diff --git a/pkg/development/validation.go b/pkg/development/validation.go
index fd45c8c602..6eaa1641a9 100644
--- a/pkg/development/validation.go
+++ b/pkg/development/validation.go
@@ -144,6 +144,10 @@ func validateSubjects(onrKey blocks.ObjectRelation, fs developmentmembership.Fou
 if isWildcard {
 expectedExcludedStrings := toExpectedRelationshipsStrings(expectedExcludedSubjects)
 foundExcludedONRStrings := toFoundRelationshipsStrings(foundExcludedSubjects)
+
+ sort.Strings(expectedExcludedStrings)
+ sort.Strings(foundExcludedONRStrings)
+
+ if !cmp.Equal(expectedExcludedStrings, foundExcludedONRStrings) {
 failures = append(failures, &devinterface.DeveloperError{
 Message: fmt.Sprintf("For object and permission/relation `%s`, found different excluded subjects for subject `%s`: Specified: `%s`, Computed: `%s`",
diff --git a/pkg/development/wasm/operations_test.go b/pkg/development/wasm/operations_test.go
index de010f3bcc..7d0a5d6ed3 100644
--- a/pkg/development/wasm/operations_test.go
+++ b/pkg/development/wasm/operations_test.go
@@ -962,6 +962,34 @@ assertFalse:
 false,
 `document:somedoc#view:
 - '[user:* - {user:jimmy}] is '
+`,
+ },
+ {
+ "wildcard multiple exclusion",
+ `
+ definition user {}
+ definition document {
+ relation banned: user
+ relation viewer: user | user:*
+ permission view = viewer - banned
+ }
+ `,
+ []*core.RelationTuple{
+ tuple.MustParse("document:somedoc#banned@user:jimmy"),
+ tuple.MustParse("document:somedoc#banned@user:fred"),
+ tuple.MustParse("document:somedoc#viewer@user:*"),
+ },
+ `"document:somedoc#view":
+- "[user:* - {user:fred, user:jimmy}] is "`,
+ `assertTrue:
+- document:somedoc#view@user:somegal
+assertFalse:
+- document:somedoc#view@user:jimmy
+- document:somedoc#view@user:fred`,
+ nil,
+ false,
+ `document:somedoc#view:
+- '[user:* - {user:fred, user:jimmy}] is '
 `,
 },
 {
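Review bot: The two `sort.Strings` calls added in the wildcard branch of `validateSubjects` (pkg/development/validation.go) carry no comment saying why they are there, so a later cleanup could drop them as redundant and bring back order-dependent failures on exclusion checks. I would put `// Excluded subjects are a set: sort both sides so the cmp.Equal below is order-insensitive.` above them. The sort is in place, so if the `Specified`/`Computed` values in the error message are built from these same slices (the Sprintf arguments are outside the hunk), they will now print in sorted order rather than as the author wrote them; that is worth a word in the same comment. The function body starts and ends outside the hunk, so I cannot tell whether its other subject comparisons need the same normalisation.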
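Review bot: The new "wildcard multiple exclusion" case in pkg/development/wasm/operations_test.go writes the exclusions in its validation block as `{user:fred, user:jimmy}`, which is already sorted, so it only exercises the sort on the computed side. A companion case that specifies `{user:jimmy, user:fred}` would pin that the specified side is normalised as well. Whether this case failed deterministically before the fix depends on the order in which excluded subjects are computed, which is not visible here; if that order is unstable, the test may have caught the bug only intermittently.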