
AWS Bedrock Foundation Model Access Enabled or Entitlement Granted
Elastic Detection Rules
Summary
Detects account-level changes that enable Amazon Bedrock foundation model access by calling PutFoundationModelEntitlement, PutUseCaseForModelAccess, or CreateFoundationModelAgreement, which unlock subsequent InvokeModel/InvokeModelWithResponseStream permissions. The rule watches CloudTrail-based logs (logs-aws.cloudtrail-*) for bedrock.amazonaws.com events with a successful outcome. This activity may indicate an attacker or a compromised principal granting model access at the account level, either to abuse high-cost models (LLMjacking) or to establish a durable invocation capability. The rule is distinct from changes to resource-based model invocation policies: it focuses on control-plane API calls that grant entitlements, use cases, or EULA agreements. Legitimate onboarding or automation can also trigger these actions, so correlate with known provisioning activity before escalating.
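The matching logic described above, as an added example that is not the Elastic rule's own query: it applies the same three conditions (Bedrock event source, one of the three entitlement-granting event names, successful outcome) to raw CloudTrail records and suppresses hits from an assumed allowlist of known provisioning principals. The field names are standard CloudTrail JSON; the sample records, ARNs and account id are constructed.

```python
import json

# Control-plane calls that grant Bedrock model access (the three named in the rule).
ENTITLEMENT_ACTIONS = {
    "PutFoundationModelEntitlement",
    "PutUseCaseForModelAccess",
    "CreateFoundationModelAgreement",
}

def is_model_access_grant(record, known_provisioners=frozenset()):
    """True when a raw CloudTrail record matches the rule: Bedrock event source,
    an entitlement-granting eventName and no errorCode (CloudTrail omits errorCode
    on success). Principals in known_provisioners are treated as expected automation."""
    if record.get("eventSource") != "bedrock.amazonaws.com":
        return False
    if record.get("eventName") not in ENTITLEMENT_ACTIONS:
        return False
    if record.get("errorCode"):  # e.g. AccessDeniedException: the grant did not happen
        return False
    actor = record.get("userIdentity", {}).get("arn", "")
    return actor not in known_provisioners

def find_grants(cloudtrail_json, known_provisioners=frozenset()):
    """Scan a CloudTrail log body ({"Records": [...]}) and return
    (eventTime, actor ARN, eventName) for each matching record."""
    hits = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if is_model_access_grant(rec, known_provisioners):
            hits.append((rec["eventTime"], rec["userIdentity"]["arn"], rec["eventName"]))
    return hits

# Constructed sample records (not real logs); account id and ARNs are placeholders.
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"
PROVISIONER = "arn:aws:sts::111122223333:assumed-role/TerraformProvisioner/run-42"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2026-06-04T10:00:01Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "PutUseCaseForModelAccess", "userIdentity": {"arn": CONTRACTOR}},
    {"eventTime": "2026-06-04T10:00:05Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "CreateFoundationModelAgreement", "errorCode": "AccessDeniedException",
     "userIdentity": {"arn": CONTRACTOR}},                      # failed: not a grant
    {"eventTime": "2026-06-04T10:01:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "userIdentity": {"arn": CONTRACTOR}},  # data plane, ignored
    {"eventTime": "2026-06-04T10:02:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "PutFoundationModelEntitlement", "userIdentity": {"arn": PROVISIONER}},
]})

if __name__ == "__main__":
    for hit in find_grants(SAMPLE_LOG, known_provisioners={PROVISIONER}):
        print("ALERT Bedrock model access granted:", hit)
```

Without the allowlist both successful grants are reported; with the provisioning role allowlisted only the contractor's PutUseCaseForModelAccess remains, which is the event worth correlating with onboarding tickets.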
Categories
- Cloud
Data Sources
- Cloud Service
ATT&CK Techniques
- T1098
Created: 2026-06-04