diff --git a/app/Http/Controllers/InvitationController.php b/app/Http/Controllers/InvitationController.php
index fd4d365..39bf9c3 100644
--- a/app/Http/Controllers/InvitationController.php
+++ b/app/Http/Controllers/InvitationController.php
@@ -20,6 +20,8 @@ class InvitationController extends Controller
 {
 public function index()
 {
+ $this->authorize('viewAny', Invitation::class);
+
 return view('dashboard.administration.invites', [
 'invites' => Invitation::all()
 ]);
@@ -28,6 +30,8 @@ class InvitationController extends Controller
 public function requestInvite(InvitationRequest $request)
 {
+ $this->authorize('create', Invitation::class);
+
 $guest = Auth::guest();
 $invitation = new Invitation();
@@ -65,6 +69,8 @@ class InvitationController extends Controller
 public function approveInvite(ApproveInviteRequest $request, Invitation $invitation)
 {
+ $this->authorize('update', $invitation);
+
 $approvableStates = [
 'pending'
 ];
@@ -93,6 +99,8 @@ class InvitationController extends Controller
 public function denyInvite(DenyInviteRequest $request, Invitation $invitation)
 {
+ $this->authorize('update', $invitation);
+
 $declinableStates = [
 'pending'
 ];
diff --git a/app/Policies/InvitationPolicy.php b/app/Policies/InvitationPolicy.php
index ce7fc53..cd69770 100644
--- a/app/Policies/InvitationPolicy.php
+++ b/app/Policies/InvitationPolicy.php
@@ -11,14 +11,9 @@ class InvitationPolicy
 {
 use HandlesAuthorization;
- public function viewAny(User $user): bool
+ public function viewAny(User $user): Response
 {
-
- }
-
- public function view(User $user, Invitation $invitation): Response
- {
- return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to view invitations.'));
+ return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to view invitation requests.'));
 }
 public function create(?User $user): Response
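Review bot: `index()` on the line above the new `authorize` call still declares no return type, and the same holds for `requestInvite`, `approveInvite` and `denyInvite` in the three following hunks; now that these methods carry authorization, typed signatures make the controller easier to check statically. For `index()`, which returns `view(...)`, `public function index(): \Illuminate\Contracts\View\View` fits; the other three return outside their hunks, so their types have to be read off the bodies. All four method bodies continue past the hunks.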
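Review bot: The new `create` check is reached by unauthenticated callers as well, because `InvitationPolicy::create` is declared with `?User $user` (last line of the first policy hunk in this diff) and Laravel only invokes a policy method for a guest when its user parameter is nullable; nothing in the controller tells a reader that. A one-line comment above the call, `// guests reach the policy too: InvitationPolicy::create accepts a null user`, would make the guest path explicit next to the `$guest = Auth::guest()` that follows. The rest of `requestInvite` is outside the hunk.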
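Review bot: `approveInvite` here and `denyInvite` in the next hunk both authorize against the single `update` ability, so the policy cannot grant approving and denying separately, and a later reader of `InvitationPolicy::update` will not see that it gates both actions. That is a defensible choice while both hang off `admin.manageInvitations`, but it should be recorded: a docblock on `update` such as `Covers both approving and denying an invitation; if these are ever split into approve/deny abilities, change both controller actions together.` keeps the two sides from drifting. Both controller methods continue past their hunks.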
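Review bot: Deleting `view()` changes the result of any `view` check still made against an Invitation elsewhere in the app — with the method gone the gate falls back to its default, which is a denial unless a matching ability is defined globally — so `can('view', …)`, `authorize('view', …)` and `authorizeResource` callers need a grep before this merges; none are visible in this diff, so this is a check to run rather than a known breakage. If dropping `view` is intended, a docblock on the new `viewAny` along the lines of `Listing and inspecting invitation requests share one ability; there is deliberately no per-invitation view policy.` records that for the next person who reaches for `view`. `create` starts on the hunk's last line and its body is in the next hunk.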
@@ -27,11 +22,13 @@ class InvitationPolicy
 return Response::allow();
 }
- return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to request invitations.'));
+ return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to request privileged invitations.'));
 }
- public function delete(User $user, Invitation $invitation): Response
+ public function update(User $user, Invitation $invitation): Response
 {
- return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to revoke invitations.'));
+ return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to update invitations.'));
 }
+
+ // no delete policy; cleanup is handled by jobs, no users can delete directly
 }
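Review bot: The trailing comment states that no user may delete, but the policy enforces that only by leaving `delete()` out, which makes the outcome depend on the gate's fallback (a globally defined `delete` ability if one exists, otherwise a denial) and leaves the comment free to drift once someone adds a delete route. Declaring the method with an unconditional deny states the rule in code and keeps the explanation in a docblock beside it. Separately, the `$user->can('admin.manageInvitations') ? Response::allow() : Response::deny(...)` expression is now repeated in `viewAny`, `create` and `update`; a private helper taking the denial message would reduce each to one line, though that is a cleanup for its own commit.
```php
    // … unchanged: update() above …

    /**
     * Invitations are never deleted by users; cleanup is handled by jobs.
     */
    public function delete(User $user, Invitation $invitation): Response
    {
        return Response::deny(__('Invitations cannot be deleted directly.'));
    }
```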