diff --git a/lib/auth/init.go b/lib/auth/init.go
index bd579b777c8d6..52dc80c26015c 100644
--- a/lib/auth/init.go
+++ b/lib/auth/init.go
@@ -753,7 +753,7 @@ type PresetRoleManager interface {
 // GetPresetRoles returns a list of all preset roles expected to be available on
 // this cluster.
 func GetPresetRoles() []types.Role {
-	return []types.Role{
+	presets := []types.Role{
 		services.NewPresetGroupAccessRole(),
 		services.NewPresetEditorRole(),
 		services.NewPresetAccessRole(),
@@ -765,6 +765,11 @@ func GetPresetRoles() []types.Role {
 		services.NewPresetDeviceEnrollRole(),
 		services.NewPresetRequireTrustedDeviceRole(),
 	}
+
+	// Certain `New$FooRole()` functions will return a nil role if the
+	// corresponding feature is disabled. They should be filtered out as they
+	// are not actually made available on the cluster.
+	return slices.DeleteFunc(presets, func(r types.Role) bool { return r == nil })
 }
 
 // createPresetRoles creates preset role resources