diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
index e0f3e079f..b09778f3e 100644
--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: mavimo
 email: marcovito.moscaritolo@sysdig.com
 type: application
-version: 1.36.0
+version: 1.36.1
 appVersion: "1.0.0"
diff --git a/charts/shield/templates/cluster/_config.tpl b/charts/shield/templates/cluster/_config.tpl
index a6b3389a5..246c4c82c 100644
--- a/charts/shield/templates/cluster/_config.tpl
+++ b/charts/shield/templates/cluster/_config.tpl
@@ -224,21 +224,28 @@
 {{- end }}
 {{/*
-Generic helper: checks if .Values.features.respond.response_actions..trigger == "all"
+Generic helper: returns "true" when the response_actions feature is enabled at
+the master level (.Values.features.respond.response_actions.enabled) AND the
+specific per-action trigger is not explicitly set to "none". Returns "false"
+otherwise.
 Usage: {{ include "cluster.response_actions.is_enabled" (dict "Action" "delete_pod" "Context" .) }}
 */}}
 {{- define "cluster.response_actions.is_enabled" -}}
 {{- $action := .Action }}
 {{- $ctx := .Context }}
- {{- with $ctx.Values.features.respond.response_actions -}}
- {{- $entry := index . $action }}
- {{- if and $entry (eq $entry.trigger "none") -}}
- false
+ {{- if eq "true" (include "cluster.response_actions_enabled" $ctx) -}}
+ {{- with $ctx.Values.features.respond.response_actions -}}
+ {{- $entry := index . $action }}
+ {{- if and $entry (eq $entry.trigger "none") -}}
+ false
+ {{- else -}}
+ true
+ {{- end -}}
 {{- else -}}
 true
 {{- end -}}
 {{- else -}}
- true
+ false
 {{- end -}}
 {{- end -}}
diff --git a/charts/shield/templates/cluster/clusterrole.yaml b/charts/shield/templates/cluster/clusterrole.yaml
index a8cbe9705..e7bf42ea5 100644
--- a/charts/shield/templates/cluster/clusterrole.yaml
+++ b/charts/shield/templates/cluster/clusterrole.yaml
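Review bot: The inner `{{- with ... -}}` / `{{- else -}} true` branch of the rewritten helper is only reached after the master gate has passed, so it returns "true" for an action whose `response_actions` map is empty or missing — either that branch is dead (if `cluster.response_actions_enabled`, defined outside this hunk, reads the same map) or it grants RBAC for an action that has no configuration at all, which is the opposite of the fail-closed default the new doc comment promises. Flattening the helper to a single condition removes that ambiguity and four nested `end`s, which the misplaced `{{- end }}` fixed in clusterrole.yaml shows are easy to get wrong; the `default (dict)` guard is needed because `index` on an untyped nil fails at render time, and behaviour for present values is unchanged. The values passed to the `trigger` check are not validated beyond the literal "none", so a typo such as `None` keeps the rule granted — worth a mention in the helper's doc comment if no values schema enforces the enum.
```gotmpl
{{- define "cluster.response_actions.is_enabled" -}}
  {{- $action := .Action }}
  {{- $ctx := .Context }}
  {{- $entry := index (default (dict) $ctx.Values.features.respond.response_actions) $action }}
  {{- if and (eq "true" (include "cluster.response_actions_enabled" $ctx)) (not (and $entry (eq $entry.trigger "none"))) -}}
    true
  {{- else -}}
    false
  {{- end -}}
{{- end -}}
```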
@@ -308,7 +308,6 @@ rules:
 - list
 - watch
 {{- end }}
-{{- end }}
 {{- if eq "true" (include "cluster.response_actions_enabled" .) }}
 - apiGroups:
@@ -455,3 +454,4 @@ rules:
 - watch
 - patch # needed to remove finalizers, which could prevent deletion
 {{- end }}
+{{- end }}
diff --git a/charts/shield/tests/cluster/clusterrole_test.yaml b/charts/shield/tests/cluster/clusterrole_test.yaml
index 1c48a1ad1..8c20116de 100644
--- a/charts/shield/tests/cluster/clusterrole_test.yaml
+++ b/charts/shield/tests/cluster/clusterrole_test.yaml
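Review bot: The `{{- end }}` added after the finalizer-patch rule in the second hunk closes a block that opens outside both hunks, so a reader of this file cannot tell which guard now wraps the response_actions rules without scrolling back roughly 150 lines; since the bug being fixed was exactly an `end` in the wrong place, label it, e.g. `{{- end }}{{/* end: cluster.rbac.create guard */}}` — the test hunk names `cluster.rbac.create` as the guard, so confirm that against the opening `if` before committing the label. The unchanged `{{- end }}` just above it presumably closes the `cluster.response_actions_enabled` block opened in the first hunk; giving it the same kind of trailing comment makes the nesting auditable at a glance. Both enclosing `if` blocks start outside the hunks shown.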
@@ -837,3 +837,119 @@ tests:
 verbs:
 - create
 - patch
+
+ - it: response_actions disabled by default does not leak per-action RBAC
+ asserts:
+ - containsDocument:
+ kind: ClusterRole
+ apiVersion: rbac.authorization.k8s.io/v1
+ name: release-name-shield-cluster
+ - notContains:
+ path: rules
+ content:
+ apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+ - get
+ - notContains:
+ path: rules
+ content:
+ apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - delete
+ - notContains:
+ path: rules
+ content:
+ apiGroups:
+ - snapshot.storage.k8s.io
+ resources:
+ - volumesnapshots
+ verbs:
+ - delete
+ - get
+ - watch
+ - patch
+ - notContains:
+ path: rules
+ content:
+ apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+
+ - it: cluster.rbac.create false renders no ClusterRole
+ set:
+ cluster:
+ rbac:
+ create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: cluster.rbac.create false with response_actions enabled still renders no ClusterRole
+ set:
+ cluster:
+ rbac:
+ create: false
+ features:
+ respond:
+ response_actions:
+ enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: response_actions enabled with delete_pod trigger none suppresses only delete_pod rule
+ set:
+ features:
+ respond:
+ response_actions:
+ enabled: true
+ delete_pod:
+ trigger: none
+ asserts:
+ - containsDocument:
+ kind: ClusterRole
+ apiVersion: rbac.authorization.k8s.io/v1
+ name: release-name-shield-cluster
+ - notContains:
+ path: rules
+ content:
+ apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+ - get
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - delete
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - snapshot.storage.k8s.io
+ resources:
+ - volumesnapshots
+ verbs:
+ - delete
+ - get
+ - watch
+ - patch
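Review bot: Every `notContains` in the first and fourth new tests matches a rule document verbatim, so a leaked rule with a different verb order, an extra verb or a widened resource list would not match and the negative assertion would pass vacuously. Anchor each of these cases with a positive count, e.g. `- lengthEqual: { path: rules, count: <expected-rule-count> }` (placeholder — take the number from the rendered default), so any additional rule changes the total regardless of its shape. The fourth test also leaves out the `pods/log` rule that the first test checks, so whether `delete_pod.trigger: none` is meant to drop log reading as well is untested; a `contains` or `notContains` for it would pin that intent. The cases above line 837 are outside the hunk and may already cover the enabled-with-defaults baseline.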