diff --git a/authorize/evaluator/custom.go b/authorize/evaluator/custom.go
index 17f99caec..bd9ba1fd9 100644
--- a/authorize/evaluator/custom.go
+++ b/authorize/evaluator/custom.go
@@ -8,6 +8,8 @@ import (
 
 "github.com/open-policy-agent/opa/rego"
 "github.com/open-policy-agent/opa/storage"
+
+ "github.com/pomerium/pomerium/internal/telemetry/trace"
 )
 
 // A CustomEvaluatorRequest is the data needed to evaluate a custom rego policy.
@@ -42,6 +44,9 @@ func NewCustomEvaluator(store storage.Store) *CustomEvaluator {
 
 // Evaluate evaluates the custom rego policy.
 func (ce *CustomEvaluator) Evaluate(ctx context.Context, req *CustomEvaluatorRequest) (*CustomEvaluatorResponse, error) {
+ _, span := trace.StartSpan(ctx, "authorize.evaluator.custom.Evaluate")
+ defer span.End()
+
 q, err := ce.getPreparedEvalQuery(ctx, req.RegoPolicy)
 if err != nil {
 return nil, err
diff --git a/internal/databroker/config_source.go b/internal/databroker/config_source.go
index 0b49ba0b9..dacc92563 100644
--- a/internal/databroker/config_source.go
+++ b/internal/databroker/config_source.go
@@ -12,6 +12,7 @@ import (
 
 "github.com/pomerium/pomerium/config"
 "github.com/pomerium/pomerium/internal/log"
+ "github.com/pomerium/pomerium/internal/telemetry/trace"
 "github.com/pomerium/pomerium/pkg/grpc"
 configpb "github.com/pomerium/pomerium/pkg/grpc/config"
 "github.com/pomerium/pomerium/pkg/grpc/databroker"
@@ -70,6 +71,9 @@ func (src *ConfigSource) GetConfig() *config.Config {
 }
 
 func (src *ConfigSource) rebuild(firstTime bool) {
+ _, span := trace.StartSpan(context.Background(), "databroker.config_source.rebuild")
+ defer span.End()
+
 src.mu.Lock()
 defer src.mu.Unlock()
 
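Review bot: The context returned by `trace.StartSpan` is discarded in `Evaluate`, so `ce.getPreparedEvalQuery(ctx, req.RegoPolicy)` and everything after it still run under the parent context, and any spans they open will be siblings of `authorize.evaluator.custom.Evaluate` rather than children. Binding it, `ctx, span := trace.StartSpan(ctx, "authorize.evaluator.custom.Evaluate")`, keeps policy-evaluation latency attributed to this span when the authorization path is traced. The same discard appears in the `rebuild` hunk of internal/databroker/config_source.go, where the span is rooted at `context.Background()` and opened before `src.mu.Lock()`, so its duration also includes time spent waiting for the mutex. Evaluate's body continues outside the hunk.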
@@ -83,10 +87,18 @@ func (src *ConfigSource) rebuild(firstTime bool) {
 seen[policy.RouteID()] = struct{}{}
 }
 
+ var additionalPolicies []config.Policy
+
 // add all the config policies to the list
 for _, cfgpb := range src.dbConfigs {
 cfg.Options.ApplySettings(cfgpb.Settings)
 
+ err := cfg.Options.Validate()
+ if err != nil {
+ log.Warn().Err(err).Msg("databroker: invalid config detected, ignoring")
+ return
+ }
+
 for _, routepb := range cfgpb.GetRoutes() {
 policy, err := config.NewPolicyFromProto(routepb)
 if err != nil {
@@ -112,16 +124,13 @@ func (src *ConfigSource) rebuild(firstTime bool) {
 }
 seen[routeID] = struct{}{}
 
- cfg.Options.Policies = append(cfg.Options.Policies, *policy)
- }
-
- err := cfg.Options.Validate()
- if err != nil {
- log.Warn().Err(err).Msg("databroker: invalid config detected, ignoring")
- return
+ additionalPolicies = append(additionalPolicies, *policy)
 }
 }
 
+ // add the additional policies here since calling `Validate` will reset them.
+ cfg.Options.Policies = append(cfg.Options.Policies, additionalPolicies...)
+
 src.computedConfig = cfg
 if !firstTime {
 src.Trigger(cfg)
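Review bot: The `return` after a failed `cfg.Options.Validate()` sits inside the `src.dbConfigs` loop, so one invalid settings record aborts the whole rebuild before `src.computedConfig = cfg` is reached and the previously computed config stays in force. For an access proxy that means a later databroker change that removes or tightens a route is not applied while the bad record exists, and the warning does not say which record was rejected. I would add an identifier for the offending record to the log event and document the behaviour above the check, e.g. `// an invalid settings record aborts the rebuild; the previous config stays active`. The loop body continues outside the hunk.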
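Review bot: The routes collected in `additionalPolicies` are appended to `cfg.Options.Policies` after the last `cfg.Options.Validate()` call, so the merged policy list stored in `src.computedConfig` and passed to `src.Trigger` is never validated as a whole. Whether each databroker route is checked individually depends on the loop lines between the two hunks, which are not visible here; if they are not, a per-policy validation before the append to `additionalPolicies` would close the gap. The new comment should state that consequence as well, e.g. `// Options.Validate resets Options.Policies, so databroker routes are appended only after the last Validate call and are not covered by it.` The enclosing `rebuild` function starts and ends outside this hunk.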