diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 5d638c8f..04d56350 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -109,8 +109,8 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
-# Only specify platforms for push (multi-platform), not for load (single-platform only)
-platforms: ${{ (github.event_name != 'pull_request' && github.event_name != 'pull_request_target') && 'linux/amd64,linux/arm64' || '' }}
+# Build amd64 images on pushes; PR builds stay single-platform
+platforms: ${{ (github.event_name != 'pull_request' && github.event_name != 'pull_request_target') && 'linux/amd64' || '' }}
 # SBOM and provenance create manifest lists, incompatible with load (PRs)
 sbom: ${{ github.event_name != 'pull_request' && github.event_name != 'pull_request_target' }}
 provenance: ${{ github.event_name != 'pull_request' && github.event_name != 'pull_request_target' }}
diff --git a/SECURITY.md b/SECURITY.md
index e8c2bea3..e94c5caf 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -37,7 +37,7 @@ Our CI/CD pipeline implements multiple security layers:
 ### Container Security
-- Multi-architecture support (amd64, arm64)
+- Verified amd64 image builds
 - Regular base image updates
 - Minimal attack surface
 - Non-root user execution where possible
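Review bot: With arm64 removed, both branches of the `platforms` expression now produce a single-platform build, so the new comment ("PR builds stay single-platform") no longer explains why the conditional is kept; it presumably remains because an empty value lets buildx fall back to the runner's native platform, which the `load` path used for PRs needs, but that should be stated. Suggest replacing the new comment with `# Pushes pin linux/amd64; PR builds leave platforms unset so buildx uses the runner's native platform (load cannot take a platform list)`. Note that tags previously published as multi-arch manifests will now resolve to amd64-only images, and that the "Verified amd64 image builds" wording added to SECURITY.md in this commit can only refer to the sbom/provenance attestations, which the lines below this change show are emitted for non-PR events only. The conditions also fire on `pull_request_target`; if the checkout step elsewhere in this workflow builds the PR head's Dockerfile under that event, the build runs with base-repository permissions, which is worth confirming since the enclosing step starts outside this hunk.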