diff --git a/pkg/controller/certificates/approver/sarapprove.go b/pkg/controller/certificates/approver/sarapprove.go
index 3e79d624165..d2eb5ac5efc 100644
--- a/pkg/controller/certificates/approver/sarapprove.go
+++ b/pkg/controller/certificates/approver/sarapprove.go
@@ -91,10 +91,15 @@ func (a *sarApprover) handle(csr *capi.CertificateSigningRequest) error {
 		return fmt.Errorf("unable to parse csr %q: %v", csr.Name, err)
 	}
 
+	tried := []string{}
+
 	for _, r := range a.recognizers {
 		if !r.recognize(csr, x509cr) {
 			continue
 		}
+
+		tried = append(tried, r.permission.Subresource)
+
 		approved, err := a.authorize(csr, r.permission)
 		if err != nil {
 			return err
@@ -108,6 +113,11 @@ func (a *sarApprover) handle(csr *capi.CertificateSigningRequest) error {
 			return nil
 		}
 	}
+
+	if len(tried) != 0 {
+		return fmt.Errorf("recognized csr %q as %v but subject access review was not approved", csr.Name, tried)
+	}
+
 	return nil
 }
 
diff --git a/pkg/controller/certificates/approver/sarapprove_test.go b/pkg/controller/certificates/approver/sarapprove_test.go
index 3dcc1d044fa..f17b9cebec4 100644
--- a/pkg/controller/certificates/approver/sarapprove_test.go
+++ b/pkg/controller/certificates/approver/sarapprove_test.go
@@ -89,6 +89,7 @@ func TestHandle(t *testing.T) {
 		message    string
 		allowed    bool
 		recognized bool
+		err        bool
 		verify     func(*testing.T, []testclient.Action)
 	}{
 		{
@@ -119,6 +120,7 @@ func TestHandle(t *testing.T) {
 				}
 				_ = as[0].(testclient.CreateActionImpl)
 			},
+			err: true,
 		},
 		{
 			recognized: true,
@@ -155,7 +157,7 @@ func TestHandle(t *testing.T) {
 	}
 
 	for _, c := range cases {
-		t.Run(fmt.Sprintf("recognized:%v,allowed: %v", c.recognized, c.allowed), func(t *testing.T) {
+		t.Run(fmt.Sprintf("recognized:%v,allowed: %v,err: %v", c.recognized, c.allowed, c.err), func(t *testing.T) {
 			client := &fake.Clientset{}
 			client.AddReactor("create", "subjectaccessreviews", func(action testclient.Action) (handled bool, ret runtime.Object, err error) {
 				return true, &authorization.SubjectAccessReview{
@@ -177,7 +179,7 @@ func TestHandle(t *testing.T) {
 				},
 			}
 			csr := makeTestCsr()
-			if err := approver.handle(csr); err != nil {
+			if err := approver.handle(csr); err != nil && !c.err {
 				t.Errorf("unexpected err: %v", err)
 			}
 			c.verify(t, client.Actions())