diff --git a/docs/pages/reference/access-controls/access-lists.mdx b/docs/pages/reference/access-controls/access-lists.mdx index d66225075443b..de4f5293046a4 100644 --- a/docs/pages/reference/access-controls/access-lists.mdx +++ b/docs/pages/reference/access-controls/access-lists.mdx @@ -168,6 +168,14 @@ spec: - required_value1 ``` +## Access Lists and Deny Rules + +Teleport strives to be resilient to misconfiguration in Access Lists. +If a user's membership or ownership in an Access List cannot be resolved at login, +the user will not receive its grants. Therefore, granting roles with +[`deny` rules](../../reference/roles.mdx) in Access Lists is discouraged. +Prefer directly assigning roles containing `deny` rules to users. + ## Managing Access Lists from the CLI In addition to using the web UI, Access Lists can be created and managed from the CLI diff --git a/docs/pages/reference/access-controls/roles.mdx b/docs/pages/reference/access-controls/roles.mdx index 10989cd5b2484..405891c3863ba 100644 --- a/docs/pages/reference/access-controls/roles.mdx +++ b/docs/pages/reference/access-controls/roles.mdx @@ -12,6 +12,7 @@ A Teleport role manages access by having two lists of rules: `allow` rules and - Nothing is allowed by default. - Deny rules get evaluated first and take priority. +- Deny rules should be avoided on roles granted through Access Lists. You can use any of the following to manage Teleport roles and other dynamic resources: @@ -570,7 +571,7 @@ attribute or OIDC claim called `trait`. You can specify an external trait in dot syntax if it begins with a letter and contains only letters, numbers, and underscores. Otherwise, you must use bracket -syntax to specify a trait. +syntax to specify a trait. When using Azure AD or ADFS as your IdP, you must use bracket notation, as these IdPs assign attribute keys to URLs such as the following:
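Review bot: In the access-lists.mdx hunk, the link `[`deny` rules](../../reference/roles.mdx)` resolves, relative to docs/pages/reference/access-controls/, to docs/pages/reference/roles.mdx, but the roles reference this same patch edits lives at docs/pages/reference/access-controls/roles.mdx, so the link will be broken; use `./roles.mdx` (or `../access-controls/roles.mdx`). Two smaller points in the same paragraph: "the user will not receive its grants" should read "the user will not receive the list's grants", and the security reason for the recommendation is worth stating rather than implying. As the hunk itself describes, a user whose membership cannot be resolved gets none of the list's grants, which means a `deny` rule carried only through an Access List silently stops applying and access becomes wider, not narrower; a sentence such as "A `deny` rule granted only through an Access List is lost along with the rest of the grant, so it cannot be relied on to restrict access" would make the fail-open behaviour clear before the advice to assign such roles directly.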
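Review bot: In the first roles.mdx hunk (the bullet list near line 12), the new bullet is a recommendation placed in a list that otherwise states evaluation semantics ("Nothing is allowed by default", "Deny rules get evaluated first and take priority"), and it gives no reason a reader could act on. Either give it a short justification and a link to the new section, for example "- Deny rules should be avoided on roles granted through Access Lists, because a user whose list membership cannot be resolved at login does not receive the role at all (see Access Lists and Deny Rules).", or move the guidance to a sentence under the list so the bullets remain a description of how rules are evaluated.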
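Review bot: The second roles.mdx hunk (near line 571) only removes a trailing space after `syntax to specify a trait.` and changes no content; it is fine to keep, but since it is unrelated to the deny-rule guidance, note it in the PR description or split it into its own commit so reviewers of the docs change do not search that hunk for a wording difference.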