diff --git a/agent/xds/delta_test.go b/agent/xds/delta_test.go
index a61050f845..20ee2887dd 100644
--- a/agent/xds/delta_test.go
+++ b/agent/xds/delta_test.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"strconv"
 	"strings"
+	"sync"
 	"sync/atomic"
 	"testing"
 	"time"
@@ -1058,6 +1059,15 @@ func TestServer_DeltaAggregatedResources_v3_ACLEnforcement(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			var stopped bool
+			lock := &sync.RWMutex{}
+
+			defer func() {
+				lock.Lock()
+				stopped = true
+				lock.Unlock()
+			}()
+
 			// aclResolve may be called in a goroutine even after a
 			// testcase tt returns. Capture the variable as tc so the
 			// values don't swap in the next iteration.
@@ -1071,6 +1081,14 @@ func TestServer_DeltaAggregatedResources_v3_ACLEnforcement(t *testing.T) {
 					// No token and defaultDeny is denied
 					return acl.RootAuthorizer("deny"), nil
 				}
+
+				lock.RLock()
+				defer lock.RUnlock()
+
+				if stopped {
+					return acl.DenyAll().ToAllowAuthorizer(), nil
+				}
+
 				// Ensure the correct token was passed
 				require.Equal(t, tc.token, id)
 				// Parse the ACL and enforce it