---

title: "Tool Use" type: concept tags: [#tool-use, #planning, #reasoning] created: 2025-01-01 updated: 2025-07-14 status: complete

Tool Use

Tool use in agentic AI is the capability by which an agent calls external functions, APIs, or resources to extend its native reasoning with real-world data access, computation, and system control.

Overview

Tool use is one of the four core components of AI agent architecture, alongside persona, memory, and the underlying model. While a large language model alone can reason over information present in its context window, tool use extends the agent's reach into the external world: searching the web, querying databases, executing code, calling APIs, reading and writing files, and controlling external systems. Tools transform an agent from a sophisticated text processor into an actor capable of real-world impact.

The concept is simple in principle: the agent is given descriptions of available tools, decides which tool to invoke based on its reasoning, formats a structured call, receives the output, and incorporates the result into its next reasoning step. This is the mechanism underlying the ReAct Framework's Action step. In practice, tool use introduces significant design challenges around tool selection reliability, error handling, and the safety implications of write-capable actions.

Google Cloud's framework describes tools as "functions or external resources that an agent can utilize to interact with its environment and enhance its capabilities," categorized by interface type: physical, graphical, and program-based. Tool learning — teaching agents how to effectively use tools by understanding their functionalities and the context in which they should be applied — is an active research and engineering area. The quality of tool descriptions and the agent's ability to select the right tool for the right situation directly determine the agent's practical effectiveness.

Tool use is fundamental to nearly every production agentic system. Without it, agents are confined to generating text from training-time knowledge; with it, agents can access real-time information, perform precise computation, and take consequential actions in the world.

How It Works

The tool-use execution loop within a ReAct-style agent:

1. TOOL REGISTRATION
   Agent is provided a list of available tools with:
   - Name and description
   - Input schema (parameters and types)
   - Output format
   - Usage instructions / constraints

2. TOOL SELECTION (Reasoning step)
   Agent reads task context and available tools
   Agent selects the appropriate tool and constructs a call:
   Action: search_web(query="current GDP of Germany 2024")

3. TOOL EXECUTION
   The agent runtime parses the action
   Executes the tool call (API request, function call, etc.)
   Receives the tool output

4. OBSERVATION INTEGRATION
   Tool output is appended to the agent's context:
   Observation: "Germany's GDP in 2024 was approximately $4.4 trillion..."

5. REASONING UPDATE
   Agent incorporates the observation into its next Thought step
   Decides whether to call another tool or produce a final answer

Read vs. write risk classification:

• Read-only tools (web search, database queries, file reads): Lower risk; errors produce incorrect information but do not modify external state
• Write-capable tools (sending emails, updating records, executing code, triggering workflows): Higher risk; errors can cause irreversible external side effects requiring additional safety controls

Key Properties / Characteristics

• Interface diversity: Tools span physical, graphical, and program-based interfaces; any callable function or API can serve as a tool
• Schema-driven: Tool inputs and outputs are formally specified so the LLM can generate correctly structured calls
• Context-integrated: Tool outputs become part of the agent's reasoning context (the Observation in ReAct)
• Extensible: New capabilities are added by registering new tools without retraining the model
• Risk-asymmetric: Read tools and write tools carry fundamentally different safety profiles
• Tool learning dependent: Agent effectiveness depends on the quality of tool descriptions and the model's ability to select and invoke tools appropriately
• Composable: Multiple tools can be called in sequence or (in multi-agent systems) in parallel to accomplish complex tasks

Variants & Related Approaches

• Function calling: The specific mechanism by which LLMs like GPT-4 or Gemini format tool invocations as structured JSON, enabling reliable parsing by the agent runtime
• Plugin systems: Tool registries where third-party tools can be published and discovered by agents at runtime (e.g., ChatGPT Plugins, Vertex AI Agent Garden)
• Code execution tools: A special class of tool where the agent writes code and executes it in a sandbox, enabling arbitrary computation
• Retrieval tools: Tools that query vector databases or search engines to retrieve relevant documents for Memory Systems augmentation
• Agent-as-tool: In multi-agent systems, one agent can invoke another as a tool — see Multi-Agent Coordination

Strengths & Limitations

Strengths

• Dramatically expands agent capability beyond training-time knowledge to real-time information and external system control
• Enables precise computation (via code execution tools) that LLMs alone cannot reliably perform
• Extensible: the agent's capability set grows with each new tool without model retraining
• Produces interpretable action traces (especially in ReAct) that make agent behavior auditable
• Supports the full range of enterprise use cases: customer agents, data agents, code agents, security agents

Limitations

• Tool selection errors compound: choosing the wrong tool or passing incorrect parameters can cascade through a multi-step task
• Write-capable tools require careful safety controls to prevent irreversible harmful actions
• Tool descriptions must be precise; ambiguous or incomplete descriptions lead to unreliable invocations
• Latency: each tool call introduces network round-trips and execution time, slowing the overall agent loop
• Context window consumption: tool outputs can be verbose, consuming context that limits subsequent reasoning depth
• Security surface: tools that access external systems create attack vectors (prompt injection, API abuse)

Notable Uses / Applications

• Customer agents: Tools for querying order databases, checking inventory, processing refunds, and sending confirmation emails
• Code agents: Code generation tools, test runners, linters, and version control interfaces
• Data agents: SQL query tools, data visualization generators, statistical analysis functions
• Security agents: Threat intelligence APIs, log analysis tools, incident ticketing systems, and network scanning interfaces
• Employee agents: Calendar APIs, document editors, translation services, and enterprise search tools
• Research agents: Web search, academic paper retrieval, and citation verification tools

Source Material

1. What are AI agents? Definition, examples, and types | Google Cloud — Source for the tool component definition, interface type categorization (physical, graphical, program-based), tool learning concept, and application examples across use case categories.
2. IBM Think — What are AI Agents? — Source for read/write risk distinctions and expanded execution loop description.

Related Pages

Is a type of: Agent Architecture Implements: ReAct Framework Used by: Agentic AI, Multi-Agent Coordination Depends on: Memory Systems Governed by: Agent Orchestration Safety considerations: AI Safety and Alignment

Open Questions

• How should agents be trained or prompted to accurately assess when a write-capable tool action is safe vs. requires human confirmation?
• What standardized tool description formats would most improve tool selection reliability across different LLMs?
• How can tool output verbosity be managed to avoid context window exhaustion in long-running tasks?
• What security controls are necessary to prevent prompt injection attacks through tool outputs?
• Is there a principled way to determine the optimal tool set size for a given task domain?

---

Page type: concept | Status: complete