Tool-Using AI Agents: Models inside Controlled Action Loops
📑 On this page
- A concrete example: planning a trip
- The components of an agent
- Tools are typed capabilities
- Identity and authorization
- Read and write actions differ
- The control loop
- State and memory
- Planning is not execution
- Validate observations
- Retries and idempotency
- Budgets and stopping rules
- Human approval
- Multi-agent systems
- Evaluation
- Audit and incident response
- Knowledge check
- The one idea to remember
A language model can suggest an action in text. An agent system can connect that suggestion to software that searches, calculates, sends, updates, or purchases.
That connection changes the risk.
A tool-using AI agent is a model inside a control loop that selects actions, receives observations, maintains state, and stops under application-defined rules.
The model contributes interpretation and planning. The surrounding system must enforce identity, permissions, validation, budgets, and approval.
A concrete example: planning a trip
A travel agent might:
- ask for dates, airports, budget, and constraints,
- search a flight API,
- compare viable options,
- check a calendar,
- present a proposed itinerary,
- request approval,
- and call the booking tool only after confirmation.
Search is reversible and low consequence. Purchasing is consequential. The system gives those actions different controls.
The components of an agent
An agent usually combines:
- a model,
- instructions,
- tool definitions,
- conversation or task state,
- a controller,
- observations from tool results,
- validation,
- and a stopping condition.
Some agents make one tool call. Others repeat the loop across several steps. More loops increase capability, cost, latency, and opportunities for error.
Tools are typed capabilities
A tool should expose a narrow operation with a clear schema.
Instead of a general “run anything” tool, define capabilities such as:
- search approved flights,
- read one calendar,
- create a draft reservation,
- or cancel a specified reservation.
Validate argument types, ranges, identifiers, and user authorization before execution. Tool descriptions help model selection, but enforcement belongs in code.
Identity and authorization
The agent acts on behalf of someone. Every tool call needs an authenticated principal and an authorization decision.
Do not let the model invent a user ID, tenant, role, or scope. Bind identity outside the prompt and propagate it through each service call.
Use least privilege: a research task should not receive write credentials merely because a later workflow might need them.
Read and write actions differ
Classify tools by consequence:
- read-only lookup,
- reversible draft,
- limited update,
- financial or legal commitment,
- destructive action,
- and external communication.
Require stronger confirmation, authorization, and logging as consequence rises. A user approving “continue” should see the exact recipient, amount, date, or record that will change.
The control loop
A typical loop is:
- assemble current state,
- ask the model for the next action,
- validate the proposed call,
- execute the tool,
- record the observation,
- decide whether to continue,
- and produce a final result.
The controller, not the model, should own maximum steps, timeouts, retry limits, and cancellation.
State and memory
Agent state may include:
- user goal,
- completed steps,
- tool results,
- approvals,
- unresolved questions,
- budget consumed,
- and artifacts produced.
Store important state structurally rather than relying on a growing prose transcript. This supports resumption, auditing, idempotency, and precise validation.
Planning is not execution
A useful design separates a proposed plan from actions.
The model can first list the information and steps it expects to need. The controller can check whether the plan requests forbidden tools, exceeds budget, or requires approval.
Plans may change after observations, so they are guides rather than guarantees.
Validate observations
Tool output can be malformed, stale, incomplete, or malicious. A web page may contain prompt injection. An API may return an error encoded as a successful response.
Parse structured results, enforce size limits, label untrusted content, check freshness, and avoid passing raw secrets or enormous payloads back into context.
Retries and idempotency
Network calls fail. Blind retries can duplicate side effects such as payment or email.
Use idempotency keys, operation identifiers, and read-before-write checks. Distinguish:
- safe retry,
- ambiguous outcome requiring reconciliation,
- and permanent failure.
The agent should not improvise repeated purchases because the first response timed out.
Budgets and stopping rules
Set limits for:
- model calls,
- tool calls,
- elapsed time,
- money,
- retrieved data,
- and repeated failures.
Stop when the goal is complete, a required fact is missing, approval is denied, risk rises, or progress stalls. “Keep trying until it works” is not a safe production policy.
Human approval
Approval should be informed and specific.
Show:
- the exact proposed action,
- important evidence,
- expected effect,
- cost,
- and whether reversal is possible.
After approval, bind execution to that proposal. If the action changes materially, ask again.
Multi-agent systems
Splitting work among planner, researcher, critic, and executor roles can improve modularity, but it also adds messages, cost, coordination errors, and unclear accountability.
Use multiple agents only when evaluation shows a benefit. Many workflows are clearer as one model plus deterministic stages and tools.
Evaluation
Test complete tasks for:
- successful completion,
- unnecessary actions,
- wrong or unauthorized calls,
- argument validity,
- recovery from tool failure,
- approval compliance,
- stopping behavior,
- latency,
- and cost.
Include adversarial documents, ambiguous requests, revoked permissions, duplicate operations, and partial failures.
Audit and incident response
Record model and prompt versions, tool calls, validated arguments, observations, approvals, policy decisions, and final outcomes with appropriate privacy controls.
Provide cancellation, rollback where possible, credential revocation, and a clear owner for incidents. An agent's conversational surface should not hide the ordinary operational responsibilities of an action system.
Knowledge check
- What components turn a model into a tool-using agent?
- Why should identity be bound outside the prompt?
- How should read and consequential write tools differ?
- Why are idempotency keys important?
- Which limits should the controller own?
The one idea to remember
An AI agent is a model embedded in an action system. Its reliability depends less on an impressive plan than on narrow tools, real authorization, validated state, consequence-aware approval, bounded retries, explicit stopping, and auditable execution.