Handing a third-party tool to your AI agent is the same problem as handing a third-party binary to cron. The tool's author may be a good actor or not. The agent may misuse the tool or not. The operator — you — wants a floor on how bad either outcome can get.

ACT's policy layer is about installing that floor. This post walks through how it works, from the wasmtime VM up to the DNS resolver.

## Three layers, explicit

```
┌─────────────────────────────────────────────────────┐
│ ACT policy (declaration × operator intent)          │ ← what this post is about
├─────────────────────────────────────────────────────┤
│ WASI capabilities (wasi:filesystem, wasi:http, …)   │ ← capability imports
├─────────────────────────────────────────────────────┤
│ wasmtime VM (JIT, linear memory, no host syscalls)  │ ← isolation
└─────────────────────────────────────────────────────┘
```

Confusing the bottom two layers is a common trap.…