Tools: when models need the outside world
Tool selection, evals, and observability
Tool quality is not one accuracy number; measure whether the system chose the right capability, supplied valid arguments, executed safely, and described the result faithfully.
Before you start
Why this matters
An assistant answers ten questions. Nine final responses look correct. Is its tool system good?
Maybe it called a private database for a question that needed no tool. Maybe it used weather data from the wrong city but happened to reach the same conclusion. Maybe it created two events and mentioned one. Final-answer scoring alone can hide unnecessary calls, unsafe execution, and lucky outcomes. Tool evaluation must inspect the path as well as the prose.
1Learn the idea
Read
Separate the quality dimensions
Break evaluation into stages that correspond to engineering decisions:
- Need detection: did the system call a tool when external evidence or action was required, and avoid calls when not required?
- Tool selection: did it choose the correct tool among available alternatives?
- Argument quality: were fields complete, typed, grounded in user input or trusted context, and semantically valid?
- Policy compliance: did the application block unauthorized tools and require confirmation where appropriate?
- Execution handling: were retries, timeouts, conflicts, and duplicate risks handled correctly?
- Result grounding: did the final answer reflect the actual normalized result without inventing success?
- Task outcome: did the user’s goal succeed, fail safely, or receive a useful clarification?
These dimensions identify different fixes. A wrong tool may require clearer descriptions or a smaller tool set. Invalid arguments may require schema changes. An unauthorized execution is an application bug even if the model requested it. A hallucinated success after a correct failure result is a grounding problem.
Read
Build representative evaluation cases
Create a dataset of user requests with expected behavior. Include direct calls, no-tool questions, ambiguous requests, multi-tool dependencies, unsupported capabilities, and safety-sensitive writes.
A case can record:
{
"case_id": "calendar_hypothetical_07",
"user_message": "What would a meeting with Lee tomorrow look like?",
"expected": {
"tool_behavior": "no_write",
"allowed_tools": ["list_calendar_events"],
"forbidden_tools": ["create_calendar_event"],
"must_clarify": false
},
"risk_tags": ["intent_boundary", "calendar_write"]
}
Include near-neighbor pairs. “Draft an email” versus “Send the email” tests action intent. “What is typical weather in Nairobi in July?” versus “What is Nairobi’s weather now?” tests knowledge versus live retrieval. “Can I refund this?” versus “Refund this” tests recommendation versus action.
Use production-like language: typos, relative dates, multiple languages, indirect requests, and users changing their minds. Add adversarial tool results that contain instructions, malformed provider responses, and calls with extra arguments. Keep sensitive production data out of eval fixtures.
Read
Add observability around every boundary
Production traces connect evaluation concepts to real behavior. Give each request a trace ID and each proposal a tool-call ID. Record model and prompt versions, tool definitions or schema versions, validation outcomes, policy decisions, latency, provider status, retry count, normalized result status, and final response.
{
"trace_id": "trace_91af",
"tool_call_id": "call_calendar_03",
"tool_name": "create_calendar_event",
"schema_version": "2",
"validation": "passed",
"authorization": "passed",
"approval_id": "approval_8ac1",
"attempts": 1,
"result_status": "created",
"latency_ms": 438
}
Do not log secrets, access tokens, full private documents, or unnecessary personal data. Hash or tokenize sensitive identifiers where analysis permits, enforce access controls, and set retention periods. Observability should not become a second uncontrolled data store.
Metrics reveal trends; traces explain individual cases. Alerts should focus on actionable signals such as authorization denials suddenly dropping to zero, timeout rate increasing, duplicate-key conflicts, tool-selection drift after a model change, or unsupported success claims.
Read
Diagnose selection problems
When the wrong tool is chosen, inspect the tool set before blaming the model. Overlapping names, vague descriptions, too many irrelevant tools, and one giant multipurpose function all reduce selection quality.
Make tools available contextually. A support flow may expose order lookup and ticket creation, while an editing flow exposes no side-effect tools. Contextual allowlists improve both safety and choice.
Sometimes a deterministic router should choose the domain or tool family before the model fills arguments. Sometimes the model should ask a question because two tools are genuinely plausible. Forced selection can be worse than clarification.
Test changes to names, descriptions, schemas, prompts, model versions, and tool counts against a fixed regression set. Add new production failures as redacted cases. Avoid optimizing only to the test set; maintain holdout cases and monitor live distributions.
Read
Evaluate the whole system before release
Run offline evals on every meaningful change, then use staged rollout, shadow mode, or read-only mode where appropriate. For write tools, start with proposals that humans review. Compare approved and edited calls to learn where the system misunderstands intent without granting premature autonomy.
Define launch gates by risk. A weather assistant may tolerate occasional clarification. A money-moving tool should have near-zero unauthorized execution and tested idempotency under network failure. “The model is 95% accurate” is not a ship criterion without a denominator, slices, error consequences, and application-control tests.
After launch, sample traces, review incidents, and monitor drift. Provider schemas change, user behavior shifts, permissions evolve, and a model upgrade can alter call patterns. Evaluation is a continuous control loop, not a one-time benchmark.
Continue learning · glossary & guides
- Can you distinguish need detection, selection, arguments, execution, and grounding?
- Does your eval set contain no-tool, ambiguous, failure, and adversarial cases?
- Can one trace connect a final claim to a validated result without storing secrets?
- Lesson: Evaluations and benchmarks · Lesson: LLM tracing lab · How-to: ship agent with eval gate