The "deny list is a fool's errand" framing is exactly right. I've been running an AI agent with broad filesystem and SSH access and the failure mode (so far) isn't the agent doing something explicitly forbidden — it's the agent doing something technically allowed but contextually wrong. git checkout on a file you meant to keep is the classic example.

The action taxonomy approach is interesting. Curious whether context policies work well in practice — what does "depends on the target" look like when the target is ambiguous? E.g. a temp file in /opt/myapp/ that happens to be load-bearing.