LLMs increasingly exhibit agentic behavior through their ability to use external tools. Instruction-tuned models can alternate between natural language responses and structured tool calls, enabling workflows like retrieval, web search, and code execution.
Once you enable tool calling, the model stops being a text completion engine. It starts orchestrating actions across external systems, then feeding those results back into the conversation loop. That’s the real bridge from “chat” to production agents.
It’s also where many teams get stuck.
Tool calling is the means by which agents connect to high-value data and take real actions across systems. It also creates a new data-risk surface that can bring projects to a halt. Schemas can reveal workflow logic and internal structure. Tool arguments and outputs often contain the data you most need to protect: identifiers, user records, operational telemetry, and proprietary context pulled from internal services. Put differently, once a model is invoking tools, protecting only the prompt isn't enough. You need privacy guarantees for the schemas, for the calls themselves, and for the tool outputs that get appended into the ongoing conversation.
Introducing tool calling support for Stained Glass
The latest Stained Glass release unlocks high-value agentic capabilities with private tool calling. Dive into the full tutorial or read on for an overview of the key features:
- Privacy-Preserving Tool Calling: SGT Proxy transforms embeddings before they reach the LLM, protecting sensitive data throughout the agentic workflow.
- End-to-End Protection: Prompt, context, and output protection preserves data privacy from input through tool execution.
- Production-Ready Integration: Works with industry-standard frameworks (Pydantic AI, OpenAI-compatible APIs) without code changes.
- Performance: Preserves model response quality and tool-calling behavior with negligible impact to latency.
How it works
A protected tool-calling loop looks like this:
- Your application sends a prompt plus tool definitions (JSON schema).
- The request is formatted and tokenized using the chat template.
- Stained Glass Proxy generates stochastically transformed embeddings and forwards those, rather than the plain token embeddings, to the model.
- The model returns one or more tool calls (tool_calls).
- Your application executes the tool call(s) and appends tool outputs back into the message stream.
- Your application calls the model again to produce the final response, with SGT protection still in place.
This is the same integration pattern developers already use for tool calling. The simple addition of Stained Glass preserves privacy for content flowing through the loop.
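The loop above, written out as an added example (this is not Stained Glass or Pydantic AI code). It assumes an OpenAI-compatible chat client whose `base_url` points at the proxy; to keep the example runnable offline, a scripted `FakeChatClient` stands in for that client, and the `lookup_customer` tool and its CRM data are constructed. Two checks a practitioner should keep no matter what sits in front of the model: tool names chosen by the model are dispatched only through an allowlist, and model-generated arguments are validated against the tool's own JSON schema before the tool runs.

```python
"""Tool-calling loop against an OpenAI-compatible chat endpoint.

Added example; not Stained Glass code. The FakeChatClient, the
lookup_customer tool and the _CRM data are constructed stand-ins so this
runs offline. Against a real deployment you would use something like
openai.OpenAI(base_url="https://<proxy-host>/v1", api_key=...).chat.completions
(assumed; adjust to your environment).
"""
import json
import re
from types import SimpleNamespace as NS

MAX_ROUNDS = 5  # cap model<->tool round trips so a looping model cannot run forever

# Tool schema the application sends alongside the prompt. It exposes internal
# field names and formats, which is exactly the kind of structure SGT protects.
TOOLS = [{
    "type": "function",
    "function": {
        "name": "lookup_customer",
        "description": "Fetch a customer record from the CRM by account id.",
        "parameters": {
            "type": "object",
            "properties": {"account_id": {"type": "string", "pattern": "^ACC-[0-9]{6}$"}},
            "required": ["account_id"],
            "additionalProperties": False,
        },
    },
}]

_CRM = {"ACC-004211": {"name": "Dana Reyes", "tier": "gold", "open_tickets": 2}}  # constructed

def lookup_customer(account_id: str) -> dict:
    return _CRM.get(account_id, {"error": "not found"})

TOOL_IMPLS = {"lookup_customer": lookup_customer}  # allowlist: only these names are ever called

def validate_args(schema: dict, args) -> None:
    """Minimal check for the object schemas used here (not a full JSON Schema validator)."""
    if not isinstance(args, dict):
        raise TypeError("arguments must be a JSON object")
    props = schema.get("properties", {})
    missing = [k for k in schema.get("required", []) if k not in args]
    if missing:
        raise ValueError(f"missing required arguments: {missing}")
    if schema.get("additionalProperties") is False and set(args) - set(props):
        raise ValueError(f"unexpected arguments: {sorted(set(args) - set(props))}")
    for key, spec in props.items():
        if key not in args:
            continue
        if spec.get("type") == "string" and not isinstance(args[key], str):
            raise TypeError(f"{key} must be a string")
        if "pattern" in spec and not re.fullmatch(spec["pattern"], args[key]):
            raise ValueError(f"{key} does not match {spec['pattern']}")

class FakeChatClient:
    """Scripted stand-in for client.chat.completions: first turn returns a tool
    call, second turn answers from the appended tool output."""
    def __init__(self):
        self.calls = 0

    def create(self, model, messages, tools):
        self.calls += 1
        last = messages[-1]
        if last["role"] == "user":
            call = NS(id="call_1", type="function",
                      function=NS(name="lookup_customer",
                                  arguments=json.dumps({"account_id": "ACC-004211"})))
            msg = NS(role="assistant", content=None, tool_calls=[call])
        else:
            rec = json.loads(last["content"])
            msg = NS(role="assistant", tool_calls=None,
                     content=f"{rec['name']} is {rec['tier']} tier with {rec['open_tickets']} open tickets.")
        return NS(choices=[NS(message=msg)])

def run_tool_loop(client, prompt, tools=TOOLS, impls=TOOL_IMPLS, model="any-model"):
    """Returns (final_answer, full message transcript)."""
    schemas = {t["function"]["name"]: t["function"]["parameters"] for t in tools}
    messages = [{"role": "user", "content": prompt}]
    for _ in range(MAX_ROUNDS):
        msg = client.create(model=model, messages=messages, tools=tools).choices[0].message
        if not msg.tool_calls:
            messages.append({"role": "assistant", "content": msg.content})
            return msg.content, messages
        # Echo the assistant turn, tool_calls included, so the model sees its own request.
        messages.append({"role": "assistant", "content": msg.content, "tool_calls": [
            {"id": tc.id, "type": "function",
             "function": {"name": tc.function.name, "arguments": tc.function.arguments}}
            for tc in msg.tool_calls]})
        for tc in msg.tool_calls:
            name = tc.function.name
            if name not in impls:
                result = {"error": f"unknown tool {name}"}
            else:
                try:
                    args = json.loads(tc.function.arguments)
                    validate_args(schemas[name], args)
                    result = impls[name](**args)
                except (ValueError, TypeError) as exc:
                    result = {"error": str(exc)}  # fed back to the model, never raised past the loop
            messages.append({"role": "tool", "tool_call_id": tc.id, "content": json.dumps(result)})
    raise RuntimeError(f"tool loop exceeded {MAX_ROUNDS} rounds")

if __name__ == "__main__":
    answer, transcript = run_tool_loop(FakeChatClient(), "What is the status of account ACC-004211?")
    print(answer)
```

Note where the sensitive content sits in that transcript: the schema in `TOOLS`, the account id in the model's arguments, and the customer record in the `tool` message. All three cross the wire on every round, which is why the proxy has to protect the whole message stream and not just the user prompt.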
Inspect and verify
The release also includes a /stainedglass endpoint for inspecting how protection is applied to a given request. It exposes:
- plain (untransformed) embeddings
- SGT-transformed embeddings
- attempted reconstruction text from protected embeddings
- an obfuscation score
In the example workflow, the reconstructed text from protected embeddings is nonsensical and does not recover the original tool definitions or tool outputs, while the model still completes the tool-calling loop successfully. The reconstruction attempt for that workflow reads:
*angstromtalya ціка диза найкраџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџuseRalativeImagePath無しさんárníCppI диза Českosloven νεφοκ">
erusformџџџџџџџџџџџџџџџџiếquotelevdrFc назна>();
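"Nonsensical" is a judgement a human makes by eye; in a pipeline you want the same check automated. The following is an added example (not Stained Glass code) of the two checks a practitioner would run over an inspection payload: that nothing from the tool schema, the call arguments or the tool output survives in the reconstruction, even partially, and that the transformed embeddings are not simply the plain ones. The page names what the endpoint exposes but not the response format, so the field names (`plain_embeddings`, `transformed_embeddings`, `reconstruction`, `obfuscation_score`), the sample payloads, the tool schema and the similarity threshold are all constructed for this example.

```python
"""Checks over a /stainedglass-style inspection payload.

Added example, not Stained Glass code. The endpoint's field names, the
sample embeddings, the reconstruction strings and the 0.5 similarity
threshold below are constructed for illustration.
"""
import json
import math
import re

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def mean_token_similarity(plain, transformed):
    """Average cosine between each plain token embedding and its transformed counterpart."""
    if not plain or len(plain) != len(transformed):
        raise ValueError("embedding sequences must be non-empty and the same length")
    return sum(cosine(p, t) for p, t in zip(plain, transformed)) / len(plain)

def sensitive_strings(tool_defs, tool_payloads):
    """Everything we never want to see again: tool and parameter names from the
    schemas, plus every key and value in the JSON that crossed the loop
    (call arguments and tool outputs)."""
    found = set()
    for t in tool_defs:
        fn = t["function"]
        found.add(fn["name"])
        found.update(fn.get("parameters", {}).get("properties", {}))

    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                found.add(k)
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
        elif isinstance(node, (str, int, float)):
            found.add(str(node))

    for raw in tool_payloads:
        walk(json.loads(raw))
    return found

def _norm(s):
    return re.sub(r"\s+", " ", s.lower()).strip()

def _lcs_len(a, b):
    """Length of the longest common substring (O(len(a)*len(b)), fine for short payloads)."""
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def leaked_fragments(secrets, reconstruction, min_len=4, ratio=0.75):
    """Secrets whose longest common substring with the reconstruction covers at
    least `ratio` of the secret (and at least `min_len` characters), so partial
    recoveries are flagged, not only verbatim ones. Secrets shorter than
    min_len are skipped: they would match by chance."""
    text = _norm(reconstruction)
    leaks = []
    for s in secrets:
        n = _norm(s)
        if len(n) < min_len:
            continue
        if _lcs_len(n, text) >= max(min_len, math.ceil(ratio * len(n))):
            leaks.append(s)
    return sorted(leaks)

def verify_protection(payload, tool_defs, tool_payloads, max_similarity=0.5):
    """Report on one inspection payload. `ok` requires no leaked fragments and
    transformed embeddings that are, on average, well away from the plain ones."""
    sim = mean_token_similarity(payload["plain_embeddings"], payload["transformed_embeddings"])
    leaks = leaked_fragments(sensitive_strings(tool_defs, tool_payloads), payload["reconstruction"])
    return {"mean_similarity": sim, "leaks": leaks,
            "obfuscation_score": payload.get("obfuscation_score"),
            "ok": not leaks and sim <= max_similarity}

# Constructed sample: one tool schema, the call arguments, and the tool output.
TOOL_DEFS = [{"type": "function", "function": {"name": "lookup_customer", "parameters": {
    "type": "object", "properties": {"account_id": {"type": "string"}}}}}]
TOOL_PAYLOADS = [json.dumps({"account_id": "ACC-004211"}),
                 json.dumps({"name": "Dana Reyes", "tier": "gold", "open_tickets": 2})]
PLAIN = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0]]
GOOD_PAYLOAD = {"plain_embeddings": PLAIN,
                "transformed_embeddings": [[0.6, 0.8, 0, 0], [0, 0, 0, 1], [0, 0, 0, -1]],
                "reconstruction": "ціка диза найкра quotelevdrFc назна>(); ungsrprxt Českosloven νεφοκ",
                "obfuscation_score": 0.97}
LEAKY_PAYLOAD = dict(GOOD_PAYLOAD, transformed_embeddings=PLAIN,
                     reconstruction="tool lookup_customer account_id=ACC-004211 returned Dana Reyes gold")

if __name__ == "__main__":
    print(verify_protection(GOOD_PAYLOAD, TOOL_DEFS, TOOL_PAYLOADS))
    print(verify_protection(LEAKY_PAYLOAD, TOOL_DEFS, TOOL_PAYLOADS))
```

The substring-ratio test is deliberately stricter than "does the tool name appear verbatim": an inversion attack that recovers `lookup_custom` or `Dana Rey` has still told the attacker most of what they wanted, and a check that only looks for exact matches would call that a pass.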
Toward privacy-preserving agent frameworks
To see the end-to-end pattern in a real agent framework, follow the Pydantic AI agentic workflow with SGT tutorial. It walks through a production-grade agent workflow using OpenAI-compatible APIs, where the agent relies on tool calling to fetch documentation context and return structured outputs. If you are building agents that touch sensitive systems of record, this is the most direct starting point: run the tutorial, validate the protected tool loop in your environment, and use it as the reference architecture for privacy-preserving agentic applications.