diff --git a/.github/workflows/pr-comment-build.yaml b/.github/workflows/pr-comment-build.yaml
index 7b13e799..33fc8399 100644
--- a/.github/workflows/pr-comment-build.yaml
+++ b/.github/workflows/pr-comment-build.yaml
@@ -29,21 +29,29 @@ jobs:
 COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
 COMMENT_SENDER_TYPE: ${{ github.event.sender.type }}
 COMMENT_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+ COMMENT_AUTHOR_ASSOCIATION: ${{ github.event.comment.author_association }}
 run: |
 set -eu
 if [ "${#COMMENT_BODY}" -gt 1024 ]; then
 echo "Ignoring oversized comment payload."
- exit 0
+ exit 1
 fi
 case "$COMMENT_BODY" in
 /kernel-bot*) ;;
 *)
 echo "Ignoring non /kernel-bot comment."
- exit 0
+ exit 1
 ;;
 esac
 if ! printf '%s' "$COMMENT_BODY" | grep -Eq '^/kernel-bot[ A-Za-z0-9_./-]*$'; then
 echo "Ignoring /kernel-bot comment with unsupported characters."
- exit 0
+ exit 1
 fi
+ case "$COMMENT_AUTHOR_ASSOCIATION" in
+ MEMBER|OWNER|COLLABORATOR) ;;
+ *)
+ echo "Unauthorized: only members, owners, and collaborators can use /kernel-bot."
+ exit 1
+ ;;
+ esac
 python3 .github/scripts/pr_comment_kernel_bot.py
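Review bot: The new `case "$COMMENT_AUTHOR_ASSOCIATION"` gate accepts `MEMBER` and `COLLABORATOR`, but author_association describes the commenter's relationship to the repository, not a permission level, so an organisation member or invited collaborator with read-only access passes it. If `/kernel-bot` needs write-level trust, resolve the commenter's effective permission (the collaborator-permission REST endpoint reports admin/write/read) and require write or higher, or narrow the list to what the project intends. The character filter just above it is also weaker than it looks: `grep -Eq` matches per line, so a multi-line body whose first line is a clean `/kernel-bot` command still passes, and whether that matters depends on how `pr_comment_kernel_bot.py` reads the body. A guard before the grep such as `[ "$(printf '%s' "$COMMENT_BODY" | wc -l)" -eq 0 ] || exit 1` would reject embedded newlines. The step's `env:` block starts above the hunk, so any job-level `if:` filter or secret exposure is not visible here.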