diff --git a/frontend/src/components/layout/ProtectedRoute.tsx b/frontend/src/components/layout/ProtectedRoute.tsx
index 0b48c97c..92600819 100644
--- a/frontend/src/components/layout/ProtectedRoute.tsx
+++ b/frontend/src/components/layout/ProtectedRoute.tsx
@@ -49,6 +49,17 @@ export function ProtectedRoute({ requiredRole, children }: ProtectedRouteProps)
     return <Navigate to="/l1" replace />
   }
 
+  // L1 users hitting engineer-only AI surfaces (Pilot / Assistant) get pushed
+  // back to /l1 — POST /api/v1/ai-sessions rejects them with 403 anyway, so
+  // this just turns a backend error into a clean route-level redirect.
+  if (
+    effectiveRole === 'l1_tech' &&
+    (location.pathname.startsWith('/pilot') ||
+      location.pathname.startsWith('/assistant'))
+  ) {
+    return <Navigate to="/l1" replace />
+  }
+
   return <>{children}</>
 }