[EAAPL-SEC004] Secure Tool Invocation
Category: Security / Agentic AI Controls
Sub-category: Tool & Function Call Security
Version: 1.1
Maturity: Proven
Tags: agent-security tool-calling function-calling human-in-the-loop permission-scoping audit-logging rate-limiting
Regulatory Relevance: EU AI Act Art. 9 & 14, APRA CPS234, NIST AI RMF GOVERN 6.2, ISO 42001 §8.5
1. Executive Summary
Secure Tool Invocation defines the security architecture for AI agents that can call external tools, APIs, databases, or execute code. As organisations deploy agentic AI systems — coding assistants that run terminal commands, customer service bots that can query and update CRM records, AI workflows that send emails or make financial transactions — the attack surface moves from "what the AI says" to "what the AI does."
A single successful prompt injection in an agent with uncontrolled tool access can result in data exfiltration, financial transactions, communications sent to external parties, or destructive actions on production systems. This is not theoretical: documented incidents have demonstrated that agents with broad tool access can be manipulated to perform actions their operators never intended.
This pattern establishes five core controls: tool allow-listing (only approved tools are callable), permission scoping (each tool call uses the minimum permissions required), input/output validation for tool calls (tools receive only validated inputs and return validated outputs), human approval gates for high-risk operations, and comprehensive audit logging of every tool invocation. Together these controls make agent tool use auditable, reversible, and bounded — transforming agentic AI from an uncontrolled actor to a governed one.
2. Problem Statement
Business Problem
Organisations deploying AI agents with tool access are creating a new category of automated actor that can take real-world actions at machine speed. Without appropriate controls:
- An agent manipulated by prompt injection can exfiltrate customer data by calling a data export tool.
- An agent instructed to "help with finance" can make unintended financial transfers if it has access to payment APIs.
- An agent that can send emails can be manipulated to send phishing messages to customer lists.
- An agent with database write access can modify or delete production records.
Unlike a human employee who can recognise a suspicious instruction, an AI agent will attempt to execute whatever instruction appears most consistent with its current context — including adversarially crafted instructions.
Technical Problem
Modern AI frameworks (LangChain, LlamaIndex, OpenAI Assistants, Anthropic Tool Use) make it trivially easy to give an agent access to many tools. The default security posture is permissive: tools are made available to the agent, and the agent decides which to call and with what arguments. There is typically:
- No allow-listing of which tools can be called in which contexts.
- No input validation on tool arguments generated by the LLM.
- No output validation on data returned by tools (which may itself contain injection content).
- No human approval for high-risk operations.
- Minimal audit logging of tool calls.
- Credentials for tool APIs embedded in agent configuration with excessive permissions.
Symptoms
- Agent making unexpected API calls discovered in application logs.
- Credentials used by agents have broad permissions (admin roles, full database access).
- No centralised record of what actions agents have taken.
- Agents taking irreversible actions (sending emails, deleting records) without human review.
- Tool call arguments not validated — LLM-generated arguments passed directly to tools.
Cost of Inaction
| Dimension | Impact |
|---|---|
| Security | Prompt injection → unauthorised tool calls → data exfiltration, destructive actions |
| Financial | Agent making unintended financial transactions; vendor API abuse costs |
| Regulatory | Agent taking regulated actions (financial advice, medical recommendations, data disclosure) without audit trail |
| Operational | Agent causing production incidents through unconstrained write operations |
| Legal | Agent sending unauthorised communications; creating contractual obligations |
3. Context
When to Apply
- Any AI agent that can call external APIs, execute code, query/modify databases, send communications, or interact with file systems.
- Multi-agent orchestration systems where one agent calls another.
- AI workflows that can take actions in external systems (CRM, ERP, cloud infrastructure).
- Coding assistants with terminal/IDE access.
- AI assistants with email, calendar, or communication platform access.
When NOT to Apply
- Pure read/retrieval agents (RAG-only) with no ability to take actions — apply simplified read-only version of tool validation.
- Agents calling only internal, non-sensitive information retrieval endpoints with no mutation capability.
