SecurityContext is often stored in a ThreadLocal. When you switch threads (async/executor), the new thread may not have that context, so auth info is missing. You must propagate context explicitly or use supported async security integration.