Subscribe to the Non-Human & AI Identity Journal

What breaks when tool calling is not separated from execution?

When tool calling and execution are not separated, the model’s intent can be mistaken for an authorised action. That creates uncontrolled side effects, weak auditability, and a false sense of safety because the system appears conversational while actually performing privileged work.

Why This Matters for Security Teams

When tool calling and execution are fused, the model can blur intent and action. A prompt that merely suggests a lookup, file write, or ticket update may become a live privileged operation with no meaningful human checkpoint. That undermines separation of duties, weakens audit trails, and turns conversational interfaces into covert control planes. NHI Management Group’s research shows only 5.7% of organisations have full visibility into their service accounts, which is exactly the sort of blind spot this design creates NHI Mgmt Group.

The security impact is broader than one bad action. Once a tool can both decide and act, attackers can steer the model into chained operations, hidden state changes, or credential misuse that looks legitimate in logs. That is why runtime governance matters more than static approval logic, and why guidance from the NIST Cybersecurity Framework 2.0 aligns so closely with explicit control boundaries and auditable execution paths. In practice, many security teams encounter destructive side effects only after the agent has already completed the action, rather than through intentional approval.

How It Works in Practice

The safer pattern is to separate tool selection from tool execution. The model may propose an action, but a policy layer, workflow engine, or human approver must translate that proposal into a permitted execution. This creates a clear boundary between intent and authority. In agentic systems, that boundary is especially important because the agent can combine tools, recurse through tasks, and vary its behaviour at runtime in ways traditional role-based IAM does not predict.

Current practice usually includes four steps:

  • The agent drafts a tool call with parameters, but does not execute it directly.
  • A policy decision point evaluates context such as task type, data sensitivity, environment, and user approval.
  • Short-lived credentials or scoped tokens are issued only for the approved action.
  • The execution layer logs the actual tool invocation, inputs, outputs, and revocation event.

This aligns with emerging agent security guidance such as OWASP Top 10 for Large Language Model Applications and agent governance approaches discussed in Ultimate Guide to NHIs. The practical goal is to make every privileged action explicit, reviewable, and revocable, rather than inferred from model output. That also improves incident response, because responders can distinguish suggested actions from executed actions and revoke the right credential set. These controls tend to break down when a single orchestrator has both planning authority and direct write access to production systems because the approval boundary becomes purely ceremonial.

Common Variations and Edge Cases

Tighter separation often increases latency and operational friction, so organisations must balance safety against automation speed. That tradeoff becomes sharper in high-throughput environments, where dozens of tools, queues, or downstream APIs may be involved in one agent workflow.

There is no universal standard for this yet, but current guidance suggests three common edge cases deserve special handling. First, read-only tools can still become dangerous if their outputs feed into later privileged actions. Second, human-in-the-loop approval is not enough if the same session can later reuse standing access. Third, multi-agent systems need separation at each hop, not just at the entry point, because one agent can delegate unsafe work to another. NHI Mgmt Group’s reporting on the Schneider Electric credentials breach reinforces how quickly credential exposure becomes operational impact once access is not tightly bounded.

For that reason, best practice is evolving toward intent-aware authorisation, ephemeral credentials, and immutable logging of the exact execution path. If an environment cannot enforce those boundaries, especially in production automation or shared service accounts, the design should be treated as privileged code execution rather than safe tool use.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10, CSA MAESTRO and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A1 Directly addresses agent prompt and tool misuse risks.
CSA MAESTRO GOV-02 Covers governance controls for agent decision and action boundaries.
NIST AI RMF GOVERN Supports accountability and oversight for autonomous AI actions.
OWASP Non-Human Identity Top 10 NHI-04 Relevant to credential abuse when tools execute with standing privileges.
NIST CSF 2.0 PR.AC-4 Least-privilege access is central when execution is separated from intent.

Separate proposed tool use from execution and gate it with policy before any privileged action runs.