diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/group/GroupPolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/group/GroupPolicyProviderFactory.java
index aa4b47d31b7..71aa36d8331 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/group/GroupPolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/group/GroupPolicyProviderFactory.java
@@ -26,6 +26,8 @@ import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
 
+import jakarta.ws.rs.BadRequestException;
+
 import org.keycloak.Config;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.model.Policy;
@@ -197,7 +199,14 @@ public class GroupPolicyProviderFactory implements PolicyProviderFactory<GroupPo
         GroupProvider groups = session.groups();
 
         if (definition.getId() != null) {
-            return realm.getGroupById(definition.getId());
+            GroupModel group = realm.getGroupById(definition.getId());
+
+            // Validate that only REALM groups can be used in authorization policies
+            if (group != null && GroupModel.Type.ORGANIZATION.equals(group.getType())) {
+                throw new BadRequestException("Organization groups cannot be used. Only realm groups are allowed.");
+            }
+
+            return group;
         }
 
         GroupModel group = null;
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/group/OrganizationGroupIsolationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/group/OrganizationGroupIsolationTest.java
index bcbb70a019f..5bf929bc322 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/group/OrganizationGroupIsolationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/group/OrganizationGroupIsolationTest.java
@@ -22,10 +22,14 @@ import java.util.List;
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.Response.Status;
 
+import org.keycloak.admin.client.resource.ClientResource;
 import org.keycloak.admin.client.resource.OrganizationResource;
+import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.GroupRepresentation;
 import org.keycloak.representations.idm.MemberRepresentation;
 import org.keycloak.representations.idm.OrganizationRepresentation;
+import org.keycloak.representations.idm.authorization.GroupPolicyRepresentation;
+import org.keycloak.representations.idm.authorization.Logic;
 import org.keycloak.testsuite.admin.ApiUtil;
 import org.keycloak.testsuite.organization.admin.AbstractOrganizationTest;
 
@@ -274,4 +278,46 @@ public class OrganizationGroupIsolationTest extends AbstractOrganizationTest {
         assertThat(results, hasSize(1));
         assertThat(results.get(0).getName(), is("Engineering"));
     }
+
+    @Test
+    public void testCannotUseOrgGroupInAuthorizationPolicy() {
+        // Organization groups cannot be used in authorization policies - only realm groups are allowed
+        OrganizationRepresentation orgRep = createOrganization();
+        OrganizationResource orgResource = testRealm().organizations().get(orgRep.getId());
+
+        // Create organization group
+        GroupRepresentation orgGroupRep = new GroupRepresentation();
+        orgGroupRep.setName("Engineering");
+        String orgGroupId;
+        try (Response response = orgResource.groups().addTopLevelGroup(orgGroupRep)) {
+            assertThat(response.getStatus(), is(Status.CREATED.getStatusCode()));
+            orgGroupId = ApiUtil.getCreatedId(response);
+        }
+
+        // Create a client with authorization services enabled
+        ClientRepresentation clientRep = new ClientRepresentation();
+        clientRep.setClientId("test-authz-client");
+        clientRep.setSecret("secret");
+        clientRep.setServiceAccountsEnabled(true);
+        clientRep.setAuthorizationServicesEnabled(true);
+        clientRep.setPublicClient(false);
+
+        String clientId;
+        try (Response response = testRealm().clients().create(clientRep)) {
+            clientId = ApiUtil.getCreatedId(response);
+        }
+        getCleanup().addCleanup(() -> testRealm().clients().get(clientId).remove());
+
+        ClientResource clientResource = testRealm().clients().get(clientId);
+
+        // Try to create a group policy using the organization group - should fail
+        GroupPolicyRepresentation policy = new GroupPolicyRepresentation();
+        policy.setName("org-group-policy");
+        policy.addGroup(orgGroupId);
+        policy.setLogic(Logic.POSITIVE);
+
+        try (Response response = clientResource.authorization().policies().group().create(policy)) {
+            assertThat(response.getStatus(), is(Status.BAD_REQUEST.getStatusCode()));
+        }
+    }
 }