
Commit d27f7ea

msmbaldwin and Copilot committed
Add operational key protection note to envelope encryption section
Brief addition to encryption-at-rest envelope encryption section clarifying that cached DEKs are protected by Azure platform security controls and that the KEK in Key Vault remains the root of trust.

Co-authored-by: Copilot <[email protected]>
1 parent c16ed08 commit d27f7ea

1 file changed

Lines changed: 4 additions & 1 deletion


articles/security/fundamentals/encryption-atrest.md

@@ -8,8 +8,9 @@ ms.assetid: 9dcb190e-e534-4787-bf82-8ce73bf47dba
88
ms.service: security
99
ms.subservice: security-fundamentals
1010
ms.topic: article
11-
ms.date: 04/02/2026
11+
ms.date: 04/09/2026
1212
ms.author: mbaldwin
13+
ai-usage: ai-assisted
1314

1415
---
1516

@@ -79,6 +80,8 @@ You use more than one encryption key in an encryption at rest implementation. St
7980

8081
Resource providers and application instances store the encrypted Data Encryption Keys as metadata. Only an entity with access to the Key Encryption Key can decrypt these Data Encryption Keys. Different models of key storage are supported. For more information, see [data encryption models](encryption-models.md).
8182

83+
When services cache DEKs locally for active cryptographic operations, the cached keys are protected by Azure platform security controls, including [host-level compute isolation](isolation-choices.md) and process-level protections. Cached operational keys are an availability and performance mechanism — the KEK in Key Vault remains the root of trust, and key revocation governs access to encrypted data.
84+
8285
## Encryption at rest in Microsoft cloud services
8386

8487
You use Microsoft Cloud services in all three cloud models: IaaS, PaaS, and SaaS. The following examples show how they fit in each model:
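Review bot: The closing clause of the added paragraph, "key revocation governs access to encrypted data", reads as if revoking the KEK cuts off access immediately, yet the same paragraph says services keep DEKs cached locally for active operations, so a cached DEK can keep serving requests until that cache entry is dropped and the service has to unwrap the DEK against Key Vault again. Suggest qualifying it, for example: "key revocation governs access to encrypted data once a service must unwrap a DEK again; a DEK already cached for active operations remains usable until the cache is refreshed", and pointing readers to the service-specific documentation for cache lifetimes, since the hunk gives no figure. Minor style point: the preceding context line spells out "Data Encryption Keys" and "Key Encryption Key" while the new paragraph switches to "DEKs" and "KEK"; keep one form, or introduce the abbreviations on first use if the file does not already do so above this hunk.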
