diff --git a/backend/internal/bootstrap/sync_admin.go b/backend/internal/bootstrap/sync_admin.go
new file mode 100644
index 00000000..129f91f5
--- /dev/null
+++ b/backend/internal/bootstrap/sync_admin.go
@@ -0,0 +1,77 @@
+package bootstrap
+
+import (
+	"baron-sso-backend/internal/domain"
+	"log/slog"
+	"os"
+	"strings"
+	"time"
+
+	"gorm.io/gorm"
+)
+
+// SyncAdminRole updates the role of the admin user in the local DB.
+// It ensures the admin user exists in the local DB with the correct Kratos ID.
+func SyncAdminRole(db *gorm.DB, kratosID string) error {
+	adminEmail := strings.TrimSpace(os.Getenv("ADMIN_EMAIL"))
+	if adminEmail == "" {
+		slog.Warn("[Bootstrap] ADMIN_EMAIL not set. Skipping admin role sync.")
+		return nil
+	}
+
+	adminName := strings.TrimSpace(os.Getenv("ADMIN_NAME"))
+	if adminName == "" {
+		adminName = "System Admin"
+	}
+
+	// Find user by email
+	var user domain.User
+	if err := db.Where("email = ?", adminEmail).First(&user).Error; err != nil {
+		if err == gorm.ErrRecordNotFound {
+			if kratosID == "" {
+				slog.Warn("[Bootstrap] Admin user not found in local DB and Kratos ID is missing. Cannot create local user.", "email", adminEmail)
+				return nil
+			}
+
+			// Create new admin user in local DB
+			newUser := domain.User{
+				ID:        kratosID,
+				Email:     adminEmail,
+				Name:      adminName,
+				Role:      domain.RoleSuperAdmin,
+				Status:    "active",
+				CreatedAt: time.Now(),
+				UpdatedAt: time.Now(),
+				Metadata:  domain.JSONMap{"source": "bootstrap_seed"},
+			}
+			if err := db.Create(&newUser).Error; err != nil {
+				return err
+			}
+			slog.Info("[Bootstrap] Created admin user in local DB", "email", adminEmail, "id", kratosID)
+			return nil
+		}
+		return err
+	}
+
+	// Update role if needed
+	updates := map[string]interface{}{}
+	if user.Role != domain.RoleSuperAdmin {
+		updates["role"] = domain.RoleSuperAdmin
+	}
+	// Also ensure ID matches if it was somehow different (though changing PK is hard, at least log it)
+	if kratosID != "" && user.ID != kratosID {
+		slog.Warn("[Bootstrap] Admin user exists but ID mismatch with Kratos", "local_id", user.ID, "kratos_id", kratosID)
+		// We generally don't change UUID PKs, just warn.
+	}
+
+	if len(updates) > 0 {
+		if err := db.Model(&user).Updates(updates).Error; err != nil {
+			return err
+		}
+		slog.Info("[Bootstrap] Updated admin user role to super_admin", "email", adminEmail)
+	} else {
+		slog.Info("[Bootstrap] Admin user already has super_admin role", "email", adminEmail)
+	}
+
+	return nil
+}