Prerequisites
| Prerequisite | Detail |
|---|---|
| Tool Registry | Centralised catalogue of all tools with security classifications and permission requirements |
| Secrets Management | Per-tool, scoped credentials managed via EAAPL-SEC008 |
| AI Gateway | Tool invocation policy enforcement integrated with EAAPL-SEC001 |
| Human Approval Workflow | ITSM or dedicated approval system for high-risk tool calls |
| Audit Log Infrastructure | Immutable log store for all tool invocation records |
Industry Applicability
| Industry | Applicability | Key Driver |
|---|---|---|
| Financial Services | Critical | Agent-initiated transactions; regulatory audit requirements |
| Healthcare | Critical | Agent-initiated clinical actions; PHI access; safety-critical operations |
| Technology / DevOps | High | Code execution; infrastructure manipulation; CI/CD automation |
| Legal / Professional Services | High | Document generation; communication sending; contractual actions |
| E-commerce | High | Order management; customer communication; payment processing |
| Government | Critical | Citizen data access; regulatory filings; enforcement actions |
4. Architecture Overview
The Secure Tool Invocation pattern wraps every tool call in a security envelope: before the tool is called, the invocation is validated against policy; after the tool returns, the output is validated before being returned to the agent. Between these validation points, the tool executes with the minimum permissions necessary.
Tool Registry and Allow-Listing
The foundation of the pattern is a centralised tool registry that serves as the authoritative source of which tools exist, what they do, and who can call them. The registry stores: tool identifier and schema, security classification (READ / WRITE / DESTRUCTIVE / FINANCIAL / COMMUNICATION), permission requirements (what credentials are needed), allowed callers (which agents/applications may use this tool), rate limits per caller, and whether human approval is required.
When an agent requests a tool call, the invocation control layer checks the registry before forwarding the call. Tools not in the registry are rejected. Tools for which the calling agent is not authorised are rejected. This allow-list approach — as opposed to a deny-list — ensures that new tools cannot be called until explicitly registered and approved.
Permission Scoping
Each tool call uses the minimum credentials required for that specific operation. Rather than giving an agent a single omnibus credential (e.g., a database connection string with full admin access), credentials are scoped per operation:
- A
read_customer_recordtool receives a read-only database token scoped to the customers table. - A
create_support_tickettool receives a write-scoped API key valid only for ticket creation, not ticket deletion. - Credentials are short-lived (15–60 minutes) and generated at invocation time from a vault, not pre-configured in the agent.
This scoping ensures that even if the agent is manipulated into calling a tool with adversarial arguments, the tool's credential limits the damage to what that specific credential permits.
Input Validation for Tool Calls
LLM-generated tool arguments are untrusted. The LLM may produce arguments that are structurally correct (matching the tool's JSON schema) but semantically dangerous (e.g., a SQL query that accesses tables beyond the intended scope, a file path that traverses outside the permitted directory). Input validation applies:
- Schema validation: Tool arguments must conform to the JSON schema registered for the tool. Unexpected fields are stripped; required fields are enforced.
- Content validation: String arguments are inspected for injection patterns (SQL injection, path traversal, command injection) using the same techniques as EAAPL-SEC005.
- Scope validation: For tools that reference specific resources (user IDs, file paths, API endpoints), validation ensures the referenced resource is within the agent's authorised scope.
Human Approval Gates
Tool calls classified as DESTRUCTIVE, FINANCIAL above a threshold, or COMMUNICATION to external parties require synchronous human approval before execution. The approval workflow:
- The invocation control layer intercepts the tool call.
- An approval request is created in the ITSM/approval system with full context: which agent, what tool, what arguments, what triggered this call.
- The agent is paused (tool call result is pending).
- An authorised approver reviews and approves or rejects.
- If approved, the tool call proceeds; if rejected, the agent receives an "operation not approved" result.
- Approval timeouts (e.g., 30 minutes) result in automatic rejection and alert.
Output Validation
Tool outputs returned to the agent are also validated. This is critical for indirect injection: a malicious document retrieved by a search tool may contain instruction text designed to manipulate the agent's subsequent actions. Output validation applies:
- Schema validation: Output conforms to expected structure.
- Content inspection: Output inspected for instruction-like text (prompt injection fragments) before being returned to the agent context.
- Data classification: Output classified and labelled; data above the agent's clearance level is redacted or blocked.
