Why does cloudtrail not include AccessDeniedExceptions for KMS actions?

Only just starting on my AWS journey but had a refusal at the first fence.

I have a new account that only holds KMS keys. These are eventually going to be under control of a third party. I have successfully allowed users in another account to use those keys for encryption and decryption, with the explicit permission of the KMS account only. (So our customer can 'break glass' and lock us out of their data that we hold if they wish).

I am missing a key requirement though. They wish to be alerted if any attempts to use those keys are made by unknown users or by known users when the key is disabled.

In cloudtrail I have a clear log of successful calls to Encrypt and Decrypt (although not as well integrated as other service logs so the actual Key ID isn't available in the event log list - but that's not really a problem).

Sadly there are no AccessDeniedException entries in the logs at all when I test that scenario. Now I've seen documentation that says they should be there, but they simply aren't. Is there a bit of config that I'm missing? I can see that filtering errors out saves on space if an external party is attempting an attack but we really do want to see when keys are attempted to be used outside the approved "access process" where we have requested permission.