Jahanzaib
Architecture

Action Space

The complete set of actions an agent is authorized to take, defined by its registered tools and any policy filters.

Last updated: April 26, 2026

Definition

The action space is the closed set of operations an agent can perform. Concretely, it is the union of every tool the agent has been registered with, every external system it has credentials for, and every operation it is allowed to perform within those systems. Defining the action space precisely is one of the highest-leverage safety controls in agent design. A model cannot do something it has no tool for. By restricting the action space to exactly what the task needs, you eliminate entire categories of failure: an agent with only a "search" tool cannot accidentally delete files, and an agent with no email tool cannot accidentally email anyone.

Two patterns are common in production. First, dynamic action spaces, where the agent's available tools change based on context (a customer-service agent gets refund tools only after escalation approval). Second, scoped action spaces, where each tool is parameterized with constraints baked in (a "send_email" tool restricted to a specific domain, a "query_database" tool restricted to read-only). Both patterns shrink the action space relative to what the model could theoretically do, which shrinks the blast radius if the model makes a wrong call. Document the action space alongside the system prompt: it is part of your agent's contract.
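Both patterns can be enforced in one place: a tool registry plus a policy filter that sits in front of every tool call. The following is an added example, not code from the original page; the tool names, the allowed domain, the refund cap and the "escalation_approved" context flag are constructed values for a hypothetical customer-service agent.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed policy values for a hypothetical customer-service agent.
ALLOWED_EMAIL_DOMAIN = "example.com"
REFUND_CAP = 500
MUTATING_SQL = re.compile(r"\b(insert|update|delete|drop|alter|truncate|grant)\b", re.I)

@dataclass
class Tool:
    name: str
    validate: Callable[[dict], Optional[str]]        # None if args are in scope, else a reason
    requires: Set[str] = field(default_factory=set)  # context flags that must be present

def _email_in_scope(args: dict) -> Optional[str]:
    # Scoped tool: recipient must be exactly in the allowed domain (subdomains are rejected).
    to = args.get("to", "").strip().lower()
    return None if to.endswith("@" + ALLOWED_EMAIL_DOMAIN) else f"recipient {to!r} is outside {ALLOWED_EMAIL_DOMAIN}"

def _query_in_scope(args: dict) -> Optional[str]:
    # Scoped tool: one SELECT, no stacked statements, no mutating keywords. This is defence in
    # depth only; the credential the tool uses should itself be a read-only database role.
    sql = args.get("sql", "").strip().rstrip(";")
    if ";" in sql or not sql.lower().startswith("select") or MUTATING_SQL.search(sql):
        return "query is not a single read-only SELECT"
    return None

def _refund_in_scope(args: dict) -> Optional[str]:
    return None if 0 < args.get("amount", 0) <= REFUND_CAP else f"amount must be within 1..{REFUND_CAP}"

REGISTRY: Dict[str, Tool] = {t.name: t for t in [
    Tool("search", lambda args: None),
    Tool("send_email", _email_in_scope),
    Tool("query_database", _query_in_scope),
    Tool("issue_refund", _refund_in_scope, requires={"escalation_approved"}),  # dynamic: gated on approval
]}

def action_space(context: Set[str]) -> list:
    """The tools the agent may call right now: the registry filtered by the current context."""
    return sorted(name for name, tool in REGISTRY.items() if tool.requires <= context)

def authorize(tool_name: str, args: dict, context: Set[str]) -> Tuple[bool, str]:
    """Policy filter in front of every tool call; a call outside the action space never reaches a tool."""
    tool = REGISTRY.get(tool_name)
    if tool is None:
        return False, f"unknown tool {tool_name!r}"   # not in the closed set at all
    if not tool.requires <= context:
        return False, f"{tool_name} needs {sorted(tool.requires - context)}"
    reason = tool.validate(args)
    return (False, reason) if reason else (True, "ok")
```

Log every rejected call with its reason: a model repeatedly requesting tools outside its action space is a useful detection signal for prompt injection or task drift.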

When To Use

Define the action space explicitly for any agent that will run unsupervised. The exercise of writing it down forces you to find tools that should not be exposed and operations that should require human approval.

Building with Action Space?

I've shipped this pattern in real production systems. If you want a second pair of eyes on your architecture, that's what I do.