Ultra13
Learn · Tool-Call Security

How do you secure AI agent tool calls?

AI agent tool calls should be inspected before execution. The control point should check the tool name, arguments, target resource, tenant, identity, data class, side effects, destination, and the trust level of the context that influenced the call. High-risk sinks such as exports, writes, shell execution, browser actions, payments, and webhooks should require policy approval or human approval.

By the Ultra13 teamPublished Updated
TL;DR
  • Inspect every tool call before it executes, not after.
  • Check name, args, resource, tenant, identity, data class, and side effects.
  • Weight the decision by the trust of the context that triggered the call.
  • Gate high-risk sinks — exports, writes, shell, payments, webhooks — with approval.

What to check before execution

A tool call is a sink. Before it runs, evaluate the tool name, arguments, target resource, tenant, caller identity, data classification, and side effects — and whether the context that produced the call was trusted enough to authorize it. See MCP security for the tool-discovery angle.

Excessive agency and least privilege

Most agent incidents are excessive agency: the agent could do more than the situation warranted. Scope tool permissions tightly, require approval for high-blast-radius actions, and prevent untrusted context from expanding what the agent may do — the core of a context firewall.

FAQ

Frequently asked questions

How do you stop AI agents from executing unsafe code?
Treat shell and code execution as high-risk sinks: inspect the command, require approval, and never let untrusted context authorize execution. Fail closed on uncertainty.
How do you prevent confused deputy attacks in tool calls?
Bind each call to an identity and tenant, and enforce source-to-sink policy so an untrusted source cannot borrow the agent's privileges to act.

See where the firewall stops the path.

Give us one agent workflow. We’ll map the context boundary, replay the abuse paths, and show where the Context Firewall blocks them.