diff --git a/releasenotes/notes/policy-refactor-xena-0cddb7f2d492cb3a.yaml b/releasenotes/notes/policy-refactor-xena-0cddb7f2d492cb3a.yaml
new file mode 100644
index 0000000000..080e2459d0
--- /dev/null
+++ b/releasenotes/notes/policy-refactor-xena-0cddb7f2d492cb3a.yaml
@@ -0,0 +1,14 @@
+---
+security:
+  - |
+    The Xena release of Glance is a midpoint in the process of
+    refactoring how our policies are applied to API operations. The
+    goal of applying policy enforcement in the API will ultimately
+    increase the flexibility operators have over which users can do
+    what operations to which images, and provides a path for compliant
+    Secure RBAC and scoped tokens. In Xena, some policies are more
+    flexible than they once were, allowing for more fine-grained
+    assignment of responsibilities, but not all things are possible
+    yet. If `enforce_secure_rbac` is not enabled, most things are
+    still enforcing the legacy behavior of hard and fast
+    admin-or-owner requirements.