diff --git a/vault/policy_store.go b/vault/policy_store.go
index 45439ebd60..f8422f5a17 100644
--- a/vault/policy_store.go
+++ b/vault/policy_store.go
@@ -36,6 +36,9 @@ var (
 "root",
 cubbyholeResponseWrappingPolicyName,
 }
+ nonAssignablePolicies = []string{
+ cubbyholeResponseWrappingPolicyName,
+ }
 )
 // PolicyStore is used to provide durable storage of policy, and to
@@ -89,7 +92,7 @@ func (c *Core) setupPolicyStore() error {
 // Ensure that the cubbyhole response wrapping policy exists
 policy, err = c.policyStore.GetPolicy(cubbyholeResponseWrappingPolicyName)
 if err != nil {
- return errwrap.Wrapf("error fetching default policy from store: {{err}}", err)
+ return errwrap.Wrapf("error fetching cubbyhole response wrapping policy from store: {{err}}", err)
 }
 if policy == nil || policy.Raw != cubbyholeResponseWrappingPolicy {
 err := c.policyStore.createCubbyholeResponseWrappingPolicy()
@@ -114,7 +117,7 @@ func (ps *PolicyStore) SetPolicy(p *Policy) error {
 if p.Name == "" {
 return fmt.Errorf("policy name missing")
 }
- if strutil.StrListContains(immutablePolicies, p.Name) {
+ if strutil.StrListContains(immutablePolicies, p.Name) || strutil.StrListContains(nonAssignablePolicies, p.Name) {
 return fmt.Errorf("cannot update %s policy", p.Name)
 }
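Review bot: `nonAssignablePolicies` is declared without a comment, and since its only entry, `cubbyholeResponseWrappingPolicyName`, already appears in `immutablePolicies` a few lines above, the `|| strutil.StrListContains(nonAssignablePolicies, ...)` added to SetPolicy in this file's third hunk (and to DeletePolicy in the next hunk) is redundant as the lists stand today, so a reader may conclude the two lists mean the same thing. Suggest stating the intent on the declaration, e.g. `// nonAssignablePolicies are policies that may never be attached to a token. They are not necessarily immutable, so SetPolicy and DeletePolicy check both lists.` If instead non-assignable is meant to always imply immutable, say that there, so that a future name added to only one list does not silently weaken the other guard.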
@@ -210,13 +213,31 @@ func (ps *PolicyStore) ListPolicies() ([]string, error) {
 defer metrics.MeasureSince([]string{"policy", "list_policies"}, time.Now())
 // Scan the view, since the policy names are the same as the
 // key names.
- return CollectKeys(ps.view)
+ keys, err = CollectKeys(ps.view)
+
+ for _, nonAssignable := range nonAssignablePolicies {
+ deleteIndex := -1
+ //Find indices of non-assignable policies in keys
+ for index, key := range keys {
+ if key == nonAssignable {
+ // Delete collection outside the loop
+ deleteIndex = index
+ break
+ }
+ }
+ // Remove non-assignable policies when found
+ if deleteIndex != -1 {
+ keys = append(keys[:deleteIndex], keys[deleteIndex+1:]...)
+ }
+ }
+
+ return keys, err
 }
 // DeletePolicy is used to delete the named policy
 func (ps *PolicyStore) DeletePolicy(name string) error {
 defer metrics.MeasureSince([]string{"policy", "delete_policy"}, time.Now())
- if strutil.StrListContains(immutablePolicies, name) {
+ if strutil.StrListContains(immutablePolicies, name) || strutil.StrListContains(nonAssignablePolicies, name) {
 return fmt.Errorf("cannot delete %s policy", name)
 }
 if name == "default" {
diff --git a/vault/token_store.go b/vault/token_store.go
index c628bc279b..3986855b55 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -1193,6 +1193,13 @@ func (ts *TokenStore) handleCreateCommon(
 return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 }
+ // Prevent internasl policies from being assigned to tokens
+ for _, policy := range te.Policies {
+ if strutil.StrListContains(nonAssignablePolicies, policy) {
+ return logical.ErrorResponse(fmt.Sprintf("cannot assign %s policy", policy)), nil
+ }
+ }
+
 // Generate the response
 resp.Auth = &logical.Auth{
 DisplayName: te.DisplayName,
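Review bot: `keys, err = CollectKeys(ps.view)` uses plain assignment, but ListPolicies' results are unnamed (`([]string, error)` in the hunk header) and nothing in the hunk declares `keys` or `err`, so unless they are declared in the lines just before `defer` this does not compile; the error is also never checked before the slice is filtered, and the unchecked `err` is returned at the end together with a possibly half-filtered `keys`. Prefer `keys, err := CollectKeys(ps.view)` followed by `if err != nil { return nil, err }`, then filter, then `return keys, nil`. The index-and-delete loop works for a one-entry list, but a single in-place pass (`out := keys[:0]`, appending each key not in nonAssignablePolicies) would be shorter and drops the `deleteIndex` bookkeeping and the misleading `// Delete collection outside the loop` comment; `//Find` is also missing the space after `//`. The beginning of ListPolicies lies outside the hunk.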
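Review bot: The new guard returns `nil` as the error while the validation directly above it returns `logical.ErrInvalidRequest`, so the same class of client mistake surfaces differently depending on which check fails; for consistency use `return logical.ErrorResponse(fmt.Sprintf("cannot assign %s policy", policy)), logical.ErrInvalidRequest`. The comment has a typo and should read `// Prevent internal policies from being assigned to tokens`. This check covers only handleCreateCommon, whose start is outside the hunk; if token entries are also built on paths that do not pass through here (for example auth-method logins or role defaults), the same check would be needed there for the restriction to hold — worth confirming. Likewise, if policy names are normalized elsewhere (e.g. lowercased) and `StrListContains` is a plain equality match, compare against the normalized form so a differently-cased spelling of the name cannot slip past.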