Tool

A tool is an MCP-exposed action that the model can choose to call at runtime. It functions as an executable privilege boundary, because its name, description, and schema shape what the agent believes it may do and what backend actions it can trigger.

Expanded Definition

In MCP-based systems, a tool is more than a function call: it is a bounded capability that an Agent may invoke at runtime, subject to the model’s interpretation of its name, description, and schema. That makes the tool a privilege boundary, not just a convenience layer. In practice, tool design shapes what the Agent believes is safe, allowed, or intended, which is why tool exposure belongs in the same governance conversation as secrets, permissions, and backend trust. Definitions vary across vendors, but the security principle is consistent: every tool should map to a clearly scoped action with explicit inputs, predictable outputs, and a narrow blast radius. For broader identity context, NHI Mgmt Group’s Ultimate Guide to NHIs treats runtime authority as part of the identity surface, not a separate concern, a framing that aligns with the control logic in NIST Cybersecurity Framework 2.0. The most common misapplication is treating a tool as a harmless UI helper while exposing broad backend permissions through an underspecified schema.

Examples and Use Cases

Implementing tools rigorously often introduces a friction tradeoff, requiring organisations to weigh Agent autonomy and speed against tighter approval, logging, and permission boundaries.

  • A ticketing tool lets an Agent create incidents, but only with prevalidated fields and an allowlisted project scope, preventing free-form escalation into unrelated systems.
  • A secrets-retrieval tool exposes only short-lived, audited reads, rather than direct vault browsing, so the Agent can complete tasks without inheriting standing access.
  • An onboarding tool provisions accounts through a workflow engine, where the tool schema forces manager approval and policy checks before any privileged step executes.
  • A cloud-remediation tool can restart a service or rotate a key, but not delete resources, which keeps operational recovery separate from destructive change.
  • In agentic workflows, the same action may appear as a different tool to different models, so teams often compare tool exposure against Ultimate Guide to NHIs guidance on lifecycle control and verify that runtime access still reflects NIST Cybersecurity Framework 2.0 expectations for least privilege and traceability.
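The scoping in the list above (an allowlisted project, prevalidated fields, restart-or-rotate but never delete) comes down to two things a server can actually enforce: a tight argument schema and a dispatch layer that re-validates every call before any backend action runs. The following is an added example, not code from this page or from any MCP implementation; the tool names, project codes, backend stubs and the JSON-Schema subset it validates are assumptions, and it deliberately uses no MCP SDK so that it runs stand-alone.

```python
"""Added example (not from the page): two narrowly scoped MCP-style tools with
server-side argument validation and an audit record per call. Tool names,
project codes, backend stubs and the JSON-Schema subset are all constructed."""
import re
import time
from typing import Any

# Allowlists the server re-checks on every call; the description shown to the
# model is advisory, the schema plus these checks are the real boundary.
ALLOWED_PROJECTS = ["OPS", "SEC"]                         # constructed
ALLOWED_REMEDIATIONS = ["restart_service", "rotate_key"]  # deliberately no delete

# Tool descriptors in the shape MCP servers advertise: name, description and a
# JSON Schema for the arguments. "additionalProperties": False is the part most
# often omitted; without it, unexpected fields pass straight through to the backend.
TOOLS: dict[str, dict[str, Any]] = {
    "create_incident": {
        "description": "Create an incident ticket in an allowlisted project.",
        "inputSchema": {
            "type": "object",
            "properties": {
                "project": {"type": "string", "enum": ALLOWED_PROJECTS},
                "title": {"type": "string", "maxLength": 120},
                "severity": {"type": "string", "enum": ["low", "medium", "high"]},
            },
            "required": ["project", "title", "severity"],
            "additionalProperties": False,
        },
    },
    "remediate": {
        "description": "Restart a service or rotate a key. Cannot delete resources.",
        "inputSchema": {
            "type": "object",
            "properties": {
                "action": {"type": "string", "enum": ALLOWED_REMEDIATIONS},
                "target": {"type": "string", "pattern": r"[a-z0-9-]{1,64}"},
            },
            "required": ["action", "target"],
            "additionalProperties": False,
        },
    },
}

AUDIT_LOG: list[dict[str, Any]] = []

class ToolCallRejected(Exception):
    """The call did not satisfy the tool's declared schema or allowlists."""

def validate(schema: dict[str, Any], args: Any) -> None:
    """Check args against the small JSON-Schema subset used above."""
    if not isinstance(args, dict):
        raise ToolCallRejected("arguments must be an object")
    props = schema.get("properties", {})
    if schema.get("additionalProperties") is False:
        if extra := sorted(set(args) - set(props)):
            raise ToolCallRejected(f"unexpected fields: {extra}")
    if missing := sorted(set(schema.get("required", [])) - set(args)):
        raise ToolCallRejected(f"missing fields: {missing}")
    for name, value in args.items():
        spec = props.get(name, {})
        if spec.get("type") == "string" and not isinstance(value, str):
            raise ToolCallRejected(f"{name} must be a string")
        if "enum" in spec and value not in spec["enum"]:
            raise ToolCallRejected(f"{name} is not in the allowlist")
        if "maxLength" in spec and len(value) > spec["maxLength"]:
            raise ToolCallRejected(f"{name} exceeds maxLength")
        if "pattern" in spec and not re.fullmatch(spec["pattern"], value):
            raise ToolCallRejected(f"{name} has an invalid format")

# Backend stubs standing in for the ticketing system and the cloud API.
def _create_incident(args: dict[str, Any]) -> dict[str, Any]:
    return {"ticket": f"{args['project']}-1001"}  # constructed ticket id

def _remediate(args: dict[str, Any]) -> dict[str, Any]:
    return {"status": "ok", "action": args["action"], "target": args["target"]}

BACKENDS = {"create_incident": _create_incident, "remediate": _remediate}

def call_tool(name: str, args: Any, caller: str = "agent") -> dict[str, Any]:
    """Dispatch one call: validate, execute, and always write an audit entry."""
    entry: dict[str, Any] = {"ts": time.time(), "caller": caller, "tool": name, "args": args}
    try:
        if name not in TOOLS:
            raise ToolCallRejected(f"unknown tool {name!r}")
        validate(TOOLS[name]["inputSchema"], args)
        result = BACKENDS[name](args)
        entry["outcome"] = "allowed"
        return result
    except ToolCallRejected as exc:
        entry["outcome"] = f"rejected: {exc}"
        raise
    finally:
        AUDIT_LOG.append(entry)

def is_rejected(name: str, args: Any) -> bool:
    """True if the server refuses the call before any backend action runs."""
    try:
        call_tool(name, args)
    except ToolCallRejected:
        return True
    return False
```

Two design points carry the weight here. The `"additionalProperties": False` entries, enforced by `validate`, are what stop a crafted or hallucinated extra argument from reaching the backend, and the `enum` on `action` is what keeps `remediate` incapable of deletion no matter how the call is phrased. The audit entry is written in `finally`, so rejected calls are recorded alongside allowed ones; a burst of rejections from one caller is the signal a detection team wants when a prompt has been manipulated.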

Why It Matters in NHI Security

Tools become security-critical because they convert model intent into real-world action. If a tool is too broad, too ambiguous, or poorly separated from higher-privilege backend functions, the Agent can trigger outcomes that look authorized to the model but are unacceptable to the platform owner. That is how tool misuse turns into unauthorized access, accidental data exposure, or destructive automation. This matters especially in NHI security because Agent tool access often sits on top of service accounts, API keys, or federated identities that already carry meaningful privilege. NHI Mgmt Group’s Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges, which shows how quickly runtime power can exceed operational need. Tool governance should therefore support NIST Cybersecurity Framework 2.0 discipline around access control, monitoring, and recovery, especially when tools can modify infrastructure or retrieve Secrets. Organisations typically encounter tool risk only after a model misfires, a prompt is manipulated, or a routine automation causes an incident, at which point addressing the tool boundary becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Agentic AI Top 10 | A2 | Tools are agent actions that can be abused through prompt or schema manipulation. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Tool exposure expands the effective privilege surface of non-human identities. |
| NIST CSF 2.0 | PR.AC-4 | Tool permissions must follow least-privilege and access enforcement principles. |

Treat each tool as privileged access and review its permissions like any NHI entitlement.
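Reviewing a tool like an NHI entitlement means comparing the actions the tool's code path can actually issue with the actions its backing service account or API key holds, and noticing when two tools run as the same identity, since each then inherits the other's authority. The following is an added example and not code from this page; the tool names, identity names and action strings are constructed for illustration.

```python
"""Added example (not from the page): an entitlement review that compares the
actions each tool can issue with what its backing identity actually holds.
Tool names, identities and action strings are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolBinding:
    tool: str                # MCP tool name
    identity: str            # service account or API key the tool runs as
    needed: frozenset[str]   # actions the tool's code path can actually issue


# Constructed inventory. What each identity holds is kept apart from what each
# tool needs, because the gap between the two is the finding.
IDENTITY_GRANTS: dict[str, frozenset[str]] = {
    "sa-ticketing": frozenset({"tickets:create", "tickets:delete", "projects:admin"}),
    "sa-cloud-ops": frozenset({"compute:restart", "kms:rotate", "compute:delete", "secrets:read"}),
}

TOOL_BINDINGS = [
    ToolBinding("create_incident", "sa-ticketing", frozenset({"tickets:create"})),
    ToolBinding("remediate", "sa-cloud-ops", frozenset({"compute:restart", "kms:rotate"})),
    ToolBinding("read_secret", "sa-cloud-ops", frozenset({"secrets:read"})),
]


def review(bindings, grants):
    """Per tool: excess (held but never needed), missing (needed but not held),
    and the other tools that run as the same identity."""
    by_identity: dict[str, list[str]] = defaultdict(list)
    for b in bindings:
        by_identity[b.identity].append(b.tool)
    findings = {}
    for b in bindings:
        held = grants.get(b.identity, frozenset())
        findings[b.tool] = {
            "identity": b.identity,
            "excess": sorted(held - b.needed),
            "missing": sorted(b.needed - held),
            "shared_with": sorted(t for t in by_identity[b.identity] if t != b.tool),
        }
    return findings


def over_privileged(findings):
    """Tools whose identity holds actions the tool itself never needs."""
    return sorted(tool for tool, f in findings.items() if f["excess"])


def least_privilege_grants(bindings):
    """Smallest grant per identity that still serves every tool bound to it.
    A shared identity still ends up with the union of its tools' needs, which
    is why splitting identities matters more than trimming grants."""
    wanted: dict[str, set[str]] = defaultdict(set)
    for b in bindings:
        wanted[b.identity] |= b.needed
    return {identity: frozenset(actions) for identity, actions in wanted.items()}


def excess_ratio(findings):
    """Fraction of tools carrying excess privilege, the inventory-level
    counterpart of the excessive-privilege statistic cited above."""
    if not findings:
        return 0.0
    return len(over_privileged(findings)) / len(findings)
```

Run `review(TOOL_BINDINGS, IDENTITY_GRANTS)` and every tool in the constructed inventory shows excess. Re-running the review against `least_privilege_grants(TOOL_BINDINGS)` removes the standing extras such as `compute:delete` and `projects:admin`, but `remediate` and `read_secret` still show each other's actions as excess because they share `sa-cloud-ops`; that residual finding is the case for one identity per tool rather than a tighter grant on a shared one.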