diff --git a/website/content/docs/enterprise/cluster-design.mdx b/website/content/docs/enterprise/cluster-design.mdx index 8a9827c4ded6..50094ca2f617 100644 --- a/website/content/docs/enterprise/cluster-design.mdx +++ b/website/content/docs/enterprise/cluster-design.mdx @@ -36,7 +36,7 @@ You can help keep your Vault environments healthy by avoiding established anti-patterns. The Hashicorp Well-architected framework documentation provides in-depth -[Vault anti-patterns](/well-architected-framework/operational-excellence/operational-excellence-managing-vault-with-terraform) guidance based on +[Vault anti-patterns](/well-architected-framework/operational-excellence/security-vault-anti-patterns) guidance based on lessons learned by customers operating Vault in the field. ## Step 3: Plan for maintenance at scale diff --git a/website/content/partials/ui/policy-requirements.mdx b/website/content/partials/ui/policy-requirements.mdx new file mode 100644 index 000000000000..0ccd5b8cbc5b --- /dev/null +++ b/website/content/partials/ui/policy-requirements.mdx 
@@ -0,0 +1,27 @@ + + + You cannot make policy adjustments or overwrites to the ui/mounts  + and ui/resultant-acl endpoints once you enable the Vault UI. Vault + ignores policy updates that target these paths + with explicit deny capabilities. + + + +Depending on your Vault configuration, you may need to define UI policies +with different ACL capabilities from the permissions provided by your Vault CLI +policies. + +The `default` UI policy includes two paths, **which cannot be modified with +additional policies** once you +[enable](/vault/docs/configuration/ui#activating-the-vault-ui) the UI: + +- [/sys/internal/ui/mounts](/vault/api-docs/system/internal-ui-mounts) - + provides a list of currently visible mounts based on the + [`listing_visibility`](/vault/api-docs/system/mounts#listing_visibility) + parameter. `sys/internal/ui/mounts` is an unauthenticated, internal endpoint + used for UI and CLI preflight checks. Requests that include an `X-Vault-Token` + will return all mounts the token has path capabilities on. +- [/sys/internal/ui/resultant-acl](/vault/api-docs/system/internal-ui-resultant-acl) - + repackages authentication information used by the UI. **If you do not have have + permission to call the `ui/resultant-acl` endpoint, you may receive warnings or + errors in the UI**.
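Review bot: The replacement slug in the cluster-design.mdx hunk (`/well-architected-framework/operational-excellence/security-vault-anti-patterns`) cannot be verified from the diff itself; confirm the target page exists at that path before merging, since the old link resolved to an unrelated Terraform-management page and a second broken link would be easy to miss in a one-line change.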
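Review bot: In the new policy-requirements.mdx partial, the callout and the body disagree on what is actually enforced: the callout says Vault "ignores policy updates that target these paths with explicit deny capabilities", while the body says the two paths "cannot be modified with additional policies" at all. Pick one statement of the behaviour and use it in both places so readers do not assume a broader (or narrower) restriction than Vault applies. Also fix the doubled word in "If you do not have have permission to call the `ui/resultant-acl` endpoint", and consider naming the `ui/mounts` and `ui/resultant-acl` paths in the callout with the same `sys/internal/...` prefix used in the bullet list, so the callout matches the paths an operator would actually see in a policy.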