diff --git a/authorize/grpc.go b/authorize/grpc.go
index b85e5f3ff..e5a1980b5 100644
--- a/authorize/grpc.go
+++ b/authorize/grpc.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/pem"
 	"errors"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
@@ -54,8 +55,11 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
 	// load the session
 	s, err := a.loadSession(ctx, hreq, req)
-	if err != nil {
-		return nil, err
+	if errors.Is(err, sessions.ErrInvalidSession) {
+		// ENG-2172: if this is an invalid session, don't evaluate policy, return forbidden
+		return a.deniedResponse(ctx, in, int32(http.StatusForbidden), http.StatusText(http.StatusForbidden), nil)
+	} else if err != nil {
+		return nil, fmt.Errorf("error loading session: %w", err)
 	}
 
 	// if there's a session or service account, load the user
@@ -122,6 +126,7 @@ func (a *Authorize) loadSession(
 			Str("request-id", requestID).
 			Err(err).
 			Msg("error creating session for incoming idp token")
+		return nil, err
 	}
 
 	sessionState, _ := a.state.Load().sessionStore.LoadSessionStateAndCheckIDP(hreq)
diff --git a/config/session.go b/config/session.go
index d895f18eb..6270f9872 100644
--- a/config/session.go
+++ b/config/session.go
@@ -202,7 +202,7 @@ func (c *incomingIDPTokenSessionCreator) createSessionAccessToken(
 	if err != nil {
 		return nil, fmt.Errorf("error verifying access token: %w", err)
 	} else if !res.Valid {
-		return nil, fmt.Errorf("invalid access token")
+		return nil, fmt.Errorf("%w: invalid access token", sessions.ErrInvalidSession)
 	}
 
 	s = c.newSessionFromIDPClaims(cfg, sessionID, res.Claims)
@@ -265,7 +265,7 @@ func (c *incomingIDPTokenSessionCreator) createSessionForIdentityToken(
 	if err != nil {
 		return nil, fmt.Errorf("error verifying identity token: %w", err)
 	} else if !res.Valid {
-		return nil, fmt.Errorf("invalid identity token")
+		return nil, fmt.Errorf("%w: invalid identity token", sessions.ErrInvalidSession)
 	}
 
 	s = c.newSessionFromIDPClaims(cfg, sessionID, res.Claims)
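Review bot: The `} else if err != nil {` that follows a terminating `return` in Check can be flattened into two consecutive `if` statements so the happy path stays left-aligned: `if errors.Is(err, sessions.ErrInvalidSession) { … }` followed by `if err != nil { return nil, fmt.Errorf("error loading session: %w", err) }`. Note that this branch also turns what the loadSession hunk shows was previously a logged-and-ignored token failure into a hard 403 before any policy is evaluated, so a route that permits unauthenticated access will presumably now reject a request carrying an unverifiable IdP token; that looks intended by the ENG-2172 comment, but is worth pinning with a test. The 403 records nothing at this layer, so if ErrInvalidSession can arise from any path in loadSession other than the one that logs, those denials will be silent. Check begins and ends outside this hunk.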
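Review bot: The added `return nil, err` in loadSession hands back the same error that was just logged, so every failure other than ErrInvalidSession is now handled twice — logged here and then wrapped again by Check as `error loading session: %w`; consider either returning without the log or keeping the log only for the path Check does not otherwise surface. Separately, the value of this return depends on ErrInvalidSession surviving every wrap between createSessionAccessToken/createSessionForIdentityToken and this point; those intermediate layers are outside the hunk, so each of them must wrap with `%w` or the `errors.Is` check in Check will fall through to the generic error path instead of the intended 403. loadSession starts and ends outside this hunk.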
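Review bot: In createSessionAccessToken only the `!res.Valid` branch is classified as ErrInvalidSession; the `err != nil` branch still wraps the verifier's raw error, so whether a rejected token produces the new policy-free 403 or a generic error depends on whether the verifier reports a bad signature or expiry through `err` or through `res.Valid`, a contract not visible in this hunk. If verification errors are also meant to count as invalid sessions, wrap both (Go 1.20+ allows two `%w`): `return nil, fmt.Errorf("%w: error verifying access token: %w", sessions.ErrInvalidSession, err)`; if they are not, a comment stating that transport and configuration errors intentionally stay outside the ErrInvalidSession class would prevent a later change from blurring the two. The same applies to the identity-token hunk in createSessionForIdentityToken. Both functions start and end outside their hunks.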
diff --git a/internal/sessions/errors.go b/internal/sessions/errors.go
index 7d43ede6a..bcac5bd97 100644
--- a/internal/sessions/errors.go
+++ b/internal/sessions/errors.go
@@ -8,6 +8,9 @@ var (
 	// ErrNoSessionFound is the error for when no session is found.
 	ErrNoSessionFound = errors.New("internal/sessions: session is not found")
 
+	// ErrInvalidSession is the error for when a session is invalid.
+	ErrInvalidSession = errors.New("internal/sessions: invalid session")
+
 	// ErrMalformed is the error for when a session is found but is malformed.
 	ErrMalformed = errors.New("internal/sessions: session is malformed")
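Review bot: The doc comment on ErrInvalidSession describes the value but not its contract; the authorize layer in this same commit keys a policy-free 403 on `errors.Is(err, sessions.ErrInvalidSession)`, so producers must wrap it with `%w` for that behaviour to hold. Suggest `// ErrInvalidSession is returned when a presented session or token fails validation; wrap it with %w so callers can match it with errors.Is.`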