diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java
index da1e42dd53c8a..ecfc5c03a7df7 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java
@@ -256,6 +256,15 @@ private FileAccessTree(FilesEntitlement filesEntitlement, PathLookup pathLookup,
         this.exclusivePaths = sortedExclusivePaths;
         this.readPaths = pruneSortedPaths(readPaths).toArray(new String[0]);
         this.writePaths = pruneSortedPaths(writePaths).toArray(new String[0]);
+
+        logger.debug(
+            () -> Strings.format(
+                "Created FileAccessTree with paths: exclusive [%s], read [%s], write [%s]",
+                String.join(",", this.exclusivePaths),
+                String.join(",", this.readPaths),
+                String.join(",", this.writePaths)
+            )
+        );
     }
 
     // package private for testing
@@ -303,11 +312,17 @@ public static FileAccessTree withoutExclusivePaths(
     }
 
     public boolean canRead(Path path) {
-        return checkPath(normalizePath(path), readPaths);
+        var normalizedPath = normalizePath(path);
+        var canRead = checkPath(normalizedPath, readPaths);
+        logger.trace(() -> Strings.format("checking [%s] (normalized to [%s]) for read: %b", path, normalizedPath, canRead));
+        return canRead;
     }
 
     public boolean canWrite(Path path) {
-        return checkPath(normalizePath(path), writePaths);
+        var normalizedPath = normalizePath(path);
+        var canWrite = checkPath(normalizedPath, writePaths);
+        logger.trace(() -> Strings.format("checking [%s] (normalized to [%s]) for write: %b", path, normalizedPath, canWrite));
+        return canWrite;
     }
 
     /**
@@ -325,7 +340,6 @@ static String normalizePath(Path path) {
     }
 
     private boolean checkPath(String path, String[] paths) {
-        logger.trace(() -> Strings.format("checking [%s] against [%s]", path, String.join(",", paths)));
         if (paths.length == 0) {
             return false;
         }
@@ -343,8 +357,9 @@ private boolean checkPath(String path, String[] paths) {
     }
 
     private static boolean isParent(String maybeParent, String path) {
-        logger.trace(() -> Strings.format("checking isParent [%s] for [%s]", maybeParent, path));
-        return path.startsWith(maybeParent) && path.startsWith(FILE_SEPARATOR, maybeParent.length());
+        var isParent = path.startsWith(maybeParent) && path.startsWith(FILE_SEPARATOR, maybeParent.length());
+        logger.trace(() -> Strings.format("checking isParent [%s] for [%s]: %b", maybeParent, path, isParent));
+        return isParent;
     }
 
     @Override