diff --git a/content/en/docs/ambient/usage/l4-policy/index.md b/content/en/docs/ambient/usage/l4-policy/index.md index d3cacc3d75..5d90fdb9d2 100644 --- a/content/en/docs/ambient/usage/l4-policy/index.md +++ b/content/en/docs/ambient/usage/l4-policy/index.md @@ -108,10 +108,6 @@ This means that when you have a waypoint installed, **the ideal place to enforce Istio's [peer authentication policies](/docs/concepts/security/#peer-authentication), which configure mutual TLS (mTLS) modes, are supported by ztunnel. +The default policy for ambient mode is `PERMISSIVE`, which allows pods to accept both mTLS-encrypted traffic (from within the mesh) and plain text traffic (from without). Enabling `STRICT` mode means that pods will only accept mTLS-encrypted traffic. + As ztunnel and {{< gloss >}}HBONE{{< /gloss >}} implies the use of mTLS, it is not possible to use the `DISABLE` mode in a policy. Such policies will be ignored. - -If you need to disable mTLS for an entire namespace, you will have to disable ambient mode: - -{{< text bash >}} -$ kubectl label namespace default istio.io/dataplane-mode- -{{< /text >}}
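Review bot: The removal at the end of the hunk drops the page's only guidance for a namespace that needs mTLS off (the `kubectl label namespace default istio.io/dataplane-mode-` step), so after this change the text says `DISABLE` policies "will be ignored" and gives the reader no next step. Consider keeping a one-sentence pointer that such workloads have to be taken out of ambient mode, or explain in the commit message why that guidance is being withdrawn. In the added paragraph, "plain text traffic (from without)" is ambiguous; "from outside the mesh" would mirror the "from within the mesh" wording next to it. Because the new text states that the default `PERMISSIVE` mode accepts plain text traffic, it would also help to follow "Enabling `STRICT` mode" with a link to, or a short example of, a policy that sets it, so readers who want to refuse unencrypted traffic know what to apply.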