diff --git a/src/access/AccessControl.cpp b/src/access/AccessControl.cpp
index 244ed21c759292..4527e5fdc97145 100644
--- a/src/access/AccessControl.cpp
+++ b/src/access/AccessControl.cpp
@@ -88,6 +88,9 @@ CHIP_ERROR AccessControl::Check(const SubjectDescriptor & subjectDescriptor, con
 // Don't check if using default delegate (e.g. test code that isn't testing access control)
 ReturnErrorCodeIf(&mDelegate == &mDefaultDelegate, CHIP_NO_ERROR);
+ // Operational PASE not supported for v1.0, so PASE implies commissioning, which has highest privilege.
+ ReturnErrorCodeIf(subjectDescriptor.authMode == AuthMode::kPase, CHIP_NO_ERROR);
+
 EntryIterator iterator;
 ReturnErrorOnFailure(Entries(iterator, &subjectDescriptor.fabricIndex));
@@ -96,6 +99,8 @@ CHIP_ERROR AccessControl::Check(const SubjectDescriptor & subjectDescriptor, con
 {
 AuthMode authMode = AuthMode::kNone;
 ReturnErrorOnFailure(entry.GetAuthMode(authMode));
+ // Operational PASE not supported for v1.0.
+ VerifyOrReturnError(authMode == AuthMode::kCase || authMode == AuthMode::kGroup, CHIP_ERROR_INCORRECT_STATE);
 if (authMode != subjectDescriptor.authMode)
 {
 continue;
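Review bot: The new early return `ReturnErrorCodeIf(subjectDescriptor.authMode == AuthMode::kPase, CHIP_NO_ERROR);` grants any PASE-authenticated subject full access before the fabric-scoped entry iteration or any other part of the request is examined, so the safety of this line rests entirely on the session layer only ever producing a kPase subject descriptor while commissioning is in progress; that dependency is not stated anywhere in the hunk. The comment should name it, e.g. `// Implicit administer privilege for PASE sessions: relies on the session layer refusing PASE outside commissioning (operational PASE is not supported in v1.0).` A unit test asserting that a kPase subject descriptor passes Check regardless of the rest of the request, and that no other authMode takes this shortcut, would pin the intended scope. AccessControl::Check begins before this hunk.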
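Review bot: The added `VerifyOrReturnError(authMode == AuthMode::kCase || authMode == AuthMode::kGroup, CHIP_ERROR_INCORRECT_STATE);` makes one stored entry with any other auth mode abort the whole Check instead of skipping that entry, and the comment `// Operational PASE not supported for v1.0.` does not say that this is deliberate. Failing closed is the right direction for an access check, but it also means a single malformed or stale entry denies every subject on that fabric until it is removed, so the intent is worth making explicit: `// Fail closed: an entry with an auth mode other than CASE/Group is malformed and aborts the whole check rather than being skipped.` Whether such entries are already rejected when the ACL is written is not visible here; if they are not, enforcing it on the write path as well would avoid persisting an entry that later disables the fabric's ACL. The enclosing loop begins outside the hunk.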
@@ -119,43 +124,35 @@ CHIP_ERROR AccessControl::Check(const SubjectDescriptor & subjectDescriptor, con
 ReturnErrorOnFailure(entry.GetSubject(i, subject));
 if (IsOperationalNodeId(subject))
 {
+ VerifyOrReturnError(authMode == AuthMode::kCase, CHIP_ERROR_INCORRECT_STATE);
 if (subject == subjectDescriptor.subject)
 {
 subjectMatched = true;
 break;
 }
 }
- else if (IsGroupId(subject))
+ else if (IsCASEAuthTag(subject))
 {
- VerifyOrReturnError(authMode == AuthMode::kGroup, CHIP_ERROR_INVALID_ARGUMENT);
- if (subject == subjectDescriptor.subject)
+ VerifyOrReturnError(authMode == AuthMode::kCase, CHIP_ERROR_INCORRECT_STATE);
+ if (subjectDescriptor.cats.CheckSubjectAgainstCATs(subject))
 {
 subjectMatched = true;
 break;
 }
 }
- // TODO: Add the implicit admit for PASE after the spec is updated.
- else if (IsPAKEKeyId(subject))
+ else if (IsGroupId(subject))
 {
- VerifyOrReturnError(authMode == AuthMode::kPase, CHIP_ERROR_INVALID_ARGUMENT);
+ VerifyOrReturnError(authMode == AuthMode::kGroup, CHIP_ERROR_INCORRECT_STATE);
 if (subject == subjectDescriptor.subject)
 {
 subjectMatched = true;
 break;
 }
 }
- else if (IsCASEAuthTag(subject))
- {
- VerifyOrReturnError(authMode == AuthMode::kCase, CHIP_ERROR_INVALID_ARGUMENT);
- if (subjectDescriptor.cats.CheckSubjectAgainstCATs(subject))
- {
- subjectMatched = true;
- break;
- }
- }
 else
 {
- return CHIP_ERROR_INVALID_ARGUMENT;
+ // Operational PASE not supported for v1.0.
+ return CHIP_ERROR_INCORRECT_STATE;
 }
 }
 if (!subjectMatched)
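Review bot: The trailing `else` now returns CHIP_ERROR_INCORRECT_STATE for every subject kind that is not an operational node id, a CAT or a group id, which after the removal of the `IsPAKEKeyId` branch includes PAKE key id subjects that used to be accepted; the comment `// Operational PASE not supported for v1.0.` names only that one case, so a reader cannot tell whether other unrecognised subject values are meant to fail the same way. Suggest widening it: `// Any other subject kind (including PAKE key ids, which are not supported in v1.0) is malformed: fail closed and abort the whole check.` The new per-branch checks such as `VerifyOrReturnError(authMode == AuthMode::kCase, CHIP_ERROR_INCORRECT_STATE);` under IsOperationalNodeId enforce agreement between subject kind and the entry's auth mode, which the node-id branch previously did not check at all; a one-line comment above the first branch saying that each branch verifies subject-kind/auth-mode consistency would make the pattern obvious. The subject loop and AccessControl::Check both begin before this hunk.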