Tool routing is the practice of letting an AI agent invoke external capabilities such as search, image generation, transcription, publishing, or code execution. It shifts the governance problem from model selection to delegated action, because the agent now reaches other systems through credentials and connectors.
Expanded Definition
Tool routing describes how an AI agent selects and invokes external tools at runtime, including search, transcription, image generation, code execution, ticket creation, or publishing workflows. In NHI security, the critical issue is not the model itself but the delegated action path: the agent reaches other systems through connectors, service accounts, tokens, and scoped credentials. Definitions vary across vendors, especially when tool routing overlaps with orchestration, function calling, or MCP-based integrations, so no single standard governs this yet. The practical boundary is whether the agent can trigger a side effect outside the model boundary. When that is true, tool routing becomes an identity and access problem as much as an AI design problem, and it should be governed with the same discipline used for NIST Cybersecurity Framework 2.0 controls around access, logging, and recovery.
The most common misapplication is treating routing logic as harmless middleware, which occurs when teams approve broad tool permissions before they define per-action authorization, token scope, and audit requirements.
Examples and Use Cases
Implementing tool routing rigorously often introduces latency, approval overhead, and connector maintenance, requiring organisations to weigh automation speed against the cost of tighter control.
- An internal support agent routes a password reset request to an ITSM system, but only after verifying the requester and limiting the action to a single ticket class.
- A research agent sends queries to search and document-retrieval tools while keeping read-only access separated from publishing or export capabilities.
- An operations agent uses code execution to test a deployment, but the execution environment is isolated and the credentials are short-lived, aligned with Ultimate Guide to NHIs guidance on lifecycle control.
- A media agent generates images and then uploads them to a content system, but the upload connector is restricted to pre-approved destinations and logged for review.
- An integration agent uses MCP-style connectors to pull data from multiple systems, but each tool call is governed as a distinct non-human identity action rather than a generic API request.
These patterns align with the access governance emphasis in NIST Cybersecurity Framework 2.0, especially when routing decisions affect confidentiality or integrity.
Why It Matters in NHI Security
Tool routing becomes risky when teams assume the AI agent is only “deciding” rather than acting. Once the agent can invoke external systems, every tool path inherits NHI concerns: secret storage, privilege scope, revocation, logging, and third-party exposure. NHI Mgmt Group research shows that 97% of NHIs carry excessive privileges, which makes unchecked routing especially dangerous because a single overbroad connector can expand impact across multiple systems. The same pattern appears in secret handling: if routing relies on long-lived API keys or shared tokens, compromise of the agent can become compromise of downstream applications. The issue is closely related to Zero Trust and PAM because the correct control model is not trust in the model output, but verification of each delegated action against policy, identity, and context. That is why the broader NHI lifecycle and rotation discipline described in the Ultimate Guide to NHIs is directly relevant here, especially when routing is embedded in production workflows.
Organisations typically encounter the consequences only after a routed action deletes data, exposes a secret, or publishes unintended content, at which point governing tool routing becomes operationally unavoidable.
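The patterns in the use cases above and the per-action verification described in this section, as an added illustration that is not code from NHI Mgmt Group: each tool call is checked as a distinct non-human identity action against a constructed allowlist (agent identity, tool, action, and approved parameter values), executed with a short-lived scoped credential instead of a shared key, and written to an audit log whether it was allowed or denied. The agent names, tool names and policy entries are hypothetical.

```python
from dataclasses import dataclass
import secrets
import time

@dataclass
class ToolCall:
    agent: str     # non-human identity issuing the request
    tool: str      # connector being routed to, e.g. "itsm", "cms"
    action: str    # specific side effect, e.g. "create_ticket", "upload"
    params: dict

# Constructed per-identity allowlist mirroring the patterns above:
# (tool, action) -> parameter values that are pre-approved for that agent.
POLICY = {
    "support-agent": {("itsm", "create_ticket"): {"ticket_class": {"password_reset"}}},
    "research-agent": {("search", "query"): {}, ("docs", "read"): {}},  # no publish/export
    "media-agent": {("cms", "upload"): {"destination": {"cms://marketing/approved"}}},
}

AUDIT_LOG = []  # every routed call lands here, allowed or denied

def authorize(call):
    """Verify one delegated action against identity, action scope and context."""
    rules = POLICY.get(call.agent)
    if rules is None:
        return False, "unknown agent identity"
    constraints = rules.get((call.tool, call.action))
    if constraints is None:
        return False, f"{call.tool}.{call.action} not permitted for {call.agent}"
    for key, allowed in constraints.items():
        if call.params.get(key) not in allowed:
            return False, f"{key}={call.params.get(key)!r} is outside the approved set"
    return True, "ok"

def mint_scoped_token(call, ttl_s=60):
    """Short-lived, single-action credential in place of a shared long-lived key."""
    return {"sub": call.agent, "scope": f"{call.tool}:{call.action}",
            "exp": time.time() + ttl_s, "tok": secrets.token_hex(8)}

def route(call, executor):
    """Authorize, mint a scoped credential, execute, and log the outcome either way."""
    ok, reason = authorize(call)
    entry = {"agent": call.agent, "tool": call.tool, "action": call.action,
             "params": call.params, "allowed": ok, "reason": reason}
    if ok:
        entry["result"] = executor(call, mint_scoped_token(call))
    AUDIT_LOG.append(entry)
    return entry
```

The `executor` argument stands in for the real connector; in production it would receive only the scoped token, never a shared long-lived credential.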
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Agent tool invocation is a core attack surface in agentic AI guidance. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Routing often depends on secrets and service accounts under NHI controls. |
| NIST Zero Trust (SP 800-207) | AC-4 | Tool calls should be authorized per request under Zero Trust principles. |
Constrain tool permissions, validate outputs, and log every agent action.
Related resources from NHI Mgmt Group
- When should organizations consider adopting advanced tool discovery for AI agents?
- How can organizations mitigate tool misuse in agentic deployments?
- What is the difference between tool consolidation and governance improvement?
- How can organisations reduce blast radius when an AI tool is compromised?
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org