Anti-Patterns

Tool Over-Broad Scope

Anti-pattern: grant the agent tools scoped so broadly that a single hallucinated argument can escalate into a privilege incident.

Problem

The agent now needs only one wrong argument (a wrong table name, a wrong customer id, a wrong amount) for the call to do damage the agent was never supposed to be able to do. Hallucinated tool arguments become privilege escalations. The audit log shows the agent identity calling an in-scope tool with in-scope credentials; no permission check fires, because the broad scope made the call legal.

Solution

Narrow tool scope to the smallest unit the task can use: per-resource, per-action, per-tenant. Use just-in-time credential issuance bound to the run id. Prefer many small tools over one configurable mega-tool, so that argument-hallucination cannot widen the blast radius. Pair with tool-loadout-hotswap so the agent sees only the tools relevant to the current sub-task.

When to use

  • Never. Cite when reviewing agent tool catalogs.
  • Replace fat tools with per-action, per-resource narrow tools.
  • Issue short-lived credentials bound to a single run id.
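The following is an added example, not code from the page or from any project it describes. It puts the anti-pattern (one configurable mega-tool on blanket credentials) beside the remedy from the Solution and the list above: a per-action, per-resource tool gated by a short-lived credential bound to a single run id, plus a minimal loadout filter so the agent only sees tools tagged for its current sub-task. Every name, table, customer id and run id is constructed for the demonstration.

```python
"""Constructed example (not the page's or any project's code): a broad
mega-tool beside narrow, per-resource tools gated by a short-lived credential
bound to one run id. All names, tables, ids and credentials are invented."""
from dataclasses import dataclass
import time


class ScopeError(PermissionError):
    """Raised when a tool call falls outside the credential's scope."""


@dataclass(frozen=True)
class RunCredential:
    run_id: str
    tenant: str
    allowed: frozenset  # frozenset of (action, resource) pairs
    expires_at: float


class CredentialIssuer:
    """Just-in-time issuance: one credential per run, short TTL, explicit scope."""

    def __init__(self, ttl_seconds=60.0, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._live = {}  # run_id -> RunCredential currently valid for that run

    def issue(self, run_id, tenant, allowed):
        cred = RunCredential(run_id, tenant, frozenset(allowed), self.clock() + self.ttl)
        self._live[run_id] = cred
        return cred

    def check(self, cred, run_id, action, resource):
        # Bound to the run: the same credential presented under another run id fails.
        if self._live.get(run_id) is not cred:
            raise ScopeError("credential is not bound to run %s" % run_id)
        if self.clock() > cred.expires_at:
            raise ScopeError("credential expired")
        if (action, resource) not in cred.allowed:
            raise ScopeError("%s on %s is outside scope" % (action, resource))

    def allows(self, cred, run_id, action, resource):
        """Boolean form of check(), convenient for policy tests."""
        try:
            self.check(cred, run_id, action, resource)
            return True
        except ScopeError:
            return False


# Constructed in-memory store standing in for the real database.
DB = {
    "orders": {"cust-1": 100, "cust-2": 250},
    "customers": {"cust-1": "alice", "cust-2": "bob"},
}
AUDIT = []  # (identity, tool, *args) records, as an audit log would see them


def delete_rows_broad(table, key):
    """The anti-pattern: any table, any key, blanket credentials. A hallucinated
    argument is still an in-scope call, so nothing stops it, and the audit log
    only records that the agent used a tool it was allowed to use."""
    AUDIT.append(("agent", "delete_rows", table, key))
    return DB[table].pop(key, None)


def make_delete_order_tool(issuer, cred, run_id):
    """Narrow tool: one action (delete) on one resource family (orders), checked
    against the run-bound credential before the store is touched."""

    def delete_order(customer_id):
        issuer.check(cred, run_id, "delete", "orders/%s" % customer_id)
        AUDIT.append((run_id, "delete_order", customer_id))
        return DB["orders"].pop(customer_id)

    return delete_order


def loadout_for(subtask, tools):
    """Hotswap: expose only the tools tagged for the current sub-task."""
    return {name: fn for name, (tag, fn) in tools.items() if tag == subtask}


def demo(hallucinated_id="cust-2"):
    """Call the broad and the narrow tool with the same wrong customer id."""
    issuer = CredentialIssuer(ttl_seconds=60.0)
    run_id = "run-42"
    # The run is only entitled to delete cust-1's order; nothing else.
    cred = issuer.issue(run_id, "tenant-a", {("delete", "orders/cust-1")})
    delete_order = make_delete_order_tool(issuer, cred, run_id)
    tools = {
        "delete_order": ("refund", delete_order),
        "lookup_customer": ("support", DB["customers"].get),
    }
    visible = sorted(loadout_for("refund", tools))

    narrow_blocked = not issuer.allows(cred, run_id, "delete", "orders/%s" % hallucinated_id)
    broad_result = delete_rows_broad("orders", hallucinated_id)  # succeeds: row gone

    return {
        "visible_tools": visible,
        "narrow_blocked": narrow_blocked,
        "broad_deleted": broad_result,
        "orders_left": sorted(DB["orders"]),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the Problem section describes: the narrow tool refuses the hallucinated id before anything is written, while the broad tool deletes the wrong customer's order and leaves an audit record that looks entirely legitimate. Real deployments would back `CredentialIssuer` with the platform's token service rather than an in-process dict, but the shape of the check (run id, expiry, explicit action/resource pair) is the point.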


Related