diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/Security/RoleCarryingUserIdentity.cs b/src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/Security/RoleCarryingUserIdentity.cs
index c46b69f5..29d85fd1 100644
--- a/src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/Security/RoleCarryingUserIdentity.cs
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/Security/RoleCarryingUserIdentity.cs
@@ -23,7 +23,11 @@ public sealed class RoleCarryingUserIdentity : UserIdentity
     public RoleCarryingUserIdentity(UserIdentityToken token, IReadOnlyList<string> roles)
         : base(token)
     {
-        Roles = roles ?? throw new ArgumentNullException(nameof(roles));
+        ArgumentNullException.ThrowIfNull(roles);
+        // Freeze to a defensive copy so a caller mutating the source list can never retroactively
+        // alter this session's granted roles, and so the gate's per-ack `.Contains(...)` runs over a
+        // known-small frozen array.
+        Roles = [.. roles];
     }
 
     /// <summary>The roles the authenticator granted this session, used by downstream permission gates.</summary>