diff --git a/pkg/webhook/immutable_fields_validator.go b/pkg/webhook/immutable_fields_validator.go
index 2f87d41772..94d3376358 100644
--- a/pkg/webhook/immutable_fields_validator.go
+++ b/pkg/webhook/immutable_fields_validator.go
@@ -122,9 +122,6 @@ func (a *immutableFieldsValidatorHandler) Handle(_ context.Context, req admissio
 return validateImmutableFieldsForLoggingLogMetricResource(oldSpec, spec)
 case schema.GroupKind{Group: "gkehub.cnrm.cloud.google.com", Kind: "GKEHubFeatureMembership"}:
 return validateImmutableFieldsForGKEHubFeatureMembershipResource(oldSpec, spec)
- case schema.GroupKind{Group: "privilegedaccessmanager.cnrm.cloud.google.com", Kind: "PrivilegedAccessManagerEntitlement"}:
- // TODO: The immutability checks for direct resources should be managed under each resource package.
- return allowedResponse
 }
 if dclmetadata.IsDCLBasedResourceKind(obj.GroupVersionKind(), a.serviceMetadataLoader) {
@@ -297,6 +294,9 @@ func validateImmutableFieldsForTFBasedResource(obj, oldObj *unstructured.Unstruc
 return admission.Errored(http.StatusBadRequest,
 fmt.Errorf("couldn't get ResourceConfig for kind %v: %w", obj.GetKind(), err))
 }
+ if rc.Direct && rc.Name != "google_sql_database_instance" {
+ return allowedResponse
+ }
 if err := validateContainerAnnotationsForResource(obj.GetKind(), obj.GetAnnotations(), oldObj.GetAnnotations(), rc.Containers, rc.HierarchicalReferences); err != nil {
 return admission.Errored(http.StatusBadRequest,