diff --git a/app/controllers/assets_controller.rb b/app/controllers/assets_controller.rb
index 8630474b..a8814fc4 100644
--- a/app/controllers/assets_controller.rb
+++ b/app/controllers/assets_controller.rb
@@ -38,8 +38,8 @@ def restrict_request_format
   end
 
   def asset_params
-    exclude_blank_redirect_url(
-      params
+    normalize_redirect_url(
+      normalize_access_limited(params)
         .require(:asset)
         .permit(:file, :draft, :redirect_url, :replacement_id, :parent_document_url, access_limited: [])
     )
diff --git a/app/controllers/base_assets_controller.rb b/app/controllers/base_assets_controller.rb
index f2bd2dc2..700055c4 100644
--- a/app/controllers/base_assets_controller.rb
+++ b/app/controllers/base_assets_controller.rb
@@ -18,10 +18,17 @@ def create
 
 protected
 
-  def exclude_blank_redirect_url(params)
+  def normalize_redirect_url(params)
     params.reject { |k, v| (k.to_sym == :redirect_url) && v.blank? }
   end
 
+  def normalize_access_limited(params)
+    if params.has_key?(:asset) && params[:asset].has_key?(:access_limited) && params[:asset][:access_limited].empty?
+      params[:asset][:access_limited] = []
+    end
+    params
+  end
+
   def cache_control
     AssetManager.cache_control
   end
diff --git a/app/controllers/whitehall_assets_controller.rb b/app/controllers/whitehall_assets_controller.rb
index 5d119d19..1580bbbf 100644
--- a/app/controllers/whitehall_assets_controller.rb
+++ b/app/controllers/whitehall_assets_controller.rb
@@ -10,7 +10,7 @@ def create
 private
 
   def asset_params
-    exclude_blank_redirect_url(
+    normalize_redirect_url(
       params
         .require(:asset)
         .permit(
diff --git a/spec/controllers/assets_controller_spec.rb b/spec/controllers/assets_controller_spec.rb
index 1b0904fb..494b5058 100644
--- a/spec/controllers/assets_controller_spec.rb
+++ b/spec/controllers/assets_controller_spec.rb
@@ -195,6 +195,17 @@
         expect(assigns(:asset).access_limited).to eq(['user-id'])
       end
 
+      it 'resets access_limited to an empty array for an existing asset with an access_limited array' do
+        asset.update_attributes!(access_limited: ['user-uid'])
+
+        # We have to use an empty string as that is what gds-api-adapters/rest-client
+        # will generate instead of an empty array
+        attributes = valid_attributes.merge(access_limited: '')
+        put :update, params: { id: asset.id, asset: attributes }
+
+        expect(assigns(:asset).access_limited).to eq([])
+      end
+
       it 'stores redirect_url on existing asset' do
         redirect_url = 'https://example.com/path/file.ext'
         attributes = valid_attributes.merge(redirect_url: redirect_url)