diff --git a/docs/installation.md b/docs/installation.md
index 17e52de3bbb4..a4dba6bc0593 100644
--- a/docs/installation.md
+++ b/docs/installation.md
@@ -37,6 +37,7 @@ Determine your base installation option.
 
 Review the following:
 
+* [Workflow RBAC](workflow-rbac.md)
 * [Security](security.md).
 * [Scaling](scaling.md) and [running at massive scale](running-at-massive-scale.md).
 * [High-availability](high-availability.md)
diff --git a/docs/workflow-rbac.md b/docs/workflow-rbac.md
index a553edf5cdc6..10fb7295eaa0 100644
--- a/docs/workflow-rbac.md
+++ b/docs/workflow-rbac.md
@@ -48,3 +48,28 @@ Warning: For many organizations, it may not be acceptable to give a workflow the
 
 If you are not using the emissary, you'll need additional permissions.
 See [executor](https://github.com/argoproj/argo-workflows/tree/main/manifests/quick-start/base/executor) for suitable permissions.
+
+**Note**: Prior to `v3.5.2`, simple workflows such as [hello-world](https://raw.githubusercontent.com/argoproj/argo-workflows/main/examples/hello-world.yaml) may have run successfully without RBAC. As of `v3.5.2`, these workflows will fail without at least the permissions above via associated [Service Accounts](service-accounts.md). For example:
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: hello-world
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: hello-world-executor
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: executor
+subjects:
+- kind: ServiceAccount
+  name: hello-world
+```
+
+```bash
+argo submit --serviceaccount hello-world --watch https://raw.githubusercontent.com/argoproj/argo-workflows/main/examples/hello-world.yaml
+```