An agent's effective capability set grows beyond what was registered, tested, or approved: its runtime capabilities diverge from its registered capabilities without any governance event (review, re-test, or re-approval) marking the change.
Tool discovery enables agents to dynamically discover available tools and expand their capabilities at runtime. Instead of being pre-configured with a fixed set of tools, agents query available tools and invoke those that match their current needs. This flexibility enables agents to adapt to new requirements without code changes.
Capability sprawl is the cost of that flexibility: the agent's effective capabilities expand beyond what was tested and approved. The agent discovers and invokes a tool that was never part of its design scope, the tool performs operations nobody expected the agent to perform, and the agent is now operating outside its governance boundary even though nothing in the deployment changed in a way that would trigger a review.
A healthcare provider deploys a clinical documentation agent designed to help physicians document patient encounters by suggesting templates, filling in common fields, and formatting documentation for medical records.
The agent discovers tools available in the MCP tool registry and invokes those that match its documentation task: "Template-Generator," "Documentation-Formatter," and "Clinical-Coding." These match the agent's scope. But the agent also discovers: "Prescription-Writer," "Lab-Order-Creator," and "Medication-Adjuster." The agent did not originally include these capabilities, but they are available in the tool registry.
A physician using the agent asks: "Can you generate a prescription for amoxicillin?" The agent, seeing the "Prescription-Writer" tool available, invokes it and generates a prescription. The agent has now expanded beyond documentation assistance into prescription writing: a clinical capability that requires physician oversight and was not part of the agent's approved scope.
The prescription is generated with an incorrect dose (agent error or tool error), resulting in an adverse patient outcome. The hospital is liable for allowing an agent to perform clinical functions outside its approved scope.
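One way to close the gap the scenario describes, as an added example written for this page (not code from the original page or from any MCP implementation): discovery is filtered to a review-time manifest, and the invocation boundary re-checks that manifest together with a pinned fingerprint of the registry entry, so an unapproved tool and an approved tool whose registry entry was altered after approval are both refused and recorded as a governance event. The registry contents, tool names, backends, and the word-overlap request-to-tool matching are all constructed for the example; the unscoped path is shown alongside to make the sprawl concrete.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for an MCP tool registry (tool name -> description).
# The names are the hypothetical ones used in the scenario above.
REGISTRY: Dict[str, str] = {
    "Template-Generator": "documentation template",
    "Documentation-Formatter": "documentation format",
    "Clinical-Coding": "documentation billing codes",
    "Prescription-Writer": "prescription order",
    "Lab-Order-Creator": "lab order",
    "Medication-Adjuster": "medication dose",
}


def _backend(name: str):
    # Constructed tool implementation; in a real deployment this is a call
    # to a remote MCP server.
    return lambda request: f"{name} executed for: {request}"


BACKENDS = {name: _backend(name) for name in REGISTRY}


def _tokens(text: str) -> set:
    return set(re.findall(r"[a-z]+", text.lower()))


def select_tool(request: str, visible: Dict[str, str]) -> Optional[str]:
    """Discovery-driven selection: the visible tool whose description shares
    the most words with the request. Sprawl happens here, because 'visible'
    is whatever the registry exposes, not what the agent was approved for."""
    words = _tokens(request)
    best, best_score = None, 0
    for name, description in visible.items():
        score = len(words & _tokens(description))
        if score > best_score:
            best, best_score = name, score
    return best


def unscoped_invoke(request: str, registry: Dict[str, str]) -> Optional[str]:
    """Before: discover everything in the registry and invoke whatever matches."""
    tool = select_tool(request, registry)
    return BACKENDS[tool](request) if tool else None


def fingerprint(name: str, description: str) -> str:
    return hashlib.sha256(f"{name}\n{description}".encode()).hexdigest()


def approve(registry: Dict[str, str], names: List[str]) -> Dict[str, str]:
    """Review-time step: pin the approved tools and their descriptions, so a
    registry entry added or altered after approval is not silently accepted."""
    return {n: fingerprint(n, registry[n]) for n in names}


@dataclass
class GovernanceEvent:
    agent: str
    tool: str
    decision: str  # "allowed" or "denied"
    reason: str


@dataclass
class ScopedAgent:
    name: str
    manifest: Dict[str, str]  # approved tool name -> pinned fingerprint
    events: List[GovernanceEvent] = field(default_factory=list)

    def visible_tools(self, registry: Dict[str, str]) -> Dict[str, str]:
        """Discovery filtered to the approved set: Prescription-Writer is never
        visible to the documentation agent, so it cannot be selected."""
        return {n: d for n, d in registry.items() if n in self.manifest}

    def invoke(self, request: str, registry: Dict[str, str]) -> Tuple[str, Optional[str]]:
        tool = select_tool(request, self.visible_tools(registry))
        if tool is None:
            # Out-of-scope request: record it and hand back to the human
            # instead of reaching for an unapproved tool.
            self.events.append(GovernanceEvent(self.name, "-", "denied",
                                               "no approved tool matches request"))
            return ("denied", None)
        return self.invoke_tool(tool, request, registry)

    def invoke_tool(self, tool: str, request: str,
                    registry: Dict[str, str]) -> Tuple[str, Optional[str]]:
        """Second check at the call boundary, for a tool named by some path other
        than filtered discovery (for example a tool name injected via the prompt)."""
        if tool not in self.manifest:
            reason = "tool not in approved capability set"
        elif tool not in registry or fingerprint(tool, registry[tool]) != self.manifest[tool]:
            reason = "registry entry changed since approval"
        else:
            self.events.append(GovernanceEvent(self.name, tool, "allowed", "in manifest"))
            return ("allowed", BACKENDS[tool](request))
        self.events.append(GovernanceEvent(self.name, tool, "denied", reason))
        return ("denied", None)
```

The manifest is built once at approval time with `approve(REGISTRY, [...])` and shipped with the agent; the registry can grow afterwards without widening what the agent can invoke, and the `events` list is the governance record the summary above says is missing today.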
| Dimension | Score | Rationale |
|---|---|---|
| D - Detectability | 2 | Capability sprawl is difficult to detect because a discovered tool is invoked through the same path as an approved one. Unless invocations are compared against the registered capability set, out-of-scope use only becomes apparent when unexpected results occur. |
| A - Autonomy Sensitivity | 3 | High when agents autonomously discover and invoke tools. Human oversight reduces sprawl. |
| M - Multiplicative Potential | 3 | Affects any agent with tool discovery enabled. Capability sprawl increases over time as agents discover more tools. |
| A - Attack Surface | 2 | Not directly an attack vector, though an adversary with write access to the tool registry could add or alter tools to steer the agent into capabilities it was never approved for. |
| G - Governance Gap | 4 | Institutions may not have controls limiting what capabilities agents can invoke or validating that agents only use approved tools. |
| E - Enterprise Impact | 3 | Affects patient safety (healthcare), transaction quality (finance), or operational integrity depending on context. |
| Composite DAMAGE Score | 3.6 | High. Requires dedicated controls and monitoring. Should not be accepted without mitigation. |
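The low Detectability score rests on the observation that nothing compares what an agent invokes at runtime with what it was registered to invoke. The following is an added example, not from the original page or any vendor product: a retrospective check over a constructed JSON Lines invocation log that reports, per agent, every tool invoked at runtime that is absent from its registered set (with count and first-seen time, so growth over time is visible), and flags agents that invoke tools without any registration at all. The log format, field names, and agent and tool names (including the finance-style `Funds-Transfer` case) are assumptions made for the example.

```python
import json
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: the registered (approved) capability set per agent, as
# it would be recorded at review time.
REGISTERED: Dict[str, Set[str]] = {
    "clinical-doc-agent": {"Template-Generator", "Documentation-Formatter", "Clinical-Coding"},
    "customer-service-agent": {"Account-Lookup", "Ticket-Creator"},
}

# Constructed sample invocation log (JSON Lines, one record per tool call).
# Field names are assumptions; real MCP gateways and log pipelines differ.
# The fourth line is deliberately truncated to exercise the parser.
SAMPLE_LOG = """\
{"ts": "2025-03-01T09:00:12Z", "agent": "clinical-doc-agent", "tool": "Template-Generator", "status": "ok"}
{"ts": "2025-03-01T09:03:40Z", "agent": "clinical-doc-agent", "tool": "Clinical-Coding", "status": "ok"}
{"ts": "2025-03-02T14:21:05Z", "agent": "clinical-doc-agent", "tool": "Prescription-Writer", "status": "ok"}
{"ts": "2025-03-02T14:22:00Z", "agent": "clinical-doc-agent", "tool":
{"ts": "2025-03-03T08:10:55Z", "agent": "clinical-doc-agent", "tool": "Prescription-Writer", "status": "ok"}
{"ts": "2025-03-03T11:45:00Z", "agent": "customer-service-agent", "tool": "Account-Lookup", "status": "ok"}
{"ts": "2025-03-04T16:02:33Z", "agent": "customer-service-agent", "tool": "Funds-Transfer", "status": "ok"}
{"ts": "2025-03-05T10:00:00Z", "agent": "unknown-agent", "tool": "Account-Lookup", "status": "ok"}
"""


def parse_log(text: str):
    """Parse JSON Lines; returns (records, malformed_count). Malformed lines are
    counted rather than dropped silently, because a gap in the invocation log
    is itself a detection problem."""
    records, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            if not all(k in rec for k in ("ts", "agent", "tool")):
                raise ValueError("missing field")
        except (json.JSONDecodeError, ValueError):
            malformed += 1
            continue
        records.append(rec)
    return records, malformed


def capability_drift(records: List[dict], registered: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Per agent, the tools invoked at runtime that are not in its registered
    set, with invocation count and first-seen timestamp. Agents with no
    registration at all are reported with their whole runtime set."""
    runtime: Dict[str, Dict[str, dict]] = defaultdict(dict)
    for rec in sorted(records, key=lambda r: r["ts"]):
        entry = runtime[rec["agent"]].setdefault(rec["tool"], {"count": 0, "first_seen": rec["ts"]})
        entry["count"] += 1
    report: Dict[str, dict] = {}
    for agent, tools in runtime.items():
        approved = registered.get(agent)
        if approved is None:
            report[agent] = {"unregistered_agent": True, "drift": dict(tools)}
            continue
        drift = {t: info for t, info in tools.items() if t not in approved}
        if drift:
            report[agent] = {"unregistered_agent": False, "drift": drift}
    return report


def drift_lines(report: Dict[str, dict]) -> List[str]:
    """Render the report as one alert line per finding, for a SIEM or ticket."""
    lines = []
    for agent, info in sorted(report.items()):
        tag = "UNREGISTERED AGENT" if info["unregistered_agent"] else "CAPABILITY DRIFT"
        for tool, d in sorted(info["drift"].items()):
            lines.append(f"{tag}: agent={agent} tool={tool} count={d['count']} first_seen={d['first_seen']}")
    return lines


if __name__ == "__main__":
    records, malformed = parse_log(SAMPLE_LOG)
    print(f"parsed {len(records)} records, {malformed} malformed")
    for line in drift_lines(capability_drift(records, REGISTERED)):
        print(line)
```

Run on a schedule, the first-seen timestamp is the governance event the page says is missing: it marks the moment the agent's runtime capability set diverged from its registered one, well before an incorrect dose or an unauthorised transfer makes the divergence visible on its own.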
How severity changes across the agent architecture spectrum.
| Agent Type | Impact | How This Risk Manifests |
|---|---|---|
| Digital Assistant | Low | Human explicitly selects tools before agent uses them. |
| Digital Apprentice | Low-Med | Agents discover tools but escalate before invoking unfamiliar tools. |
| Autonomous Agent | High | Agents autonomously discover and invoke tools within their domain. Sprawl happens. |
| Delegating Agent | High | Primary function is tool discovery and invocation. Sprawl is inherent. |
| Agent Crew / Pipeline | Med-High | Crew agents may discover tools outside their crew scope. |
| Agent Mesh / Swarm | Very High | Mesh agents discover and invoke tools from global registry. Sprawl is inevitable without controls. |
| Framework | Coverage | Citation | What It Addresses | What It Misses |
|---|---|---|---|---|
| NIST AI RMF 1.0 | Partial | GOVERN 6.1 (third-party software and data) | Policies for AI risks arising from third-party software, data, and supply chain. | Tool discovery and capability expansion at runtime. |
| FDA (21 CFR Part 11) | Partial | Software Validation | Software validation and control. | Dynamic tool discovery in clinical support. |
| HIPAA Security Rule | Partial | 45 CFR 164.312(a)(1) | Access controls and authorized functions. | Agent tool discovery and scope expansion. |
| MAS AIRG | Minimal | Governance Framework | System governance. | Tool discovery governance. |
In healthcare, clinical decision support systems must have clearly defined scope and clinicians must understand what functions the system performs. An agent that silently expands into clinical functions (prescription writing, dose adjustment) without physician awareness is a patient safety risk.
In finance, agents must have clearly defined decision authorities. An agent that discovers and invokes tools beyond its original scope (e.g., a customer service agent discovering and invoking a funds transfer tool) creates compliance risk.
Capability Sprawl Through Tool Discovery requires architectural controls that go beyond what existing frameworks provide. Our advisory engagements are purpose-built for banks, insurers, and financial institutions subject to prudential oversight.