Tool allowlists only gate which tool runs. Argument validation gates what the tool is allowed to do, and it is the missing rail when an allowlisted tool ships harmful inputs.
Imagine giving a junior intern a company credit card and saying 'you can only use it at the coffee shop.' Great rule. Now the intern walks into the coffee shop and buys a hundred laptops on it. The store name was allowed, but you never said anything about how much could be spent or what could be bought. Agent tools work the same way. Saying send_email is allowed is like naming the coffee shop. You also need rules about who the email can be sent to, how big it can be, and what it can contain. Those rules are argument validation. Without them, a model that gets tricked by a prompt injection can still ship damage through a perfectly approved tool name.
Detailed answer & concept explanation~6 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
3 min: two-door model (allowlist for verb, argument policy for value); the three layers (schema, policy, blast-radius class); how send_email with no recipient policy becomes an exfiltration channel; how Bedrock Guardrails and NeMo Guardrails express the rails.
Real products, models, and research that use this idea.
- AWS Bedrock Guardrails in 2026 exposes denied topics, content filters, PII filters, and contextual grounding checks that apply to tool inputs and outputs across model providers.
- NVIDIA NeMo Guardrails 0.10 (2026) uses Colang 2 flows to express per-tool input rails declaratively, including value-level checks beyond schema validation.
- Anthropic Claude tool-use docs require a JSON Schema for every tool, and the Anthropic Cookbook patterns wrap each tool in Pydantic validators before any side effect runs.
- Microsoft Azure AI Content Safety adds custom blocklists and prompt shields that gate function-calling arguments in Azure OpenAI deployments.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you design an argument policy for a refund tool that allows up to one hundred dollars without approval and requires a human signoff above that?
QWhere would you place argument validation: inside the tool implementation, in the orchestrator wrapper, or in a dedicated input rail?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating the tool allowlist as the whole control. The allowlist only says which tool can fire. What the tool can be asked to do still needs its own per-argument schema and policy check.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.