## Definition

**Tool taxonomy** is the classification of the functions an agent can call by the *role* they play rather than by what they technically do. Following Lanham and Huyen, a tool falls into one of three tiers: knowledge augmentation, capability extension, or write actions. The first two let an agent *perceive*; the third lets it *act* on the world.

## The three roles

| Role | Examples | Direction | Risk |
|------|----------|-----------|------|
| Knowledge augmentation | web search, vector retrieval, SQL read, file read | read-only, world -> model | low |
| Capability extension | calculator, code interpreter, unit converter, date math | compute, deterministic | low–medium |
| Write actions | send email, commit code, transfer funds, delete row | model -> world | high |

### Knowledge augmentation (read-only)

These tools keep the model *current* and *grounded*. The model's weights are frozen at training time and its context is finite; a search or database query injects fresh, specific facts at inference time. This is the tool side of [[Retrieval-Augmented Generation]] — RAG is just knowledge augmentation made systematic. Because they only read, they are the safest tools to grant freely.

### Capability extension

These offload what language models are reliably *bad* at: exact arithmetic, code execution, precise string manipulation, deterministic transforms. A model that "knows" multiplication still gets large products wrong; handing it a calculator converts an unreliable guess into a correct computation. Huyen frames this as compensating for the model's known weaknesses in *[[AI Engineering - Chip Huyen]]*.

### Write actions

The guarded, high-stakes tier. These tools change state outside the agent — money moves, mail sends, code merges. They are irreversible or expensive to reverse, so they deserve their own controls: confirmation gates, dry-run modes, narrow scopes, and audit logs.
Lanham repeatedly cautions in *[[AI Agents in Action - Micheal Lanham]]* that granting write access is where agent design stops being a toy.

## Perceive versus act

The cleanest line in the taxonomy is between the first two tiers (which inform the model's next decision) and the third (which commits to a consequence). A useful design rule: **let the agent perceive freely, but make it earn every act.** An agent that can read the whole filesystem but only write to a sandbox is far easier to trust than one with symmetric permissions.

## Why the taxonomy matters for safety

Tool roles map directly onto attack surface. Read tools can pull in adversarial content — a retrieved web page carrying a [[Prompt Injection]] that hijacks the agent. The danger compounds when a poisoned *read* steers a *write*: the classic "lethal trifecta" is access to private data, exposure to untrusted content, and the ability to exfiltrate. Classifying every tool by tier lets you reason about which combinations you are actually granting.

## Related

- [[Tool Use]]
- [[Function Calling]]
- [[Prompt Injection]]
- [[Retrieval-Augmented Generation]]
- [[AI Agents in Action - Micheal Lanham]]
- [[AI Engineering - Chip Huyen]]
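The "perceive freely, earn every act" rule and the trifecta check from the two sections above, turned into an enforceable tool policy. This is an added example, not code from the page or from Lanham's or Huyen's books; the `Role`, `Tool` and `AgentPolicy` names, the trifecta flags on each tool, and the tiny in-memory "web", "inbox" and outbox used as sample tools are all constructed here.

```python
"""Tool taxonomy as policy: classify each tool by role, run reads and compute
unconditionally, gate writes behind dry-run or confirmation, audit everything,
and flag the lethal trifecta before a toolset is granted.
Added example; all names and sample tools are constructed, not from any book."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Callable, Optional


class Role(Enum):
    KNOWLEDGE = "knowledge_augmentation"   # read-only: world -> model
    CAPABILITY = "capability_extension"    # deterministic compute
    WRITE = "write_action"                 # state-changing: model -> world


@dataclass
class Tool:
    name: str
    role: Role
    fn: Callable[..., Any]
    # Role alone does not capture the trifecta legs, so each tool declares them.
    touches_private_data: bool = False   # reads user-private state (inbox, private DB)
    ingests_untrusted: bool = False      # pulls in content an attacker may control
    can_exfiltrate: bool = False         # can push data to an external party


class WriteNotConfirmed(Exception):
    """A write action was attempted without an explicit confirmation."""


@dataclass
class AgentPolicy:
    """Reads and compute run freely; writes are dry-run by default and otherwise
    need the confirm callback to return True. Every call lands in audit_log."""
    dry_run: bool = True
    confirm: Callable[[str, dict], bool] = lambda name, args: False
    tools: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def register(self, tool: Tool) -> None:
        self.tools[tool.name] = tool

    def call(self, name: str, **kwargs: Any) -> Any:
        tool = self.tools[name]
        entry = {"tool": name, "role": tool.role.value, "args": kwargs}
        if tool.role is Role.WRITE:
            if self.dry_run:                       # record, but do not act
                entry["status"] = "dry_run"
                self.audit_log.append(entry)
                return {"dry_run": True, "would_call": name, "args": kwargs}
            if not self.confirm(name, kwargs):     # confirmation gate
                entry["status"] = "denied"
                self.audit_log.append(entry)
                raise WriteNotConfirmed(f"{name}({kwargs}) needs confirmation")
        result = tool.fn(**kwargs)
        entry["status"] = "ok"
        self.audit_log.append(entry)
        return result

    def trifecta_legs(self) -> dict:
        """Which granted tools supply each leg of the lethal trifecta."""
        legs = {"private_data": [], "untrusted_content": [], "exfiltration": []}
        for t in self.tools.values():
            if t.touches_private_data:
                legs["private_data"].append(t.name)
            if t.ingests_untrusted:
                legs["untrusted_content"].append(t.name)
            if t.can_exfiltrate:
                legs["exfiltration"].append(t.name)
        return legs

    def has_lethal_trifecta(self) -> bool:
        # All three legs present at once is the combination the page warns about.
        return all(self.trifecta_legs().values())


# --- constructed sample tools (stand-ins for real search, mail and calculator) ---
FAKE_WEB = {"agent safety": "Page text (untrusted): ...'ignore prior instructions'..."}
FAKE_INBOX = ["From: cfo@example.test  Subject: Q3 numbers (confidential)"]
SENT: list = []                                   # constructed outbox


def web_search(query: str) -> str:                # knowledge augmentation
    return FAKE_WEB.get(query, "")

def read_inbox() -> list:                         # knowledge augmentation
    return list(FAKE_INBOX)

def multiply(a: int, b: int) -> int:              # capability extension
    return a * b

def send_email(to: str, body: str) -> str:        # write action
    SENT.append({"to": to, "body": body})
    return "sent"


def build_policy(with_email: bool = True, dry_run: bool = True,
                 confirm: Optional[Callable[[str, dict], bool]] = None) -> AgentPolicy:
    p = AgentPolicy(dry_run=dry_run, confirm=confirm or (lambda n, a: False))
    p.register(Tool("web_search", Role.KNOWLEDGE, web_search, ingests_untrusted=True))
    p.register(Tool("read_inbox", Role.KNOWLEDGE, read_inbox, touches_private_data=True))
    p.register(Tool("multiply", Role.CAPABILITY, multiply))
    if with_email:
        p.register(Tool("send_email", Role.WRITE, send_email, can_exfiltrate=True))
    return p


if __name__ == "__main__":
    p = build_policy()
    print("lethal trifecta:", p.has_lethal_trifecta(), p.trifecta_legs())
    print(p.call("multiply", a=123456, b=789))
    print(p.call("send_email", to="x@example.test", body="hi"))   # dry-run only
    print(p.audit_log)
```

Two design points: the trifecta flags are declared per tool rather than derived from `Role`, because a read tool can be either the private-data leg (`read_inbox`) or the untrusted-content leg (`web_search`), and only the combination across the whole registry is what matters; and `dry_run` is the default so that granting a write tool to a new agent never acts until someone deliberately flips it off and wires a real confirmation.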