diff --git a/lib/auth/auth.go b/lib/auth/auth.go
index 4b4e06db7e4b0..ecf7a3c1455a9 100644
--- a/lib/auth/auth.go
+++ b/lib/auth/auth.go
@@ -1004,6 +1004,13 @@ func (a *Server) SetEmitter(emitter apievents.Emitter) {
 	a.emitter = emitter
 }
 
+// EmitAuditEvent implements [apievents.Emitter] by delegating to its dedicated
+// emitter rather than falling back to the implementation from [Services] (using
+// the audit log directly, which is almost never what you want).
+func (a *Server) EmitAuditEvent(ctx context.Context, e apievents.AuditEvent) error {
+	return trace.Wrap(a.emitter.EmitAuditEvent(ctx, e))
+}
+
 // SetUsageReporter sets the server's usage reporter. Note that this is only
 // safe to use before server start.
 func (a *Server) SetUsageReporter(reporter usagereporter.UsageReporter) {
diff --git a/lib/auth/helpers.go b/lib/auth/helpers.go
index 1dd1418144f60..4e4b9e66915fd 100644
--- a/lib/auth/helpers.go
+++ b/lib/auth/helpers.go
@@ -543,7 +543,7 @@ func (a *TestAuthServer) NewTestTLSServer() (*TestTLSServer, error) {
 		Authorizer:     a.Authorizer,
 		SessionService: a.SessionServer,
 		AuditLog:       a.AuditLog,
-		Emitter:        a.AuthServer.emitter,
+		Emitter:        a.AuthServer,
 	}
 	srv, err := NewTestTLSServer(TestTLSServerConfig{
 		APIConfig:     apiConfig,
diff --git a/lib/service/service.go b/lib/service/service.go
index 225382c32af91..25f107ff4ae94 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
@@ -1627,7 +1627,7 @@ func (process *TeleportProcess) initAuthService() error {
 		Authorizer:     authorizer,
 		AuditLog:       process.auditLog,
 		PluginRegistry: process.PluginRegistry,
-		Emitter:        checkingEmitter,
+		Emitter:        authServer,
 		MetadataGetter: uploadHandler,
 	}