diff --git a/lib/guardian/permissions.ex b/lib/guardian/permissions.ex
index 848edcbe5..ab465a5f9 100644
--- a/lib/guardian/permissions.ex
+++ b/lib/guardian/permissions.ex
@@ -239,7 +239,7 @@ defmodule Guardian.Permissions do
     test_perms_bits = decode_permissions(test_perms)
 
     Enum.all?(test_perms_bits, fn {k, needs} ->
-      has = Map.get(has_perms_bits, k, 0)
+      has = Map.get(has_perms_bits, k, [])
       MapSet.subset?(MapSet.new(needs), MapSet.new(has))
     end)
   end
diff --git a/test/guardian/permissions/permissions_test.exs b/test/guardian/permissions/permissions_test.exs
index 416de7d75..cf683aaa5 100644
--- a/test/guardian/permissions/permissions_test.exs
+++ b/test/guardian/permissions/permissions_test.exs
@@ -130,6 +130,28 @@ defmodule Guardian.PermissionsTest do
     end
   end
 
+  describe "when used as a plug with no permissions" do
+    setup do
+      claims = Impl.build_claims(%{"sub" => "user:1"}, nil, permissions: %{})
+
+      conn =
+        :get
+        |> conn("/")
+        |> Pipeline.call(module: Impl, error_handler: Handler)
+        |> Guardian.Plug.put_current_claims(claims)
+
+      {:ok, %{conn: conn, claims: claims}}
+    end
+
+    test "it does not allow when permissions are missing from ensure", %{conn: conn} do
+      opts = Guardian.Permissions.init(ensure: %{user: [:write, :read], profile: [:read, :write]})
+      conn = Guardian.Permissions.call(conn, opts)
+
+      assert {403, _headers, "{:unauthorized, :insufficient_permission}"} = sent_resp(conn)
+      assert conn.halted
+    end
+  end
+
   describe "when used as a plug" do
     setup do
       claims = Impl.build_claims(%{"sub" => "user:1"}, nil, permissions: %{user: [:read, :write], profile: [:read]})
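Review bot: The new `[]` default on the `Map.get(has_perms_bits, k, [])` line is the right fail-closed value, but nothing at the call site says why it must be a list rather than the old `0`, and the next reader may not realise that `0` is not enumerable so `MapSet.new(0)` raised instead of denying. Add a why-comment above the line: `# a permission set absent from the claims grants nothing; [] keeps MapSet.new/1 valid so the check denies instead of raising`. If another check in this module reads `has_perms_bits` with the same `Map.get(..., 0)` default (for example an any-of variant), it presumably needs the same change, which cannot be confirmed from this hunk. The enclosing function's head is outside the hunk.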
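Review bot: The new test only reaches the fixed `Map.get` default through the Plug pipeline (`Guardian.Permissions.init/1` then `call/2` with `ensure:`), so a future refactor of the plug could stop exercising the decode path while the test still passes. A direct unit assertion on the function that contains the change (its head is outside the first hunk), called with an empty permissions map and a non-empty required set, would pin the regression independently of `Pipeline`, `Impl` and `Handler`. If this version of the plug also accepts an any-of option alongside `ensure:`, it deserves a sibling test in this `describe`, since the same missing-key lookup is presumably shared. The `claims` value placed in the setup context is not read by the test and could be dropped from the returned map.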