TL;DR: Agentic apps can misuse legitimate tools in harmful sequences, even when authentication and authorization pass, according to WorkOS. The missing control is not identity alone but invocation policy that validates arguments, tracks chains, and gates risky actions before damage compounds.
NHIMG editorial — based on content published by WorkOS: Securing agentic apps, how to stop your AI agents from misusing their own tools
Questions worth separating out
Q: How should security teams implement tool misuse controls for AI agents?
A: Start by separating entitlement (which tools an agent may call at all) from invocation policy (whether this particular call, with these arguments, at this point in the session, should be allowed to run).
Q: Why do valid tool calls still create risk in agentic applications?
A: Because agentic harm often comes from composition, not from any single call.
Q: What do security teams get wrong about agent authorization?
A: They often treat role checks as sufficient because every call appears schema-valid and authorised.
Practitioner guidance
- Implement argument validation at the tool boundary: validate every high-risk parameter before a request reaches the MCP server.
- Map dangerous tool chains and enforce session controls: track sequences such as database read, file write, and external send within a session.
- Add plan review for multi-step agent tasks: require the agent to declare its intended steps before execution when the task can lead to destructive or high-impact actions.
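The three controls above fit naturally into one policy layer that sits between the agent and the tool server. The middleware below is an added example written for this editorial; it is not code from WorkOS or from the NHIMG page. The tool names (`db.query`, `file.write`, `email.send`, `http.post`), the argument rules, the chain patterns, the `/workspace/` and `example.com` allowlists, and the sample calls are all constructed assumptions. It also shows an audit mode: a call that would be denied is logged with its reason and let through, so enforcement can be turned on after the log has been reviewed.

```python
"""Invocation-policy middleware between an agent and its tool (MCP) server:
argument validation at the tool boundary, per-session chain tracking, and a
plan/approval gate for high-risk steps. Added illustration, not WorkOS's or
NHIMG's code; tool names, rules, allowlists and sample calls are assumptions."""
from dataclasses import dataclass, field
import re
from typing import Callable, Optional

# Tools that can cause damage on their own (assumed set).
HIGH_RISK = {"file.write", "email.send", "http.post"}

# Ordered tool sequences that are dangerous in combination (assumed):
# a read followed by an external send is the classic exfiltration shape.
CHAINS = {
    "read-write-send": ("db.query", "file.write", "email.send"),
    "read-send": ("db.query", "email.send"),
    "read-post": ("db.query", "http.post"),
}

def _validate_sql(args):
    """Reject destructive or stacked statements on a read-only query tool."""
    sql = args.get("sql", "")
    if re.search(r"\b(drop|truncate|delete|alter|update|insert)\b", sql, re.I):
        return "destructive SQL in read-only tool"
    if ";" in sql.strip().rstrip(";"):
        return "stacked SQL statements"
    return None

def _validate_path(args):
    """Confine writes to the task workspace and reject traversal."""
    path = args.get("path", "")
    if not path.startswith("/workspace/") or ".." in path.split("/"):
        return f"write outside workspace: {path!r}"
    return None

def _validate_recipient(args):
    """Only allow mail to the assumed internal domain."""
    to = args.get("to", "")
    if not to.lower().endswith("@example.com"):
        return f"external recipient: {to!r}"
    return None

VALIDATORS = {"db.query": _validate_sql, "file.write": _validate_path,
              "email.send": _validate_recipient}

def _is_subsequence(pattern, seq):
    """True if pattern occurs in seq in order (not necessarily adjacent)."""
    it = iter(seq)
    return all(any(x == p for x in it) for p in pattern)

@dataclass
class Session:
    task: str
    history: list = field(default_factory=list)   # tools invoked so far
    approved_plan: Optional[tuple] = None         # declared and reviewed steps

@dataclass
class Decision:
    allowed: bool
    reason: str
    enforced: bool   # False in audit mode: a would-deny is logged, not blocked

class InvocationPolicy:
    def __init__(self, mode="enforce",
                 approver: Callable[[str, tuple], bool] = lambda task, plan: False):
        self.mode = mode          # "audit" or "enforce"
        self.approver = approver  # stands in for the human approval step
        self.log = []             # permitted and denied calls with context

    def review_plan(self, session, plan):
        """A plan that touches a high-risk tool or matches a dangerous chain
        needs explicit approval tied to this task before any step executes."""
        plan = tuple(plan)
        risky = any(t in HIGH_RISK for t in plan) or any(
            _is_subsequence(c, plan) for c in CHAINS.values())
        if risky and not self.approver(session.task, plan):
            return False
        session.approved_plan = plan
        return True

    def _evaluate(self, session, tool, args):
        validator = VALIDATORS.get(tool)
        if validator and (why := validator(args)):
            return f"argument rejected: {why}"
        plan = session.approved_plan or ()
        if tool in HIGH_RISK and tool not in plan:
            return f"high-risk tool {tool} outside approved plan"
        prospective = session.history + [tool]
        for name, chain in CHAINS.items():
            if _is_subsequence(chain, prospective) and not _is_subsequence(chain, plan):
                return f"unapproved chain {name}: {' -> '.join(chain)}"
        return None

    def check(self, session, tool, args):
        """Gate one call; run this before forwarding the request to the tool server."""
        reason = self._evaluate(session, tool, args)
        enforced = self.mode == "enforce"
        allowed = reason is None or not enforced
        self.log.append({"task": session.task, "tool": tool, "args": args,
                         "history": list(session.history),
                         "decision": "allow" if reason is None else "deny",
                         "enforced": enforced, "reason": reason or "ok"})
        if allowed:
            session.history.append(tool)
        return Decision(allowed, reason or "ok", enforced)
```

Two things worth noticing in how it behaves: a `file.write` into the workspace is rejected when no plan has been reviewed, even though the arguments are fine, and an `email.send` that each check accepts on its own is still denied once the session history makes it the tail of a read-then-send chain the approved plan did not cover. The log records the history at decision time alongside the arguments, which is the context signal you need when a denied call is later questioned.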
What's in the full article
WorkOS's full article covers the operational detail this post intentionally leaves for the source:
- Policy examples for validating database, file, and email tool arguments before the MCP server executes them.
- A session-level chain analysis model for spotting exfiltration patterns across multiple authorised tool calls.
- An audit-mode rollout sequence for turning on enforcement without breaking legitimate agent workflows.
- Middleware design guidance for logging denied calls, permitted calls, and context signals together.
👉 Read WorkOS's article on securing agentic apps against tool misuse →
Agentic tool misuse: are your controls catching unsafe tool chains?
Explore further
Tool misuse in agentic systems is a governance failure, not an authorization failure. The vendor’s article is correct that role checks can all pass while the resulting workflow is unsafe. That means the control model has to move from entitlement to invocation policy, where argument shape, call order, and task context are inspected together. Practitioners should treat this as a new runtime governance layer, not a refinement of RBAC alone.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- That same report finds 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
A question worth separating out:
Q: Who should approve high-risk agent actions in production?
A: High-risk actions such as destructive writes, deployment changes, and external data transfer should require explicit human approval before the chain completes. The approval should be tied to the task, the plan, and the current session context, not just to the identity of the agent. That preserves accountability when the workflow itself becomes the risk.
👉 Read our full editorial: Tool misuse in agentic apps exposes a missing policy layer