5. Architecture Diagram
ARCHITECTURE DIAGRAM
flowchart TD
subgraph Agent["AI Agent"]
A[Tool Call Request]
end
subgraph Control["Invocation Control Plane"]
B[Tool Registry Check]
C[Input Validator]
D{Human Approval Gate}
E[Output Validator]
end
subgraph Execution["Tool Execution"]
F[Scoped Credential]
G[Tool API]
H[Audit Log]
end
A --> B
B -->|not allowed| I[Reject + Alert]
B -->|allowed| C
C -->|invalid args| I
C -->|valid| D
D -->|approval needed| J[Approver Review]
D -->|auto-approved| F
J -->|approved| F
J -->|rejected| I
F --> G --> E --> A
E --> H
I --> H
style A fill:#dbeafe,stroke:#3b82f6
style B fill:#f0fdf4,stroke:#22c55e
style C fill:#f0fdf4,stroke:#22c55e
style D fill:#f3e8ff,stroke:#a855f7
style E fill:#f0fdf4,stroke:#22c55e
style F fill:#fef9c3,stroke:#eab308
style G fill:#fef9c3,stroke:#eab308
style H fill:#fef9c3,stroke:#eab308
style I fill:#fee2e2,stroke:#ef4444
style J fill:#f3e8ff,stroke:#a855f7
6. Components
| Component | Type | Responsibility | Technology Options | Criticality |
|---|---|---|---|---|
| Invocation Control Plane | Orchestration | Central enforcement point for all tool call security controls | Custom Go/Python middleware, LangChain custom callback, OpenAI function call interceptor | Critical |
| Tool Registry | Configuration | Authoritative catalogue of tools with security metadata and caller ACLs | Git-versioned YAML, OPA data, PostgreSQL, Consul | Critical |
| Input Validator | Security Control | Schema + content validation of LLM-generated tool arguments | JSON Schema validator, Pydantic, custom injection checker | Critical |
| Output Validator | Security Control | Schema validation + injection/classification inspection of tool outputs | JSON Schema validator, content classifier, Microsoft Presidio | High |
| Human Approval Gate | Workflow | Intercepts high-risk tool calls; routes for human approval; manages approval state | PagerDuty, ServiceNow, custom Slack bot, custom approval API | High |
| Vault Integration | Secrets | Dispenses scoped, short-lived credentials per tool call | HashiCorp Vault, AWS Secrets Manager, Azure Key Vault | Critical |
| Rate Limiter | Traffic Control | Per-tool, per-agent rate limits to prevent tool abuse | Redis token bucket, same as AI Gateway rate limiter | High |
| Audit Logger | Compliance | Immutable record of every tool invocation attempt (permitted and denied) | Kafka → immutable log store; same pipeline as AI Gateway audit log | Critical |
| Tool Sandbox | Isolation | For code execution tools: sandboxed execution environment | gVisor, AWS Lambda (isolated), Firecracker MicroVM, E2B | High |
7. Data Flow
Primary Flow
| Step | Actor | Action | Output |
|---|---|---|---|
| 1 | AI Agent | Generates tool call: tool_id + JSON arguments derived from current context | tool_call request to Invocation Control Plane |
| 2 | Invocation Control Plane | Looks up tool_id in registry; checks caller ACL; retrieves security classification | Authorization decision + tool specification |
| 3 | Vault | Invocation Control Plane requests scoped credential for tool_id + calling agent | Short-lived, scoped credential |
| 4 | Input Validator | Validates LLM-generated arguments against tool JSON schema; runs injection pattern checks; checks resource scope | Validated arguments or rejection |
| 5 | Human Approval Gate | If tool classification is DESTRUCTIVE/FINANCIAL/COMMUNICATION: creates approval request; awaits response | APPROVED, REJECTED, or TIMEOUT |
| 6 | Tool / API | Invocation Control Plane calls tool with validated arguments and scoped credential | Raw tool output |
| 7 | Output Validator | Validates output schema; scans for injection content; applies data classification labels | Validated output or content-blocked output |
| 8 | Audit Logger | Records: agent_id, tool_id, arguments_hash, approval_status, output_hash, latency, outcome | Immutable audit record |
| 9 | AI Agent | Receives validated tool output; incorporates into context | Agent continues reasoning |
Error Flow
| Error | Handling | Status | Alert |
|---|---|---|---|
| Tool not in registry | Reject; log DENIED | 403 | Warning: agent attempting unregistered tool |
| Agent not authorised for tool | Reject; log DENIED | 403 | Security: potential prompt injection attempting tool privilege escalation |
| Input validation failure (schema) | Reject; log BLOCKED | 400 | Warning: LLM generating invalid tool arguments |
| Input injection detected | Reject; log BLOCKED | 400 | Security: injection pattern in tool arguments |
| Human approval timeout | Reject; notify agent | 408 | Info: approval timeout — notify agent owner |
| Tool API error | Return error to agent; log ERROR | 502 | Warning: tool reliability issue |
| Output injection detected | Block output; return sanitised error | 502 | Security: injection content in tool output — indirect injection attempt |
8. Security Considerations
Authentication & Authorisation
- Calling agent must authenticate to the Invocation Control Plane (mTLS or JWT from AI Gateway context).
