diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b3e1b1d9..6d1586e2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -661,6 +661,9 @@ jobs:
 touch $gampath/enabledasa.txt
 echo "printer model count:"
 $gam print printermodels | wc -l
+ $gam create caalevel "zzz_${newbase}" basic condition ipsubnetworks 1.1.1.1/32,2.2.2.2/32 endcondition
+ $gam print caalevels
+ $gam delete caalevel "zzz_${newbase}"
 #$gam print printers
 #$gam create printer displayname "${newbase}" uri ipp://localhost:631 driverless description "made by $(gam_user)"
 rm -f -v $gampath/enabledasa.txt
diff --git a/src/gam/gapi/caa.py b/src/gam/gapi/caa.py
index d4abd8b8..305a36c9 100644
--- a/src/gam/gapi/caa.py
+++ b/src/gam/gapi/caa.py
@@ -29,13 +29,17 @@ def get_access_policy(caa=None):
 'accessPolicies',
 throw_reasons=THROW_REASONS,
 parent=parent,
- fields='accessPolicies/name')
+ fields='accessPolicies(name,title)')
 except googleapiclient.errors.HttpError:
 controlflow.system_error_exit(2, 'Your service account needs the Access Context Manager Reader or Editor role for your organization.')
- if len(aps) != 1:
- print(f'expected 1 access policy, got {len(aps)}.')
- return
- return aps[0]['name']
+ if not aps:
+ controlflow.system_error_exit(2, 'You don\'t seem to have any access policies. That is odd.')
+ elif len(aps) == 1:
+ return aps[0]['name']
+ for ap in aps:
+ if ap.get('title') == 'Access policy created in Cloud Identity Console':
+ return ap['name']
+ controlflow.system_error_exit(2, ' Could not find a org level access policy. That is odd.')


 def print_access_levels():
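Review bot: In the `.github/workflows/build.yml` hunk, the added `$gam delete caalevel "zzz_${newbase}"` is reached only if `$gam print caalevels` before it succeeds, assuming the step's shell stops at the first failing command (the shell options are not visible here, and the step body continues outside the hunk). A failed run would then leave the `zzz_` access level behind in the tenant's access policy, and because its condition names the routable addresses 1.1.1.1/32 and 2.2.2.2/32, stale copies are worth avoiding. Consider recording the status and deleting unconditionally, e.g. `$gam print caalevels || caa_rc=$?`, then the delete, then `[ -z "${caa_rc:-}" ]`. A documentation range such as 192.0.2.1/32 would also make a leftover level harmless if it were ever bound to an application.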
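Review bot: In `src/gam/gapi/caa.py`, the new loop picks the organization policy by comparing `ap.get('title')` with the fixed string 'Access policy created in Cloud Identity Console', but a title is an editable display label rather than an identity. A renamed org policy ends in the error exit, and a scoped policy that happens to carry that title would be returned instead, which decides the policy under which access levels are created and deleted. If the list response exposes each policy's `scopes` (to be confirmed against the Access Context Manager API), choosing the entry with no scopes is a sturdier test: `fields='accessPolicies(name,title,scopes)'` and `if not ap.get('scopes'):`. The final message also starts with a stray space and should read 'an org-level access policy'. The function begins before this hunk, so how the `caa` argument and `parent` are built is not visible here.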