Tool calling is where a language model gains the ability to affect the world outside its context window. That's why security gets treated as its own category, not a subset of model risk.
The OWASP GenAI Security Project published its Top 10 for Agentic Applications for 2026, developed with over 100 contributing organisations. It exists because agentic systems break assumptions. The LLM Top 10 was built on. An agent plans, stores memory, invokes tools, and acts using real credentials. That's different.
Two entries sit directly on the tool call.
ASI02, Tool Misuse and Exploitation: Agents use connected tools in unsafe ways, or attackers exploit tool interfaces to gain access.
ASI03, Identity and Privilege Abuse: Agents misuse credentials or inherited permissions to reach data beyond intended limits.
The pattern behind both is over-permissioning. An agent gets a service account with broad access because scoping it properly was tedious during the pilot. That scope never gets tightened. The pilot becomes production.
Indirect prompt injection through tool results is the failure mode that catches people off guard.
Tool results enter the model's context as text, and the model has no reliable way to tell data from instructions. An attacker who can influence what a tool returns can influence what the agent does next. A poisoned document. A crafted support ticket. A comment field in a record the agent reads. Any of these can carry instructions.
OWASP ranks prompt injection as the top risk. The indirect variant is the one that matters for tool-using agents. In a chatbot, successful injection produces bad text. An agent with the right tools can move money.
The security community's reading is lopsided. CIO reported that fewer than 4% of MCP-related RSA Conference submissions framed the protocol as an opportunity. The rest focused on exposure: over-permissioned tooling, untrusted servers, and tool impersonation. The exposure isn't theoretical.
The controls that actually hold are controls that stack.
Least privilege per tool. Scope credentials to the specific operation, not the service. Read tools get read tokens.
Approval gates on state changes. Any tool that moves money, sends external communication, or deletes data routes through a human or a deterministic policy check. This isn't a maturity phase you graduate from. It stays.
Treat every tool result as untrusted input. Validate the structure and content before they reach the model's context, just as you'd validate user input.
Validate output before execution. The model's tool request is a suggestion. Check it against a schema and a policy layer before your code acts.
Log at the tool-call level. Arguments, results, and selection on every call. This is the only way silent success becomes visible.