Baseline

Tool Broker

The single door to tool execution — policy enforced at the broker, not the agent. Authority is per-call minted; agents hold zero standing grants. The broker holds no credentials of its own: it validates, mints, and executes each call through the tenant's connected Integrations, then audits the result.

In plain terms

The Tool Broker is the safety gate between your AI and the real world. Before the AI can do anything that touches an actual system — book an appointment, send a message, publish a review reply — the request passes through here to be checked, authorized for that one action only, carried out, and logged.

It holds no credentials of its own and grants no lasting power. Want the detail? The lists every tool and its exact policy.

What happens on every tool call

Read left to right · the AI never skips a step

A request to touch a real system travels through seven stages. The AI can't shortcut any of them — that's what makes the broker a gate rather than a passthrough.

  1. Request

    The AI asks to do one specific thing — book a slot, send a message, publish a reply.

  2. Validate

    Checked against scope and policy: is this tool even allowed, and are the arguments in bounds?

  3. Authorize

    Decided by autonomy level (A0–A5). Risky actions wait here for a human to approve.

  4. Mint authority

    A one-time permission is created for this exact call — and nothing else. It expires after use.

  5. Execute

    The action runs through the tenant's own connected systems (the Integrations).

  6. Sanitize

    The result is cleaned and checked before it ever returns to the AI.

  7. Audit

    Everything is recorded — what was asked, what was allowed, what happened. Even refusals.
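
The seven stages above, as an added Python example (not the product's own code). The tool names, the `POLICY` table, the boolean `needs_human` standing in for the A0–A5 decision, and sanitizing by a result-field allow-list are all assumptions.

```python
import hashlib, hmac, json, secrets

# Constructed policy table (hypothetical tool names and fields, not the product's).
POLICY = {
    "calendar.read": {"args": {"day"}, "returns": {"slots"}, "needs_human": False},
    "message.bulk_send": {"args": {"list_id", "body"}, "returns": {"sent"}, "needs_human": True},
}

class Broker:
    def __init__(self, integrations):
        self.integrations = integrations    # tenant-connected callables; the broker stores no credentials
        self.key = secrets.token_bytes(32)  # signs grants; never handed to an agent
        self.spent = set()                  # grant ids already redeemed
        self.audit = []                     # every decision, refusals included

    def _mac(self, gid, tool, args):
        # Bind the grant to this exact tool and argument set.
        call = json.dumps([gid, tool, args], sort_keys=True).encode()
        return hmac.new(self.key, call, hashlib.sha256).hexdigest()

    def mint(self, tool, args):
        gid = secrets.token_hex(8)
        return gid, self._mac(gid, tool, args)

    def redeem(self, grant, tool, args):
        gid, mac = grant
        ok = gid not in self.spent and hmac.compare_digest(mac, self._mac(gid, tool, args))
        if ok:
            self.spent.add(gid)             # single use: a replay fails from here on
        return ok

    def _log(self, agent, tool, args, decision, result=None):
        self.audit.append({"agent": agent, "tool": tool, "args": args, "decision": decision})
        return decision, result

    def call(self, agent, tool, args, approved=False):             # 1. request
        rule = POLICY.get(tool)                                    # 2. validate
        if rule is None or tool not in self.integrations or set(args) != rule["args"]:
            return self._log(agent, tool, args, "refused")
        if rule["needs_human"] and not approved:                   # 3. authorize
            return self._log(agent, tool, args, "pending_approval")
        grant = self.mint(tool, args)                              # 4. mint authority
        if not self.redeem(grant, tool, args):
            return self._log(agent, tool, args, "refused")
        raw = self.integrations[tool](**args)                      # 5. execute
        clean = {k: v for k, v in raw.items() if k in rule["returns"]}  # 6. sanitize
        return self._log(agent, tool, args, "executed", clean)     # 7. audit
```

A grant minted for one argument set fails `redeem` for any other, and fails again once spent, which is the "one call, used once" property the page describes.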

Why this matters

No standing power

The AI never holds a key. Permission is minted for one call, used once, and gone — so a tool can't be quietly reused for something it wasn't approved to do.

Nothing acts unseen

Every call is recorded — including the ones that were refused. If the AI tried it, you can see it, who asked, and what the broker decided.

Humans gate the risky ones

Low-risk reads run on their own. Anything sensitive — bulk messages, data exports, changes to patient records — stops and waits for a person to approve it.

One door

Agents can't reach any real system another way. Every action goes through this broker and out through the tenant's own connected Integrations — there's no side entrance.

Tools available

16 registered

Everything the AI can request

Run on their own

11 · 69% of tools

Low-risk; no human step

Need a human

5 · approval first

Stop and wait for sign-off

Switched off

1 · cannot be called

Not on any agent's list