
How are you enforcing runtime policy and trust boundaries in agent systems today?

Hugging Face Forums [Unofficial] April 27, 2026
I agree with the point about SDK level deny lists being too soft. For agent systems, I think policy needs to be enforced at the runtime boundary, not inside the prompt and not only inside the model SDK. The model should never be the authority on whether an action is allowed.

A practical setup is:

1. Every tool has an explicit capability definition.
2. Every agent or worker has a scoped permission set.
3. The runtime checks each requested action before execution.
4. The tool layer refuses calls that are outside policy, even if the model asks for them.
5. Tool results are logged with request, caller, input, output, status, and trace id.
6. Success claims are verified against actual tool execution records.

The second point matters a lot. It is not enough to ask, "Was this action allowed?" You also need to ask, "Did the action actually happen?" A model can claim it called a tool, skipped a step, or completed a task. The runtime should verify that against the execution trace.

So my rule is: prompts can guide behavior, but runtime policy must enforce behavior. The trust boundary belongs around tools, state mutation, credentials, external actions, and persistent memory writes.
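The six-step setup in the post, as an added example that is not part of the original post or any project it mentions: a small in-process runtime that holds per-tool capability definitions, per-agent permission sets, a policy check before every call, a log record for every request (allowed or not), and a `verify_claim` check that accepts a "success" only when a matching `ok` record exists in the trace. All names (`Runtime`, `ToolCapability`, `ExecutionRecord`, the two sample tools and the `summarizer` agent) and the in-memory file system and outbox are constructed for this example.

```python
"""Added example: runtime policy gate for agent tool calls (not from the original post)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable
import uuid


@dataclass(frozen=True)
class ToolCapability:
    """Step 1: explicit capability definition for one tool."""
    name: str
    requires: frozenset[str]  # capability labels the caller must hold, e.g. {"fs:read"}


@dataclass
class ExecutionRecord:
    """Step 5: one record per requested action, whether or not it ran."""
    trace_id: str
    caller: str
    tool: str
    request: dict[str, Any]
    output: Any
    status: str  # "ok", "denied" or "error"


class Runtime:
    def __init__(self) -> None:
        self._tools: dict[str, tuple[ToolCapability, Callable[..., Any]]] = {}
        self._permissions: dict[str, frozenset[str]] = {}  # step 2: scoped permissions per agent
        self.trace: list[ExecutionRecord] = []

    def register_tool(self, cap: ToolCapability, fn: Callable[..., Any]) -> None:
        self._tools[cap.name] = (cap, fn)

    def grant(self, agent: str, caps: set[str]) -> None:
        self._permissions[agent] = frozenset(caps)

    def _allowed(self, agent: str, cap: ToolCapability) -> bool:
        # Default deny: an agent with no grant holds the empty set.
        return cap.requires <= self._permissions.get(agent, frozenset())

    def call(self, agent: str, tool: str, **request: Any) -> ExecutionRecord:
        """Steps 3-5: check policy before execution, refuse out-of-policy calls, log everything."""
        trace_id = uuid.uuid4().hex
        if tool not in self._tools or not self._allowed(agent, self._tools[tool][0]):
            rec = ExecutionRecord(trace_id, agent, tool, request, None, "denied")
            self.trace.append(rec)
            return rec  # the model asked, the runtime said no, and the refusal is on record
        _, fn = self._tools[tool]
        try:
            rec = ExecutionRecord(trace_id, agent, tool, request, fn(**request), "ok")
        except Exception as exc:  # a failing tool is also a recorded outcome, not a silent gap
            rec = ExecutionRecord(trace_id, agent, tool, request, repr(exc), "error")
        self.trace.append(rec)
        return rec

    def verify_claim(self, agent: str, tool: str, **request: Any) -> bool:
        """Step 6: a success claim counts only if a matching 'ok' record exists in the trace."""
        return any(
            r.caller == agent and r.tool == tool and r.status == "ok"
            and all(r.request.get(k) == v for k, v in request.items())
            for r in self.trace
        )


# Constructed sample environment: an in-memory "file system" and an outbox.
FILES = {"notes.txt": "quarterly numbers: 42"}
OUTBOX: list[dict[str, str]] = []


def read_file(path: str) -> str:
    return FILES[path]


def send_email(to: str, body: str) -> str:
    OUTBOX.append({"to": to, "body": body})
    return "sent"


def build_runtime() -> Runtime:
    rt = Runtime()
    rt.register_tool(ToolCapability("read_file", frozenset({"fs:read"})), read_file)
    rt.register_tool(ToolCapability("send_email", frozenset({"net:egress"})), send_email)
    rt.grant("summarizer", {"fs:read"})  # deliberately no net:egress for this worker
    return rt


def demo() -> dict[str, Any]:
    """Simulates a worker that reads a file, then asks to e-mail it out, then claims success."""
    rt = build_runtime()
    read = rt.call("summarizer", "read_file", path="notes.txt")
    send = rt.call("summarizer", "send_email", to="someone@example.com", body=read.output)
    return {
        "read_status": read.status,
        "send_status": send.status,
        "outbox_len": len(OUTBOX),
        "claim_read_verified": rt.verify_claim("summarizer", "read_file", path="notes.txt"),
        "claim_send_verified": rt.verify_claim("summarizer", "send_email", to="someone@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

In this toy the runtime check and the tool-layer refusal (steps 3 and 4) are the same gate because the tools run in-process; in a deployment where tools are separate services, the tool side would re-check the caller's grant rather than trust the orchestrator. The point of `verify_claim` is that "I sent the email" from the model is never taken at face value: the only evidence is an `ok` record for that caller, tool and request in the trace.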
