AI Capability

Function Calling

A capability of large language models that allows them to generate structured output requesting the invocation of external functions or tools, with specified parameters, rather than producing only natural language text. Function calling is the mechanism through which LLMs interact with APIs, databases, code interpreters, and other external systems.

Definition

Function calling is an LLM capability where the model, instead of generating only free-form text, produces structured output that specifies a function name and parameters to be executed by external code. The host application receives this structured output, executes the requested function, and returns the result to the model for further processing. This enables LLMs to perform actions beyond text generation: querying databases, calling APIs, executing code, sending messages, and manipulating files. Function calling was introduced as a core feature by OpenAI in 2023 and has since been adopted across all major LLM providers. It is the foundational mechanism that makes agentic AI possible — without function calling, LLMs are limited to generating text rather than taking actions in the world.

How It Relates to AI Threats

Function calling is central to the Agentic and Autonomous Threats domain because it is the mechanism through which AI systems gain the ability to affect external systems. Every function call represents a potential action with real-world consequences: a database query can expose sensitive data, an API call can initiate a financial transaction, a code execution call can modify files or run commands. When prompt injection attacks target AI systems with function calling capabilities, the attacker can potentially trigger arbitrary function invocations with attacker-controlled parameters. This transforms prompt injection from an information disclosure issue into a remote code execution or unauthorised action vulnerability.

Why It Occurs

  • LLMs are most useful when they can act on information rather than merely discuss it
  • Structured function calling provides a reliable interface between probabilistic language models and deterministic software systems
  • The pattern mirrors remote procedure call (RPC) architectures familiar to software engineers
  • Competition among AI providers drives the addition of increasingly powerful tool-use capabilities
  • Enterprise adoption of AI depends on integration with existing business systems, which function calling enables

Real-World Context

Function calling is used in virtually all production agentic AI systems, from AI coding assistants (generating and executing code) to customer service bots (querying order databases) to enterprise AI agents (orchestrating business workflows). Security research has demonstrated that prompt injection can redirect function calls to attacker-chosen functions with attacker-controlled parameters. The OWASP Top 10 for LLM Applications addresses function calling risks under LLM07 (Insecure Plugin Design) and LLM08 (Excessive Agency). Secure function calling practices include parameter validation, permission scoping, and human-in-the-loop approval for high-risk functions.
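The three practices named above (permission scoping, parameter validation, and human-in-the-loop approval) can be combined in a single host-side check that runs before any model-requested function executes. The sketch below is an added example, not code from this page or from any provider's SDK; the tool names, registry layout, limits and `dispatch` function are hypothetical.

```python
import json

# Constructed validator for the hypothetical order-ID format used below.
def _order_id(v):
    return isinstance(v, str) and v.isascii() and v.isdigit() and len(v) <= 12

# Hypothetical tool registry (assumption): per-parameter validators, risk tier, handler.
TOOLS = {
    "get_order_status": {
        "params": {"order_id": _order_id},
        "high_risk": False,
        "handler": lambda order_id: {"order_id": order_id, "status": "shipped"},
    },
    "issue_refund": {
        "params": {"order_id": _order_id,
                   "amount_cents": lambda v: type(v) is int and 0 < v <= 50_000},
        "high_risk": True,
        "handler": lambda order_id, amount_cents: {"refunded": amount_cents},
    },
}

def dispatch(raw_call, granted_tools, approver=None):
    """Treat the model's structured output as untrusted input.
    Returns (decision, detail); the handler runs only on 'executed'."""
    try:
        call = json.loads(raw_call)
        name, args = call["name"], call["arguments"]
    except (ValueError, KeyError, TypeError):
        return "rejected", "malformed call"
    if not isinstance(name, str) or not isinstance(args, dict):
        return "rejected", "malformed call"
    # Permission scoping: the tool must exist AND be granted to this session.
    if name not in TOOLS or name not in granted_tools:
        return "rejected", "tool not permitted for this session"
    spec = TOOLS[name]
    # Parameter validation: exact key set, then a validator per value.
    if set(args) != set(spec["params"]):
        return "rejected", "unexpected or missing parameters"
    for key, is_valid in spec["params"].items():
        if not is_valid(args[key]):
            return "rejected", f"invalid value for {key}"
    # Human-in-the-loop: high-risk tools need an explicit approval callback.
    if spec["high_risk"] and not (approver and approver(name, args)):
        return "pending_approval", "human approval required"
    return "executed", spec["handler"](**args)
```

Because the grant set belongs to the session rather than to the model's output, a call steered by injected text toward a tool outside that set is rejected before its parameters are examined.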

Last updated: 2026-04-03