diff --git a/hscontrol/policy/v2/policy.go b/hscontrol/policy/v2/policy.go
index 5852c410..3ef72a16 100644
--- a/hscontrol/policy/v2/policy.go
+++ b/hscontrol/policy/v2/policy.go
@@ -1198,8 +1198,10 @@ func resolveTagOwners(p *Policy, users types.Users, nodes views.Slice[types.Node
 case Alias:
 // If it does not resolve, that means the tag is not associated with any IP addresses.
 resolved, _ := o.Resolve(p, users, nodes)
- for _, pref := range resolved.Prefixes() {
- ips.AddPrefix(pref)
+ if resolved != nil {
+ for _, pref := range resolved.Prefixes() {
+ ips.AddPrefix(pref)
+ }
 }
 default:
diff --git a/hscontrol/policy/v2/types.go b/hscontrol/policy/v2/types.go
index cb20389f..cc194e29 100644
--- a/hscontrol/policy/v2/types.go
+++ b/hscontrol/policy/v2/types.go
@@ -140,15 +140,11 @@ func newResolved(ipb *netipx.IPSetBuilder) (resolved, error) {
 }
 func newResolvedAddresses(ips *netipx.IPSet, err error) (ResolvedAddresses, error) {
- if err != nil {
+ if ips == nil {
 return nil, err
 }
- if ips == nil {
- return nil, nil
- }
-
- return resolved{ips: *ips}, nil
+ return resolved{ips: *ips}, err
 }
 func ipSetToStrings(ips *netipx.IPSet) []string {
@@ -301,7 +297,7 @@ func (a Asterix) Resolve(p *Policy, u types.Users, n views.Slice[types.NodeView]
 }
 func (a Asterix) resolve(p *Policy, _ types.Users, _ views.Slice[types.NodeView]) (*netipx.IPSet, error) {
- if pfxs := p.AutoApprovers.prefixes(); len(pfxs) > 0 {
+ if p != nil && len(p.AutoApprovers.prefixes()) > 0 {
 var ipb netipx.IPSetBuilder
 ipb.AddSet(asterixResolved())
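Review bot: The error from `o.Resolve(p, users, nodes)` is still discarded in the `case Alias:` branch, and with the types.go change in this same diff `newResolvedAddresses` can now hand back a non-nil set together with a non-nil error. If Resolve goes through that helper (not visible here), a tag owner that only partly resolves would contribute a partial prefix set to `ips` with no trace, which makes a wrong tag-ownership decision hard to diagnose. I would keep the error and record it before the loop, e.g. `resolved, err := o.Resolve(p, users, nodes)` followed by a log call through whatever logger this package already uses, and update the comment to `// Resolve may return a partial set together with an error; only the prefixes that did resolve are added.` resolveTagOwners starts and ends outside the hunk.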
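Review bot: `newResolvedAddresses` now returns a usable value and a non-nil error at the same time, and nothing on the function says so. That departs from the usual Go expectation that the first result is meaningless when err is non-nil, so a caller that checks only `err` drops the partial set and a caller that ignores `err` builds policy from an incomplete one without knowing. A doc comment should state the contract, for example `// newResolvedAddresses wraps ips. A non-nil ips is returned even when err is non-nil, so callers must decide whether a partial result is acceptable.` It would also be worth a table test for the three cases (nil ips, ips with nil err, ips with err), since the callers are outside this diff.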