diff --git a/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb b/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
index 4ef52b5681b489948180398881a2acb8f88d59a4..7be6476e8087645da30e1b019f7805cc400e6904 100644
--- a/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
+++ b/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
@@ -26,6 +26,8 @@ def perform
             return @config if valid_security_orchestration_policy_configurations.blank?
             return @config unless extend_configuration?
 
+            @config[:workflow] = { rules: [{ when: 'always' }] } if @config.empty?
+
             merged_config = @config.deep_merge(merged_security_policy_config)
 
             if custom_scan_actions_enabled? && active_scan_custom_actions.any?
diff --git a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
index d965c97d539838cef8842a45b5b73d283ee6a114..f44996dd48d1639b8f77a8875691b36c8dedfcc0 100644
--- a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
@@ -186,6 +186,14 @@
     context 'when policy is applicable on branch from the pipeline' do
       let(:ref) { 'refs/heads/master' }
 
+      context 'and the project does not have a CI configuration' do
+        let_it_be(:config) { {} }
+
+        it 'adds a workflow rule' do
+          expect(subject).to include({ workflow: { rules: [when: 'always'] } })
+        end
+      end
+
       context 'when DAST profiles are not found' do
         it 'does not modify the config' do
           expect(subject[:'dast-on-demand-0']).to eq({ allow_failure: true, script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false' })