diff --git a/vault/identity_store.go b/vault/identity_store.go
index 64f56e5da0..c297549fce 100644
--- a/vault/identity_store.go
+++ b/vault/identity_store.go
@@ -51,6 +51,9 @@ func (i *IdentityStore) GetDisableLowerCasedNames() bool {
 return i.disableLowerCasedNames
 }
+// resetDB callers must hold the write lock on i.lock before calling, to ensure
+// that no other goroutine is reading from or writing to the database while it
+// gets reset.
 func (i *IdentityStore) resetDB() error {
 var err error
diff --git a/vault/identity_store_test.go b/vault/identity_store_test.go
index ffc1c799c5..bfbd0a40ed 100644
--- a/vault/identity_store_test.go
+++ b/vault/identity_store_test.go
@@ -1506,6 +1506,9 @@ func identityStoreLoadingIsDeterministic(t *testing.T, flags *determinismTestFla
 CredentialBackends: map[string]logical.Factory{
 "userpass": credUserpass.Factory,
 },
+ ActivityLogConfig: ActivityLogCoreConfig{
+ DisableTimers: true,
+ },
 }
 c, sealKeys, rootToken := TestCoreUnsealedWithConfig(t, cfg)
@@ -1681,13 +1684,15 @@ func identityStoreLoadingIsDeterministic(t *testing.T, flags *determinismTestFla
 var prevErr error
 for i := 0; i < 10; i++ {
+ c.identityStore.lock.Lock()
 err := c.identityStore.resetDB()
+ if err == nil {
+ logger.Info(" ==> BEGIN LOAD ARTIFACTS", "i", i)
+ err = c.identityStore.loadArtifacts(ctx, true)
+ }
+ c.identityStore.lock.Unlock()
 require.NoError(t, err)
- logger.Info(" ==> BEGIN LOAD ARTIFACTS", "i", i)
-
- err = c.identityStore.loadArtifacts(ctx, true)
-
 if i > 0 {
 require.Equal(t, prevErr, err)
 }
@@ -1833,7 +1838,9 @@ func TestIdentityStoreLoadingDuplicateReporting(t *testing.T) {
 // Setup a logger we can use to capture unseal logs
 logBuf, stopCapture := startLogCapture(t, logger)
+ c.identityStore.lock.Lock()
 err = c.identityStore.loadArtifacts(ctx, true)
+ c.identityStore.lock.Unlock()
 stopCapture()
 require.NoError(t, err)
diff --git a/vault/identity_store_util.go b/vault/identity_store_util.go
index bd72445270..bfdc17fcca 100644
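Review bot: In the retry loop of identityStoreLoadingIsDeterministic (hunk at -1681), `require.NoError(t, err)` now runs after `loadArtifacts` as well as `resetDB`, so a load error fails the test immediately and the following `require.Equal(t, prevErr, err)` can only ever compare nil with nil. On the old side only the resetDB error was asserted and the load error was left for the cross-iteration comparison. If a repeatable load error is still an acceptable outcome for this determinism test, keep the two errors apart, for example `resetErr := c.identityStore.resetDB()` under the lock and `require.NoError(t, resetErr)` after `Unlock()`. The Lock/Unlock pairs here and in TestIdentityStoreLoadingDuplicateReporting (hunk at -1833) are not deferred, so a panic inside loadArtifacts would leave `i.lock` held for the rest of the test run; wrapping the locked section in a small closure with `defer c.identityStore.lock.Unlock()` would avoid that. Both functions start and end outside their hunks.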
--- a/vault/identity_store_util.go
+++ b/vault/identity_store_util.go
@@ -40,7 +40,7 @@ var (
 )
 // loadArtifacts is responsible for loading entities, groups, and aliases from
-// storage into MemDB.
+// storage into MemDB. The caller should hold the identity store lock.
 func (i *IdentityStore) loadArtifacts(ctx context.Context, isActive bool) error {
 if i == nil {
 return nil
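Review bot: The new loadArtifacts comment says the caller "should hold the identity store lock", which is weaker and less specific than the resetDB comment added in identity_store.go ("must hold the write lock on i.lock"). Because loadArtifacts writes entities, groups and aliases into MemDB, the comment should presumably name the same lock and mode, e.g. `// storage into MemDB. Callers must hold the write lock on i.lock.` Only test callers are changed in this diff, and the requirement is enforced by comment alone, so it is worth confirming that the non-test callers of loadArtifacts and resetDB already take `i.lock`; an unlocked reload of the identity MemDB would let concurrent requests read partially loaded identity state. The body of loadArtifacts continues past the end of the hunk.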