diff --git a/ddtrace/appsec/track_user_sdk.py b/ddtrace/appsec/track_user_sdk.py
index c42ef5ea1bf..cff592984d6 100644
--- a/ddtrace/appsec/track_user_sdk.py
+++ b/ddtrace/appsec/track_user_sdk.py
@@ -74,10 +74,10 @@ def track_user(
 if login:
 span.set_tag_str(_constants.APPSEC.USER_LOGIN_USERNAME, str(login))
 meta = metadata or {}
- usr_name = meta.get("name") or meta.get("usr.name")
- usr_email = meta.get("email") or meta.get("usr.email")
- usr_scope = meta.get("scope") or meta.get("usr.scope")
- usr_role = meta.get("role") or meta.get("usr.role")
+ usr_name = meta.pop("name", None) or meta.pop("usr.name", None)
+ usr_email = meta.pop("email", None) or meta.pop("usr.email", None)
+ usr_scope = meta.pop("scope", None) or meta.pop("usr.scope", None)
+ usr_role = meta.pop("role", None) or meta.pop("usr.role", None)
 _trace_utils.set_user(
 None,
 user_id,
@@ -88,8 +88,8 @@ def track_user(
 session_id=session_id,
 may_block=False,
 )
- if metadata:
- _trace_utils.track_custom_event(None, "auth_sdk", metadata=metadata)
+ if meta:
+ _trace_utils.track_custom_event(None, "auth_sdk", metadata=meta)
 span.set_tag_str(_constants.APPSEC.AUTO_LOGIN_EVENTS_COLLECTION_MODE, _constants.LOGIN_EVENTS_MODE.SDK)
 if _asm_request_context.in_asm_context():
 custom_data = {
diff --git a/releasenotes/notes/ato_sdk2_track_user_fix_no_keep-b6b5206a81da6b36.yaml b/releasenotes/notes/ato_sdk2_track_user_fix_no_keep-b6b5206a81da6b36.yaml
new file mode 100644
index 00000000000..09bb5be4f86
--- /dev/null
+++ b/releasenotes/notes/ato_sdk2_track_user_fix_no_keep-b6b5206a81da6b36.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - |
+ AAP: This fix resolves an issue where track_user was generating additional unexpected security activity for customers.
diff --git a/tests/appsec/appsec/test_appsec_trace_utils.py b/tests/appsec/appsec/test_appsec_trace_utils.py
index 09f3ebb8ac1..49822c9a4f4 100644
--- a/tests/appsec/appsec/test_appsec_trace_utils.py
+++ b/tests/appsec/appsec/test_appsec_trace_utils.py
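Review bot: `meta = metadata or {}` aliases the caller's dict, so the new `meta.pop(...)` lines strip name/email/scope/role out of the `metadata` argument the caller passed in, and a caller that reuses that dict (calling `track_user` again, or logging it afterwards) silently loses those keys. Copying first, `meta = dict(metadata) if metadata else {}`, keeps the pop-based filtering while leaving the argument untouched. The `or` also short-circuits: when `"name"` is present and truthy, `"usr.name"` is never popped and is still forwarded to `track_custom_event` by the hunk at `@@ -88`, which is exactly the extra activity this commit sets out to remove, so both spellings should be popped before one is chosen. The body of `track_user` begins and ends outside this hunk.
```python
        meta = dict(metadata) if metadata else {}

        def _take(*keys):
            # Pop every spelling so none of them survives into the custom event;
            # first truthy value wins, else the last one (same result as the `or` chain).
            values = [meta.pop(key, None) for key in keys]
            return next((value for value in values if value), values[-1])

        usr_name = _take("name", "usr.name")
        usr_email = _take("email", "usr.email")
        usr_scope = _take("scope", "usr.scope")
        usr_role = _take("role", "usr.role")
        # … unchanged: _trace_utils.set_user(...) call …
```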
@@ -261,16 +261,16 @@ def test_set_user_blocked(self):
 role="usr.role",
 scope="usr.scope",
 )
- assert span.get_tag(user.ID)
- assert span.get_tag(user.EMAIL)
- assert span.get_tag(user.SESSION_ID)
- assert span.get_tag(user.NAME)
- assert span.get_tag(user.ROLE)
- assert span.get_tag(user.SCOPE)
- assert span.get_tag(user.SESSION_ID)
- assert span.get_tag(APPSEC.AUTO_LOGIN_EVENTS_COLLECTION_MODE) == LOGIN_EVENTS_MODE.SDK
- assert span.get_tag("usr.id") == str(self._BLOCKED_USER)
- assert is_blocked(span)
+ assert span.get_tag(user.ID)
+ assert span.get_tag(user.EMAIL)
+ assert span.get_tag(user.SESSION_ID)
+ assert span.get_tag(user.NAME)
+ assert span.get_tag(user.ROLE)
+ assert span.get_tag(user.SCOPE)
+ assert span.get_tag(user.SESSION_ID)
+ assert span.get_tag(APPSEC.AUTO_LOGIN_EVENTS_COLLECTION_MODE) == LOGIN_EVENTS_MODE.SDK
+ assert span.get_tag("usr.id") == str(self._BLOCKED_USER)
+ assert is_blocked(span)
 
 def test_track_user_blocked(self):
 with asm_context(tracer=self.tracer, span_name="fake_span", config=config_good_rules) as span:
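Review bot: `assert span.get_tag(user.SESSION_ID)` appears twice in the re-added assertion list (third and seventh `+` lines), and the same duplicate is carried into the `test_track_user_blocked` hunk at `@@ -281`; dropping the second copy in both keeps the checklist to one tag per line. The de-indent moves the assertions out of the `with asm_context(...)` block, so they now run after the span has been finished — presumably intended so the tags are final, but a one-line comment such as `# span is finished here, so every tag is final` above the first assert would record that for the next reader. `test_set_user_blocked` begins outside this hunk.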
@@ -281,21 +281,22 @@ def test_track_user_blocked(self):
 metadata={
 "email": "usr.email",
 "name": "usr.name",
- "session_id": "usr.session_id",
 "role": "usr.role",
 "scope": "usr.scope",
 },
 )
- assert span.get_tag(user.ID)
- assert span.get_tag(user.EMAIL)
- assert span.get_tag(user.SESSION_ID)
- assert span.get_tag(user.NAME)
- assert span.get_tag(user.ROLE)
- assert span.get_tag(user.SCOPE)
- assert span.get_tag(user.SESSION_ID)
- assert span.get_tag(APPSEC.AUTO_LOGIN_EVENTS_COLLECTION_MODE) == LOGIN_EVENTS_MODE.SDK
- assert span.get_tag("usr.id") == str(self._BLOCKED_USER)
- assert is_blocked(span)
+ assert span.get_tag(user.ID)
+ assert span.get_tag(user.EMAIL)
+ assert span.get_tag(user.SESSION_ID)
+ assert span.get_tag(user.NAME)
+ assert span.get_tag(user.ROLE)
+ assert span.get_tag(user.SCOPE)
+ assert span.get_tag(user.SESSION_ID)
+ assert span.get_tag(APPSEC.AUTO_LOGIN_EVENTS_COLLECTION_MODE) == LOGIN_EVENTS_MODE.SDK
+ # assert metadata tags are not set for usual data
+ assert span.get_tag("appsec.events.auth_sdk.track") is None
+ assert span.get_tag("usr.id") == str(self._BLOCKED_USER)
+ assert is_blocked(span)
 
 def test_no_span_doesnt_raise(self):
 from ddtrace.trace import tracer
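Review bot: The new `assert span.get_tag("appsec.events.auth_sdk.track") is None` pins only the negative case — user fields alone no longer raise an auth_sdk event — while nothing here checks that a non-user key in `metadata` is still forwarded as a custom event, so a filter that drops everything would pass this test unchanged. A sibling case passing one extra key (for example `"custom": "value"`, a constructed sample) and asserting the auth_sdk tags are present would close that gap. Removing `"session_id"` from `metadata` while still asserting `span.get_tag(user.SESSION_ID)` implies the session id now arrives through another argument of the `track_user` call, which begins outside this hunk — worth confirming that is the intent rather than a tag left over from an earlier call in the same span. The inline comment could state the contract more precisely: `# user fields alone must not raise an auth_sdk custom event`.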