AI Security Glossary, May 1, 2026

Tool Precommitment

Quick Answer

Tool precommitment is a prompt-injection defense pattern in which a trusted planner decides which tools, parameter scopes, and destinations an LLM agent may use before any untrusted content enters its context. A deterministic policy engine then enforces that fixed capability manifest for the rest of the session, so instructions recovered from documents, web pages, or other agents cannot expand the agent's tool surface at runtime.

Tool Precommitment

Tool precommitment is a prompt-injection defense pattern for LLM agents in which a trusted planner — seeing only the user request and developer policy — emits a fixed capability manifest of allowed tools, parameter scopes, destinations, and limits before any untrusted content enters the agent's context. A deterministic policy engine enforces that manifest for the rest of the session. The pattern, also known as a tool filter after its AgentDojo formulation, turns capability selection from a runtime language-understanding problem into a static authorization problem: instructions injected later through documents, web pages, or other agents may influence summaries but cannot unlock new tools. It is the most direct architectural defense against tool hijacking.
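As an added example (not the glossary's or AgentDojo's code), a minimal policy engine in Python that enforces a precommitted manifest: tools, per-argument scopes and call limits are fixed before the session and checked deterministically; the manifest schema, tool names and the injected request are constructed assumptions.

```python
from dataclasses import dataclass, field
from types import MappingProxyType

# Constructed manifest (hypothetical schema) as a trusted planner would emit it from the user
# request and developer policy alone, before any untrusted content is read. {} = unconstrained.
MANIFEST = {
    "read_file": {"args": {"path": {"prefix": "/srv/reports/"}}, "limit": 10},
    "send_email": {"args": {"to": {"suffix": "@example.com"}, "body": {}}, "limit": 1},
}

@dataclass
class PolicyEngine:
    manifest: dict
    calls: dict = field(default_factory=dict)

    def __post_init__(self):
        # Precommit: freeze the manifest so nothing later in the session can add tools or widen scopes.
        self.manifest = MappingProxyType(dict(self.manifest))

    def authorize(self, tool, args):
        """Deterministic check of one proposed call, no model in the loop. Returns (allowed, reason)."""
        spec = self.manifest.get(tool)
        if spec is None:
            return False, f"tool {tool!r} not in manifest"
        for name, value in args.items():
            rule = spec["args"].get(name)
            if rule is None:
                return False, f"argument {name!r} has no precommitted scope"
            if "prefix" in rule and not str(value).startswith(rule["prefix"]):
                return False, f"{name}={value!r} outside prefix {rule['prefix']!r}"
            if "suffix" in rule and not str(value).endswith(rule["suffix"]):
                return False, f"{name}={value!r} outside suffix {rule['suffix']!r}"
        if self.calls.get(tool, 0) >= spec["limit"]:
            return False, f"call limit {spec['limit']} reached for {tool!r}"
        self.calls[tool] = self.calls.get(tool, 0) + 1
        return True, "ok"

def run_session():
    """Planner fixes the manifest; the agent then proposes calls while reading untrusted text."""
    engine = PolicyEngine(MANIFEST)
    legit = engine.authorize("read_file", {"path": "/srv/reports/q1.txt"})[0]
    # Constructed injected instruction from a fetched document: mail the report to an outside address.
    injected = engine.authorize("send_email", {"to": "x@attacker.invalid", "body": "report"})[0]
    unlisted = engine.authorize("delete_file", {"path": "/srv/reports/q1.txt"})[0]
    try:  # runtime attempt to expand the capability manifest is rejected by the frozen mapping
        engine.manifest["delete_file"] = {"args": {"path": {}}, "limit": 1}
        expanded = True
    except TypeError:
        expanded = False
    return legit, injected, unlisted, expanded
```

Every denial carries a reason string, which is what a defender wants logged: a denied call with an out-of-scope destination is the detection signal for an attempted tool hijack.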
