them. I would like a simple way to figure out which resources fail decryption and I would like a way to remove them via Kubernetes API. +#### Story 2 + +I would like to remove a namespace I no longer need. However, some of the resources +inside of the namespace were encrypted before the encryption at +rest configuration broke, which blocks a successful namespace delete. + ### Notes/Constraints/Caveats (Optional) - [ ] Events - - Event Reason: + - Event Reason: - [ ] API .status - - Condition name: - - Other field: + - Condition name: + - Other field: - [ ] Other (treat as last resort) - Details: diff --git a/keps/sig-auth/3926-handling-undecryptable-resources/kep.yaml b/keps/sig-auth/3926-handling-undecryptable-resources/kep.yaml index d584f04ecb8c..e208ed9c2c4c 100644 --- a/keps/sig-auth/3926-handling-undecryptable-resources/kep.yaml +++ b/keps/sig-auth/3926-handling-undecryptable-resources/kep.yaml @@ -1,7 +1,7 @@ title: Handling undecryptable resources kep-number: 3926 authors: - - "@jane.doe" + - "@stlaz" owning-sig: sig-auth participating-sigs: - sig-auth 
@@ -9,11 +9,10 @@ participating-sigs: status: provisional creation-date: 2023-03-27 reviewers: - - TBD - - "@alice.doe" + - "@liggit" + - "@deads2k" approvers: - TBD - - "@oscar.doe" see-also: - @@ -30,9 +29,9 @@ latest-milestone: "v1.28" # The milestone at which this feature was, or is targeted to be, at each stage. milestone: - alpha: "v1.28" - beta: "v1.29" - stable: "v1.30" + alpha: "v1.29" + beta: "v1.30" + stable: "v1.31" # The following PRR answers are required at alpha release # List the feature gate name and the components for which it must be enabled
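Review bot: In the README.md hunk at `@@ -175,8 +176,8 @@`, the rewritten second sentence keeps "Every now and then there had been cases where", and the past perfect clashes with "has been a stable part of Kubernetes" in the sentence just before it. Suggest "there have been cases where". The new first line is also noticeably longer than the wrapped lines around it, so re-wrapping the paragraph would keep later diffs of this section small.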
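Review bot: Story 2, added in the README.md hunk at `@@ -254,6 +255,12 @@`, describes the problem but never says what the user wants, whereas Story 1 closes with "I would like a simple way to figure out which resources fail decryption and I would like a way to remove them via Kubernetes API". Please add a closing sentence stating the expected outcome for the namespace delete, so the story can be checked against the design. The phrase "were encrypted before the encryption at rest configuration broke" would also be clearer if it said directly that those resources can no longer be decrypted, since that is what blocks the delete.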
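Review bot: In the kep.yaml hunk at `@@ -9,11 +9,10 @@`, the new reviewer entry `"@liggit"` should be checked for spelling against the intended GitHub handle, because a misspelled handle will not resolve to a user. The same hunk removes `"@oscar.doe"` from `approvers`, which leaves `TBD` as the only entry; a named approver should be added here, or the description should note that the approver is still being decided.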
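Review bot: In the kep.yaml milestone hunk at `@@ -30,9 +29,9 @@`, alpha moves to `"v1.29"`, but the hunk's context line still shows `latest-milestone: "v1.28"`, which is now earlier than the first targeted release. Please update `latest-milestone` in the same change so the metadata stays consistent with the shifted alpha/beta/stable targets.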