ModeShape does not currently implement this feature, but we've been asked a few times about it. At this time most of the committer's plates are full with other features/enhancements/improvements/fixes, but we'd absolutely welcome any help to add the feature.
It's been a while since I spent any time in that portion of the spec, but IIRC part of the challenge is that the spec does not define how the policies are actually defined/managed. Yes, if there is a policy, you can assign/use them. But the API to manage policies is likely to be a non-standard API anyway.
If someone is interested in contributing, one of the first steps would be discuss/decide what ModeShape policies would look like. Would they be based upon ACLs or something else? We'd probably want to consider if it's possible to leverage an existing authorization framework (e.g., PicketBox/PicketLink), and if that would somehow inform the policy requirements.