diff --git a/go.mod b/go.mod
index 6e0428e87..e3c5af94e 100644
--- a/go.mod
+++ b/go.mod
@@ -49,7 +49,7 @@ require (
 gopkg.in/go-jose/go-jose.v2 v2.6.3
 gopkg.in/natefinch/lumberjack.v2 v2.2.1
 k8s.io/api v0.0.0-20250503031400-f7e72be095ee
- k8s.io/apimachinery v0.0.0-20250509073128-f7c43800319c
+ k8s.io/apimachinery v0.0.0-20250509224118-202cba0f14e5
 k8s.io/client-go v0.0.0-20250508032644-996ce6af9b5e
 k8s.io/component-base v0.0.0-20250506232724-41c27b0c0716
 k8s.io/klog/v2 v2.130.1
diff --git a/go.sum b/go.sum
index 6184f5d7f..971b1d772 100644
--- a/go.sum
+++ b/go.sum
@@ -369,8 +369,8 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 k8s.io/api v0.0.0-20250503031400-f7e72be095ee h1:+YExLdNpiASfnQXQfpyLIGIps0RcJPNt7NdiCVH8Bys=
 k8s.io/api v0.0.0-20250503031400-f7e72be095ee/go.mod h1:AsuSCzGYZszSLf5GB+qx8FBGGirk0I/TZUkQJFsPRAQ=
-k8s.io/apimachinery v0.0.0-20250509073128-f7c43800319c h1:AOgTXCqYQBXL3LukOqiunp3VtlOBvrvoUM9kDvG1kjM=
-k8s.io/apimachinery v0.0.0-20250509073128-f7c43800319c/go.mod h1:b+h1nads2hmyfwvvorkgHUriRTTaJ2p2mk0l03sESn8=
+k8s.io/apimachinery v0.0.0-20250509224118-202cba0f14e5 h1:HUUum3joW/FJUlpYvcEN7n8o9/4qbVx9TNorWUYv9r8=
+k8s.io/apimachinery v0.0.0-20250509224118-202cba0f14e5/go.mod h1:b+h1nads2hmyfwvvorkgHUriRTTaJ2p2mk0l03sESn8=
 k8s.io/client-go v0.0.0-20250508032644-996ce6af9b5e h1:87FD9fyCZ9Bk8dvnl1tNYE03luBomy1GNE55c9jYgxw=
 k8s.io/client-go v0.0.0-20250508032644-996ce6af9b5e/go.mod h1:dvTAhQJ95EC+zjWHIb6bgrSGDNnmsN+CewryqZhfkZY=
 k8s.io/component-base v0.0.0-20250506232724-41c27b0c0716 h1:0LG0V3rheo9y8JjS/ctgwDV7nMwNSDYZrhVsnF14yjE=
diff --git a/pkg/admission/audit_test.go b/pkg/admission/audit_test.go
index dde433d79..8b291244b 100644
--- a/pkg/admission/audit_test.go
+++ b/pkg/admission/audit_test.go
@@ -144,7 +144,10 @@ func TestWithAudit(t *testing.T) {
 var handler Interface = fakeHandler{tc.admit, tc.admitAnnotations, tc.validate, tc.validateAnnotations, tc.handles}
 ctx := audit.WithAuditContext(context.Background())
 ac := audit.AuditContextFrom(ctx)
- ac.SetEventLevel(auditinternal.LevelMetadata)
+ if err := ac.Init(audit.RequestAuditConfig{Level: auditinternal.LevelMetadata}, nil); err != nil {
+ t.Fatal(err)
+ }
+
 auditHandler := WithAudit(handler)
 a := attributes()
@@ -186,8 +189,6 @@ func TestWithAuditConcurrency(t *testing.T) {
 }
 var handler Interface = fakeHandler{admitAnnotations: admitAnnotations, handles: true}
 ctx := audit.WithAuditContext(context.Background())
- ac := audit.AuditContextFrom(ctx)
- ac.SetEventLevel(auditinternal.LevelMetadata)
 auditHandler := WithAudit(handler)
 a := attributes()
diff --git a/pkg/audit/context.go b/pkg/audit/context.go
index 538b3d956..5b93d594b 100644
--- a/pkg/audit/context.go
+++ b/pkg/audit/context.go
@@ -46,8 +46,6 @@ type AuditContext struct {
 // initialized indicates whether requestAuditConfig and sink have been populated and are safe to read unguarded.
 // This should only be set via Init().
 initialized atomic.Bool
- // initialize wraps setting requestAuditConfig and sink, and is only called via Init().
- initialize sync.Once
 // requestAuditConfig is the audit configuration that applies to the request.
 // This should only be written via Init(RequestAuditConfig, Sink), and only read when initialized.Load() is true.
 requestAuditConfig RequestAuditConfig
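Review bot: TestWithAuditConcurrency now exercises WithAudit against an AuditContext that is never initialized, because the SetEventLevel call is dropped without the Init replacement that TestWithAudit in the hunk above received. Whether annotations recorded on an uninitialized context are retained depends on Enabled() and the annotation setters, none of which are in this diff, so the test's intent is no longer visible from its body. If running uninitialized is deliberate, say so in the test, `// The audit context is intentionally left uninitialized: annotation recording must work before a policy level is known.`; otherwise initialize it the same way TestWithAudit does. The enclosing function continues beyond the hunk.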
@@ -81,16 +79,15 @@ func (ac *AuditContext) Enabled() bool {
 }
 func (ac *AuditContext) Init(requestAuditConfig RequestAuditConfig, sink Sink) error {
- initialized := false
- ac.initialize.Do(func() {
- ac.requestAuditConfig = requestAuditConfig
- ac.sink = sink
- ac.initialized.Store(true)
- initialized = true
- })
- if !initialized {
+ ac.lock.Lock()
+ defer ac.lock.Unlock()
+ if ac.initialized.Load() {
 return errors.New("audit context was already initialized")
 }
+ ac.requestAuditConfig = requestAuditConfig
+ ac.sink = sink
+ ac.event.Level = requestAuditConfig.Level
+ ac.initialized.Store(true)
 return nil
 }
@@ -198,12 +195,6 @@ func (ac *AuditContext) GetEventLevel() auditinternal.Level {
 return level
 }
-func (ac *AuditContext) SetEventLevel(level auditinternal.Level) {
- ac.visitEvent(func(event *auditinternal.Event) {
- event.Level = level
- })
-}
-
 func (ac *AuditContext) SetEventStage(stage auditinternal.Stage) {
 ac.visitEvent(func(event *auditinternal.Event) {
 event.Stage = stage
diff --git a/pkg/audit/request.go b/pkg/audit/request.go
index d8662e63f..60b69b0b2 100644
--- a/pkg/audit/request.go
+++ b/pkg/audit/request.go
@@ -40,7 +40,7 @@ const (
 userAgentTruncateSuffix = "...TRUNCATED"
 )
-func LogRequestMetadata(ctx context.Context, req *http.Request, requestReceivedTimestamp time.Time, level auditinternal.Level, attribs authorizer.Attributes) {
+func LogRequestMetadata(ctx context.Context, req *http.Request, requestReceivedTimestamp time.Time, attribs authorizer.Attributes) {
 ac := AuditContextFrom(ctx)
 if !ac.Enabled() {
 return
@@ -51,7 +51,6 @@ func LogRequestMetadata(ctx context.Context, req *http.Request, requestReceivedT
 ev.Verb = attribs.GetVerb()
 ev.RequestURI = req.URL.RequestURI()
 ev.UserAgent = maybeTruncateUserAgent(req)
- ev.Level = level
 ips := utilnet.SourceIPs(req)
 ev.SourceIPs = make([]string, len(ips))
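Review bot: Init is exported but carries no doc comment, and after this commit it is the only place the event's Level is ever set, since SetEventLevel is deleted further down in the same file; add `// Init records the request audit configuration and sink and copies the configured Level onto the event. It must be called at most once; later calls return an error and leave the stored configuration unchanged.` above the signature. The new `ac.event.Level = requestAuditConfig.Level` line writes the event directly rather than through visitEvent like the other setters do, which is only safe if visitEvent serializes on the same `ac.lock` — visitEvent is outside the hunk, so a why-comment such as `// direct write is safe: ac.lock is held, the same lock visitEvent takes` keeps that invariant visible. The already-initialized check now runs under the lock while Enabled() reads the flag unguarded; that is sound because initialized.Store(true) is the last write in the critical section, and the ordering is worth stating so a later edit does not move it.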
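Review bot: Removing the `level` parameter changes the signature of the exported LogRequestMetadata, which aggregated API servers built on this library can call directly; the commit offers no deprecation path, so the break should at least be called out in the release note, or a compatibility wrapper kept for one release. The function now relies on Init having already set the event Level: if Enabled() returns true for an uninitialized context (Enabled's body is not in the diff), the metadata event would be emitted with an empty Level, which the old explicit assignment could not produce. A doc comment pinning the precondition, `// LogRequestMetadata fills in request metadata on the audit event; the context's AuditContext must already have been initialized via Init, which sets the event Level.`, makes the new contract explicit. The body of LogRequestMetadata continues outside the second hunk.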
diff --git a/pkg/authentication/token/cache/cached_token_authenticator.go b/pkg/authentication/token/cache/cached_token_authenticator.go
index 1b448e5d8..9d1556e63 100644
--- a/pkg/authentication/token/cache/cached_token_authenticator.go
+++ b/pkg/authentication/token/cache/cached_token_authenticator.go
@@ -33,7 +33,6 @@ import (
 "golang.org/x/sync/singleflight"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
- auditinternal "k8s.io/apiserver/pkg/apis/audit"
 "k8s.io/apiserver/pkg/audit"
 "k8s.io/apiserver/pkg/authentication/authenticator"
 "k8s.io/apiserver/pkg/warning"
@@ -199,9 +198,6 @@ func (a *cachedTokenAuthenticator) doAuthenticateToken(ctx context.Context, toke
 ctx = audit.WithAuditContext(ctx)
 ac := audit.AuditContextFrom(ctx)
- // since this is shared work between multiple requests, we have no way of knowing if any
- // particular request supports audit annotations. thus we always attempt to record them.
- ac.SetEventLevel(auditinternal.LevelMetadata)
 record.resp, record.ok, record.err = a.authenticator.AuthenticateToken(ctx, token)
 record.annotations = ac.GetEventAnnotations()
diff --git a/pkg/authentication/token/cache/cached_token_authenticator_test.go b/pkg/authentication/token/cache/cached_token_authenticator_test.go
index c4902d808..7913575ce 100644
--- a/pkg/authentication/token/cache/cached_token_authenticator_test.go
+++ b/pkg/authentication/token/cache/cached_token_authenticator_test.go
@@ -35,7 +35,6 @@ import (
 utilrand "k8s.io/apimachinery/pkg/util/rand"
 "k8s.io/apimachinery/pkg/util/uuid"
- auditinternal "k8s.io/apiserver/pkg/apis/audit"
 "k8s.io/apiserver/pkg/audit"
 "k8s.io/apiserver/pkg/authentication/authenticator"
 "k8s.io/apiserver/pkg/authentication/user"
@@ -546,8 +545,6 @@ func (s *singleBenchmark) bench(b *testing.B) {
 // extraction.
 func withAudit(ctx context.Context) context.Context {
 ctx = audit.WithAuditContext(ctx)
- ac := audit.AuditContextFrom(ctx)
- ac.SetEventLevel(auditinternal.LevelMetadata)
 return ctx
 }
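Review bot: The deleted comment was the only record of why this singleflight-shared authentication work captured annotations unconditionally, and with the SetEventLevel call gone the record now harvests annotations from an AuditContext that is never initialized; nothing in the hunk shows whether GetEventAnnotations, or the setters the wrapped authenticator calls, still record on an uninitialized context. These annotations are the identity details that land in the audit entry of every request sharing the cached token, so a silent no-op here would drop audit data for authentication without any failure signal. Keep the rationale at the same spot, `// Shared across requests: the audit context is deliberately left uninitialized so every annotation is recorded regardless of any single request's level.`, and add a unit test in cached_token_authenticator_test.go that asserts record.annotations is non-empty when the wrapped authenticator annotates an uninitialized context. The rest of doAuthenticateToken lies outside the hunk.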
diff --git a/pkg/endpoints/filters/audit.go b/pkg/endpoints/filters/audit.go
index 5f992fd9c..d25bf35ae 100644
--- a/pkg/endpoints/filters/audit.go
+++ b/pkg/endpoints/filters/audit.go
@@ -142,7 +142,7 @@ func evaluatePolicyAndCreateAuditEvent(req *http.Request, policy audit.PolicyRul
 if !ok {
 requestReceivedTimestamp = time.Now()
 }
- audit.LogRequestMetadata(ctx, req, requestReceivedTimestamp, rac.Level, attribs)
+ audit.LogRequestMetadata(ctx, req, requestReceivedTimestamp, attribs)
 return ac, nil
 }
diff --git a/pkg/endpoints/handlers/delete_test.go b/pkg/endpoints/handlers/delete_test.go
index a317e43ab..e6c5082f4 100644
--- a/pkg/endpoints/handlers/delete_test.go
+++ b/pkg/endpoints/handlers/delete_test.go
@@ -34,7 +34,7 @@ import (
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/runtime/serializer"
 "k8s.io/apiserver/pkg/admission"
- auditapis "k8s.io/apiserver/pkg/apis/audit"
+ auditinternal "k8s.io/apiserver/pkg/apis/audit"
 "k8s.io/apiserver/pkg/audit"
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
@@ -74,7 +74,9 @@ func TestDeleteResourceAuditLogRequestObject(t *testing.T) {
 ctx := audit.WithAuditContext(context.TODO())
 ac := audit.AuditContextFrom(ctx)
- ac.SetEventLevel(auditapis.LevelRequestResponse)
+ if err := ac.Init(audit.RequestAuditConfig{Level: auditinternal.LevelRequestResponse}, nil); err != nil {
+ t.Fatal(err)
+ }
 policy := metav1.DeletePropagationBackground
 deleteOption := &metav1.DeleteOptions{
diff --git a/pkg/util/x509metrics/server_cert_deprecations_test.go b/pkg/util/x509metrics/server_cert_deprecations_test.go
index d9d16c4c8..eaa17bcf8 100644
--- a/pkg/util/x509metrics/server_cert_deprecations_test.go
+++ b/pkg/util/x509metrics/server_cert_deprecations_test.go
@@ -30,7 +30,6 @@ import (
 "testing"
 "github.com/stretchr/testify/require"
- auditapi "k8s.io/apiserver/pkg/apis/audit"
 "k8s.io/apiserver/pkg/audit"
 "k8s.io/component-base/metrics"
 "k8s.io/component-base/metrics/testutil"
@@ -247,7 +246,6 @@ func TestCheckForHostnameError(t *testing.T) {
 }
 req = req.WithContext(audit.WithAuditContext(req.Context()))
 auditCtx := audit.AuditContextFrom(req.Context())
- auditCtx.SetEventLevel(auditapi.LevelMetadata)
 _, err = client.Transport.RoundTrip(req)
@@ -390,7 +388,6 @@ func TestCheckForInsecureAlgorithmError(t *testing.T) {
 }
 req = req.WithContext(audit.WithAuditContext(req.Context()))
 auditCtx := audit.AuditContextFrom(req.Context())
- auditCtx.SetEventLevel(auditapi.LevelMetadata)
 // can't use tlsServer.Client() as it contains the server certificate
 // in tls.Config.Certificates. The signatures are, however, only checked