Tool calling is the pattern where a model selects and invokes an external function during runtime. In agent systems this turns text generation into action execution, so the access decision must be constrained, logged, and governed like any other privileged interaction.
Expanded Definition
Tool calling is the runtime pattern in which an AI model chooses an external function, passes structured inputs, and incorporates the result into the next step of execution. In NHI security, the important shift is that a model is no longer just generating text. It is triggering an action with an identity, a scope, and an audit trail. That makes tool calling a governance problem as much as a technical integration pattern.
Definitions vary across vendors, especially when tool calling is conflated with plugins, function invocation, or agent orchestration. The practical distinction is that tool calling should be treated as a bounded privilege use case with explicit allowlists, input validation, logging, and revocation controls. The control plane matters because every callable tool is effectively an authority boundary. When this pattern is used in enterprise workflows, the model should only be able to reach the minimum set of functions needed for the task, similar to how NIST Cybersecurity Framework 2.0 frames governed access and resilient execution.
The most common misapplication is exposing broad internal APIs to a model and assuming natural-language instructions are a sufficient security boundary, which occurs when tool access is designed for convenience before privilege design.
Examples and Use Cases
Implementing tool calling rigorously often introduces latency, developer overhead, and tighter permission design, requiring organisations to weigh faster automation against greater containment and review cost.
- A support agent calls a ticketing API to open, update, or close cases, but only after policy checks confirm the request matches the approved workflow.
- An internal assistant queries an inventory or CMDB service to retrieve asset data, using a read-only token with scoped access and monitored usage.
- An AI workflow triggers a payment or refund function, but the callable action is wrapped in human approval, rate limits, and transaction logging.
- A security assistant uses a secrets lookup tool to validate whether an application has rotated credentials, referencing governance guidance from the Ultimate Guide to NHIs.
- An agent fetches cloud configuration details through a discovery tool, but the tool is constrained to a narrow read path aligned with NIST Cybersecurity Framework 2.0 governance expectations.
In mature implementations, the model never receives blanket access to a platform. Instead, each tool call is mapped to a specific identity, purpose, and audit requirement so that execution can be bounded even when the model’s reasoning is dynamic.
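The bounded-privilege pattern the examples above describe, as an added illustration that is not code from the original page: a small tool-call gateway that checks an allowlist, validates argument shapes, binds each tool to a scoped identity, demands human approval for the refund action, applies a per-tool rate limit and writes an audit record for every decision. Tool names, identity labels and limits are constructed for the example.

```python
# Added example: a policy gate placed between the model and its tools.
# Tool names, identities and limits below are constructed, not real services.
import time
from collections import deque

AUDIT_LOG = []  # append-only audit records, one per attempted call

# Allowlist: tool -> identity the call runs as, required argument types,
# whether a human must approve, and a per-minute call budget.
TOOL_POLICY = {
    "ticket.update": {"identity": "svc-support-rw", "args": {"ticket_id": str, "status": str},
                      "approval": False, "per_minute": 30},
    "cmdb.lookup": {"identity": "svc-cmdb-ro", "args": {"asset_id": str},
                    "approval": False, "per_minute": 60},
    "payments.refund": {"identity": "svc-payments", "args": {"order_id": str, "amount": float},
                        "approval": True, "per_minute": 5},
}
_CALLS = {name: deque() for name in TOOL_POLICY}  # call timestamps per tool

def _within_rate_limit(tool, now, per_minute):
    window = _CALLS[tool]
    while window and now - window[0] > 60:  # drop calls outside the window
        window.popleft()
    if len(window) >= per_minute:
        return False
    window.append(now)
    return True

def authorize_call(tool, args, approved_by=None, now=None):
    """Return (allowed, reason); every decision is logged, allowed or not."""
    now = time.time() if now is None else now
    policy = TOOL_POLICY.get(tool)
    if policy is None:
        reason = "tool not on allowlist"
    elif set(args) != set(policy["args"]) or any(
            not isinstance(args[k], t) for k, t in policy["args"].items()):
        reason = "argument schema mismatch"
    elif policy["approval"] and not approved_by:
        reason = "human approval required"
    elif not _within_rate_limit(tool, now, policy["per_minute"]):
        reason = "rate limit exceeded"
    else:
        reason = "ok"
    allowed = reason == "ok"
    AUDIT_LOG.append({"ts": now, "tool": tool, "args": args,
                      "identity": policy["identity"] if policy else None,
                      "approved_by": approved_by, "allowed": allowed, "reason": reason})
    return allowed, reason
```

Only a call that passes every check is counted against the rate budget, so rejected calls cannot exhaust a tool's quota.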
Why It Matters in NHI Security
Tool calling matters because it turns model output into privileged action. If the model is tricked, over-permissioned, or poorly instrumented, the result can be data exposure, unauthorized transactions, lateral movement, or secrets misuse. NHIMG research shows that 97% of NHIs carry excessive privileges, which is exactly the condition that makes model-triggered misuse dangerous when tool access is broad rather than least-privileged. The same research also shows that 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage, reinforcing that action-capable identities cannot be treated as benign automation.
This is why tool calling must be governed as part of the broader NHI lifecycle, not only as an application feature. Access scoping, approval boundaries, secret handling, and revocation all matter because the tool itself becomes an execution surface. The governance lesson in the Ultimate Guide to NHIs is that visibility and rotation failures compound quickly once an agent is allowed to act on its own. Organisations typically encounter the blast radius only after a model has called the wrong tool, at which point governing tool calling becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agentic AI guidance | Covers tool use, authorization, and unsafe action execution. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Tool calling depends on secure secret and credential handling for invoked services. |
| NIST CSF 2.0 | PR.AA-1 | Identity proofing and access control principles apply to machine-initiated actions. |
Constrain every tool call with policy, approval, and logging before the model can act.