diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 66c409c8..c3b80b86 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -8,6 +8,7 @@
 * Comments should be used sparingly.
 * Empty lines should be used sparingly.
 * No code should call `die()` or `exit()`, instead `UnitySite::die()`. This will avoid the premature death of our automated testing processes.
+* Instead of `assert`, use `\ensure`. This will enforce conditions even in production.
 
 This repository will automatically check PRs for linting compliance.
 
diff --git a/resources/autoload.php b/resources/autoload.php
index 48965f77..02054293 100644
--- a/resources/autoload.php
+++ b/resources/autoload.php
@@ -28,6 +28,7 @@
 require_once __DIR__ . "/lib/exceptions/NoDieException.php";
 require_once __DIR__ . "/lib/exceptions/SSOException.php";
 require_once __DIR__ . "/lib/exceptions/ArrayKeyException.php";
+require_once __DIR__ . "/lib/exceptions/EnsureException.php";
 
 require_once __DIR__ . "/config.php";
 require __DIR__ . "/init.php";
diff --git a/resources/lib/UnityGroup.php b/resources/lib/UnityGroup.php
index 7dcc3ef9..eb59faee 100644
--- a/resources/lib/UnityGroup.php
+++ b/resources/lib/UnityGroup.php
@@ -229,7 +229,7 @@ public function cancelGroupJoinRequest($user, $send_mail = true)
     //     $users = $this->getGroupMembers();
 
     //     // now we delete the ldap entry
-    //     assert($this->entry->exists());
+    //     \ensure($this->entry->exists());
     //     $this->entry->delete();
     //     $this->REDIS->removeCacheArray("sorted_groups", "", $this->gid);
     //     foreach ($users as $user) {
@@ -463,7 +463,7 @@ public function requestExists($user)
     private function init()
     {
         $owner = $this->getOwner();
-        assert(!$this->entry->exists());
+        \ensure(!$this->entry->exists());
         $nextGID = $this->LDAP->getNextPIGIDNumber();
         $this->entry->setAttribute("objectclass", UnityLDAP::POSIX_GROUP_CLASS);
         $this->entry->setAttribute("gidnumber", strval($nextGID));
diff --git a/resources/lib/UnityOrg.php b/resources/lib/UnityOrg.php
index 94ef7ce9..eef5f76c 100644
--- a/resources/lib/UnityOrg.php
+++ b/resources/lib/UnityOrg.php
@@ -30,7 +30,7 @@ public function __construct($gid, $LDAP, $SQL, $MAILER, $REDIS, $WEBHOOK)
 
     public function init()
     {
-        assert(!$this->entry->exists());
+        \ensure(!$this->entry->exists());
         $nextGID = $this->LDAP->getNextOrgGIDNumber($this->SQL);
         $this->entry->setAttribute("objectclass", UnityLDAP::POSIX_GROUP_CLASS);
         $this->entry->setAttribute("gidnumber", strval($nextGID));
diff --git a/resources/lib/UnityUser.php b/resources/lib/UnityUser.php
index 0a0b3088..e910087d 100644
--- a/resources/lib/UnityUser.php
+++ b/resources/lib/UnityUser.php
@@ -61,12 +61,12 @@ public function init($firstname, $lastname, $email, $org, $send_mail = true)
     {
         $ldapGroupEntry = $this->getGroupEntry();
         $id = $this->LDAP->getNextUIDGIDNumber($this->uid);
-        assert(!$ldapGroupEntry->exists());
+        \ensure(!$ldapGroupEntry->exists());
         $ldapGroupEntry->setAttribute("objectclass", UnityLDAP::POSIX_GROUP_CLASS);
         $ldapGroupEntry->setAttribute("gidnumber", strval($id));
         $ldapGroupEntry->write();
 
-        assert(!$this->entry->exists());
+        \ensure(!$this->entry->exists());
         $this->entry->setAttribute("objectclass", UnityLDAP::POSIX_ACCOUNT_CLASS);
         $this->entry->setAttribute("uid", $this->uid);
         $this->entry->setAttribute("givenname", $firstname);
@@ -145,7 +145,7 @@ public function setOrg($org)
 
     public function getOrg($ignorecache = false)
     {
-        assert($this->exists());
+        \ensure($this->exists());
         if (!$ignorecache) {
             $cached_val = $this->REDIS->getCache($this->uid, "org");
             if (!is_null($cached_val)) {
@@ -194,7 +194,7 @@ public function setFirstname($firstname, $operator = null)
      */
     public function getFirstname($ignorecache = false)
     {
-        assert($this->exists());
+        \ensure($this->exists());
         if (!$ignorecache) {
             $cached_val = $this->REDIS->getCache($this->uid, "firstname");
             if (!is_null($cached_val)) {
@@ -243,7 +243,7 @@ public function setLastname($lastname, $operator = null)
      */
     public function getLastname($ignorecache = false)
     {
-        assert($this->exists());
+        \ensure($this->exists());
         if (!$ignorecache) {
             $cached_val = $this->REDIS->getCache($this->uid, "lastname");
             if (!is_null($cached_val)) {
@@ -266,7 +266,7 @@ public function getLastname($ignorecache = false)
 
     public function getFullname()
     {
-        assert($this->exists());
+        \ensure($this->exists());
         return $this->getFirstname() . " " . $this->getLastname();
     }
 
