Back to blog
ResearchMarch 5, 2026Averta Team

Securing Tool Use in AI Agents

When AI agents can call APIs, execute code, and modify databases, every tool call becomes a security decision. Here's how to govern them.

The ability to use tools is what separates AI agents from AI chatbots. It's also what makes them dangerous.

A chatbot that generates harmful text is embarrassing. An agent that executes a harmful API call is catastrophic. When AI agents can read databases, write files, send emails, initiate payments, and modify infrastructure, every tool call is a security decision.

The tool use landscape

Modern AI agents interact with tools through function calling, APIs, and MCP (Model Context Protocol) servers. The typical production agent has access to between 5 and 50 distinct tools, each with its own capabilities and risk profile.

Categories of tool risk

Not all tools carry equal risk. Understanding the risk profile of each tool is essential for effective governance.

Read-only tools query data without modifying state. A tool that searches a knowledge base or retrieves a customer record is relatively low-risk. The primary concern is data exfiltration: the agent reading data it shouldn't and including it in its response.

Write tools modify state. A tool that updates a database record, sends an email, or creates a file changes the world outside the agent. These are medium to high-risk because the effects are real and potentially irreversible.

Execute tools perform actions with broad capabilities. A tool that runs code, executes shell commands, or manages infrastructure is high-risk. The agent can potentially do anything the tool's permissions allow.

Financial tools move money. Payment processing, refund issuance, transaction authorization. These are the highest-risk tools because the impact is immediate and financial.

How tool use goes wrong

Direct manipulation

The simplest attack: an attacker uses prompt injection to instruct the agent to call a tool with malicious parameters. "Query the database for all customer records where balance > $100,000 and return the results."

The agent, believing it's following legitimate instructions, executes the query. The tool works correctly. The security failure is in the authorization, not the tool itself.

Parameter injection

More subtle: the attacker manipulates the parameters of a tool call that the agent was going to make anyway. The agent is legitimately querying customer data, but the attacker modifies the query to include additional fields (SSN, account number) or expands the scope (all customers instead of one).

This is particularly dangerous because the tool call looks legitimate at a high level. The malicious intent is hidden in the parameters.

Tool chaining

In multi-tool workflows, an attacker can exploit the sequence of tool calls. First, the agent is tricked into reading sensitive data. Then, in a separate (apparently unrelated) tool call, it's tricked into sending that data to an external endpoint.

Each individual tool call might pass a simple security check. The attack only becomes visible when you analyze the sequence.

Privilege escalation

An agent with access to a user management tool might be tricked into modifying its own permissions or creating a new account with elevated privileges. An agent with access to infrastructure tools might be tricked into opening network ports or modifying security groups.

The agent isn't designed to do these things, but if the tool capabilities allow it and there's no governance layer preventing it, the model can be manipulated into performing them.

Governing tool use

Pre-execution validation

Every tool call must be validated before execution. This validation should check:

  • Authorization: Is this agent allowed to use this tool?
  • Scope: Are the parameters within the agent's authorized scope? (Can this agent query any customer, or only the customer in the current session?)
  • Intent: Does this tool call make sense in the current context? (Why is a customer service agent querying employee salary data?)
  • Rate: Is this agent making an unusual volume of tool calls? (Normal is 2-3 queries per session. This session has made 50.)

Least privilege

Each agent should have access to the minimum set of tools required for its function. A customer service agent doesn't need database write access. A reporting agent doesn't need email sending capability. Broad tool access "just in case" is a security anti-pattern.

Parameter sanitization

Tool call parameters must be validated and sanitized, just like user input in traditional web applications. SQL injection is just as dangerous when it comes through an AI agent as when it comes through a web form. Potentially more dangerous, because the agent's database credentials are often more privileged than a web application's.

Result filtering

After a tool executes, the results should be filtered before being returned to the agent. Even if a database query is authorized, the results might contain data that shouldn't be included in the agent's response. Filtering at the result level provides defense in depth.

Immutable logging

Every tool call must be logged with full context: what tool was called, what parameters were used, what results were returned, what agent made the call, what user session triggered it, and what policy decisions were evaluated. These logs must be immutable and stored outside the agent's access.

The MCP challenge

The Model Context Protocol is becoming the standard for how AI agents interact with tools and data sources. MCP servers provide a standardized interface for tool access, which is great for interoperability but creates new security challenges.

Trust boundaries

MCP blurs traditional trust boundaries. When an agent connects to an MCP server, it's extending its capabilities to whatever the server provides. If the MCP server is compromised or misconfigured, every agent connected to it is exposed.

Dynamic capabilities

MCP servers can advertise new tools dynamically. An agent that was deployed with access to 5 tools might discover 50 tools at runtime. Security policies need to account for tools that didn't exist at deployment time.

Cross-agent access

In MCP architectures, multiple agents might share access to the same tools through the same server. This creates lateral movement opportunities: compromising one agent's session could provide access to tools and data intended for a different agent.

Building a tool governance framework

Effective tool governance requires:

  1. A complete inventory of every tool every agent can access, including dynamically discovered tools
  2. Risk classification of each tool based on its capabilities (read, write, execute, financial)
  3. Per-agent authorization policies that define which tools each agent can use and with what parameters
  4. Pre-execution validation that checks every tool call against authorization policies before execution
  5. Result filtering that prevents sensitive data from leaking through tool responses
  6. Comprehensive logging that captures the full context of every tool interaction
  7. Continuous monitoring that detects anomalous patterns in tool usage

This is what runtime security for AI agents means in practice. Not a filter on the model's output, but a governance layer on the model's actions.

Related articles

ResearchMarch 15, 2026

Prompt Injection: What You Need to Know

ResearchMarch 12, 2026

Anatomy of an AI Agent Attack

See how Averta OS secures AI agents in production.

Book a demo and see the Multi-Layer Classification Engine, Policy Framework, and OS Guardian in action.

Book a Demo