diff --git a/authority/config.go b/authority/config.go
index e70eba48..b12d1da5 100644
--- a/authority/config.go
+++ b/authority/config.go
@@ -81,6 +81,17 @@ func (c *AuthConfig) Validate(audiences provisioner.Audiences) error {
 return errors.New("authority.provisioners cannot be empty")
 }
 
+ // Check that only one K8sSA is enabled
+ var k8sCount int
+ for _, p := range c.Provisioners {
+ if p.GetType() == provisioner.TypeK8sSA {
+ k8sCount++
+ }
+ }
+ if k8sCount > 1 {
+ return errors.New("cannot have more than one kubernetes service account provisioner")
+ }
+
 if c.Template == nil {
 c.Template = &x509util.ASN1DN{}
 }
diff --git a/authority/provisioner/k8sSA.go b/authority/provisioner/k8sSA.go
index 63f16205..0c90552c 100644
--- a/authority/provisioner/k8sSA.go
+++ b/authority/provisioner/k8sSA.go
@@ -25,9 +25,6 @@ const (
 k8sSAIssuer = "kubernetes/serviceaccount"
 )
 
-// This number must <= 1. We'll verify this in Init() below.
-var numK8sSAProvisioners = 0
-
 // jwtPayload extends jwt.Claims with step attributes.
 type k8sSAPayload struct {
 jose.Claims
@@ -85,8 +82,6 @@ func (p *K8sSA) Init(config Config) (err error) {
 return errors.New("provisioner type cannot be empty")
 case p.Name == "":
 return errors.New("provisioner name cannot be empty")
- case numK8sSAProvisioners >= 1:
- return errors.New("cannot have more than one kubernetes service account provisioner")
 }
 
 if p.PubKeys != nil {
@@ -134,7 +129,6 @@ func (p *K8sSA) Init(config Config) (err error) {
 }
 
 p.audiences = config.Audiences
- numK8sSAProvisioners++
 
 return err
 }
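Review bot: The new comment `// Check that only one K8sSA is enabled` in Validate says what the loop does but not why the limit exists, and the removed package comment in k8sSA.go did not say either, so the next maintainer who wants a second K8sSA provisioner has nothing to go on. The k8sSA.go hunk shows the issuer is the fixed constant `kubernetes/serviceaccount`, which suggests the real reason is that service-account tokens carry nothing that identifies which provisioner they belong to — confirm that and state it, e.g. `// Only one K8sSA provisioner may be configured: service-account tokens use the fixed issuer kubernetes/serviceaccount and carry no per-provisioner identifier, so two such provisioners could not be told apart when a token is authorized.` Note also that the invariant now lives only in AuthConfig.Validate, since K8sSA.Init no longer checks it, so any path that initializes provisioners without going through Validate (tests, alternative loaders) would silently accept duplicates; worth confirming Validate is on every load path, though it does fix the old package-level counter never being reset across reloads. The loop counts configured provisioners, not enabled ones, so `configured` is the more accurate word in the comment. Validate starts and ends outside the hunk.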