Business Term

Tool Use

Japanese: ツール呼び出し (tool calling)

Tool use lets an AI model call external capabilities such as search, databases, calculators, APIs, or workflow actions. It expands capability, but permissions and confirmation become central design issues.

Formula: Correct tool choices / tool-choice decisions
Use when: Teams can decide when the model should answer directly versus retrieve or compute through a tool.
Watch out: Search, calculation, database lookup, API calls, file reading, draft creation

Updated: 07/04/2026 | Quality: Reviewed | Page tier: Reviewed article | Sources: 3

What it means

Tool use is the mechanism by which an AI model invokes external systems or functions to retrieve information, compute results, or take actions the model cannot perform by itself. Examples include search, file retrieval, database lookup, calculators, ticket creation, email drafting, and MCP tools. In AI agents, tool use is a core part of execution. Production design needs tool names, descriptions, input schemas, returned fields, permissions, confirmation requirements, error handling, and logs to reduce wrong tool selection and unsafe operations.

How to calculate it

Evaluate tool use by tool-selection accuracy, call success, and action safety.

Lens | Formula / treatment | When to use it
Selection accuracy | Correct tool choices / tool-choice decisions | Measures model routing quality
Execution success rate | Successful calls / calls | Measures schema and integration reliability
Approval compliance | Approved high-impact calls / high-impact calls | Checks safe operation

What counts / what does not

Tool use lets AI call external capabilities; it does not automatically provide business approval or safe authorization.

Item | Treatment | Why it matters
Include | Search, calculation, database lookup, API calls, file reading, draft creation | External capability use
Exclude | Unlimited permissions, ownerless sending, unapproved deletion or purchase | Needs safety design
Make explicit | Tool description, input schema, permissions, confirmation, logs | Reduces misoperation

What moves the number

Quality depends on tool granularity, descriptions, schemas, permissions, and error design.

Driver | Metric impact
Granularity | Narrow tools are safer but too many tools complicate choice
Description | The model needs clear when-to-use guidance
Schema | Input constraints reduce execution failures
Permissions | Separating read and write rights limits impact

When it helps

  • Teams can decide when the model should answer directly versus retrieve or compute through a tool.
  • Agent toolsets can be classified into read, draft, execute, and send categories.
  • High-impact tools can require human confirmation while low-risk tools remain fast.

How to use it

  • Tool use is the AI's ability to call external capabilities.
  • AI agent execution quality depends heavily on tool design.
  • Descriptions, schemas, returned fields, permissions, and logs matter.
  • High-impact actions need confirmation and rollback.
  • MCP is one way to standardize tool and resource exposure.

Decision cautions

More tools can increase wrong-tool and permission risk.

  • Expose tools with least privilege, and separate write or external-send actions.
  • Define stop conditions so the model does not improvise dangerous alternatives after errors.
  • Do not execute high-impact actions without showing the user the evidence and action.

Read with

Tool use should be read with AI agents, MCP, and prompt injection.

Metric | Role | Why read together
AI Agent | Uses tools to do work | Defines execution scope
MCP | Standardizes tool exposure | Reduces custom integration work
Prompt Injection | Untrusted input can redirect tool use | Requires safety design

Example

An internal AI answers billing questions by using an invoice database lookup tool. The first version is read-only; it cannot resend invoices or edit amounts. The tool accepts customer ID and billing month, and returns only invoice number, amount, and payment state. The pilot works, but some users ask by customer name and the tool fails, so the team improves input guidance and error handling. Later, an invoice-resend draft tool is added, but sending still requires human confirmation.
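The invoice scenario above as a small tool gateway, added here as an illustration and not code from the original page. The tool names, ID formats, sample invoice, and the choice to treat the execute and send classes as the ones needing confirmation are assumptions.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Tool fields: impact class, {arg: regex}, fields returned to the model, backing callable.
Tool = namedtuple("Tool", "impact schema returns handler")
NEEDS_CONFIRMATION = {"execute", "send"}  # assumed high-impact classes

@dataclass
class Gateway:
    tools: dict      # tool name -> Tool
    granted: set     # impact classes this agent may use (least privilege)
    log: list = field(default_factory=list)

    def call(self, name, args, confirmed_by=None):
        tool, status, result = self.tools.get(name), "ok", None
        if tool is None or tool.impact not in self.granted:
            status = "denied"
        elif set(args) != set(tool.schema) or not all(
                isinstance(v, str) and re.fullmatch(tool.schema[k], v)
                for k, v in args.items()):
            status = "invalid_input"  # stop condition: report, do not guess
        elif tool.impact in NEEDS_CONFIRMATION and not confirmed_by:
            status = "needs_confirmation"
        else:
            row = tool.handler(**args)
            status = "ok" if row else "not_found"
            result = {k: row[k] for k in tool.returns} if row else None
        self.log.append({"tool": name, "status": status, "confirmed_by": confirmed_by})
        return status, result

# Constructed sample data; tool names and ID formats are hypothetical.
INVOICES = {("C-1001", "2026-03"): {"number": "INV-42", "amount": 1200, "payment_state": "paid"}}
ARGS = {"customer_id": r"C-\d{4}", "billing_month": r"\d{4}-(0[1-9]|1[0-2])"}
OUTBOX = []  # stands in for the real mail system

def find(customer_id, billing_month):
    return INVOICES.get((customer_id, billing_month))

def send(customer_id, billing_month):
    row = find(customer_id, billing_month)
    if row:
        OUTBOX.append(row["number"])
    return row

def build_gateway(granted):
    return Gateway({
        "invoice_lookup": Tool("read", ARGS, ("number", "amount", "payment_state"), find),
        "invoice_send": Tool("send", ARGS, ("number",), send)}, set(granted))
```

Each `log` entry records the status and the approver, which is the raw material for the execution success rate and approval compliance ratios.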

Compare with

Metric | Difference | Why read together
Tool Use | Model calls external capabilities | Extends AI capability
API | System interface | Often sits behind a tool
RPA | Executes predefined steps | Can run without AI reasoning

Common mistakes

  • More tools do not automatically make a system smarter. They can make selection and safety harder.
  • Read and write tools should not be treated the same. Their impact differs.
  • Tool calls should not be fully delegated to the model for high-impact operations.

Frequently asked questions

Is tool use the same as an API?

No. An API is a system interface; tool use is the AI-facing design for when and how the model invokes that interface.

Should every tool be available to the AI?

No. Start with least privilege and separate read, draft, execute, and send actions.

How does MCP relate?

MCP is one standard way to expose tools and resources to AI applications.

Sources

Source | Kind
Model Context Protocol: Tools | tier_s
Model Context Protocol: Specification | tier_s
NIST: AI RMF | tier_s