Secure Tool Calling for LLM Agents

Tool-enabled agents can execute real actions: create users, close tickets, rotate credentials, or query sensitive systems. That is powerful, and it turns prompt quality into an authorization problem.

The model should never be the policy engine. Treat tool calls like API requests from an untrusted client and enforce deterministic policy checks before execution.

Context

Problem: Direct model-to-tool execution allows prompt-level abuse to trigger privileged actions.

Approach: Use a policy broker that validates identity, intent, and scope for every tool call.

Outcome: Unsafe or out-of-policy tool requests are blocked even when model output is persuasive.

Threat model and failure modes

  • Prompt injection steering the agent toward unauthorized actions.
  • Argument overreach where tool parameters exceed approved scope.
  • Sensitive data exfiltration via diagnostic or export tools.
  • Action chaining that bypasses approval requirements.

Control design

  • Broker all tool requests through a policy service with explicit allow/deny rules.
  • Validate arguments against strict schemas and bounded value ranges.
  • Require step-up approval for state-changing operations.
  • Attach user and session identity to each tool invocation.
  • Log denied calls and feed them into detection analytics.

Implementation pattern

Use an allowlist by role and action. If an analyst asks the agent for enrichment, the agent can call read-only tools. Anything mutating identity, network, or production state should require a higher trust path.

{
  "tool": "disable_user",
  "requested_by": "analyst@corp",
  "resource": "user:jsmith",
  "justification": "suspected token theft",
  "policy_result": "deny",
  "reason": "requires incident_commander role"
}

Research and standards

These controls align well with guidance from OWASP Top 10 for LLM Applications, NIST AI RMF practices, and MITRE ATLAS adversarial behavior patterns.

Validation checklist

  • Attempt out-of-scope arguments and verify schema rejection.
  • Trigger high-impact tools without approval context and verify denial.
  • Review broker logs for complete identity and policy traces.
  • Inject malicious instructions into retrieved context and observe blocked calls.
  • Benchmark latency to ensure policy checks do not break usability.
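The following Python broker is an added example, not code from the original post. It implements the control design and implementation pattern described above (role-based allowlist by action, strict argument schemas with bounded values, step-up approval for mutating tools, identity attached to every call, and a denial log for detection), and its demo() function exercises the first three checklist items: an out-of-scope argument, a high-impact tool without approval context, and a review of the denial log. Role names, tool names, the schemas, the approval token, and the sample sessions are constructed assumptions; the analyst's disable_user request reproduces the deny decision shown in the JSON record.

```python
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Role -> tools that role may invoke (constructed roles and tool names).
ROLE_ALLOWLIST = {
    "analyst": {"lookup_user", "get_alert"},
    "incident_commander": {"lookup_user", "get_alert", "disable_user"},
}

# Tools that change state and therefore need step-up approval.
MUTATING_TOOLS = {"disable_user"}

def _user_resource(v) -> bool:
    # Strict resource format "user:<login>" with a bounded length.
    return isinstance(v, str) and v.startswith("user:") and 6 <= len(v) <= 64

def _text(max_len: int) -> Callable:
    return lambda v: isinstance(v, str) and 1 <= len(v) <= max_len

# Argument schema per tool: the exact key set and a validator for each key.
# Extra keys are rejected, so the model cannot smuggle in additional options.
TOOL_SCHEMAS = {
    "lookup_user": {"resource": _user_resource},
    "get_alert": {"alert_id": lambda v: isinstance(v, int) and 0 < v < 10_000_000},
    "disable_user": {"resource": _user_resource, "justification": _text(500)},
}

@dataclass
class Session:
    user: str
    roles: frozenset
    approval_token: Optional[str] = None  # granted out of band by an approver (assumed flow)

@dataclass
class Decision:
    policy_result: str  # "allow" or "deny"
    reason: str

DENIED_CALLS: list = []  # denial log, the feed for detection analytics

def evaluate(session: Session, request: dict) -> Decision:
    """Deterministic policy check that fails closed on anything unexpected."""
    tool = request.get("tool")
    args = request.get("arguments")
    if not isinstance(args, dict):
        return _deny(session, request, "arguments must be an object")

    # 1. Identity and allowlist: does any of the caller's roles permit this tool?
    if tool not in TOOL_SCHEMAS:
        return _deny(session, request, "unknown tool")
    permitted = set().union(*(ROLE_ALLOWLIST.get(r, set()) for r in session.roles))
    if tool not in permitted:
        needed = sorted(r for r, tools in ROLE_ALLOWLIST.items() if tool in tools)
        return _deny(session, request, f"requires {' or '.join(needed)} role")

    # 2. Schema: exact key set and bounded values.
    schema = TOOL_SCHEMAS[tool]
    if set(args) != set(schema):
        return _deny(session, request, "argument set does not match schema")
    for key, check in schema.items():
        if not check(args[key]):
            return _deny(session, request, f"argument '{key}' out of bounds")

    # 3. Step-up approval for state-changing tools.
    if tool in MUTATING_TOOLS and not session.approval_token:
        return _deny(session, request, "mutating tool requires step-up approval")

    return Decision("allow", "within role, schema and approval policy")

def _deny(session: Session, request: dict, reason: str) -> Decision:
    # Record the identity and policy trace for every denied call.
    DENIED_CALLS.append({
        "tool": request.get("tool"),
        "requested_by": session.user,
        "resource": (request.get("arguments") or {}).get("resource"),
        "policy_result": "deny",
        "reason": reason,
    })
    return Decision("deny", reason)

def demo() -> list:
    """Replays the post's deny scenario plus constructed overreach cases."""
    analyst = Session("analyst@corp", frozenset({"analyst"}))
    ic_no_approval = Session("ic@corp", frozenset({"incident_commander"}))
    ic_approved = Session("ic@corp", frozenset({"incident_commander"}), approval_token="appr-0001")
    disable = {"tool": "disable_user",
               "arguments": {"resource": "user:jsmith", "justification": "suspected token theft"}}
    return [
        evaluate(analyst, {"tool": "lookup_user", "arguments": {"resource": "user:jsmith"}}),  # allow
        evaluate(analyst, disable),                                                           # deny: role
        evaluate(analyst, {"tool": "lookup_user",
                           "arguments": {"resource": "user:jsmith", "dump_all": True}}),     # deny: schema
        evaluate(ic_no_approval, disable),                                                    # deny: no step-up
        evaluate(ic_approved, disable),                                                       # allow
    ]

if __name__ == "__main__":
    for d in demo():
        print(json.dumps(d.__dict__))
    print(json.dumps(DENIED_CALLS, indent=2))
```

The broker never consults the model's wording: the justification is stored for the audit trail but has no bearing on the decision, and any request that does not match a known tool, role, schema, or approval state is denied. Latency for this kind of check is dominated by the lookup tables, so it is cheap enough to sit in front of every call.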

Takeaways

Secure agents by demoting the model to planner and keeping authorization deterministic. Tool safety should fail closed under ambiguity.

This post is licensed under CC BY 4.0 by the author.