diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 80ba6816f..d65be3b7c 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,4 +1,5 @@ stages: + - moderator - unit-tests - deploy-gce-part1 - deploy-gce-part2 @@ -506,15 +507,21 @@ ubuntu-rkt-sep: only: ['master', /^pr-.*$/] # Premoderated with manual actions -syntax-check: +ci-authorized: <<: *job - stage: unit-tests + stage: moderator before_script: - apt-get -y install jq script: - - ansible-playbook -i inventory/local-tests.cfg -u root -e ansible_ssh_user=root -b --become-user=root cluster.yml -vvv --syntax-check - /bin/sh scripts/premoderator.sh except: ['triggers', 'master'] + +syntax-check: + <<: *job + stage: unit-tests + script: + - ansible-playbook -i inventory/local-tests.cfg -u root -e ansible_ssh_user=root -b --become-user=root cluster.yml -vvv --syntax-check + except: ['triggers', 'master'] tox-inventory-builder: stage: unit-tests diff --git a/scripts/.premoderator.sh.swp b/scripts/.premoderator.sh.swp new file mode 100644 index 000000000..064764e5b Binary files /dev/null and b/scripts/.premoderator.sh.swp differ diff --git a/scripts/premoderator.sh b/scripts/premoderator.sh index 2e730df7b..4b35af8d2 100644 --- a/scripts/premoderator.sh +++ b/scripts/premoderator.sh @@ -11,5 +11,8 @@ issue=$(echo ${CI_BUILD_REF_NAME} | perl -ne '/^pr-(\d+)-\S+$/ && print $1') user=$(curl ${CURL_ARGS} "https://api.github.com/repos/kubernetes-incubator/kargo/issues/${issue}/comments" \ | jq -M "map(select(.body | contains (\"$MAGIC\"))) | .[0] .user.login" | tr -d '"') # Check for the required user group membership to allow (exit 0) or decline (exit >0) the pipeline -[ "$user" != "null" ] || exit 1 +if [ "$user" = "null" ]; then + echo "User does not have permissions to start CI run" + exit 1 +fi curl ${CURL_ARGS} "https://api.github.com/orgs/kubernetes-incubator/members/${user}"
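Review bot: The `ci-authorized` job is now the only authorization gate in front of the later stages, but nothing in the job says so. Whether a failed check stops the pipeline depends on what `<<: *job` merges in, and that anchor is defined outside this hunk. If it or a later edit sets `allow_failure: true`, or a later-stage job uses `when: always`, a declined check would presumably no longer block the deploy stages. I would pin `allow_failure: false` in the job and add a comment above it such as `# Authorization gate for PR branches: must fail the pipeline, do not relax allow_failure/when here`.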
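Review bot: `scripts/.premoderator.sh.swp` is an editor swap file and looks like it was committed by accident. A swap file holds a copy of the editing buffer, so it can carry script text that was never saved or was later removed; whether anything sensitive is in it cannot be told from this diff, since the file is binary here. It should be dropped from the commit before merge, because it stays in history afterwards, and a pattern such as `*.swp` added to `.gitignore`.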
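Review bot: The new check in `scripts/premoderator.sh` rejects only the literal string `null`, so an empty `$user` still falls through to the membership request on the last line. `$user` would be empty if the comments request fails or `jq` errors on an unexpected response, which seems possible when `${issue}` is empty or the API returns an error object. The final URL then ends in `/members/` with no login, so its result no longer reflects one user's membership and the gate may not fail closed. The test should be `if [ -z "$user" ] || [ "$user" = "null" ]; then`. The message would also be more accurate as `echo "No authorizing comment found for this PR" >&2`, since at this point no user has been checked yet. The script starts before this hunk, so `MAGIC` and `CURL_ARGS` (including whether curl is told to fail on HTTP errors) are not visible here.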