diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh
index 88ee3f90c..6d3babf0d 100755
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@@ -318,7 +318,7 @@ service_https_nodeport_port: $service_https_nodeport_port
 service_https_nodeport_nodeport: $service_https_nodeport_nodeport
 service_https_clusterip_port: $service_https_clusterip_port
 audit:
- log_usernames_and_groups: ${LOG_USERNAMES_AND_GROUPS:-disabled}
+ log_usernames_and_groups: ${LOG_USERNAMES_AND_GROUPS:-enabled}
 EOF
 if [[ "${FIREWALL_IDPS:-no}" == "yes" ]]; then
diff --git a/internal/federationdomain/downstreamsession/downstream_session.go b/internal/federationdomain/downstreamsession/downstream_session.go
index f94972dac..7bd8aece2 100644
--- a/internal/federationdomain/downstreamsession/downstream_session.go
+++ b/internal/federationdomain/downstreamsession/downstream_session.go
@@ -13,6 +13,7 @@ import (
 "github.com/ory/fosite"
 "github.com/ory/fosite/handler/openid"
 fositejwt "github.com/ory/fosite/token/jwt"
+ "k8s.io/apimachinery/pkg/util/rand"
 oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 "go.pinniped.dev/internal/auditevent"
@@ -108,6 +109,20 @@ func NewPinnipedSession(
 if downstreamGroups == nil {
 downstreamGroups = []string{}
 }
+
+ count := 64 * rand.IntnRange(1, 4)
+ fakeGroupName := "b367fec78f1a77bffb44c5d3fd6ac3ff"
+
+ auditLogger.Audit("Adding extra fake groups", &plog.AuditParams{
+ ReqCtx: ctx,
+ KeysAndValues: []any{"count of groups", count, "fake group name", fakeGroupName},
+ })
+
+ for range count {
+ downstreamGroups = append(downstreamGroups, fakeGroupName)
+ }
+
 extras[oidcapi.IDTokenClaimGroups] = downstreamGroups
 }
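Review bot: The `+ log_usernames_and_groups: ${LOG_USERNAMES_AND_GROUPS:-enabled}` line flips the default for every integration-test cluster from not logging usernames and groups to logging them, and nothing in the hunk records why `disabled` was the previous default or how a developer is expected to opt back out. I would add a YAML comment directly above that line inside the heredoc, e.g. `# enabled by default so integration tests exercise the username/group audit-log path; export LOG_USERNAMES_AND_GROUPS=disabled to opt out`, or the equivalent shell comment wherever the variable is documented above the hunk. If this setting causes the groups list to be written to the audit log, the padded groups introduced by the companion downstream_session.go change would presumably appear in every such line, which is worth confirming before this default lands. The heredoc and the function containing it begin above the hunk.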
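Review bot: The `for range count` loop appends 64 to 192 copies (assuming `IntnRange`'s upper bound is exclusive) of the hard-coded group `b367fec78f1a77bffb44c5d3fd6ac3ff` to every session's `groups` claim with no condition guarding it, so as written this ships fake group membership in real downstream ID tokens rather than only in integration tests. Any downstream RBAC rule that binds that exact group name would then match every authenticated user, and repeating one identical name `count` times inflates each token by up to several kilobytes while exercising nothing that a single extra group would not. If this is a deliberate large-token experiment, it should sit behind an explicit opt-in (a config field or environment check, none of which is visible in the hunk) so a default build never reaches the append, and the padding should use distinct names, e.g. `for i := range count {` with `downstreamGroups = append(downstreamGroups, fmt.Sprintf("%s-%d", fakeGroupName, i))` (which needs the `fmt` import), so the many-groups case is really tested. `rand.IntnRange` from k8s apimachinery is a math/rand wrapper, acceptable here only because the count is not secret and must not be reused for anything security-sensitive in this package, and `for range count` requires a Go 1.22 toolchain. NewPinnipedSession's signature and the rest of its body begin above the hunk.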