diff --git a/keystoneauth1/extras/_saml2/v3/saml2.py b/keystoneauth1/extras/_saml2/v3/saml2.py
index b336645a..62d8754f 100644
--- a/keystoneauth1/extras/_saml2/v3/saml2.py
+++ b/keystoneauth1/extras/_saml2/v3/saml2.py
@@ -143,7 +143,7 @@ class _SamlAuth(requests.auth.AuthBase):
             request.headers['Accept'] = ','.join([accept, _PAOS_HEADER])
 
         request.headers['PAOS'] = _PAOS_VER
-        request.register_hook('response', self._handle_response)
+        request.register_hook('response', self._handle_response)  # type: ignore[no-untyped-call]
         return request
 
     def _handle_response(
diff --git a/keystoneauth1/session.py b/keystoneauth1/session.py
index 570239ca..fc1e77c4 100644
--- a/keystoneauth1/session.py
+++ b/keystoneauth1/session.py
@@ -1689,4 +1689,4 @@ class TCPKeepAliveAdapter(requests.adapters.HTTPAdapter):
             # hands for no longer than 2 minutes before a ConnectionError is
             # raised.
             kwargs['socket_options'] = socket_options
-        super().init_poolmanager(*args, **kwargs)
+        super().init_poolmanager(*args, **kwargs)  # type: ignore[no-untyped-call]
diff --git a/setup.cfg b/setup.cfg
index baa6cafd..f29f87fe 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -85,9 +85,8 @@ strict_equality = true
 strict_concatenate = true
 disallow_untyped_decorators = true
 disallow_any_generics = true
-# the following are false while we incrementally add typing
-disallow_subclassing_any = false
-disallow_untyped_calls = false
+disallow_subclassing_any = true
+disallow_untyped_calls = true
 disallow_incomplete_defs = true
 disallow_untyped_defs = true
 no_implicit_reexport = true
@@ -103,7 +102,11 @@ exclude = (?x)(
 ignore_errors = true
 
 [mypy-keystoneauth1.hacking.*]
+disallow_subclassing_any = false
 disallow_untyped_defs = false
+disallow_untyped_calls = false
 
 [mypy-keystoneauth1.fixture.*]
+disallow_subclassing_any = false
 disallow_untyped_defs = false
+disallow_untyped_calls = false