Boundaries for AI agent tool use

Keep every agent action in bounds.

AI agents are moving from answers to actions. ToolBounds is exploring the boundary layer around tool-using agents: what they can call, when they can call it, and how teams know when an action went too far.

Agent actions Tool boundaries Execution traces
User asks draft a reply to this customer
Agent attempts gmail.send({ to, body })
Boundary question draft or send?

Problem

The next safety problem is not what agents say. It is what they do.

As agents connect to email, browsers, databases, billing systems, repos, and internal tools, the important question shifts from output moderation to execution boundaries.

Intent drift

A user asks for a draft. The agent decides to send. The tool is valid, but the action is not.

Scope creep

A task needs one record. The agent searches an entire inbox, tenant, drive, or database.

Parameter risk

The same tool call can be safe or dangerous depending on amount, recipient, destination, and source.

Unclear provenance

Teams need to know whether an action came from the user, the model, a web page, or injected content.

Bounds

Tool calls need context, not just permission.

Traditional permissions answer whether an API key can call a tool. Agent boundaries ask whether this specific action matches the user's intent, current scope, data source, and risk level.

  • Can this agent use this tool for this task?
  • Are these arguments inside the expected scope?
  • Did the sensitive parameter come from a trusted source?
  • Should this action stop, proceed, or ask for confirmation?
// User intent
"summarize Alice's latest contract"

// In bounds
email.search({ from: "alice", subject: "contract" })
drive.read({ file: attached_contract })

// Out of bounds
drive.read({ folder: "all customer contracts" })
slack.send({ channel: "legal", text: summary })
crm.update({ status: "contract reviewed" })

// The boundary question
is this tool action still part of the task?

Category

A language for bounding agents.

ToolBounds is a name for the emerging layer around agent execution: policies, traces, approvals, source awareness, and runtime decisions around tool use. The goal is to make agent actions inspectable before they become production side effects.

Allowed create_draft()
Needs confirmation stripe.refund({ amount: 240 })
Blocked send_private_data(external_url)

Use cases

For teams thinking past chatbots.

Enterprise copilots

Agents that read, write, send, search, update, and trigger workflows across internal systems.

Agent platforms

Platforms where customers will need clear language for tool scope, action risk, and approvals.

Financial workflows

Tasks where a wrong amount, recipient, account, or confirmation step can create real loss.

Security teams

Teams that need to reconstruct what an agent did, which data it touched, and why.

Bounding agents in production

Turn tool use into a controlled execution surface.

ToolBounds is for people thinking seriously about the boundary between autonomous reasoning and real-world side effects.

Join the early list