Get SecurityDescriptor for objects at PASSIVE_LEVEL

I have a filter and a callback I receive can come in at DPC_LEVEL in any process.

Most of the time it enters as PASSIVE, so FltQuerySecurityObject()/ZwQuerySecurityObject()/ObGetObjectSecurity() etc can succeed, but they all run at <= PASSIVE. Often I will get BSOD, sometimes random (double fault etc), but they really do appear to come from here. As the docs themselves state “ObGetObjectSecurity should only be called at IRQL Level = PASSIVE_LEVEL with APCs enabled, otherwise deadlocks or crashes may occur.”

So is it possible to analyze the SecurityDescriptor of a FileObject at DISPATCH? (All code is synchronous at the moment).
If not what are the options - Worker item (at PASSIVE), thread pool, any other non-async methods preferably?

You already stated the answer: Queue a work item. Dropping IRQL to passive is one of the primary reasons we have Work Items.

Peter