Skip to content

AI term · last reviewed 2026-07-07

Tool use (function calling)

Also known as: Function calling

Tool use (function calling) is the mechanism by which a language model invokes external functions instead of only generating text; it is where a language problem becomes a real-world action.

How it works

Tool use (also called function calling) is the mechanism by which a language model invokes external functions instead of only generating text. You describe the available tools and their parameters; the model, when it decides a tool is needed, emits a structured call (a name plus JSON arguments); your code executes it and returns the result, which the model reads to continue. This is what turns a model into an agentic AI system that can search, compute, or act on real systems, often through an MCP server.

When it matters

Tool use matters because it is where a language problem becomes a real-world action, and therefore where security gets real. The tool output the model reads back is untrusted data that can carry injected instructions, and the tools the model can call define its blast radius. Scope each tool narrowly, split read from write, and gate destructive actions behind human approval. See Secure an MCP Server.

Common misconceptions

  • "Tool output is trusted because my tool returned it." The content inside it (an email body, a web page) can be attacker-controlled. Treat it as untrusted (see prompt injection).
  • "A general `run_sql` tool is convenient." It is a shell handed to a persuadable model. Prefer intent-shaped tools.
  • "The model decides safely what to call." Guardrails and least-privilege scopes decide; the model only proposes.
← All terms