diff --git a/.server-changes/compute-org-label.md b/.server-changes/compute-org-label.md
new file mode 100644
index 0000000000..9306a0e2dc
--- /dev/null
+++ b/.server-changes/compute-org-label.md
@@ -0,0 +1,8 @@
+---
+area: supervisor
+type: improvement
+---
+
+Compute workload manager now sets an `org` label on every run (create +
+restore) for network-policy selection, instead of a plan-gated label. The
+Kubernetes workload manager is unchanged.
diff --git a/apps/supervisor/src/workloadManager/compute.ts b/apps/supervisor/src/workloadManager/compute.ts
index 3efad7d407..abe9af5a49 100644
--- a/apps/supervisor/src/workloadManager/compute.ts
+++ b/apps/supervisor/src/workloadManager/compute.ts
@@ -133,13 +133,11 @@ export class ComputeWorkloadManager implements WorkloadManager {
     // Strip image digest - resolve by tag, not digest
     const imageRef = stripImageDigest(opts.image);
 
-    // Labels forwarded to the compute provider for network-policy selection;
-    // the provider promotes a configured subset to its network layer. Mirrors
-    // the privatelink label the Kubernetes workload manager sets on the run pod.
-    const labels: Record<string, string> = {};
-    if (opts.hasPrivateLink) {
-      labels.privatelink = opts.orgId;
-    }
+    // Labels forwarded to the compute provider for network-policy selection.
+    // `org` is always set so every run carries its org identity.
+    const labels: Record<string, string> = {
+      org: opts.orgId,
+    };
 
     // Wide event: single canonical log line emitted in finally
     const event: Record<string, unknown> = {
@@ -319,12 +317,11 @@ export class ComputeWorkloadManager implements WorkloadManager {
       TRIGGER_WORKER_INSTANCE_NAME: this.opts.runner.instanceName,
     };
 
-    // Resupply the same labels on restore (mirror of the create path); the
-    // provider doesn't persist them across a snapshot, so without this a
-    // restored run would lose its policy-based network selection.
+    // Resupply labels on restore (the provider doesn't persist them across a
+    // snapshot). orgId is optional on the restore opts type, so guard it.
     const labels: Record<string, string> = {};
-    if (opts.hasPrivateLink && opts.orgId) {
-      labels.privatelink = opts.orgId;
+    if (opts.orgId) {
+      labels.org = opts.orgId;
     }
 
     this.logger.verbose("restore request body", {