We need to ensure that as part of our security context propagation that we're properly handling access control contexts. For example, an async EJB invocation should have the exact same access control profile as a direct EJB invocation.