How are you enforcing runtime policy and trust boundaries in agent systems today?

Hugging Face Forums [Unofficial] April 26, 2026
The thing that bit me hardest is the gap between SDK-level deny semantics and protocol-level enforcement. SDK deny lists for MCP tools turn out to be soft boundaries — the model still discovers the tool from the subprocess and invokes it anyway, even when the tool name is explicitly listed as disallowed. The only reliable approach was physical exclusion: the MCP server isn’t part of the agent’s option set at all, so the tool genuinely isn’t there. The other thing worth governing for is hallucinated success — agent claims it called a tool, actually skipped it, output looks plausible. Most runtime governance I see focuses on “did you allow this action,” but the symmetric problem is “did the action you allowed actually happen.” Worth asking whether the Microsoft toolkit handles tool-call attestation, because that side of trust boundaries tends to get neglected.
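The two guards the post argues for, as an added example that is not part of the original post or of any MCP SDK or toolkit it mentions: a soft deny list that still advertises the denied tool to the model, beside a registry built only from allowed servers so the excluded tool is not discoverable at all, plus an execution ledger that the agent's self-reported tool calls are reconciled against to catch claimed-but-never-executed calls. The server catalogue, tool names and arguments are constructed for illustration.

```python
"""Added example: hard exclusion of MCP servers and tool-call attestation.

Not code from the forum post or from any real MCP SDK. Server and tool names
are constructed; _execute() stands in for a real MCP dispatch.
"""
from dataclasses import dataclass, field
import hashlib
import json

# Constructed catalogue of MCP servers and the tools each one exposes.
SERVER_CATALOG = {
    "filesystem": ["read_file", "write_file"],
    "shell": ["run_command"],
    "search": ["web_search"],
}


def _digest(obj) -> str:
    """Stable hash of a JSON-serialisable value, used to match calls in the ledger."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


@dataclass
class ExecutionLedger:
    """Append-only record of tool calls the runtime actually executed."""
    entries: list = field(default_factory=list)

    def record(self, tool, args, result):
        self.entries.append({"tool": tool, "args": _digest(args), "result": _digest(result)})

    def attested(self, tool, args) -> bool:
        a = _digest(args)
        return any(e["tool"] == tool and e["args"] == a for e in self.entries)


def _execute(tool, args, ledger):
    """Stand-in for a real MCP dispatch; every real execution lands in the ledger."""
    result = {"tool": tool, "ok": True}
    ledger.record(tool, args, result)
    return result


class SoftDenyRuntime:
    """Soft boundary: every server is loaded and advertised to the model; the
    deny list is only consulted by name when a call arrives."""

    def __init__(self, deny_tools):
        self.deny = set(deny_tools)
        self.tools = {t: s for s, ts in SERVER_CATALOG.items() for t in ts}

    def advertised_tools(self):
        return sorted(self.tools)  # denied tools are still visible to the model

    def call(self, tool, args, ledger):
        if tool in self.deny:
            raise PermissionError(f"{tool} is on the deny list")
        return _execute(tool, args, ledger)


class HardExclusionRuntime:
    """Protocol-level boundary: only allowed servers are registered, so a tool
    from an excluded server is neither discoverable nor dispatchable."""

    def __init__(self, allowed_servers):
        self.tools = {t: s for s, ts in SERVER_CATALOG.items() if s in allowed_servers for t in ts}

    def advertised_tools(self):
        return sorted(self.tools)

    def call(self, tool, args, ledger):
        if tool not in self.tools:
            raise KeyError(f"unknown tool {tool}")  # nothing to invoke; not a name check
        return _execute(tool, args, ledger)


def reconcile_claims(claimed_calls, ledger):
    """Return the claims the ledger cannot back: calls the agent reports making
    that the runtime never executed (the 'hallucinated success' case)."""
    return [c for c in claimed_calls if not ledger.attested(c["tool"], c["args"])]


def demo():
    ledger = ExecutionLedger()
    soft = SoftDenyRuntime(deny_tools=["run_command"])
    hard = HardExclusionRuntime(allowed_servers=["filesystem", "search"])
    # One real call goes through the hard runtime and is recorded.
    hard.call("read_file", {"path": "/tmp/notes.txt"}, ledger)
    # Constructed self-report from the agent: one genuine call, one it skipped.
    claimed = [
        {"tool": "read_file", "args": {"path": "/tmp/notes.txt"}},
        {"tool": "web_search", "args": {"q": "mcp runtime policy"}},
    ]
    return {
        "soft_advertises_denied": "run_command" in soft.advertised_tools(),
        "hard_advertises_denied": "run_command" in hard.advertised_tools(),
        "unattested_claims": [c["tool"] for c in reconcile_claims(claimed, ledger)],
    }


if __name__ == "__main__":
    print(demo())
```

The ledger is written only by the dispatch path, never by the model, so a claim with no matching entry is evidence the action did not happen rather than a reporting quirk; in a real deployment the ledger would come from the MCP transport layer, not from the agent loop.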
