diff --git a/lib/services/local/workload_identity.go b/lib/services/local/workload_identity.go
index f230ee2c2b794..3c9d2c7b6cf1e 100644
--- a/lib/services/local/workload_identity.go
+++ b/lib/services/local/workload_identity.go
@@ -106,7 +106,10 @@ func (b *WorkloadIdentityService) UpsertWorkloadIdentity(
 return upserted, trace.Wrap(err)
 }
 
-// UpdateWorkloadIdentity updates a specific WorkloadIdentity.
+// UpdateWorkloadIdentity updates a specific WorkloadIdentity. The resource must
+// already exist, and, condition update semantics are used - e.g the submitted
+// resource must have a revision matching the revision of the resource in the
+// backend.
 func (b *WorkloadIdentityService) UpdateWorkloadIdentity(
 ctx context.Context, resource *workloadidentityv1pb.WorkloadIdentity,
 ) (*workloadidentityv1pb.WorkloadIdentity, error) {
diff --git a/lib/services/workload_identity.go b/lib/services/workload_identity.go
index 8565536f1acf8..89b87ba0d2473 100644
--- a/lib/services/workload_identity.go
+++ b/lib/services/workload_identity.go
@@ -45,8 +45,10 @@ type WorkloadIdentities interface {
 ) (*workloadidentityv1pb.WorkloadIdentity, error)
 // DeleteWorkloadIdentity deletes a SPIFFE Federation by name.
 DeleteWorkloadIdentity(ctx context.Context, name string) error
- // UpdateWorkloadIdentity updates a WorkloadIdentity. It will not act if the
- // resource is not found or where the revision does not match.
+ // UpdateWorkloadIdentity updates a specific WorkloadIdentity. The resource must
+ // already exist, and, condition update semantics are used - e.g the submitted
+ // resource must have a revision matching the revision of the resource in the
+ // backend.
 UpdateWorkloadIdentity(
 ctx context.Context, workloadIdentity *workloadidentityv1pb.WorkloadIdentity,
 ) (*workloadidentityv1pb.WorkloadIdentity, error)
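Review bot: The new doc comment on `UpdateWorkloadIdentity` says "condition update semantics are used - e.g the submitted resource must have a revision matching", which should read "conditional update" and "i.e.", since the revision match is the rule itself and not an example; the identical text is added to the interface method in lib/services/workload_identity.go. The comment also states the preconditions without saying what the caller gets back when the resource is missing or the revision is stale. I would write `// UpdateWorkloadIdentity updates an existing WorkloadIdentity using conditional update semantics: the submitted resource's revision must match the revision stored in the backend.` and add one sentence naming the error returned on a mismatch, so callers know to re-read and retry instead of overwriting a concurrent change to an identity-issuance rule. The function body lies outside the hunk, so the exact error returned could not be confirmed from here.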
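Review bot: The context line directly above the rewritten comment still reads `// DeleteWorkloadIdentity deletes a SPIFFE Federation by name.`, which looks like a copy-paste leftover from another resource's interface and is not touched by this commit. Since the change is already tidying the docs of this interface, `// DeleteWorkloadIdentity deletes a WorkloadIdentity by name.` would keep the contract consistent for readers of `WorkloadIdentities`. The interface declaration starts and ends outside the hunk, so other method comments may carry the same leftover wording.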