The Agent Stack - Part 6: Tools, MCP, and Capability Surfaces

· Source: The Agent Stack · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Software Development & Engineering, Cybersecurity & Data Privacy · Depth: Advanced, long

Summary

The article clarifies that "tools" in AI systems are not merely function calls but "capability surfaces" that define the actions and context an AI model can access. It emphasizes the critical distinction between a model's request and the system's decision to act, highlighting the complex layer of considerations like tool visibility, identity, scope, context, user approval, and execution environment. The Model Context Protocol (MCP) is introduced as a standard for exchanging these capabilities and context, separating primitives like resources, prompts, and tools. The author stresses that while schemas define request shapes, they do not grant authority, and tool output should be treated as context with provenance, not inherent truth, due to potential for staleness, untrusted sources, or malicious content. Different types of tools, such as hosted, local, and computer-use tools, carry varying operational responsibilities and risk profiles.

Key takeaway

For AI Architects designing agentic systems, you must prioritize robust capability surface design over simple function calling. Your architecture needs to explicitly separate schema definition from authorization and approval workflows, ensuring that tool visibility, identity, and scope are tightly controlled. Treat all tool output as untrusted context until its provenance and validity are confirmed, and implement granular approval paths for high-impact actions to mitigate risks like excessive agency and indirect prompt injection.

Key insights

AI tools are capability surfaces, not just function calls, requiring careful boundary design for security and control.

Principles

Method

Design capability surfaces by filtering tools per run, keeping them narrow, separating schema from authority, binding identity explicitly, and treating tool output as untrusted context until validated.

In practice

Topics

Best for: AI Engineer, AI Architect, AI Security Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by The Agent Stack.