diff --git a/Dockerfile b/Dockerfile
index 7d3adf7f1a..69c114b941 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,6 +4,6 @@ ARG TARGETARCH
 # 65532 is the UID of the `nonroot` user in chainguard/static. See: https://edu.chainguard.dev/chainguard/chainguard-images/reference/static/overview/#users
 USER 65532:65532
-COPY --chown=65532:65532 "build/zarf-linux-$TARGETARCH" /zarf
+COPY --chown=65532:65532 --chmod=0700 "build/zarf-linux-$TARGETARCH" /zarf
 CMD ["/zarf", "internal", "agent", "--log-level=debug", "--log-format=text", "--no-log-file"]
diff --git a/packages/zarf-agent/manifests/deployment.yaml b/packages/zarf-agent/manifests/deployment.yaml
index 61731ada18..bc6781071a 100644
--- a/packages/zarf-agent/manifests/deployment.yaml
+++ b/packages/zarf-agent/manifests/deployment.yaml
@@ -23,9 +23,9 @@ spec:
 serviceAccountName: zarf
 # Security context to comply with restricted PSS
 securityContext:
- runAsUser: 1000
- fsGroup: 2000
- runAsGroup: 2000
+ runAsUser: 65532
+ fsGroup: 65532
+ runAsGroup: 65532
 seccompProfile:
 type: "RuntimeDefault"
 containers:
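Review bot: In the Dockerfile hunk, the new `COPY --chown=65532:65532 --chmod=0700` line leaves `/zarf` owned and writable by the same UID the container runs as, so the agent process can overwrite its own binary unless the root filesystem is mounted read-only (no `readOnlyRootFilesystem` setting is visible in this diff). Mode 0700 also makes the binary executable only by UID 65532, so a pod that overrides `runAsUser` fails at exec with a permission error. If owner-only execution is not a requirement, a root-owned, non-writable binary avoids both: `COPY --chown=0:0 --chmod=0555 "build/zarf-linux-$TARGETARCH" /zarf`. Otherwise add a comment above the COPY such as `# /zarf is 0700 and owned by 65532: the pod securityContext must run as this UID`. `--chmod` on COPY needs BuildKit, so the legacy builder will reject this line.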
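Review bot: In the deployment.yaml hunk, `runAsUser: 65532` now has to match the owner of `/zarf` in the Dockerfile, because the binary is copied with mode 0700, and nothing in the manifest says so; the value reads as arbitrary, just as the old 1000/2000 did. A comment above `runAsUser` such as `# Must match the UID:GID that owns /zarf in the Dockerfile (65532, chainguard nonroot)` would stop a later edit from breaking agent startup. The pod-level securityContext shown here sets no `runAsNonRoot: true`, which the restricted Pod Security Standard named in the existing comment requires; it may be set on the container further down, outside this hunk, so confirm it is present there. The spec block continues on both sides of the hunk.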