diff --git a/changelog/8141-domain-validation-default-enabled.yaml b/changelog/8141-domain-validation-default-enabled.yaml
new file mode 100644
index 00000000000..c61f91b866f
--- /dev/null
+++ b/changelog/8141-domain-validation-default-enabled.yaml
@@ -0,0 +1,4 @@
+type: Changed
+description: Default enforcement level for domain validation (`FIDES__SECURITY__DOMAIN_VALIDATION_MODE`) changed from `monitor` to `enabled`. Disallowed domains will now be blocked instead of only logged.
+pr: 8141
+labels: ["high-risk"]
diff --git a/src/fides/api/util/domain_util.py b/src/fides/api/util/domain_util.py
index 86e540eb813..57dd8f7808a 100644
--- a/src/fides/api/util/domain_util.py
+++ b/src/fides/api/util/domain_util.py
@@ -44,7 +44,7 @@ def validate_value_against_allowed_list(
 value: str,
 allowed_values: List[str],
 param_name: str,
- mode: DomainValidationMode = DomainValidationMode.monitor,
+ mode: DomainValidationMode = DomainValidationMode.enabled,
 ) -> None:
 """
 Validate that a value matches at least one of the allowed patterns.
diff --git a/src/fides/config/security_settings.py b/src/fides/config/security_settings.py
index 4fd0ec2c09d..a7b4310d432 100644
--- a/src/fides/config/security_settings.py
+++ b/src/fides/config/security_settings.py
@@ -161,7 +161,7 @@ class SecuritySettings(FidesSettings):
 description="The number of seconds that a pre-signed download URL when using S3 storage will be valid. The default is equal to 5 days.",
 )
 domain_validation_mode: DomainValidationMode = Field(
- default=DomainValidationMode.monitor,
+ default=DomainValidationMode.enabled,
 description="Controls domain validation for SaaS connector params globally. "
 "'enabled' enforces validation and blocks disallowed domains. "
 "'monitor' validates but only logs warnings instead of blocking. "
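Review bot: The signature default for `mode` in `validate_value_against_allowed_list` (domain_util.py hunk) now repeats the `domain_validation_mode` default in `SecuritySettings` (security_settings.py hunk), so two places decide the enforcement level. A call site that omits `mode` will block disallowed domains even when an operator has set `FIDES__SECURITY__DOMAIN_VALIDATION_MODE` to `monitor`; the callers are not visible in this diff, so this is worth checking before merge. Consider dropping the default so every caller has to pass the configured value, `mode: DomainValidationMode,`, or at least mark the coupling with `# Keep in sync with SecuritySettings.domain_validation_mode` on the parameter. The function body and docstring continue outside the hunk; the docstring should say which mode applies when `mode` is omitted and what the caller sees for a disallowed value in `enabled` mode.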