diff --git a/CP-CPS.md b/CP-CPS.md
index bdbce8c..6cc91e8 100644
--- a/CP-CPS.md
+++ b/CP-CPS.md
@@ -313,6 +313,8 @@ No stipulation.
 
 At a high level, the following steps are taken during issuance of a Subscriber Certificate. ISRG's automated processes confirm that all requested names have been properly validated to be controlled by the Subscriber requesting the certificate. The to-be-signed certificate is linted, then signed by a Subordinate CA in an HSM. After issuance is complete, the certificate is stored in a database and made available to the Subscriber.
 
+All issuance from ISRG Root CAs requires direct action from a person acting in an appropriate Trusted Role as described in Section 5.2.1.
+
 ### 4.3.2 Notification to subscriber by the CA of issuance of certificate
 
 Subscriber Certificates are made available to Subscribers via the ACME protocol as soon after issuance as reasonably possible. Typically this happens within a few seconds.