diff --git a/internal/cli/security_invariant_test.go b/internal/cli/security_invariant_test.go
index c138fad..824fe20 100644
--- a/internal/cli/security_invariant_test.go
+++ b/internal/cli/security_invariant_test.go
@@ -27,9 +27,18 @@ func TestAgentKeyCannotRunAdminCommands(t *testing.T) {
 	t.Setenv("EMCLI_KEY", b64AgentKey())
 	t.Setenv("EMCLI_DB", db)
 
-	st, _ := store.Open(db)
-	ak, _ := crypto.AdminKeyFromEnv()
-	gk, _ := crypto.AgentKeyFromEnv()
+	st, err := store.Open(db)
+	if err != nil {
+		t.Fatalf("store.Open: %v", err)
+	}
+	ak, err := crypto.AdminKeyFromEnv()
+	if err != nil {
+		t.Fatalf("AdminKeyFromEnv: %v", err)
+	}
+	gk, err := crypto.AgentKeyFromEnv()
+	if err != nil {
+		t.Fatalf("AgentKeyFromEnv: %v", err)
+	}
 	if err := st.InitKeys(ak, gk); err != nil {
 		t.Fatalf("InitKeys: %v", err)
 	}
@@ -47,7 +56,8 @@ func TestAgentKeyCannotRunAdminCommands(t *testing.T) {
 	for _, args := range adminAttempts {
 		code, out, errOut := run(t, args...)
 		if code == 0 {
-			t.Fatalf("admin command %v must be refused with only EMCLI_KEY (out=%q err=%q)", args, out, errOut)
+			t.Errorf("admin command %v must be refused with only EMCLI_KEY (out=%q err=%q)", args, out, errOut)
+			continue
 		}
 	}
 	if !bytes.Equal(before, dbBytes(t, db)) {