# Tool Registry: the new risk map for enterprise agents

> Enterprise agents need a live Tool Registry to track capabilities, ownership, risk, and kill switches, turning tool layers into governance surfaces.

- Author: Viktor Berthelius (BRTHLS)
- Published: 2026-06-29
- Updated: 2026-06-29
- Category: automation aiops
- Tags: tool-registry, mcp, agent-governance, automation-aiops
- Language: en
- Canonical: https://www.brthls.com/magazine/tool-registry-enterprise-agent-risk-en
- Source: BRTHLS Magazine — https://www.brthls.com

---

## Problem

Enterprises talk a lot about models and little about tools. That’s a mistake.

An agent without tools can get a response wrong. An agent with tools can delete, send, purchase, transfer, publish, deploy, edit, or execute. Risk no longer lives only in verbal output; it has moved to the action surface.

When hundreds of MCP servers, internal APIs, skills, scripts, and connectors appear, the critical question isn’t “what model do we use.” It’s “what can the agent do and who knows it.”

## Thesis

Every company that deploys agents needs a `Tool Registry`.

Not a decorative list of integrations. A living register of capabilities: which tool exists, who the owner is, what permissions it has, what data it touches, what actions it permits, what risk it carries, how it’s tested, and how it’s turned off.

Without a register, the organization has no agents. It has shadow automation.

## Framework

A tool registry must store seven minimum fields:

- **Owner:** team responsible for the tool.
- **Scope:** what it can read, write, or execute.
- **Risk:** low, medium, high or critical according to reversibility and impact.
- **Authorization:** which role, user, or agent may invoke it.
- **Evidence:** logs, traces and expected outputs.
- **Version:** contract, parameter and permission changes.
- **Kill switch:** how to deactivate the tool without breaking everything.

Mini‑case: an operations agent has access to calendar, CRM, billing, and email. Each tool looks innocent in isolation. Combined, they allow sending an incorrect offer, updating the deal stage, and firing an invoice. The risk isn’t in a single tool; it’s in the chain.

**Measurable signal:** percentage of tools invocable by agents with owner, scope, risk, and kill switch documented.

**Position:** the new security inventory isn’t just about applications. It’s about agentic capabilities.

## Why it matters now

The AI Security Institute analyzed 177,436 agentic tools published between November 2024 and February 2026 by monitoring public MCP repositories. Its reading is relevant: the ecosystem grows fast, agents move from observing to acting, and action tools in loosely‑restricted environments gain weight.

The Model Context Protocol itself includes an authorization specification and security guides that focus on OAuth, secure token storage, scopes, and dangerous patterns such as commands with file‑system, network, or execution access.

The conclusion is simple: the tool layer is already a governance surface.

## Anti‑example

“The agent only uses approved tools.”

That sentence means nothing if you can’t answer which version of the tool, what scopes it has, who approved it, what changes it underwent, what traces it leaves, and how it’s deactivated. Approval without inventory ages poorly.

## Protocol (3 steps)

1. **Classify by action, not by name.** “CRM tool” says nothing; “updates opportunity and sends email” does.
2. **Assign risk to chains.** Two low‑risk tools can form a critical action together.
3. **Audit dormant tools.** If a tool isn’t used, isn’t maintained, or has no owner, it should expire.

| Field | Question | Risk if missing |
| --- | --- | --- |
| owner | who answers | nobody corrects |
| scope | what it can do | excessive permissions |
| version | what changed | invisible regression |
| trace | what it did | no audit |
| kill switch | how to turn off | prolonged incident |

## Related

- [MCP in enterprise: the standard that prevents agent chaos](/magazine/mcp-enterprise-standard-prevents-agent-chaos-en)
- [AWS MCP Server GA: when coding agents enter cloud with guardrails](/magazine/aws-mcp-server-ga-coding-agents-cloud-guardrails-en)
- [Microsoft Agent 365: the control plane that turns shadow AI into inventory](/magazine/microsoft-agent-365-control-plane-en)

## Sources consulted

- [AISI: How are AI Agents used? Evidence from 177,000 AI agent tools](https://www.aisi.gov.uk/blog/how-are-ai-agents-used-evidence-from-177000-ai-agent-tools)
- [Model Context Protocol: Authorization](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization)
- [Model Context Protocol: Security best practices](https://modelcontextprotocol.io/docs/tutorials/security/security_best_practices)

## Next step

Create an inventory of ten tools that your agents can already call. If you can’t classify owner, scope, risk, and kill switch in an afternoon, the problem isn’t lack of AI; it’s lack of a control plane.

---

*Translated from the Spanish original with AI assistance and reviewed for accuracy. [Read the original in Spanish](/magazine/tool-registry-mapa-riesgos-agentes-enterprise-es).*

---

_Cite as: Berthelius, V. (2026). "Tool Registry: the new risk map for enterprise agents". BRTHLS Magazine. https://www.brthls.com/magazine/tool-registry-enterprise-agent-risk-en_
