datum-cloud · joggrbot · Mar 27, 2026
diff --git a/test/iam/user-deletion-garbage-collection/README.md b/test/iam/user-deletion-garbage-collection/README.md
@@ -1,10 +1,7 @@
 # Test: `user-deletion-garbage-collection`
 
 Validates that User resource deletion properly triggers garbage collection of associated
-PolicyBinding and UserPreference resources. This test ensures the webhook creates resources
-with correct owner references and the controller adds them post-creation, allowing
-Kubernetes garbage collector to clean them up when the User is deleted.
-
+PolicyBinding and UserPreference resources. Additionally, as of the current controller logic, the UserController now adds a `iam.miloapis.com/user-membership-cleanup` finalizer to every User. When the User is deleted, the controller explicitly finds and deletes all OrganizationMembership resources referencing that User before completing User deletion. This ensures all related OrganizationMemberships are removed alongside the User, instead of relying solely on Kubernetes garbage collection via owner references.
 
 ## Steps
 
@@ -29,7 +26,10 @@ Create a User resource and verify webhook creates associated resources
 
 ### Step: `delete-user`
 
-Delete the User resource and verify associated resources are garbage collected
+Delete the User resource and verify associated resources are garbage collected or explicitly deleted by the controller
+
+- When the User resource is deleted, the UserController first removes all referenced OrganizationMembership resources via the `user-membership-cleanup` finalizer.
+- PolicyBinding and UserPreference resources with ownerReferences pointing to the User are cleaned up by Kubernetes garbage collection as before.
 
 #### Try
 
@@ -42,4 +42,3 @@ Delete the User resource and verify associated resources are garbage collected
 | 5 | `error` | 0 | 0 | *No description* |
 
 ---
-