diff --git a/src/Authority/StellaOps.Authority/StellaOps.Authority/Console/Admin/ConsoleAdminEndpointExtensions.cs b/src/Authority/StellaOps.Authority/StellaOps.Authority/Console/Admin/ConsoleAdminEndpointExtensions.cs
index 7d878d5d8..f2b5c0df7 100644
--- a/src/Authority/StellaOps.Authority/StellaOps.Authority/Console/Admin/ConsoleAdminEndpointExtensions.cs
+++ b/src/Authority/StellaOps.Authority/StellaOps.Authority/Console/Admin/ConsoleAdminEndpointExtensions.cs
@@ -702,6 +702,19 @@ internal static class ConsoleAdminEndpointExtensions
 return Results.NotFound(new { error = "user_not_found", userId });
 }
 
+ // Prevent disabling the last enabled user in the tenant — doing so would lock
+ // everyone out with no way to recover without direct database access.
+ var enabledUsers = await userRepository.GetAllAsync(tenantId, enabled: true, limit: 2, offset: 0, cancellationToken).ConfigureAwait(false);
+ if (enabledUsers.Count <= 1)
+ {
+ return Results.BadRequest(new
+ {
+ error = "last_admin_user",
+ message = "Cannot disable the last enabled user. At least one user must remain active.",
+ userId,
+ });
+ }
+
 var updatedUser = new UserEntity
 {
 Id = user.Id,
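Review bot: The guard counts every enabled user in the tenant rather than administrators, yet it answers with `error = "last_admin_user"`; if the only other enabled account has no admin rights, disabling the last administrator still passes and nobody is left who can re-enable users. Either make the lookup role-aware (the call shown filters only on `enabled: true`) or rename the code to `error = "last_enabled_user"` so the response matches what is actually enforced. The check is also a read followed by a separate write: two concurrent requests that each see two enabled users can both proceed, so the invariant probably needs to be enforced in the same transaction as the update, which is outside this hunk. It never confirms that the target is one of the enabled users either, so a request against an already-disabled user is refused whenever exactly one other user is enabled; comparing the returned entries' `Id` with `user.Id` before refusing would narrow that. The enclosing handler begins and ends outside the hunk.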