diff --git a/coderd/rbac/policy.rego b/coderd/rbac/policy.rego
index e8844a22bd..5879a9e8b2 100644
--- a/coderd/rbac/policy.rego
+++ b/coderd/rbac/policy.rego
@@ -330,7 +330,7 @@ object_is_included_in_scope_allow_list if {
 # ACL for users
 acl_allow if {
- # TODO: Should you have to be a member of the org too?
+ is_org_member
 perms := input.object.acl_user_list[input.subject.id]
 # Check if either the action or * is allowed
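Review bot: The `is_org_member` line added to the user `acl_allow` rule replaces the TODO but leaves no comment recording why membership is now required; I would put `# Only org members may use a user ACL entry; an entry left behind for a removed member must grant nothing.` above it. The definition of `is_org_member` is outside this hunk, so it is worth confirming how it evaluates for an object with no org owner: if it is undefined there, every user ACL grant on such objects is now silently denied. If a sibling rule handles group ACLs, it should carry the same guard so the two paths cannot diverge. A policy test in which the subject appears in `acl_user_list` but is not a member of the object's org, and is denied, would pin this change. The body of `acl_allow` continues past the end of the hunk.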