diff --git a/internal/api/oidc/integration_test/token_exchange_test.go b/internal/api/oidc/integration_test/token_exchange_test.go
index 1319eea19a..0844898a2f 100644
--- a/internal/api/oidc/integration_test/token_exchange_test.go
+++ b/internal/api/oidc/integration_test/token_exchange_test.go
@@ -428,6 +428,17 @@ func TestServer_TokenExchangeImpersonation(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "IMPERSONATION: subject: userID, actor: access token, requested type: JWT, membership not found error",
+			args: args{
+				SubjectToken: userResp.GetUserId(),
+				SubjectTokenType: oidc_api.UserIDTokenType,
+				RequestedTokenType: oidc.JWTTokenType,
+				ActorToken: noPermPAT,
+				ActorTokenType: oidc.AccessTokenType,
+			},
+			wantErr: true,
+		},
 		{
 			name: "IAM IMPERSONATION: subject: userID, actor: access token, success",
 			args: args{
diff --git a/internal/api/oidc/token_exchange.go b/internal/api/oidc/token_exchange.go
index 3887ff7c51..030066ea1c 100644
--- a/internal/api/oidc/token_exchange.go
+++ b/internal/api/oidc/token_exchange.go
@@ -349,6 +349,9 @@ func (s *Server) createExchangeJWT(
 		"",
 		domain.OIDCResponseTypeUnspecified,
 	)
+	if err != nil {
+		return "", "", 0, err
+	}
 	accessToken, err = s.createJWT(ctx, client, session, getUserInfo, roleAssertion, getSigner)
 	if err != nil {
 		return "", "", 0, err
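Review bot: The new "membership not found error" case only asserts `wantErr: true`, so it would also pass if the exchange failed for an unrelated reason (a malformed actor token, a wrong requested type) rather than because the noPermPAT user lacks the membership. Since this case exists to prove that an actor without permission cannot obtain an impersonation JWT, it should pin the expected error: if the table or its loop body has a way to assert a specific error (not visible in this hunk), set it here next to `wantErr: true,`; if it does not, adding one for this case is worth the small change. The enclosing TestServer_TokenExchangeImpersonation starts and ends outside the hunk, so I cannot confirm how errors are compared there.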
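Review bot: The added `if err != nil` check after the session-creation call has no comment, and the call whose `err` it inspects begins above the hunk, so a reader at this spot cannot see which failure is being guarded or why it must not be ignored. A one-line why-comment above the new check would keep that durable, e.g. `// Never fall through to createJWT when the session could not be created.` The bare `return "", "", 0, err` matches the createJWT check on the following lines, so the style is consistent; if the rest of the file wraps errors with context, the same applies here. createExchangeJWT's body continues outside the hunk.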