diff --git a/security/v1/peer_authentication_alias.gen.go b/security/v1/peer_authentication_alias.gen.go
index 8591e45250f..6c570ac3694 100644
--- a/security/v1/peer_authentication_alias.gen.go
+++ b/security/v1/peer_authentication_alias.gen.go
@@ -3,14 +3,19 @@ package v1
 
 import "istio.io/api/security/v1beta1"
 
-// {{< warning >}}
-// Development of PeerAuthentication is currently frozen and likely to be replaced in Ambient.
-// {{< /warning >}}
-// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
+// PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.
+//
+// In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required
+// for connections to an Envoy proxy sidecar.
+//
+// In ambient mode, security is transparently enabled for a pod by the ztunnel node agent.
+// (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.)
+// Because of this, `DISABLE` mode is not supported.
+// `STRICT` mode is useful to ensure that connections that bypass the mesh are not possible.
 //
 // Examples:
 //
-// Policy to allow mTLS traffic for all workloads under namespace `foo`:
+// Policy to require mTLS traffic for all workloads under namespace `foo`:
 // ```yaml
 // apiVersion: security.istio.io/v1
 // kind: PeerAuthentication
diff --git a/security/v1beta1/peer_authentication.pb.go b/security/v1beta1/peer_authentication.pb.go
index 91340986ea3..3042b659b3c 100644
--- a/security/v1beta1/peer_authentication.pb.go
+++ b/security/v1beta1/peer_authentication.pb.go
@@ -97,14 +97,19 @@ func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int) {
 	return file_security_v1beta1_peer_authentication_proto_rawDescGZIP(), []int{0, 0, 0}
 }
 
-// {{< warning >}}
-// Development of PeerAuthentication is currently frozen and likely to be replaced in Ambient.
-// {{< /warning >}}
-// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
+// PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.
+//
+// In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required
+// for connections to an Envoy proxy sidecar.
+//
+// In ambient mode, security is transparently enabled for a pod by the ztunnel node agent.
+// (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.)
+// Because of this, `DISABLE` mode is not supported.
+// `STRICT` mode is useful to ensure that connections that bypass the mesh are not possible.
 //
 // Examples:
 //
-// Policy to allow mTLS traffic for all workloads under namespace `foo`:
+// Policy to require mTLS traffic for all workloads under namespace `foo`:
 // ```yaml
 // apiVersion: security.istio.io/v1
 // kind: PeerAuthentication
diff --git a/security/v1beta1/peer_authentication.pb.html b/security/v1beta1/peer_authentication.pb.html
index 0c04a3643e4..7859bf03c7e 100644
--- a/security/v1beta1/peer_authentication.pb.html
+++ b/security/v1beta1/peer_authentication.pb.html
@@ -10,12 +10,15 @@ ---

PeerAuthentication

-

{{< warning >}} -Development of PeerAuthentication is currently frozen and likely to be replaced in Ambient. -{{< /warning >}} -PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.

+

PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.

+

In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required +for connections to an Envoy proxy sidecar.

+

In ambient mode, security is transparently enabled for a pod by the ztunnel node agent. +(Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.) +Because of this, DISABLE mode is not supported. +STRICT mode is useful to ensure that connections that bypass the mesh are not possible.

Examples:

-

Policy to allow mTLS traffic for all workloads under namespace foo:

+

Policy to require mTLS traffic for all workloads under namespace foo:

apiVersion: security.istio.io/v1
 kind: PeerAuthentication
 metadata:
diff --git a/security/v1beta1/peer_authentication.proto b/security/v1beta1/peer_authentication.proto
index 08b370bc5f2..04269e8be29 100644
--- a/security/v1beta1/peer_authentication.proto
+++ b/security/v1beta1/peer_authentication.proto
@@ -25,14 +25,19 @@ package istio.security.v1beta1;
 
 option go_package="istio.io/api/security/v1beta1";
 
-// {{< warning >}}
-// Development of PeerAuthentication is currently frozen and likely to be replaced in Ambient.
-// {{< /warning >}}
-// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
+// PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.
+//
+// In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required
+// for connections to an Envoy proxy sidecar.
+//
+// In ambient mode, security is transparently enabled for a pod by the ztunnel node agent.
+// (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.)
+// Because of this, `DISABLE` mode is not supported.
+// `STRICT` mode is useful to ensure that connections that bypass the mesh are not possible.
 //
 // Examples:
 //
-// Policy to allow mTLS traffic for all workloads under namespace `foo`:
+// Policy to require mTLS traffic for all workloads under namespace `foo`:
 // ```yaml
 // apiVersion: security.istio.io/v1
 // kind: PeerAuthentication
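Review bot: The new comment states that `DISABLE` mode is not supported in ambient mode but does not say what happens to a policy that sets it — whether validation rejects it, the field is ignored, or it is treated as another mode — and that is the detail an operator needs to predict the effective posture of a workload. It also describes `STRICT` but not how `PERMISSIVE` behaves for ambient workloads (whether non-HBONE plaintext from outside the mesh is still accepted), which is the mode most likely to be left in place during migration. Suggest adding, after the `Because of this, \`DISABLE\` mode is not supported.` line, a sentence of the form `// A policy that sets DISABLE in ambient mode is <rejected | ignored> (TODO: confirm against ztunnel behavior).` plus one stating the `PERMISSIVE` semantics, with the actual behavior filled in from the implementation. Since the `.gen.go`, `.pb.go` and `.pb.html` hunks are generated from this comment, the wording only needs to change here and be regenerated.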