diff --git a/llama_stack/distribution/access_control/access_control.py b/llama_stack/distribution/access_control/access_control.py
index 6b570fc85..89ae60343 100644
--- a/llama_stack/distribution/access_control/access_control.py
+++ b/llama_stack/distribution/access_control/access_control.py
@@ -105,22 +105,27 @@ def is_action_allowed(
 return False
+def build_access_denied_message(action: str | None, resource: ProtectedResource | None, user: User | None) -> str:
+ """Build detailed error message for access denied scenarios."""
+ if action and resource and user:
+ resource_info = f"{resource.type}::{resource.identifier}"
+ user_info = f"'{user.principal}'"
+ if user.attributes:
+ attrs = ", ".join([f"{k}={v}" for k, v in user.attributes.items()])
+ user_info += f" (attributes: {attrs})"
+
+ message = f"User {user_info} cannot perform action '{action}' on resource '{resource_info}'"
+ else:
+ message = "Insufficient permissions"
+
+ return message
+
+
 class AccessDeniedError(RuntimeError):
 def __init__(self, action: str | None = None, resource: ProtectedResource | None = None, user: User | None = None):
 self.action = action
 self.resource = resource
 self.user = user
- # Build detailed error message
- if action and resource and user:
- resource_info = f"{resource.type}::{resource.identifier}"
- user_info = f"'{user.principal}'"
- if user.attributes:
- attrs = ", ".join([f"{k}={v}" for k, v in user.attributes.items()])
- user_info += f" (attributes: {attrs})"
-
- message = f"User {user_info} cannot perform action '{action}' on resource '{resource_info}'"
- else:
- message = "Insufficient permissions"
-
+ message = build_access_denied_message(action, resource, user)
 super().__init__(message)
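Review bot: `build_access_denied_message` interpolates `user.principal`, every `user.attributes` pair and the resource identifier into one string with no escaping, and as a module-level helper that string can now be reused outside `AccessDeniedError`, so where it ends up matters. If the text is returned to the caller in an API response, it confirms that the named resource exists and echoes the attributes the policy evaluated. The handler is not visible in this diff, so that path is worth checking, and the docstring could state the expectation, e.g. `"""Build the detailed access-denied message (principal, attributes, resource id); keep client-facing responses generic."""`. Attribute values presumably originate from the identity provider, so formatting them with `repr` would keep embedded newlines or control characters from forging log lines: `attrs = ", ".join(f"{k}={v!r}" for k, v in user.attributes.items())`.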