diff --git a/pkg/workflow/permissions_operations.go b/pkg/workflow/permissions_operations.go
index 534ea0e113a..95ec7ffc822 100644
--- a/pkg/workflow/permissions_operations.go
+++ b/pkg/workflow/permissions_operations.go
@@ -42,6 +42,13 @@ func filterJobLevelPermissions(rawPermissionsYAML string) string {
 filtered := NewPermissionsParser(rawPermissionsYAML).ToPermissions()
 rendered := filtered.RenderToYAML()
 if rendered == "" {
+ // If the raw permissions YAML was an explicit empty block (permissions: {}), preserve
+ // it at the job level. Without this check, "permissions: {}" would be silently dropped,
+ // leaving the job without any permissions block and causing it to inherit the workflow-
+ // level permissions instead of having its own explicit empty block.
+ if strings.TrimSpace(rawPermissionsYAML) == "permissions: {}" {
+ return "permissions: {}"
+ }
 return ""
 }
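Review bot: The new guard compares the raw text to the single literal `permissions: {}`, so any other spelling of an empty mapping (`permissions: { }`, extra spaces after the colon, a trailing comment) still reaches `return ""` and the job silently inherits the workflow-level token permissions, which is the fail-open outcome the added comment sets out to prevent. Deciding from the parsed value rather than the raw string would be sturdier; if the parser cannot report an explicit empty mapping, failing closed is the safer default, e.g. `if strings.TrimSpace(rawPermissionsYAML) != "" { return "permissions: {}" }`, provided no input that legitimately renders empty is meant to inherit (the filtering done by `ToPermissions` is not visible here, so confirm). A table test covering the whitespace and comment variants would pin the behaviour. The signature and the rest of filterJobLevelPermissions lie outside the hunk, as does the import block, so check that `strings` is already imported.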