diff --git a/lib/auth/init.go b/lib/auth/init.go
index 2ebfbf87bf2f2..bccb24e0ddec0 100644
--- a/lib/auth/init.go
+++ b/lib/auth/init.go
@@ -755,7 +755,7 @@ type PresetRoleManager interface {
 // GetPresetRoles returns a list of all preset roles expected to be available on
 // this cluster.
 func GetPresetRoles() []types.Role {
-	return []types.Role{
+	presets := []types.Role{
 		services.NewPresetGroupAccessRole(),
 		services.NewPresetEditorRole(),
 		services.NewPresetAccessRole(),
@@ -767,6 +767,11 @@ func GetPresetRoles() []types.Role {
 		services.NewPresetDeviceEnrollRole(),
 		services.NewPresetRequireTrustedDeviceRole(),
 	}
+
+	// Certain `New$FooRole()` functions will return a nil role if the
+	// corresponding feature is disabled. They should be filtered out as they
+	// are not actually made available on the cluster.
+	return slices.DeleteFunc(presets, func(r types.Role) bool { return r == nil })
 }
 
 // createPresetRoles creates preset role resources