Your AI Agent Should Not Be Allowed to Approve Its Own Tool Calls
Tool calls turn language into side effects. That means they need authorization outside the model.
An AI agent with tool access is not just a chatbot.
The moment it can reset a password, update a CRM r
curi0us-dev.hashnode.dev · 13 min read
This part really stood out to me:
"The agent can request an action. It should not be the authority that approves the action."
I've seen a lot of teams spend weeks hardening prompts while leaving the actual authorization decision inside the agent loop. That's a risky trade because prompts are guidance, not enforcement.
What makes agent systems different from traditional apps is that the blast radius grows with every new tool. The first question shouldn't be "Can the agent call this tool?" but "Who is allowed to approve this action when the agent asks?"
To me, the strongest pattern is treating tool calls exactly like API requests: authentication, authorization, audit trail, then execution. Once you look at it that way, letting the agent approve its own tool call feels as strange as letting an API bypass its own permission checks.
Really enjoyed the focus on architecture over prompt engineering here. The security boundary should live in code and policy, not in the model's reasoning.
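The pattern the comment above describes (treat a tool call like an API request: authenticate, authorize, write the audit entry, then execute, with the approval decision held outside the agent loop) as a small working gateway. This is an added example, not code from the linked article or from the commenter; the `Gateway` class, the `POLICY` table, the two tool names, the `approver` role and the principals alice, bob and carol are all hypothetical. The model's own assertion that a call is approved is carried in the request only so the code can show it being ignored.

```python
"""Tool-call gateway: the agent requests, policy outside the model decides.

Added illustration, not the linked article's code. Gateway, POLICY, the tool
names, the principals and the 'approver' role are hypothetical.
"""
from dataclasses import dataclass
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class ToolCallRequest:
    request_id: str
    tool: str
    args: dict[str, Any]
    principal: str                     # user the agent acts for; authenticated upstream (assumed)
    model_says_approved: bool = False  # whatever the model claims about approval; never trusted


@dataclass
class Decision:
    allowed: bool
    reason: str
    output: Optional[str] = None


# Hypothetical policy: tool -> (roles that may invoke it, human approval required?)
POLICY: dict[str, tuple[set[str], bool]] = {
    "crm.update_contact": ({"sales", "support"}, False),
    "iam.reset_password": ({"support"}, True),
}
APPROVER_ROLE = "approver"


class Gateway:
    """Policy enforcement point between the agent loop and the real tools."""

    def __init__(self, roles: dict[str, set[str]], tools: dict[str, Callable[..., str]]):
        self.roles = roles                      # principal -> roles; an IdP would supply this (assumed)
        self.tools = tools
        self.audit: list[dict[str, str]] = []   # every decision, allow or deny, lands here
        self._approvals: dict[str, str] = {}    # request_id -> approver principal

    def _log(self, req: ToolCallRequest, decision: str, reason: str) -> None:
        self.audit.append({"request_id": req.request_id, "tool": req.tool,
                           "principal": req.principal, "decision": decision, "reason": reason})

    def approve(self, req: ToolCallRequest, approver: str) -> bool:
        """Record a human approval. The requester can never be the approver."""
        if approver == req.principal:
            self._log(req, "approval-rejected", "self-approval")
            return False
        if APPROVER_ROLE not in self.roles.get(approver, set()):
            self._log(req, "approval-rejected", f"{approver} lacks {APPROVER_ROLE} role")
            return False
        self._approvals[req.request_id] = approver
        self._log(req, "approved", f"by {approver}")
        return True

    def execute(self, req: ToolCallRequest) -> Decision:
        # 1. Authentication: an unknown principal gets nothing.
        if req.principal not in self.roles:
            self._log(req, "deny", "unknown principal")
            return Decision(False, "unknown principal")
        # 2. Authorization: the tool must be in policy and the principal must hold an allowed role.
        if req.tool not in POLICY:
            self._log(req, "deny", "tool not in policy")
            return Decision(False, "tool not in policy")
        allowed_roles, needs_approval = POLICY[req.tool]
        if not (self.roles[req.principal] & allowed_roles):
            self._log(req, "deny", "role not permitted")
            return Decision(False, "role not permitted")
        # 3. Approval comes only from the ledger; req.model_says_approved is ignored on purpose.
        if needs_approval and req.request_id not in self._approvals:
            self._log(req, "deny", "approval required")
            return Decision(False, "approval required")
        # 4. Audit, then execute. An approval is single use so a granted request cannot be replayed.
        self._approvals.pop(req.request_id, None)
        self._log(req, "allow", "policy satisfied")
        return Decision(True, "policy satisfied", self.tools[req.tool](**req.args))


def demo() -> list[Decision]:
    """Constructed walk-through: alice (sales), bob (support), carol (approver)."""
    gw = Gateway(
        roles={"alice": {"sales"}, "bob": {"support"}, "carol": {"approver"}},
        tools={"crm.update_contact": lambda contact, email: f"updated {contact} -> {email}",
               "iam.reset_password": lambda user: f"reset password for {user}"},
    )
    results = []
    # Routine CRM edit by an allowed role: no human in the loop.
    results.append(gw.execute(ToolCallRequest(
        "r1", "crm.update_contact", {"contact": "acme", "email": "ops@acme.example"}, "alice")))
    # Sales may not reset passwords, whatever the model claims.
    results.append(gw.execute(ToolCallRequest(
        "r2", "iam.reset_password", {"user": "dave"}, "alice", model_says_approved=True)))
    # Support may request a reset, but the model's own "approved" flag buys nothing.
    reset = ToolCallRequest("r3", "iam.reset_password", {"user": "dave"}, "bob", model_says_approved=True)
    results.append(gw.execute(reset))
    gw.approve(reset, "bob")            # self-approval: rejected
    gw.approve(reset, "carol")          # separate approver: recorded
    results.append(gw.execute(reset))   # now runs
    results.append(gw.execute(reset))   # approval was consumed: denied again
    return results
```

The point of the shape is that nothing the model emits reaches the `if` statements that matter: the roles come from the gateway's own directory, the approval comes from a ledger only a different principal can write, and every branch, including the rejected self-approval, leaves an audit record before any side effect happens.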