
I feel like this is not a complex problem. You just ensure that someone has `iam:GetDetailedError`. Then you can turn it on for your role/user/whatever and if that doesn't work you can turn it on at the global level temporarily.

After all, if you think about it, if you are unable to determine that you're denying the person for the right reason, you could easily later allow them for the wrong reason.

E.g., a policy that's not meant to be applied to some IAM user is being applied to them but it's documented to be for a different purpose. When that purpose expires, you might remove that policy, and accidentally enable access. If you can get a trace of the denial then you know that it's for the right reasons.
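An added illustration of the scenario in the comment above (not part of the original comment, and not AWS's evaluation code): a simplified evaluator where explicit deny beats allow and the default is implicit deny, returning the statements that decided the outcome. The policy names, Sids, and bucket ARN are constructed for the example.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (hypothetical names, not real AWS policies).
POLICIES = {
    "temp-migration-freeze": [  # documented purpose: short-lived migration freeze
        {"Sid": "FreezeBucketWrites", "Effect": "Deny",
         "Action": "s3:Put*", "Resource": "arn:aws:s3:::reports/*"},
    ],
    "contractor-guardrail": [  # the policy that was meant to block this user
        {"Sid": "NoContractorWrites", "Effect": "Deny",
         "Action": "s3:*", "Resource": "arn:aws:s3:::reports/*"},
    ],
    "team-readwrite": [
        {"Sid": "TeamRW", "Effect": "Allow",
         "Action": "s3:*", "Resource": "arn:aws:s3:::reports/*"},
    ],
}


def evaluate(attached, action, resource):
    """Return (decision, trace) for a request against the attached policies.

    Simplified model: any matching Deny wins, otherwise any matching Allow,
    otherwise implicit deny with an empty trace.
    """
    matched = []
    for name in attached:
        for st in POLICIES[name]:
            if (fnmatchcase(action, st["Action"])
                    and fnmatchcase(resource, st["Resource"])):
                matched.append((st["Effect"], name, st["Sid"]))
    denies = [m for m in matched if m[0] == "Deny"]
    if denies:
        return "Deny", denies
    allows = [m for m in matched if m[0] == "Allow"]
    return ("Allow", allows) if allows else ("Deny", [])


if __name__ == "__main__":
    req = ("s3:PutObject", "arn:aws:s3:::reports/q3.csv")
    # The guardrail was never attached; the freeze policy is doing the denying.
    before = ["temp-migration-freeze", "team-readwrite"]
    print(evaluate(before, *req))
    # The freeze expires and is removed: access opens up by accident.
    print(evaluate(["team-readwrite"], *req))
```

Without the trace, both attachment sets look identical from the caller's side until the freeze policy is removed; with it, the first result already shows the denial comes from `temp-migration-freeze` rather than the intended guardrail.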


