diff --git a/changelog/13318.txt b/changelog/13318.txt
new file mode 100644
index 0000000000..79ddb15ec9
--- /dev/null
+++ b/changelog/13318.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+identity: Fix possible nil pointer dereference.
+```
diff --git a/vault/identity_store.go b/vault/identity_store.go
index 7f93431604..f948771fc5 100644
--- a/vault/identity_store.go
+++ b/vault/identity_store.go
@@ -250,8 +250,9 @@ func (i *IdentityStore) Invalidate(ctx context.Context, key string) {
 		// storage entry is non-nil, its an indication of an update. In this
 		// case, entities in the updated bucket needs to be reinserted into
 		// MemDB.
-		entityIDs := make([]string, 0, len(bucket.Items))
+		var entityIDs []string
 		if bucket != nil {
+			entityIDs = make([]string, 0, len(bucket.Items))
 			for _, item := range bucket.Items {
 				entity, err := i.parseEntityFromBucketItem(ctx, item)
 				if err != nil {