diff --git a/src/hooks/moderation/useModerationQueueManager.ts b/src/hooks/moderation/useModerationQueueManager.ts
index 5f5ad491..c2ed6a41 100644
--- a/src/hooks/moderation/useModerationQueueManager.ts
+++ b/src/hooks/moderation/useModerationQueueManager.ts
@@ -263,6 +263,22 @@ export function useModerationQueueManager(config: ModerationQueueManagerConfig):
 
       setActionLoading(item.id);
 
+      // Check MFA (AAL2) requirement before moderation action
+      const { data: { session } } = await supabase.auth.getSession();
+      
+      // Access AAL from session metadata
+      const aal = session?.user?.app_metadata?.aal || session?.user?.user_metadata?.aal;
+
+      if (aal !== 'aal2') {
+        toast({
+          title: "MFA Verification Required",
+          description: "You must complete multi-factor authentication to perform moderation actions.",
+          variant: "destructive",
+        });
+        setActionLoading(null);
+        return;
+      }
+
       // Optimistic update
       const shouldRemove =
         (filters.statusFilter === "pending" || filters.statusFilter === "flagged") &&
@@ -389,7 +405,7 @@ export function useModerationQueueManager(config: ModerationQueueManagerConfig):
       await queueQuery.refetch();
       } catch (error) {
         const errorMsg = getErrorMessage(error);
-        console.error("Error moderating content:", errorMsg);
+        console.error("Error moderating content:", errorMsg, error);
 
         // Revert optimistic update
         setItems((prev) => {
@@ -401,11 +417,23 @@ export function useModerationQueueManager(config: ModerationQueueManagerConfig):
           }
         });
 
-        toast({
-          title: "Error",
-          description: errorMsg || `Failed to ${action} content`,
-          variant: "destructive",
-        });
+        // Check for RLS/permission errors
+        if (errorMsg.includes('row-level security') || 
+            errorMsg.includes('permission denied') ||
+            errorMsg.includes('policy') ||
+            errorMsg.includes('violates row-level security')) {
+          toast({
+            title: "Permission Denied",
+            description: "You don't have permission to perform this action. MFA verification may be required.",
+            variant: "destructive",
+          });
+        } else {
+          toast({
+            title: "Error",
+            description: errorMsg || `Failed to ${action} content`,
+            variant: "destructive",
+          });
+        }
       } finally {
         setActionLoading(null);
       }