diff --git a/compensating-controls.yaml b/compensating-controls.yaml index a6dbc56..658c99d 100644 --- a/compensating-controls.yaml +++ b/compensating-controls.yaml @@ -129,11 +129,16 @@ controls: containers run as non-root (UID 472) with all capabilities dropped. created: 2026-03-30 - last-reviewed: 2026-03-30 + last-reviewed: 2026-05-04 notes: >- Verify by inspecting grafana deployment.yaml securityContext for both init and runtime containers. If fsGroup alone can handle PVC ownership, remove init-chown-data and this control. + Retirement deferred until grafana lands on ringtail's k3s + (see [[indri-k8s-migration]]) — storage backend will change, + and removing init-chown-data right before that migration + trades a real safety net for marginal cleanup. Revisit + post-migration. - id: node-config-automated-verification description: >- diff --git a/docs/changelog.d/+review-cc-init-container-isolation.misc.md b/docs/changelog.d/+review-cc-init-container-isolation.misc.md new file mode 100644 index 0000000..295e7f8 --- /dev/null +++ b/docs/changelog.d/+review-cc-init-container-isolation.misc.md @@ -0,0 +1 @@ +Reviewed compensating control `init-container-isolation` (35 days stale). Grafana's running pod matches the manifest and the CC's claim — only `init-chown-data` runs as root with `CHOWN`; runtime containers all run as UID 472 with all caps dropped. Retirement (replacing init-chown-data with `fsGroup` alone) is plausible given the in-tree minikube-hostpath provisioner, but deferred until grafana lands on ringtail's k3s — note added to the CC.
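Review bot: in the compensating-controls.yaml hunk, the new sentences appended to `notes` record why retirement is deferred but not what has to be true for it to proceed, so the next reviewer inherits "Revisit post-migration" with no concrete test. Suggest stating the post-migration criterion next to the existing manifest check, e.g. "After grafana is on ringtail's k3s, confirm the new storage class applies fsGroup ownership to the data PVC; if it does, drop init-chown-data and retire this control", and consider a target review date, since the only reason this control was revisited at all is the gap between `created: 2026-03-30` and the new `last-reviewed: 2026-05-04`. Minor: `[[indri-k8s-migration]]` is a wiki-style link inside a YAML folded scalar; fine if whatever renders this file resolves it, otherwise a plain path or URL would be more durable.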
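Review bot: in the changelog.d hunk, the fragment names the concrete reason retirement is plausible today (the in-tree minikube-hostpath provisioner) and records a live-pod check ("Grafana's running pod matches the manifest"), but neither detail made it into the control's `notes`, which still says only "storage backend will change" and "Verify by inspecting grafana deployment.yaml securityContext". A changelog fragment is consumed at release time, while the CC note is what the post-migration reviewer will actually read, so suggest carrying the provisioner name into the YAML note and adding the running-pod comparison to the verification step, so that the manifest-versus-live check is repeatable rather than living only in this entry.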