- Each tool call uses a credential scoped to the minimum permission required for that specific operation — not the agent's overall credential.
- Human approvers authenticate through the organisation's IdP before approving tool calls.
Secrets Management
- No long-lived credentials embedded in agent configuration or code.
- All credentials retrieved at invocation time from Vault.
- Credentials expire automatically (15–60 min TTL).
- All credential access logged by Vault.
Data Classification
- Tool outputs are classified before being returned to the agent. If a tool output contains data classified above the agent's authorised level (e.g., CONFIDENTIAL data returned to a PUBLIC-level agent), the output is redacted and the incident is logged.
- Agents should only be granted access to tools that return data at or below their classification level.
Encryption
- All tool call traffic encrypted in transit (TLS 1.3).
- Audit log records encrypted at rest.
- Tool arguments in audit log stored as hashed representations if they may contain sensitive data.
OWASP LLM Top 10 Coverage
| OWASP LLM Risk | Secure Tool Invocation Mitigation | Coverage |
|---|---|---|
| LLM01: Prompt Injection | Output validator checks tool outputs for injection content (indirect injection defence) | High |
| LLM02: Insecure Output Handling | Output validation before returning tool results to agent context | High |
| LLM03: Training Data Poisoning | Not applicable | None |
| LLM04: Model Denial of Service | Tool-level rate limiting prevents agent from abusing tools for DoS | Medium |
| LLM05: Supply Chain Vulnerabilities | Tool registry allow-listing prevents agent from calling unapproved tools | High |
| LLM06: Sensitive Information Disclosure | Output classification enforcement; credential scoping; output redaction | High |
| LLM07: Insecure Plugin Design | Core purpose: this pattern IS the secure plugin design pattern | Critical |
| LLM08: Excessive Agency | Human approval gates for destructive/financial/communication actions directly address this risk | Critical |
| LLM09: Overreliance | Human approval gate creates a human checkpoint on high-risk decisions | Medium |
| LLM10: Model Theft | Tool ACL prevents agents from calling model introspection or extraction tools | Medium |
9. Governance Considerations
Responsible AI
- Every tool call that takes a real-world action is logged in the audit trail, enabling post-hoc accountability for all AI-initiated actions.
- Human approval gates ensure that the most consequential AI actions have a human decision point.
Model Risk Management
- Tool registry changes (adding new tools, expanding permissions) are subject to model risk review: what is the worst-case action the agent can now take? Is that acceptable?
- Regular review of audit logs to identify agents using tools in unexpected patterns.
Human Approval
- The human approval gate is a mandatory control for DESTRUCTIVE, FINANCIAL (above threshold), and COMMUNICATION tool classes.
- Approval decisions are logged with approver identity, timestamp, and stated rationale.
- Approval bypass (emergency override) is available only with break-glass credentials and requires dual approval.
Governance Artefacts
| Artefact | Owner | Frequency | Purpose |
|---|---|---|---|
| Tool Registry | AI Platform + Security | Updated with each new tool onboarding | Authoritative record of approved agent tools |
| Tool Invocation Audit Report | Compliance / AI Governance | Monthly | Summarises tool usage patterns; flags anomalies |
| High-Risk Tool Approval Log | Risk Management | Continuous | Record of all human approval decisions for audit |
| Tool Permission Review | Security Architecture | Quarterly | Reviews all tool credentials for least-privilege compliance |
| Agent Behaviour Review | AI Risk Team | Monthly | Reviews agent tool usage patterns for unexpected behaviour |
10. Operational Considerations
Monitoring
- Tool call rate per agent and per tool; approval queue depth and latency; tool error rates; blocked invocation rate (schema / injection / ACL); credential expiry events.
