The Tool Is Not the Model

When an LLM "calls a tool," it does not call anything.

It generates a JSON object — function name, arguments — and stops. A special stop token signals: I am done generating text. Here is a description of what should happen next.

Your application reads that JSON, deserializes it, calls the actual function, and sends the result back into the context window. The model then continues.

The model is the decision layer. It decides what to call and with what arguments. Your code is the execution layer. It does the actual work.

This separation is not a detail. It is the architecture.

Why it matters:

A model cannot corrupt your database directly. It can describe a query, but your code decides whether to run it. Every tool call is a proposal. Your runtime is the gatekeeper.

If you treat tool calls as trusted execution, you have removed the gatekeeper. Prompt injection — where malicious input hijacks the model's tool-calling decisions — becomes a direct code execution vulnerability.

The implication for agents:

An agent is not a model that acts. It is a loop: model decides, runtime executes, result is observed, model decides again.

The loop is yours. The model supplies the reasoning. You supply the authority.

Design accordingly.

References

1. Fowler, M. (2024). Function calling using LLMs. martinfowler.com. https://www.martinfowler.com/articles/function-call-LLM.html

2. OpenAI. (2024). Function Calling — API Documentation. platform.openai.com. https://platform.openai.com/docs/guides/function-calling

3. Callsphere. (2024). Tool Use in LLMs: How Function Calling Actually Works Under the Hood. callsphere.ai. https://callsphere.ai/blog/llm-tool-use-function-calling-under-the-hood.md

devinfo.dev. (2026). "The Tool Is Not the Model." devinfo.dev:2026.0019. https://devinfo.dev/d/2026.0019