Scap should abort/error out (with a clear message of issue) when the Keyholder system is not armed. That will make it more obvious than the "permission denied" lines embedded in some long output (especially in the beta-scap-eqiad CI job).
Can be as simple as running keyholder status according to https://wikitech.wikimedia.org/wiki/Keyholder though it always exit 0. We could use check_keyholder which uses for monitoring and does exit non Zero in case of trouble.
note: Beta Cluster monitoring task is T111064: Monitor keyholder on deployment-prep deployment servers