SLOs
| SLO | Target | Measurement |
|---|---|---|
| Tool ACL check latency | <5ms | Registry lookup span |
| Input validation latency | <20ms | Validator span |
| Human approval response time (business hours) | <15min | Approval request to decision time |
| Audit log write latency | <100ms async | Log pipeline latency |
| Tool call audit record durability | 100% | Dead-letter queue monitoring |
Incident Management
- Agent calling unregistered tool → P2 security incident (possible prompt injection escalation attempt).
- Injection detected in tool output → P1 security incident (confirmed indirect injection attack).
- High-risk tool called without approval (bypass) → P1 security incident.
- Vault credential unavailable → P1 (all tool calls blocked until resolved).
DR
| Scenario | RTO | Recovery |
|---|---|---|
| Tool registry unavailable | 0 (fail-closed; all tool calls blocked) | Cache last-known-good registry; restore service |
| Human approval system unavailable | 5min | Escalate to backup approval channel (Signal/email + manual log); restore system |
| Vault unavailable | 0 (fail-closed) | Vault HA cluster; emergency cached credential (time-limited) |
11. Cost Considerations
Cost Drivers
| Cost Driver | Description | Relative Impact |
|---|---|---|
| Invocation Control Plane compute | Additional latency layer adds compute; typically small relative to tool call cost | Low |
| Human approval operations | Analyst time to review and approve high-risk tool calls | Medium (scales with agent autonomy) |
| Vault credential generation | Per-invocation vault calls for scoped credentials | Low–Medium at scale |
| Audit log storage | Every tool call logged; grows with agent usage | Low–Medium |
| Tool sandbox compute | For code execution tools: Firecracker or Lambda sandbox overhead | High (if code execution is frequent) |
Indicative Cost Range
| Scale | Monthly Cost (USD) | Notes |
|---|---|---|
| Small (< 10K tool calls/day) | $200–$500 | Minimal compute; human approval cost dominates |
| Medium (10K–1M tool calls/day) | $1,000–$5,000 | Invocation plane autoscaling; vault cluster |
| Large (> 1M tool calls/day) | $5,000–$20,000 | Dedicated invocation infrastructure; high-availability vault |
12. Trade-Off Analysis
Option Comparison
| Option | Description | Pros | Cons | Best For |
|---|---|---|---|---|
| A: Framework-native tool security | Rely on LangChain/OpenAI Assistants built-in tool permissions | Fast to implement; no custom code | Framework-specific; limited auditability; no cross-agent policy; no human approval | PoC only; low-risk read-only tools |
| B: Centralised invocation control plane (this pattern) | Dedicated security layer with registry, validation, approval, audit | Comprehensive security; cross-agent policy; full audit trail | Engineering overhead; additional latency per tool call | Production agentic systems; regulated use cases |
| C: Policy-as-code only (OPA) | OPA evaluates tool calls against policies; no separate validation or approval workflow | Low latency; infrastructure-as-code policies | No human approval workflow; no output validation | Internal tools; low-risk operations only |
Architectural Tensions
| Tension | Trade-Off |
|---|---|
| Agent Autonomy vs Security | Every approval gate reduces agent autonomy and adds latency. Resolution: classify tools carefully — only DESTRUCTIVE/FINANCIAL/COMMUNICATION require approval; READ operations flow without human review. |
| Latency vs Completeness | Schema validation and injection checks add 10–20ms per tool call. At high agent throughput, this compounds. Resolution: async audit logging; caching of registry lookups; lightweight validation for low-risk READ tools. |
| Credential Freshness vs Performance | Per-invocation vault calls ensure fresh credentials but add latency. Resolution: short-lived credential cache in the invocation plane (5-minute TTL); async rotation for long-running agents. |
13. Failure Modes
| Failure | Likelihood | Impact | Detection | Recovery |
|---|---|---|---|---|
| Tool registry stale (caching bug) | Low | High (outdated ACLs; previously revoked tools become callable) | Registry cache age metric | Reduce cache TTL; forced refresh on registry change event |
| Human approval queue overflow | Medium | Medium (legitimate high-risk calls delayed) | Approval queue depth > threshold | Scale approval capacity; escalate to secondary approvers |
| Indirect injection in tool output (LLM context contamination) | Medium | High (agent takes unintended action on next tool call) | Anomalous subsequent tool calls; output injection detection rate | Output validator triggers; agent session terminated; investigation |
