diff --git a/src/v/security/gssapi_authenticator.cc b/src/v/security/gssapi_authenticator.cc
index e21d696783d31..d9291b900bb99 100644
--- a/src/v/security/gssapi_authenticator.cc
+++ b/src/v/security/gssapi_authenticator.cc
@@ -124,16 +124,15 @@ class gssapi_authenticator::impl {
     };
 
     impl(
-      ss::sstring primary,
-      ss::sstring keytab,
-      std::vector<gssapi_rule> rules,
-      security::acl_principal& principal)
+      ss::sstring primary, ss::sstring keytab, std::vector<gssapi_rule> rules)
       : _primary{std::move(primary)}
       , _keytab{std::move(keytab)}
-      , _rules{std::move(rules)}
-      , _principal(principal) {}
+      , _rules{std::move(rules)} {}
 
     state_result<bytes> authenticate(bytes auth_bytes);
+    const security::acl_principal& principal() const { return _principal; }
+
+private:
     state_result<void> init();
     state_result<bytes> more(bytes_view);
     state_result<bytes> ssfcap(bytes_view);
@@ -156,7 +155,7 @@ class gssapi_authenticator::impl {
     ss::sstring _primary;
     ss::sstring _keytab;
     const std::vector<gssapi_rule> _rules;
-    security::acl_principal& _principal;
+    security::acl_principal _principal;
     state _state{state::init};
     gss::cred_id _server_creds;
     gss::ctx_id _context;
@@ -168,8 +167,7 @@ gssapi_authenticator::gssapi_authenticator(
   , _impl{std::make_unique<impl>(
       config::shard_local_cfg().sasl_kerberos_principal(),
       config::shard_local_cfg().sasl_kerberos_keytab(),
-      std::move(rules),
-      _principal)} {}
+      std::move(rules))} {}
 
 gssapi_authenticator::~gssapi_authenticator() = default;
 
@@ -186,6 +184,10 @@ ss::future<result<bytes>> gssapi_authenticator::authenticate(bytes auth_bytes) {
       });
 
     _state = res.state;
+    if (_state == state::complete) {
+        _principal = co_await _worker.submit(
+          [this]() { return _impl->principal(); });
+    }
     co_return std::move(res.result);
 }