diff --git a/data/deprecations/16-5-ci-job-token-limit-setting.yml b/data/deprecations/16-5-ci-job-token-limit-setting.yml
index 66bf43d13c7bd1bcf5822ddaa716821425c80b50..d4e8c3a5e704caf325acac4835b4d4ce530dd79f 100644
--- a/data/deprecations/16-5-ci-job-token-limit-setting.yml
+++ b/data/deprecations/16-5-ci-job-token-limit-setting.yml
@@ -35,6 +35,12 @@
     To prepare for this change, project maintainers using job tokens for cross-project authentication
     should populate their project's **Authorized groups and projects** allowlists. They should then change
     the setting to **Only this project and any groups and projects in the allowlist**.
+
+    To help identify projects that need access to your project by authenticating with a CI/CD job token, in GitLab 17.6 we also introduced a method to [track job token authentications](https://about.gitlab.com/releases/2024/11/21/gitlab-17-6-released/#track-cicd-job-token-authentications) to your projects. You can use that data to populate your CI/CI job token allowlist.
+
+    In GitLab 17.10, we introduced [migration tooling](https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html#auto-populate-a-projects-allowlist) to automatically populate the CI/CD job token allowlist from the job token authentication log. We encourage you to use this migration tool to populate and use the allowlist before [general enforcement of allowlists in GitLab 18.0](https://docs.gitlab.com/ee/update/deprecations.html#cicd-job-token---authorized-groups-and-projects-allowlist-enforcement). In GitLab 18.0, automatic population and enforcement of the allowlist will occur as previously announced.
+
+    This migration tool will be removed in GitLab 18.3.
   #
   # OPTIONAL END OF SUPPORT FIELDS
   #
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index ec65977e54d4cdf8cc5b7cb0a92ad89c59f24906..a867696489c7cc7de9724e04f1d28327ff592210 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -535,6 +535,12 @@ To prepare for this change, project maintainers using job tokens for cross-proje
 should populate their project's **Authorized groups and projects** allowlists. They should then change
 the setting to **Only this project and any groups and projects in the allowlist**.
 
+To help identify projects that need access to your project by authenticating with a CI/CD job token, in GitLab 17.6 we also introduced a method to [track job token authentications](https://about.gitlab.com/releases/2024/11/21/gitlab-17-6-released/#track-cicd-job-token-authentications) to your projects. You can use that data to populate your CI/CI job token allowlist.
+
+In GitLab 17.10, we introduced [migration tooling](https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html#auto-populate-a-projects-allowlist) to automatically populate the CI/CD job token allowlist from the job token authentication log. We encourage you to use this migration tool to populate and use the allowlist before [general enforcement of allowlists in GitLab 18.0](https://docs.gitlab.com/ee/update/deprecations.html#cicd-job-token---authorized-groups-and-projects-allowlist-enforcement). In GitLab 18.0, automatic population and enforcement of the allowlist will occur as previously announced.
+
+This migration tool will be removed in GitLab 18.3.
+
 </div>
 
 <div class="deprecation breaking-change" data-milestone="18.0">