diff --git a/teps/0091-trusted-resources.md b/teps/0091-trusted-resources.md index 35bb81911..ac5bde7a6 100644 --- a/teps/0091-trusted-resources.md +++ b/teps/0091-trusted-resources.md @@ -2,7 +2,7 @@ status: implementable title: Trusted Resources creation-date: '2022-06-22' -last-updated: '2022-08-16' +last-updated: '2023-01-31' authors: - '@squee1945' - '@wlynch' @@ -267,6 +267,8 @@ metadata: name: verification-policy-a namespace: resource-namespace spec: + # mode controls whether a failing policy will be rejected + mode: "enforce" # resources defines a list of patterns resources: - pattern: "https://github.com/tektoncd/catalog.git" #git resource pattern @@ -289,6 +291,8 @@ spec: `namespace` should be the same of corresponding resources' namespace. +`mode` controls whether a failing policy will be rejected, can be set to `enforce` or `warn`, by default is `enforce`. If set to `enforce` then failing policy will deny the resource, if set to `warn` then failing policy will only log the warning but allow the resource. + `pattern` is used to filter out remote resources by their sources URL. e.g. git resources pattern can be set to https://github.com/tektoncd/catalog.git. The `pattern` should follow regex schema, we use go regex library's [`Match`](https://pkg.go.dev/regexp#Match) to match the pattern from VerificationPolicy to the `ConfigSource` URL resolved by remote resolution. Note that `.*` will match all resources. To learn more about regex syntax please refer to [syntax](https://pkg.go.dev/regexp/syntax). `ConfigSource` is also resolved by remote resolvers, e.g. [gitresolver](https://github.com/tektoncd/pipeline/blob/main/docs/git-resolver.md#resolutionrequest-status). To learn more about `ConfigSource` please refer to [ConfigSource](https://github.com/tektoncd/pipeline/blob/main/docs/pipeline-api.md#configsource-1) for more context. 
@@ -312,6 +316,11 @@ type VerificationPolicySpec struct { Resources []ResourcePattern `json:"resources"` // Authorities defines the rules for validating signatures. Authorities []Authority `json:"authorities"` + // Mode controls whether a failing policy will be rejected (not admitted), or if errors are converted to Warnings. + // enforce - Reject (default) + // warn - allow but warn + // +optional + Mode string `json:"mode,omitempty"` } type ResourcesPattern struct { 
@@ -377,13 +386,34 @@ metadata: name: feature-flag namespace: tekton-pipelines data: - verification-policy: enforce + enable-trusted-resource: true +``` + +`enable-trusted-resource`. (Optional, `true` or `false`, default `false`): + * `true`: Failing verification will mark the taskruns/pipelineruns as failed. + * `false`: Directly skip the verification. + + + ```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-trusted-resources + namespace: tekton-pipelines +data: + no-match-policy: "deny" ``` -`verification-policy`. (Optional, `enforce`, `warn` or `skip`, default `skip`): - * `enforce`: Failing verification will mark the taskruns/pipelineruns as failed. - * `warn`: Log warning but don't fail the taskruns/pipelineruns. - * `skip`: Directly skip the verification. +`no-match-policy`. (Optional, `allow`, `deny` or `warn`, default `deny`): + * `deny`: when no matching policies found, reject the resource and fail taskrun/pipelinerun. + * `allow`: when no matching policies found, allow the resource. + * `warn`: when no matching policies found, allow the resource and log warning. + + **Note:** If users want to have both signed resources and unsigned resources. The `enable-trusted-resource` needs to be set to `true` and `no-match-policy` is set to `allow`. So for signed resources, matched policies can be used to verify. For unsigned resources, no policies will be found so they are allowed. + + #### Condition Update + + Trusted resources should also update the taskrun/pipelinerun’s condition to indicate if it passes verification or not. This can be done via knative api. ### Integrate with Remote Resource Resolution diff --git a/teps/README.md b/teps/README.md index 0f3cb11d6..d4733a052 100644 --- a/teps/README.md +++ b/teps/README.md 
@@ -260,7 +260,7 @@ This is the complete list of Tekton teps: |[TEP-0088](0088-result-summaries.md) | Tekton Results - Record Summaries | proposed | 2021-10-01 | |[TEP-0089](0089-nonfalsifiable-provenance-support.md) | Non-falsifiable provenance support | implementable | 2022-01-18 | |[TEP-0090](0090-matrix.md) | Matrix | implemented | 2022-06-30 | -|[TEP-0091](0091-trusted-resources.md) | Trusted Resources | implementable | 2022-08-16 | +|[TEP-0091](0091-trusted-resources.md) | Trusted Resources | implementable | 2023-01-31 | |[TEP-0092](0092-scheduling-timeout.md) | Scheduling Timeout | implementable | 2022-04-11 | |[TEP-0093](0093-add-sign-verify-subcommand-to-the-cli.md) | Add sign and verify subcommand to the CLI | proposed | 2022-10-05 | |[TEP-0094](0094-configuring-resources-at-runtime.md) | Configuring Resources at Runtime | implemented | 2022-03-11 |
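Review bot: in the `@@ -267,6` hunk of `teps/0091-trusted-resources.md`, the in-YAML comment `# mode controls whether a failing policy will be rejected` only names one of the two behaviours, so a reader copying the example does not learn what the alternative value does. Suggest stating both inline, e.g. `# mode: "enforce" (default) rejects a resource that fails this policy; "warn" logs the failure and admits it`, matching the prose that follows.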
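Review bot: in the `@@ -289,6` hunk, the new `mode` paragraph does not say how conflicting modes are combined when a resource's source URL matches more than one VerificationPolicy (one with `mode: enforce`, another with `mode: warn`), nor whether a `warn` policy that fails still counts as a verification failure for the taskrun/pipelinerun condition. Suggest stating the precedence explicitly (for example, any matching `enforce` policy that fails denies the resource, and the condition records the failure even under `warn`) so the controller and the `no-match-policy` setting described later behave consistently. Also tighten the wording: "can be set to `enforce` or `warn`, by default is `enforce`" reads better as "can be set to `enforce` or `warn`; the default is `enforce`".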
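Review bot: in the `@@ -312,6` hunk, `Mode string` with `omitempty` accepts any value, so a typo such as `enforced` or `Warn` is neither rejected nor obviously handled; suggest a typed `Mode` with the two allowed constants and a validation error in the VerificationPolicy admission path, and a sentence stating that an empty value is defaulted to `enforce` (fail closed) rather than left to each caller to interpret. The comment block is also inconsistent with `+optional`: "enforce - Reject (default)" should say where that default is applied. While here, the visible context shows `Resources []ResourcePattern` referencing a type declared as `type ResourcesPattern struct`; the names should agree.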
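Review bot: in the `@@ -377,13` hunk, `enable-trusted-resource: true` is an unquoted YAML boolean, but Kubernetes ConfigMap `data` values must be strings, so the `feature-flag` example as written is rejected by the API server; quote it as `enable-trusted-resource: "true"` (the `no-match-policy: "deny"` line in the second ConfigMap already does this). Separately, this hunk silently drops the cluster-wide `warn` level that `verification-policy: warn` offered; state in the text that the replacement is per-policy `mode: warn` together with `no-match-policy: warn`, so operators migrating know the mapping. The **Note:** paragraph opens with a sentence fragment ("If users want to have both signed resources and unsigned resources.") and should also spell out the risk of that configuration: with `no-match-policy: allow`, any resource whose source URL matches no pattern is admitted unverified, and since `regexp.Match` is unanchored, a pattern like `https://github.com/tektoncd/catalog.git` also matches URLs that merely contain that string, so patterns need to be anchored and specific. The stray leading spaces before the second ` ```yaml` fence, the **Note:** line and the `#### Condition Update` heading should be removed so the heading renders, and "This can be done via knative api" should name the condition type and reason that will be set and which knative package supplies the helpers.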