| Tool credential over-permissioned (misconfigured Vault policy) | Medium | High (agent can take actions beyond intended scope) | Quarterly permission audit | Least-privilege audit; immediate remediation |
| Input validation bypass (LLM learns to craft valid-but-dangerous arguments) | Low | High | Output anomaly detection; post-execution audit review | Update input validation rules; add semantic scope checks |
14. Regulatory Considerations
| Regulation | Requirement | Implementation |
|---|---|---|
| EU AI Act Art. 14 (Human Oversight) | High-risk AI systems must enable meaningful human oversight | Human approval gate for destructive/financial/communication actions directly implements this |
| EU AI Act Art. 9 (Risk Management) | Risk management measures for high-risk AI systems | Tool allow-listing and permission scoping are documented risk management controls |
| APRA CPS234 | Controls for third-party dependencies | Tool invocation audit log documents all third-party API calls made by AI agents |
| Australian Privacy Act | Prevent unauthorised disclosure of personal information | Output classification enforcement prevents agent from returning PI to unauthorised callers via tool results |
| NIST AI RMF GOVERN 6.2 | Policies for AI actor accountability | Audit log + human approval creates full accountability chain for every agent action |
| ISO/IEC 42001 §8.5 | Controls for AI system interactions | Tool registry and invocation control plane implement interaction controls |
15. Reference Implementations
AWS
| Component | AWS Service |
|---|---|
| Invocation control plane | Lambda (interceptor) + API Gateway |
| Tool registry | DynamoDB + S3 (versioned JSON schema) |
| Credential scoping | IAM Roles for each tool + assume_role per invocation |
| Human approval | Step Functions (human approval state) + SNS notification |
| Audit logging | CloudTrail + Kinesis → S3 Object Lock |
| Code execution sandbox | AWS Lambda (isolated execution environment) |
Azure
| Component | Azure Service |
|---|---|
| Invocation control plane | Azure Functions interceptor + APIM |
| Tool registry | Azure App Configuration + Cosmos DB |
| Credential scoping | Managed Identity + Azure Key Vault per-tool secret |
| Human approval | Logic Apps approval workflow + Teams notification |
| Audit logging | Azure Monitor + Event Hub → Immutable Blob |
On-Premises
| Component | Technology |
|---|---|
| Invocation control plane | Custom Go service with OPA integration |
| Tool registry | PostgreSQL + Git-versioned YAML (CI/CD sync) |
| Credential scoping | HashiCorp Vault dynamic secrets |
| Human approval | ServiceNow approval workflow + Slack integration |
| Audit logging | Kafka → Elasticsearch with immutable ILM policy |
| Code execution | gVisor or Firecracker MicroVM |
16. Related Patterns
| Pattern | ID | Relationship |
|---|---|---|
| AI Gateway | EAAPL-SEC001 | Tool invocation flows through the gateway; gateway enforces agent-level rate limits |
| Model Isolation | EAAPL-SEC003 | Egress controls in SEC003 complement SEC004 — tool allowlist enforced at both application and network layers |
| LLM Input Sanitisation | EAAPL-SEC005 | Input sanitisation techniques applied to tool arguments in SEC004 |
| AI Output Filtering | EAAPL-SEC006 | Tool output inspection in SEC004 mirrors output filtering techniques in SEC006 |
| Secrets Management for AI | EAAPL-SEC008 | Per-tool credential scoping depends on SEC008 vault infrastructure |
| Zero-Trust AI Pipeline | EAAPL-SEC007 | SEC004 implements zero-trust for the tool-call segment of the AI pipeline |
17. Maturity Assessment
Overall Maturity: Proven
| Dimension | Score (1–5) | Rationale |
|---|---|---|
| Pattern definition clarity | 5 | Well-defined controls; clear security boundaries |
| Technology availability | 3 | Framework-native options exist but lack enterprise features; custom implementation required for full pattern |
| Industry adoption | 3 | Rapidly growing as agentic AI deployments increase; security controls still maturing |
| Human approval tooling | 4 | Mature ITSM platforms support the workflow; AI-specific context in approval requests requires custom work |
| Regulatory alignment | 5 | EU AI Act Art. 14 human oversight requirement maps directly to this pattern |
| Incident response maturity | 3 | Patterns for responding to tool invocation incidents are still emerging |
18. Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2024-04-01 | Security Architecture Team | Initial pattern definition |
| 1.1 | 2024-11-15 | Security Architecture Team | Added indirect injection output validation; expanded human approval gate design; added code execution sandbox guidance |