@@ -298,7 +298,7 @@ public function setMail($email, $operator = null)
      */
     public function getMail($ignorecache = false)
     {
-        assert($this->exists());
+        \ensure($this->exists());
         if (!$ignorecache) {
             $cached_val = $this->REDIS->getCache($this->uid, "mail");
             if (!is_null($cached_val)) {
@@ -328,7 +328,7 @@ public function setSSHKeys($keys, $operator = null, $send_mail = true)
     {
         $operator = is_null($operator) ? $this->uid : $operator->uid;
         $keys_filt = array_values(array_unique($keys));
-        assert($this->entry->exists());
+        \ensure($this->entry->exists());
         $this->entry->setAttribute("sshpublickey", $keys_filt);
         $this->entry->write();
 
@@ -357,7 +357,7 @@ public function setSSHKeys($keys, $operator = null, $send_mail = true)
      */
     public function getSSHKeys($ignorecache = false)
     {
-        assert($this->exists());
+        \ensure($this->exists());
         if (!$ignorecache) {
             $cached_val = $this->REDIS->getCache($this->uid, "sshkeys");
             if (!is_null($cached_val)) {
@@ -400,7 +400,7 @@ public function setLoginShell($shell, $operator = null, $send_mail = true)
         if (empty($shell)) {
             throw new Exception("login shell must not be empty!");
         }
-        assert($this->entry->exists());
+        \ensure($this->entry->exists());
         $this->entry->setAttribute("loginshell", $shell);
         $this->entry->write();
 
@@ -431,7 +431,7 @@ public function setLoginShell($shell, $operator = null, $send_mail = true)
      */
     public function getLoginShell($ignorecache = false)
     {
-        assert($this->exists());
+        \ensure($this->exists());
         if (!$ignorecache) {
             $cached_val = $this->REDIS->getCache($this->uid, "loginshell");
             if (!is_null($cached_val)) {
@@ -454,7 +454,7 @@ public function getLoginShell($ignorecache = false)
 
     public function setHomeDir($home, $operator = null)
     {
-        assert($this->entry->exists());
+        \ensure($this->entry->exists());
         $this->entry->setAttribute("homedirectory", $home);
         $this->entry->write();
         $operator = is_null($operator) ? $this->uid : $operator->uid;
@@ -476,7 +476,7 @@ public function setHomeDir($home, $operator = null)
      */
     public function getHomeDir($ignorecache = false)
     {
-        assert($this->exists());
+        \ensure($this->exists());
         if (!$ignorecache) {
             $cached_val = $this->REDIS->getCache($this->uid, "homedir");
             if (!is_null($cached_val)) {
diff --git a/resources/lib/exceptions/EnsureException.php b/resources/lib/exceptions/EnsureException.php
new file mode 100644
index 00000000..f184f903
--- /dev/null
+++ b/resources/lib/exceptions/EnsureException.php
@@ -0,0 +1,7 @@
+<?php
+
+namespace UnityWebPortal\lib\exceptions;
+
+class EnsureException extends \Exception
+{
+}
diff --git a/resources/lib/utils.php b/resources/lib/utils.php
index 2243317a..b3f311f6 100644
--- a/resources/lib/utils.php
+++ b/resources/lib/utils.php
@@ -1,6 +1,7 @@
 <?php
 
 use UnityWebPortal\lib\exceptions\ArrayKeyException;
+use UnityWebPortal\lib\exceptions\EnsureException;
 
 function arrayGet($array, ...$keys)
 {
@@ -19,3 +20,11 @@ function arrayGet($array, ...$keys)
     }
     return $cursor;
 }
+
+// like assert() but not subject to zend.assertions config
+function ensure(bool $condition, ?string $message = null)
+{
+    if (!$condition) {
+        throw new EnsureException($message ?? "ensure condition is false");
+    }
+}
diff --git a/test/phpunit-bootstrap.php b/test/phpunit-bootstrap.php
index 74864b58..4fc3f1cd 100644
--- a/test/phpunit-bootstrap.php
+++ b/test/phpunit-bootstrap.php
@@ -19,6 +19,7 @@
 require_once __DIR__ . "/../resources/lib/exceptions/NoDieException.php";
 require_once __DIR__ . "/../resources/lib/exceptions/SSOException.php";
 require_once __DIR__ . "/../resources/lib/exceptions/ArrayKeyException.php";
+require_once __DIR__ . "/../resources/lib/exceptions/EnsureException.php";
 
 $_SERVER["HTTP_HOST"] = "phpunit"; // used for config override
 require_once __DIR__ .  "/../resources/config.php";