Sensitive AI workflow Ho Bae

Agent Tool-Output Leakage in Agentic AI Workflows

agent tool output leakage thumbnail return path

Agent tool-output leakage is what happens when an agent calls a tool, receives real data such as a database row or an API response, and folds that result into its next reasoning step, sending confidential values to the model that no person ever typed into a prompt.

Enterprises are betting on autonomy, and the bet is fragile. OWASP’s AI Agent Security guidance names data exfiltration through tool calls, API requests, and agent outputs as a first-class risk, and it is the one agents feed quietly, because these systems touch data no one budgeted for governing. Microsoft’s AI Red Team maps the same failure in agents: untrusted content that flows into an agent’s memory can become a pivot point to exfiltrate data. An agent does not wait for a human to paste in the sensitive material. It reads the material itself, at runtime, from whatever tool the task requires, then carries it forward. That is the specific failure this article is about.

What agent tool-output leakage looks like in practice

Picture an agent handed a routine task: reconcile this week’s failed payments and draft the customer emails. It calls a tool to query the billing database. Back come rows of real customer names, card fragments, amounts, and failure codes. The agent passes that result straight into its next reasoning step, which means straight into the model’s context window. Nobody wrote a line of code that says “send customer records to the LLM.” The agent did it on its own, because reasoning over tool results is exactly how agents work.

Most of the attention in agentic systems goes to what the agent is allowed to do: which tools it can call, which actions it can take, which permissions it holds. The quieter risk is what the agent reads back and then carries into its own context. The action is visible in an audit log. The data riding along inside the reasoning trace usually is not.

Why the tool-to-model hand-off is the leak point

A single-shot prompt has one boundary crossing you can reason about: the text goes out, an answer comes back. An agentic AI workflow has many crossings, and they are dynamic. Every tool call can return real data, and the whole design of the agent is to take that return value and reason over it in the following step. Query a database, read a file, hit an internal API: each result becomes context for the model.

The leak is not the tool call itself, and it is not the final answer. It is the moment the tool’s output is folded back into the model’s working memory. That is the crossing teams forget to govern, because it looks like an internal step rather than an egress.

What makes this slippery is that the path is decided at runtime. You cannot enumerate in advance every record an agent will pull, because the agent chooses based on the task in front of it. The usual reflex, locking the agent out of the sensitive tools, produces the same dead end it produces everywhere: the billing database was the point of the task. An agent that cannot read it cannot reconcile the payments, so you have traded a leak for a system that no longer does the work.

Diagram of tool outputs with real data accumulating into an agent's model context across three reasoning steps, showing the leak path

How this differs from a normal prompt leak

The reason agent tool-output leakage slips past controls that catch ordinary prompt exposure is that the sequence is different at several points. A prompt-based check assumes a human author, a single moment, and a readable input. Agentic AI breaks all of those assumptions at once.

Dimension Direct prompt leak Agent tool-output leakage
Who introduces the data A person types or pastes it The agent reads it from a tool
When it happens Once, at the prompt At every tool-to-model hand-off
Where it shows up In the written prompt Inside the reasoning trace
Path known in advance Yes No, decided at runtime
Does blocking the tool fix it Not applicable No, it breaks the task

Because no person types the data in, the leak never appears as a written prompt for a reviewer to flag. It appears as an internal reasoning step, which most monitoring treats as trusted. That is why a team can pass a prompt-hygiene review and still be exposed. The exposure is not theoretical: the AI Incident Database has cataloged more than 1,500 real-world AI failures.

Closing the tool-to-model hand-off

The durable approach treats each tool result as a boundary crossing on the way back into the model, the same way a careful team treats data going out. When a tool returns rows of customer records, those records are substituted before they reach the model’s context: names, card fragments, and identifiers become consistent stand-ins, while the shape of the data stays intact. Which row owes what, which payment failed and why, all of that structure survives. The agent reasons over a faithful structure and never holds the raw values.

When the agent produces its output, the draft emails or the reconciliation report, the result is reconstructed against the real records inside your environment, so the final artifact is complete and correct. The agent keeps its tools and its autonomy. The values simply stop riding along through every step. In this model the middleware does three things in order: it substitutes the tool output before the model sees it, it lets the agent execute over the faithful stand-ins, and it reconstructs the real values into the finished artifact locally.

The component that sits on that hand-off is a Context-Preserving Data Layer for AI, in CUBIG’s case LLM Capsule. It intercepts each tool result, applies the substitution, and rebuilds the output at the end. Because the stand-ins are consistent across steps, an agent can reference in step two the same entity it saw in step one and still reason correctly, without the underlying values ever entering the model.

Diagram of a tool-to-model hand-off where real values are substituted, executed by the model, then reconstructed

A quick self-diagnostic for your agents

Run this check against any agentic AI workflow you already have in production or in a pilot. If you answer no to more than one, the tool-to-model hand-off is likely an open leak path.

  • Can you name every tool your agent can call that returns confidential or regulated data?
  • When a tool returns real records, do those values enter the model’s context unaltered?
  • Could you reconstruct, after the fact, which sensitive records passed through a given run?
  • Does your current control depend on blocking a tool the task actually needs?
  • If a reviewer read only the prompts, would they see the sensitive data the agent handled?

Where it fits in CUBIG’s operating layer

Agent tool-output leakage is the agentic cousin of retrieved-context leakage in RAG workflows, where the carrier is a retrieved chunk rather than a tool result. Both are instances of LLM data egress, the broader point that sending data to a model is a perimeter crossing whether a human or an agent initiates it. Closing the hand-off is what lets multi-step agents run under sensitive AI workflow enablement, which runs on Syntitan, CUBIG’s AI-Ready Data Platform.

Diagram of an agent run inside the enablement layer with a tool-to-model boundary at each step, on the Syntitan platform

LLM Capsule holds the boundary at the tool call, not just the prompt. A tool result is substituted before it flows back to the model, so the agent finishes the task without raw values re-entering the context.


External AI. Originals never leave. CUBIG builds your AI data boundary. Contact CUBIG.

FAQ

What is agent tool-output leakage?

It is when an agent calls a tool, gets back real confidential data, and folds that result into its next reasoning step, sending values to the model that no person ever typed into a prompt.

Why is agent tool-output leakage harder to catch than a normal prompt leak?

Because no human types the data in. The agent reads it from a tool at runtime and forwards it on its own, so the exposure appears as an internal reasoning step rather than a written prompt a reviewer can flag.

Does substituting tool output break the agent's reasoning across steps?

No. The structure and relationships in each result are preserved and the stand-ins stay consistent across steps, so the agent reasons normally and the real values are reconstructed into the final output locally.

Is blocking the agent's tools enough to stop the leak?

No. Blocking a tool either removes the data the task needs or leaves the leak open for the tools the agent must use, so the durable fix is to substitute the tool output before it enters the model's context.