CPC H04L 63/101 (2013.01) [H04L 63/0263 (2013.01); H04L 63/20 (2013.01)] | 16 Claims
1. A computing system comprising:
one or more hardware processors; and
one or more memories having stored therein instructions that, upon execution by the one or more hardware processors, cause the computing system to perform computing operations comprising:
receiving, by an identity management service, one or more indications of a decision to deny an attempted access of a computing resource by an identity, wherein an evaluation of the decision to deny the attempted access is performed based at least in part on a log analysis that indicates more than a threshold quantity of access denial errors within a given time period;
providing, for display, an interface of an activity monitoring service that shows a relationship between policy changes made by a user and the access denial errors, the interface identifying a first time at which the policy changes are made by the user and a second time at which an increase occurred in an amount of the access denial errors;
determining, by the identity management service, a plurality of relevant access permission policies whose permissions are evaluated as inputs to the decision to deny the attempted access;
determining, by the identity management service, one or more explicit deny policies of the relevant access permission policies that explicitly deny the attempted access;
determining, by the identity management service, one or more implicit deny policies of the relevant access permission policies that implicitly deny the attempted access;
providing, by the identity management service, at least one explicit deny indication of at least one of the one or more explicit deny policies; and
providing, by the identity management service, at least one implicit deny indication of at least one of the one or more implicit deny policies.
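The steps of claim 1, sketched as an added Python example that is not part of the patent text: a threshold check over denial-error timestamps, then a split of the relevant policies into explicit and implicit denies. The policy layout, names, wildcard matching and the rule that a policy with no matching Allow statement counts as an implicit deny are all assumptions made for illustration; the claim does not define them.

```python
from fnmatch import fnmatchcase
from datetime import datetime, timedelta

# Constructed sample policies; names, fields and layout are hypothetical.
POLICIES = [
    {"name": "team-boundary", "statements": [
        {"effect": "Allow", "actions": ["storage:Get*"], "resources": ["bucket/reports/*"]}]},
    {"name": "identity-policy", "statements": [
        {"effect": "Allow", "actions": ["storage:*"], "resources": ["bucket/*"]}]},
    {"name": "org-guardrail", "statements": [
        {"effect": "Allow", "actions": ["*"], "resources": ["*"]},
        {"effect": "Deny", "actions": ["storage:Put*"], "resources": ["bucket/audit/*"]}]},
]

def _matches(stmt, action, resource):
    return (any(fnmatchcase(action, p) for p in stmt["actions"])
            and any(fnmatchcase(resource, p) for p in stmt["resources"]))

def explain_denial(policies, action, resource):
    """Split the relevant policies into explicit and implicit denies."""
    explicit, implicit = [], []
    for pol in policies:
        hits = [s["effect"] for s in pol["statements"] if _matches(s, action, resource)]
        if "Deny" in hits:            # a matching Deny statement: explicit deny
            explicit.append(pol["name"])
        elif "Allow" not in hits:     # nothing grants the request: implicit deny (assumed rule)
            implicit.append(pol["name"])
    return {"denied": bool(explicit or implicit), "explicit": explicit, "implicit": implicit}

def denial_spike(timestamps, threshold, window):
    """True if more than `threshold` denial errors fall inside any span of length `window`."""
    ts = sorted(timestamps)
    start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:  # slide the window's left edge forward
            start += 1
        if end - start + 1 > threshold:
            return True
    return False

# Constructed denial-error times: six errors spread over 50 seconds.
T0 = datetime(2024, 1, 1, 12, 0, 0)
ERRORS = [T0 + timedelta(seconds=10 * i) for i in range(6)]

if __name__ == "__main__":
    if denial_spike(ERRORS, threshold=5, window=timedelta(minutes=5)):
        print(explain_denial(POLICIES, "storage:PutObject", "bucket/audit/log1"))
```
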