diff --git a/migrations/db/migrations/20260130074514_load_disable_pg_safeupdate.sql b/migrations/db/migrations/20260130074514_load_disable_pg_safeupdate.sql
new file mode 100644
index 000000000..3b662c9c5
--- /dev/null
+++ b/migrations/db/migrations/20260130074514_load_disable_pg_safeupdate.sql
@@ -0,0 +1,9 @@
+-- migrate:up
+ALTER ROLE authenticated SET session_preload_libraries = 'safeupdate';
+ALTER ROLE anon SET session_preload_libraries = 'safeupdate';
+load 'safeupdate';
+
+SET safeupdate.enabled=0;
+
+-- migrate:down
+
diff --git a/nix/ext/tests/pg_safeupdate.nix b/nix/ext/tests/pg_safeupdate.nix
index 4f168f8b0..abc34d646 100644
--- a/nix/ext/tests/pg_safeupdate.nix
+++ b/nix/ext/tests/pg_safeupdate.nix
@@ -54,6 +54,12 @@ self.inputs.nixpkgs.lib.nixos.runTest {
 enable = true;
 package = (postgresqlWithExtension psql_15);
 settings = (installedExtension "15").defaultSettings or { };
+ initialScript = pkgs.writeText "init-postgres" ''
+ CREATE ROLE authenticated NOLOGIN NOINHERIT;
+ GRANT USAGE ON SCHEMA public TO authenticated;
+ CREATE ROLE anon NOLOGIN NOINHERIT;
+ GRANT USAGE ON SCHEMA public TO anon;
+ '';
 };
 specialisation.postgresql17.configuration = {
diff --git a/nix/tests/expected/pg-safeupdate.out b/nix/tests/expected/pg-safeupdate.out
index f9100116a..0d17924d4 100644
--- a/nix/tests/expected/pg-safeupdate.out
+++ b/nix/tests/expected/pg-safeupdate.out
@@ -8,5 +8,10 @@ create table v.foo(
 update v.foo set val = 'bar';
 ERROR: UPDATE requires a WHERE clause
+grant all on schema v to authenticated;
+set role authenticated;
+delete from v.foo;
+ERROR: DELETE requires a WHERE clause
+reset role;
 drop schema v cascade;
 NOTICE: drop cascades to table v.foo
diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out
index c4e25b61b..f7fe78d3d 100644
--- a/nix/tests/expected/roles.out
+++ b/nix/tests/expected/roles.out
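Review bot: The `-- migrate:down` section at the end of the hunk is empty, so this migration cannot be reverted; it should undo the two role settings with `ALTER ROLE authenticated RESET session_preload_libraries;` and `ALTER ROLE anon RESET session_preload_libraries;` (the roles.out diff shows neither role carried that setting before). `SET safeupdate.enabled=0` only changes the migration's own session and leaves the two role settings untouched; a comment such as `-- session-only: do not let safeupdate block the rest of this migration run; the ALTER ROLE settings above are unaffected` would make that intent explicit. Preloading safeupdate for `anon` and `authenticated` is a guardrail against unqualified UPDATE/DELETE rather than an authorization boundary: if `safeupdate.enabled` is user-settable, a session running as these roles can switch it off, so grants and row-level security remain the actual control. The file also mixes upper-case `ALTER ROLE`/`SET` with lower-case `load`; pick one case.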
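Review bot: `initialScript` is added only to the postgresql-15 `services.postgresql` block; whether the `specialisation.postgresql17.configuration` that begins on the hunk's last line inherits it or replaces `services.postgresql` wholesale is not visible here. Confirm the `anon` and `authenticated` roles also exist under the 17 specialisation, otherwise the `set role authenticated` step added in nix/tests/sql/pg-safeupdate.sql would fail there if that test runs against it. The enclosing `runTest { ... }` attribute set starts before the hunk.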
@@ -62,8 +62,8 @@ where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_
 order by rolname;
 rolname | rolconfig
 ----------------------------+---------------------------------------------------------------------------------
- anon | {statement_timeout=3s}
- authenticated | {statement_timeout=8s}
+ anon | {statement_timeout=3s,session_preload_libraries=safeupdate}
+ authenticated | {statement_timeout=8s,session_preload_libraries=safeupdate}
 authenticator | {session_preload_libraries=safeupdate,statement_timeout=8s,lock_timeout=8s}
 dashboard_user |
 pg_checkpoint |
diff --git a/nix/tests/sql/pg-safeupdate.sql b/nix/tests/sql/pg-safeupdate.sql
index 790ec79fa..6a7946e23 100644
--- a/nix/tests/sql/pg-safeupdate.sql
+++ b/nix/tests/sql/pg-safeupdate.sql
@@ -12,4 +12,12 @@ create table v.foo(
 update v.foo set val = 'bar';
+grant all on schema v to authenticated;
+set role authenticated;
+
+delete from v.foo;
+reset role;
 drop schema v cascade;
+
+
+
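Review bot: `set role authenticated;` followed by `delete from v.foo;` does not exercise the role-level `session_preload_libraries` setting the migration adds: role-specific settings are applied only when a session starts for its login role, and `SET ROLE` neither re-applies them nor loads libraries, so the `ERROR: DELETE requires a WHERE clause` in the expected output comes from safeupdate already being loaded in the test's own session (the unqualified `update` two lines above already fails the same way). If the intent is to prove the per-role setting works, the rolconfig rows in roles.out are the check that actually does that; a session-level check would need a connection whose login role is `authenticated`, which the nix fixture creates as NOLOGIN. A one-line comment above the block, `-- safeupdate is already loaded in this session; this only checks DELETE under SET ROLE, not the role-level preload`, would keep the next reader from over-trusting it. The three blank lines appended at end of file can be dropped.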