Function Calling (Tool Use) — How LLMs Invoke External Operations

Key Takeaway: Function calling is the capability of a large language model to decide that a named external operation should be invoked, structure its parameters, and return a structured call rather than a text response. It is the LLM-side mechanism behind agentic AI. The Model Context Protocol (MCP) is the protocol layer above it that governs which functions are available, how they are authenticated, and how calls are recorded.

What is Function Calling?

Function calling — also called tool use — is a capability in large language models (LLMs) that allows the model to produce a structured output representing a request to invoke an external operation, rather than generating a plain text response. When a user or system prompt describes available tools and a goal, the model can decide that the goal requires calling one of those tools, name the tool, specify its input parameters in a structured format (typically JSON), and return that structured call to the application layer for execution.

The executing application receives the structured call, runs the actual operation (a database query, an API request, a file read, a calculation), and passes the result back to the model. The model then incorporates that result into its next step — either generating a final response or deciding to invoke another tool. This perception-reasoning-action cycle is the core mechanism of agentic AI.

Function calling is what distinguishes a modern LLM deployment from a text-generation endpoint. A model with function calling enabled is not answering questions; it is acting as the reasoning engine in a system that can interact with the world.

Why It Matters

Without function calling, LLMs are bounded by the information in their training data and the text in their input context. Everything they know is either memorized or pasted in. This creates hard limits for business applications: an LLM cannot check a live CRM record, cannot update a database, cannot send an email, cannot retrieve a document that was created after its training cutoff.

Function calling removes those limits. An LLM that can call tools is an LLM that can act. This is the architectural shift that makes practical automation possible: business applications gain a reasoning engine that can orchestrate real operations in real systems, not just generate text about them.

Core Mechanism

The typical function calling flow has three stages:

1. Tool declaration — The calling application provides the model with a list of available tools, each described by a name, a natural-language description, and a typed input schema. The model does not execute tools; it only knows they exist and what their inputs look like.

2. Model decision — Given a goal, the model reasons about whether a tool call is required. If so, it produces a structured tool call object: the tool name and the argument values filled in from context. If multiple sequential tool calls are needed, the model reasons through them in order.

3. Application execution — The application layer receives the tool call, executes the underlying operation, and returns the result to the model. The model incorporates the result and either produces a final answer or calls another tool. This loop continues until the goal is complete or a stopping condition is met.

The quality of function calling behavior depends heavily on tool description quality. Vague descriptions produce unreliable parameter choices. Well-typed, precisely described tools produce consistent, predictable behavior — which is why tool declaration is a governance surface, not just a developer convenience.

Function Calling vs MCP

A common point of confusion: function calling and the Model Context Protocol (MCP) are not the same thing, though they work together.

Function calling is the LLM capability — the model's ability to decide to invoke a named operation and structure its parameters. It is implemented at the model layer.

MCP is the protocol layer above it — the infrastructure that defines which tools are exposed to an agent, how those tools connect to real systems, how authentication is handled, and how every tool call and its result are recorded as structured artifacts. An agent can use function calling without MCP (by having the application directly execute the called function without a protocol intermediary), but then there is no systematic record and no permission enforcement at the protocol level.

In enterprise deployments, function calling without a governance protocol layer is a risk. The model can call any tool the application exposes; if that exposure is poorly controlled, the model can take actions that exceed its intended scope. MCP solves this by making tool availability an explicit, policy-level declaration rather than an implicit runtime capability.

Edge Cases and Governance Implications

In regulated enterprise contexts, function calling governance must address three specific risks:

Scope creep: An agent that can call any tool in a shared tool registry is an agent that may inadvertently access systems it should not. Tool allow-lists per agent — not per deployment — enforce least privilege at the agent level.

Audit trail gaps: Native function calling at the model layer produces the call and the result within the model's context. Without a protocol layer, those calls are not automatically captured as structured, queryable audit artifacts. In an AI Act high-risk deployment, the ability to reconstruct exactly which external operations an agent performed — and with what inputs — is required for Article 9 risk management documentation.

Unvalidated input propagation: When an LLM constructs function call parameters from user-provided text, there is a prompt injection risk: a user input could attempt to shape the function call in a way the application did not intend. Typed input schemas at the tool declaration level (enforced by MCP or similar) mitigate this by constraining what parameter values are structurally valid.

Knowlee Perspective

In Knowlee's governance model, every agent job declares an explicit allow-list of tools. This list controls which tool-orchestration endpoints the agent's function calling capability can reach. A tool not in the list is structurally unreachable — this is not a prompt instruction the model could reason around, it is a protocol-level constraint.

This design means function calling in Knowlee is always scoped, always logged, and always risk-classified. The tool declaration in the orchestration layer carries metadata: which data categories the tool can access, what risk level the operation represents, and whether human approval is required before the call executes. This is how AI Act Article 14 human oversight obligations are operationalized at the tool-use level: not as a general "human reviews the output" check, but as a targeted gate on specific high-risk tool calls.

Related Terms

• What is the Model Context Protocol (MCP)?
• What is Agentic AI?
• What is an AI Agent?
• What is AI Agent Memory?