diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go
index 7d7fc718fa..2eee764569 100644
--- a/internal/gcs-sidecar/handlers.go
+++ b/internal/gcs-sidecar/handlers.go
@@ -104,11 +104,13 @@ func (b *Bridge) createContainer(req *request) (err error) {
 log.G(ctx).Tracef("Container exists in the map.")
 return err
 }
- defer func(err error) {
+ defer func() {
 if err != nil {
- b.hostState.RemoveContainer(ctx, containerID)
+ if removeErr := b.hostState.RemoveContainer(ctx, containerID); removeErr != nil {
+ log.G(ctx).WithError(removeErr).Errorf("Failed to remove container: %v", containerID)
+ }
 }
- }(err)
+ }()
 
 if oci.ParseAnnotationsBool(ctx, spec.Annotations, annotations.WCOWSecurityPolicyEnv, true) {
 if err := b.hostState.securityOptions.WriteSecurityContextDir(&spec); err != nil {
@@ -459,13 +461,11 @@ func (b *Bridge) deleteContainerState(req *request) (err error) {
 if err := commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil {
 return fmt.Errorf("failed to unmarshal deleteContainerState: %w", err)
 }
- _, err = b.hostState.GetCreatedContainer(req.ctx, r.ContainerID)
+ err = b.hostState.RemoveContainer(req.ctx, r.ContainerID)
 if err != nil {
 log.G(req.ctx).Tracef("Container not found during deleteContainerState: %v", r.ContainerID)
 return fmt.Errorf("container not found: %w", err)
 }
- // remove container state regardless of delete's success
- defer b.hostState.RemoveContainer(req.ctx, r.ContainerID)
 
 b.forwardRequestToGcs(req)
 return nil
diff --git a/internal/gcs-sidecar/host.go b/internal/gcs-sidecar/host.go
index c051682f3a..2c73f34ff3 100644
--- a/internal/gcs-sidecar/host.go
+++ b/internal/gcs-sidecar/host.go
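Review bot: The rollback defer in createContainer depends on every failure exit flowing out through the named result `err`, and nothing at the defer says so; the very next line `if err := b.hostState.securityOptions.WriteSecurityContextDir(&spec); err != nil {` shadows that name, which is safe only because the branch returns. A later edit that assigns a shadowed `err` and then returns some other value would skip the RemoveContainer rollback silently. A one-line comment above the defer would protect the next editor: `// Rollback reads the named result err; an inner err := shadow is only safe when that branch returns.` createContainer's body continues past the hunk, so the remaining exit paths are not visible here.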
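Review bot: The new ordering in deleteContainerState — sidecar tracking dropped before the delete is forwarded — has no comment explaining why, and the old comment `// remove container state regardless of delete's success` was deleted rather than updated. The ordering matters: if `b.forwardRequestToGcs(req)` can fail (its result is not checked here and its signature is outside the hunk), a host retry of the delete is answered with `container not found` by the sidecar while GCS may still hold the container, so the choice should be stated as deliberate, e.g. `// Sidecar state is dropped before forwarding so a repeated delete, or any later request for this ID, is rejected here regardless of what GCS reports.` The log line `Container not found during deleteContainerState` and the `container not found: %w` wrapper are accurate only because the not-found HRESULT is RemoveContainer's sole error in the host.go hunk; if RemoveContainer gains other failure modes both will mislead.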
@@ -75,17 +75,18 @@ func (h *Host) AddContainer(ctx context.Context, id string, c *Container) error
 return nil
 }
 
-func (h *Host) RemoveContainer(ctx context.Context, id string) {
+func (h *Host) RemoveContainer(ctx context.Context, id string) error {
 h.containersMutex.Lock()
 defer h.containersMutex.Unlock()
 _, ok := h.containers[id]
 if !ok {
 log.G(ctx).Tracef("RemoveContainer: Container not found: ID: %v", id)
- return
+ return gcserr.NewHresultError(gcserr.HrVmcomputeSystemNotFound)
 }
 delete(h.containers, id)
+ return nil
 }
 
 func (h *Host) GetCreatedContainer(ctx context.Context, id string) (*Container, error) {
diff --git a/pkg/securitypolicy/securitypolicy_options.go b/pkg/securitypolicy/securitypolicy_options.go
index dbebb58239..35dd755367 100644
--- a/pkg/securitypolicy/securitypolicy_options.go
+++ b/pkg/securitypolicy/securitypolicy_options.go
@@ -86,7 +86,7 @@ func (s *SecurityOptions) SetConfidentialOptions(ctx context.Context, enforcerTy
 // The other point is on startup where we take a flag to set the default
 // policy enforcer to use before a policy arrives. After that flag is set,
 // we use the enforcer in question to set up logging as well.
- if err = s.PolicyEnforcer.EnforceRuntimeLoggingPolicy(ctx); err == nil {
+ if err = p.EnforceRuntimeLoggingPolicy(ctx); err == nil {
 logrus.SetOutput(s.logWriter)
 } else {
 logrus.SetOutput(io.Discard)
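Review bot: RemoveContainer is exported and now has an error in its contract, but no doc comment says when it fails; add above the signature `// RemoveContainer drops id from the host's container map. It returns an HrVmcomputeSystemNotFound HRESULT error when no container with that id is tracked.` The `log.G(ctx).Tracef("RemoveContainer: Container not found: ID: %v", id)` line now records the same condition the caller receives as the error, and the createContainer hunk logs it again at error level, so the trace line is redundant and could be dropped to keep one log per failure. Since not-found is the only error path, callers that still ignore the return value keep the previous behaviour.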
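Review bot: The comment block above the changed `if` still says "the enforcer in question" while the code now consults `p` instead of `s.PolicyEnforcer`, and `p`'s declaration is outside the hunk, so a reader cannot tell whether `s.PolicyEnforcer` has already been replaced by `p` here or still holds the previous enforcer. If `p` is the enforcer being installed and the field is updated later in SetConfidentialOptions (not visible in this hunk), say so on the line: `// Query p, the enforcer being installed, rather than s.PolicyEnforcer, which may still be the previous one.` If instead the field is already `p` at this point, the comment should say the two are equivalent so the next reader does not suspect a missed assignment.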