diff --git a/core/lib/Drupal/Core/Access/AccessInterface.php b/core/lib/Drupal/Core/Access/AccessInterface.php
index f555ecb..f247bbc 100644
--- a/core/lib/Drupal/Core/Access/AccessInterface.php
+++ b/core/lib/Drupal/Core/Access/AccessInterface.php
@@ -21,7 +21,7 @@
    * A checker should return this value to indicate that it grants access to a
    * route.
    */
-  const ALLOW = TRUE;
+  const ALLOW = 'TRUE';
 
   /**
    * Deny access.
@@ -29,7 +29,7 @@
    * A checker should return this value to indicate it does not grant access to
    * a route.
    */
-  const DENY = NULL;
+  const DENY = 'NULL';
 
   /**
    * Block access.
@@ -38,7 +38,7 @@
    * block access to this route, regardless of any other access checkers. Most
    * checkers should prefer DENY.
    */
-  const KILL = FALSE;
+  const KILL = 'FALSE';
 
   /**
    * Checks for access to a route.
diff --git a/core/lib/Drupal/Core/Access/AccessManager.php b/core/lib/Drupal/Core/Access/AccessManager.php
index 5959fd0..86025ac 100644
--- a/core/lib/Drupal/Core/Access/AccessManager.php
+++ b/core/lib/Drupal/Core/Access/AccessManager.php
@@ -259,6 +259,11 @@ protected function checkAll(array $checks, Route $route, Request $request) {
       }
 
       $service_access = $this->checks[$service_id]->access($route, $request);
+
+      if (!in_array($service_access, array(AccessInterface::ALLOW, AccessInterface::DENY, AccessInterface::KILL))) {
+        throw new AccessException('Access services can only return AccessInterface::ALLOW, AccessInterface::DENY, or AccessInterface::KILL constants.');
+      }
+
       if ($service_access === AccessInterface::ALLOW) {
         $access = TRUE;
       }
@@ -295,6 +300,11 @@ protected function checkAny(array $checks, $route, $request) {
       }
 
       $service_access = $this->checks[$service_id]->access($route, $request);
+
+      if (!in_array($service_access, array(AccessInterface::ALLOW, AccessInterface::DENY, AccessInterface::KILL))) {
+        throw new AccessException('Access services can only return AccessInterface::ALLOW, AccessInterface::DENY, or AccessInterface::KILL constants.');
+      }
+
       if ($service_access === AccessInterface::ALLOW) {
         $access = TRUE;
       }
diff --git a/core/tests/Drupal/Tests/Core/Access/AccessManagerTest.php b/core/tests/Drupal/Tests/Core/Access/AccessManagerTest.php
index d12f5c0..aca2dd7 100644
--- a/core/tests/Drupal/Tests/Core/Access/AccessManagerTest.php
+++ b/core/tests/Drupal/Tests/Core/Access/AccessManagerTest.php
@@ -461,6 +461,67 @@ public function testCheckNamedRouteWithNonExistingRoute() {
   }
 
   /**
+   * Tests that an access checker throws an exception for not allowed values.
+   *
+   * @dataProvider testCheckExceptionProvider
+   *
+   * @expectedException \Drupal\Core\Access\AccessException
+   */
+  public function testCheckException($return_value) {
+    $this->routeProvider = $this->getMock('Drupal\Core\Routing\RouteProviderInterface');
+
+    // Setup a test route for each access configuration.
+    $requirements = array(
+      '_test_incorrect_value' => 'TRUE',
+    );
+    $options = array(
+      '_access_checks' => array(
+        'test_incorrect_value',
+      ),
+    );
+    $route = new Route('', array(), $requirements, $options);
+
+    $this->routeProvider->expects($this->any())
+      ->method('getRouteByName')
+      ->will($this->returnValue($route));
+
+    $this->setupAccessChecker();
+
+    $request = new Request();
+
+    // Register a service that will return an incorrect value.
+    $access_check = $this->getMock('Drupal\Core\Access\StaticAccessCheckInterface');
+    $access_check->expects($this->any())
+      ->method('appliesTo')
+      ->will($this->returnValue(array('_test_incorrect_value')));
+    $access_check->expects($this->any())
+      ->method('access')
+      ->will($this->returnValue($return_value));
+    $this->container->register('test_incorrect_value', $access_check);
+    $this->accessManager->addCheckService('test_incorrect_value');
+
+    $this->accessManager->checkNamedRoute('test_incorrect_value', array(), $request);
+  }
+
+  /**
+   * Data provider for testCheckException.
+   *
+   * @return array
+   */
+  public function testCheckExceptionProvider() {
+    return array(
+      array(TRUE),
+      array(FALSE),
+      array(NULL),
+      array(array()),
+      array(array(1)),
+      array('string'),
+      array(0),
+      array(1),
+    );
+  }
+
+  /**
    * Converts AccessCheckInterface constants to a string.
    *
    * @param mixed $constant