AWS Bedrock Unauthorized Foundation Model Access Attempt

Elastic Detection Rules

Summary
Detects failed attempts to enable account-level access to Amazon Bedrock foundation models via the control-plane actions PutFoundationModelEntitlement, PutUseCaseForModelAccess, or CreateFoundationModelAgreement. Denied attempts indicate credential boundary-testing by a potentially compromised or under-privileged identity seeking to unlock Bedrock model access, which could precede model invocation (LLMJacking) or persistence. This rule surfaces the attempt itself rather than a successful grant, providing a high-signal indicator even when access is not granted. It relies on AWS CloudTrail data from bedrock.amazonaws.com, targeting the specific Bedrock model-access actions with an outcome of failure and error codes such as AccessDenied or AccessDeniedException. The detection complements the corresponding rule for successful grants and helps identify privilege escalation attempts, misconfigurations, or probing behavior. Investigations should correlate identity, action, and network context to assess risk and determine whether remediation or tighter access control is warranted.
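The matching logic described in the summary, as an added Python example (not the Elastic rule's own query): it filters raw CloudTrail records on the event source, the three action names and the two error codes named above, then groups hits by identity ARN and source IP for triage. The sample records, ARNs and IP addresses are constructed, and treating only those two error codes as denials is an assumption.

```python
from collections import defaultdict

# Values taken from the rule summary.
EVENT_SOURCE = "bedrock.amazonaws.com"
MODEL_ACCESS_ACTIONS = {
    "PutFoundationModelEntitlement",
    "PutUseCaseForModelAccess",
    "CreateFoundationModelAgreement",
}
DENIED_CODES = {"AccessDenied", "AccessDeniedException"}  # assumption: only these two

def _ev(name, arn, ip, error=None, source=EVENT_SOURCE):
    """Build a constructed CloudTrail-style record (not a real event)."""
    rec = {"eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}, "sourceIPAddress": ip}
    if error:
        rec["errorCode"] = error  # CloudTrail omits errorCode on success
    return rec

CI = "arn:aws:iam::111122223333:user/ci-deploy"    # placeholder identity
ADMIN = "arn:aws:iam::111122223333:role/ml-admin"  # placeholder identity
SAMPLE_EVENTS = [
    _ev("PutFoundationModelEntitlement", CI, "198.51.100.7", "AccessDenied"),
    _ev("CreateFoundationModelAgreement", CI, "198.51.100.7", "AccessDeniedException"),
    _ev("PutUseCaseForModelAccess", ADMIN, "203.0.113.10"),         # successful grant
    _ev("InvokeModel", CI, "198.51.100.7", "AccessDeniedException"),  # not a model-access action
    _ev("PutFoundationModelEntitlement", ADMIN, "203.0.113.10", "ThrottlingException"),
]

def is_denied_model_access_attempt(rec):
    """True when a record meets all three conditions from the summary."""
    return (rec.get("eventSource") == EVENT_SOURCE
            and rec.get("eventName") in MODEL_ACCESS_ACTIONS
            and rec.get("errorCode") in DENIED_CODES)

def summarize_attempts(records):
    """Group denied attempts by (identity ARN, source IP) to support triage."""
    grouped = defaultdict(list)
    for rec in records:
        if is_denied_model_access_attempt(rec):
            arn = rec.get("userIdentity", {}).get("arn", "unknown")
            grouped[(arn, rec.get("sourceIPAddress", "unknown"))].append(rec["eventName"])
    return dict(grouped)

if __name__ == "__main__":
    for (arn, ip), actions in summarize_attempts(SAMPLE_EVENTS).items():
        print(f"{arn} from {ip}: {len(actions)} denied attempt(s): {actions}")
```

Several distinct model-access actions denied for one identity from one address in a short window is the boundary-testing pattern the summary describes; a single denial from an administrator role is more often a misconfiguration.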
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1098
Created: 2026-06-04