Tool Use
Tool Calling
Tool use lets an AI model call external capabilities such as search, databases, calculators, APIs, or workflow actions. It expands capability, but permissions and confirmation become central design issues.
What it means
Tool use is the mechanism by which an AI model invokes external systems or functions to retrieve information, compute results, or take actions the model cannot perform by itself. Examples include search, file retrieval, database lookup, calculators, ticket creation, email drafting, and MCP tools. In AI agents, tool use is a core part of execution. Production design needs tool names, descriptions, input schemas, returned fields, permissions, confirmation requirements, error handling, and logs to reduce wrong tool selection and unsafe operations.
How to calculate it
Evaluate tool use by tool-selection accuracy, call success, and action safety.
| Lens | Formula | What it shows |
|---|---|---|
| Selection accuracy | Correct tool choices / tool-choice decisions | Measures model routing quality |
| Execution success rate | Successful calls / calls | Measures schema and integration reliability |
| Approval compliance | Approved high-impact calls / high-impact calls | Checks safe operation |
What counts / what does not
Tool use lets AI call external capabilities; it does not automatically provide business approval or safe authorization.
| Item | Treatment | Why it matters |
|---|---|---|
| Include | Search, calculation, database lookup, API calls, file reading, draft creation | External capability use |
| Exclude | Unlimited permissions, ownerless sending, unapproved deletion or purchase | Needs safety design |
| Make explicit | Tool description, input schema, permissions, confirmation, logs | Reduces misoperation |
What moves the number
Quality depends on tool granularity, descriptions, schemas, permissions, and error design.
| Driver | Metric impact |
|---|---|
| Granularity | Narrow tools are safer but too many tools complicate choice |
| Description | The model needs clear when-to-use guidance |
| Schema | Input constraints reduce execution failures |
| Permissions | Separating read and write rights limits impact |
When it helps
- Teams can decide when the model should answer directly versus retrieve or compute through a tool.
- Agent toolsets can be classified into read, draft, execute, and send categories.
- High-impact tools can require human confirmation while low-risk tools remain fast.
How to use it
- Tool use is the AI's ability to call external capabilities.
- AI agent execution quality depends heavily on tool design.
- Descriptions, schemas, returned fields, permissions, and logs matter.
- High-impact actions need confirmation and rollback.
- MCP is one way to standardize tool and resource exposure.
Decision cautions
More tools can increase wrong-tool and permission risk.
- Expose tools with least privilege, and separate write or external-send actions.
- Define stop conditions so the model does not improvise dangerous alternatives after errors.
- Do not execute high-impact actions without showing the user the evidence and action.
Read with
Tool use should be read with AI agents, MCP, and prompt injection.
| Concept | Role | Why read together |
|---|---|---|
| AI Agent | Uses tools to do work | Defines execution scope |
| MCP | Standardizes tool exposure | Reduces custom integration work |
| Prompt Injection | Untrusted input can redirect tool use | Requires safety design |
Example
An internal AI answers billing questions by using an invoice database lookup tool. The first version is read-only; it cannot resend invoices or edit amounts. The tool accepts customer ID and billing month, and returns only invoice number, amount, and payment state. The pilot works, but some users ask by customer name and the tool fails, so the team improves input guidance and error handling. Later, an invoice-resend draft tool is added, but sending still requires human confirmation.
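A small gateway implementing the design in that example, added here as illustration (not code from the original page): each tool carries a read/draft/execute/send tier and an input schema, high-impact tiers are refused without human approval, only allowlisted fields are returned, and every attempt is logged. Tool names, the sample invoice row and the tier labels are assumptions.

```python
"""Tool gateway: schema check, risk tiers, confirmation gate, field allowlist, audit log."""
from dataclasses import dataclass
# Constructed sample row standing in for the invoice database.
INVOICES = {("C-1001", "2024-05"): {"invoice_no": "INV-77", "amount": 120.0,
                                      "status": "paid", "card_last4": "4242"}}
@dataclass
class Tool:
    tier: str        # "read" | "draft" | "execute" | "send"
    schema: dict     # parameter name -> required type
    returns: tuple   # only these fields leave the gateway
    fn: object       # the callable that does the work

def lookup_invoice(customer_id: str, billing_month: str) -> dict:
    row = INVOICES.get((customer_id, billing_month))
    if row is None:  # e.g. the user gave a customer name instead of an ID
        raise KeyError("no invoice for that customer ID and month")
    return row

def resend_invoice(invoice_no: str) -> dict:
    return {"sent": invoice_no}

TOOLS = {
    "lookup_invoice": Tool("read", {"customer_id": str, "billing_month": str},
                           ("invoice_no", "amount", "status"), lookup_invoice),
    "resend_invoice": Tool("send", {"invoice_no": str}, ("sent",), resend_invoice),
}
HIGH_IMPACT = {"execute", "send"}
AUDIT_LOG: list = []

def call_tool(name: str, args: dict, approved: bool = False):
    # Run one model-requested call; return the allowlisted result or None.
    entry = {"tool": name, "ok": False, "reason": ""}
    AUDIT_LOG.append(entry)   # every attempt is logged, including refusals
    tool = TOOLS.get(name)
    if tool is None:
        entry["reason"] = "unknown tool"
        return None
    bad = [k for k, t in tool.schema.items() if not isinstance(args.get(k), t)]
    if bad or set(args) - set(tool.schema):
        entry["reason"] = f"schema violation: {bad or 'unexpected parameter'}"
        return None
    if tool.tier in HIGH_IMPACT and not approved:
        entry["reason"] = "needs human confirmation"   # stop; do not improvise
        return None
    try:
        result = tool.fn(**args)
    except Exception as exc:
        entry["reason"] = f"tool error: {exc}"           # surface it, no blind retry
        return None
    entry["ok"] = True
    return {k: result[k] for k in tool.returns}          # card_last4 never escapes
```

The audit log entries are what the selection-accuracy and execution-success ratios above are computed from.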
Compare with
| Concept | Difference | Relationship |
|---|---|---|
| Tool Use | Model calls external capabilities | Extends AI capability |
| API | System interface | Often sits behind a tool |
| RPA | Executes predefined steps | Can run without AI reasoning |
Common mistakes
- More tools do not automatically make a system smarter. They can make selection and safety harder.
- Read and write tools should not be treated the same. Their impact differs.
- Tool calls should not be fully delegated to the model for high-impact operations.
Frequently asked questions
Is tool use the same as an API?
No. An API is a system interface; tool use is the AI-facing design for when and how the model invokes that interface.
Should every tool be available to the AI?
No. Start with least privilege and separate read, draft, execute, and send actions.
How does MCP relate?
MCP is one standard way to expose tools and resources to AI applications.