diff --git a/changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx b/changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx
new file mode 100644
index 0000000000..164c91e88c
--- /dev/null
+++ b/changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx
@@ -0,0 +1,12 @@
+---
+title: Serverless Jobs now enforce cross-product permissions
+status: changed
+date: 2025-10-15
+category: serverless
+product: jobs
+---
+
+When starting a Job definition with `ServerlessJobsFullAccess` permission:
+- If the Job definition uses an image from **Container Registry**, you must now add, at minimum, the `ContainerRegistryReadOnly` permission.
+- If the Job Definition consumes data from **Secret Manager**; you must now add, at minimum, the `SecretManagerSecretAccess` permission.
+