The pattern where an AI agent moves from one tool or system to another within a single workflow, carrying context and authority across boundaries. This creates a broader attack surface than isolated application calls because one manipulated step can trigger a sequence of connected actions.
Expanded Definition
Cross-system tool chaining describes an AI agent executing a sequence of actions across multiple tools, APIs, and enterprise systems while preserving context, state, and often effective authority from one step to the next. In NHI security, the risk is not the individual tool call alone, but the trust that accumulates as the workflow moves across boundaries.
This pattern is especially important where an agent can read from one system, transform data, and write to another without a human checkpoint. Definitions vary across vendors on where “tool chaining” ends and “agentic orchestration” begins, but the security concern is consistent: the agent may inherit permissions, tokens, or session context that were never intended to span the entire chain. That makes boundary design, step-level authorization, and tool-scoped secrets more important than broad workflow trust. NIST guidance on risk and control mapping in the NIST Cybersecurity Framework 2.0 is useful for framing the governance layer, even though no single standard governs cross-system tool chaining yet.
The most common misapplication is treating a multi-tool agent workflow as a single authenticated session, which occurs when teams reuse the same token or privilege set across every hop.
Examples and Use Cases
Implementing cross-system tool chaining rigorously often introduces latency and permission overhead, requiring organisations to weigh automation speed against tighter step-by-step controls.
- An agent pulls a ticket from a service desk, queries a knowledge base, then opens a change request in an infrastructure platform using the same delegated context.
- A support agent searches a CRM, retrieves a customer record, and updates a billing system after interpreting the result from the first tool.
- An incident-response agent reads alerts, enriches them with logs, and triggers a containment action in a cloud platform, creating a long trust chain.
- A content-generation workflow moves from a repository to a secret scanner, then into deployment tooling, where a compromised upstream step can affect downstream release actions.
- The DeepSeek breach shows how exposed data and embedded secrets can amplify downstream risk when systems are connected through automated workflows.
In practice, cross-system tool chaining should be designed so that each hop has its own policy check, logging boundary, and least-privilege credential. This is where the NIST Cybersecurity Framework 2.0 helps teams translate workflow risk into control expectations, rather than assuming that a single approved agent can safely traverse every connected system.
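The following is an added illustration, not code from the page or from any vendor it cites. It contrasts the misapplication described above (one session token reused across every hop) with the per-hop design: each hop receives a credential scoped to exactly one tool, one action and one chain position, a hypothetical write policy checks the provenance accumulated from earlier hops before any write is allowed, and every decision lands in an audit log. The tool names, the `WRITE_POLICY` allowlists and the local signing key are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed signing key for the example; a real deployment would mint
# per-hop credentials from an STS/KMS-backed issuer, not a process-local key.
SIGNING_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Hop:
    tool: str    # system the agent touches, e.g. "service_desk", "kb", "infra"
    action: str  # "read" or "write"


def mint_hop_token(hop: Hop, step: int) -> str:
    """Credential scoped to one tool, one action and one chain position."""
    claim = f"{hop.tool}:{hop.action}:{step}"
    sig = hmac.new(SIGNING_KEY, claim.encode(), hashlib.sha256).hexdigest()
    return f"{claim}:{sig}"


def token_valid_for(token: str, hop: Hop, step: int) -> bool:
    """A token minted for hop N is not accepted at hop M or by another tool."""
    return hmac.compare_digest(token, mint_hop_token(hop, step))


# Hypothetical policy: a write into a target may only consume data whose
# upstream sources are all on that target's allowlist.
WRITE_POLICY = {
    "infra": {"service_desk", "kb"},
    "billing": {"crm"},
}


def run_chain(hops):
    """Authorize every hop against accumulated provenance; stop at the first
    denial. Returns (audit_log, completed)."""
    audit, sources = [], set()
    for step, hop in enumerate(hops):
        token = mint_hop_token(hop, step)   # fresh credential for this hop only
        assert token_valid_for(token, hop, step)
        if hop.action == "write":
            allowed = WRITE_POLICY.get(hop.tool, set())
            tainted = sorted(sources - allowed)  # upstream data the target may not trust
            if tainted:
                audit.append((step, hop.tool, hop.action, "DENIED", tainted))
                return audit, False
        audit.append((step, hop.tool, hop.action, "OK", sorted(sources)))
        if hop.action == "read":
            sources.add(hop.tool)  # data from this tool now flows downstream
    return audit, True
```

Running the service-desk to knowledge-base to infrastructure chain from the examples above completes, while a chain that mixes knowledge-base content into a billing write is denied at the write hop, with the untrusted source recorded in the audit entry.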
Why It Matters in NHI Security
Cross-system tool chaining expands the blast radius of compromised NHIs because one abused tool call can become a write action in a different system. That is a major concern when secrets, tokens, or delegated service accounts are reused across tools, since the attacker does not need to defeat every boundary independently. The security problem becomes sharper when workflow context includes sensitive records, because downstream systems often trust the upstream agent more than they should.
NHIMG research on LLMjacking: How Attackers Hijack AI Using Compromised NHIs shows that when AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases. That speed matters because chained workflows can turn a brief credential exposure into rapid lateral movement across multiple systems. The same risk pattern appears in The State of Secrets in AppSec research, where secret leakage and fragmented controls make downstream compromise easier to operationalise. Organisationally, the control gap is amplified by poor alignment with identity and access governance, which is why the NIST Cybersecurity Framework 2.0 remains relevant for mapping authorization and monitoring expectations.
Organisations typically encounter the consequences only after a chained workflow has approved an unintended action, at which point the whole chain, not just the final step, has to be investigated and contained.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Addresses agent workflows that chain tool use and inherit context across actions. |
| OWASP Non-Human Identity Top 10 | NHI-05 | Cross-system chaining increases exposure from overprivileged NHIs and shared credentials. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access control is central when authority moves across multiple systems. |
Limit each tool hop, require step-level checks, and constrain agent authority before chaining actions.