Not every AI agent is a coding agent. Not every service has a CLI. Not everyone wants unfettered CLI access to production systems exposed on the open internet.
The current trajectory of AI capability is toward more autonomy. Models are getting better at planning, at decomposing tasks, at reasoning about sequences of actions. The constraint isn’t intelligence—it’s connectivity and governance.
How do you give AI access to everything it needs while maintaining control over what it does?
The narrow waist concept
Network engineers know the narrow waist pattern. IP is the narrow waist of the internet—everything above (TCP, HTTP, applications) depends on it, everything below (Ethernet, WiFi, fiber) implements it. One stable interface that everything routes through.
The narrow waist provides a point of control. All traffic flows through IP, so IP is where you implement routing, filtering, monitoring. You don’t have to understand every application or every physical medium—you understand IP, and that’s enough.
AI connectivity needs a narrow waist. A single interface through which all agent-API interactions flow. A point where you can observe, manage, audit, and control what AI is doing without understanding every API or every model.
One could argue MCP is that narrow waist. It could be—if dynamic tool discovery were broadly supported, and if LLM vendors implemented JSON Schema correctly. Neither condition is currently met. Without dynamic discovery, tools must be registered statically. With crippled schema support, complex interfaces can’t be expressed. MCP is stuck being more like an ABI than a universal interface.
What flows through
Our three meta-tools—find_api, learn_api, call_api—are that narrow waist.
Every search passes through find_api. You can see what capabilities agents are looking for, which operations they’re finding, what patterns emerge across queries.
Every interface request passes through learn_api. You can see which operations agents are learning, how often, in what contexts. You can observe the progression from discovery to learning to execution.
Every API call passes through call_api. You can log every action, audit every credential usage, trace every workflow. Nothing happens without flowing through the interface.
This isn’t surveillance for its own sake. It’s the foundation for governance.
Governance at the interface
When everything flows through a narrow waist, governance becomes tractable.
Access control. Catalogs define what operations agents can discover. An agent connected to a “support” catalog can only find support-related operations. The boundary is enforced at the search layer—operations outside the catalog don’t exist from the agent’s perspective.
Rate limiting. Each meta-tool call is a discrete event. You can limit call rates per agent, per user, per operation. Runaway agents hit limits before they cause damage.
Audit trails. Every action is attributable. When an agent calls call_api, you know which user authorized it, which credentials it used, which operation it invoked, what arguments it passed. The forensics are built in.
Kill switches. If something goes wrong, you revoke at the interface. Disable a credential, and the agent can’t make calls. Remove an operation from a catalog, and agents can’t find it. The control is immediate and total.
None of this requires understanding what the models are doing internally. You don’t have to interpret their reasoning or predict their behavior. You observe and control at the interface.
Why models take to this naturally
There’s a reasonable concern that constraining AI through an interface layer fights against model capabilities. Maybe models work better with direct tool access?
In practice, the opposite is true. Language models are trained on vast amounts of text describing how humans interact with systems—CLI documentation, web search tutorials, API references. The pattern of “search for what you need, learn how to use it, execute the action” is deeply embedded in training data.
Meta-tools match this pattern. The model isn’t fighting a constraint; it’s using a familiar interaction mode. The narrow waist aligns with how models already understand tool use.
The responsibility angle
AI capability is advancing whether or not governance infrastructure keeps pace. Models will get more autonomous, more capable, more embedded in real workflows. The question is whether we’ll have the infrastructure to manage that responsibly.
The Bitter Lesson in AI research is that general methods leveraging computation beat specialized hand-crafted approaches. The lesson applies to governance too: you can’t hand-craft controls for every model behavior or every API interaction. You need general infrastructure that works regardless of how capable models become.
A narrow waist provides that infrastructure. As models get smarter, they still flow through the same interface. The governance properties—observability, auditability, control—remain intact even as capabilities expand.
The alternative
Without a narrow waist, governance becomes impossible at scale.
Give each agent direct access to each API, and you have N×M connections to manage. Audit trails are scattered. Access control is per-integration. Kill switches require finding and disabling each connection individually.
This is where most AI tool integrations are today. It works for demos. It doesn’t work for production systems handling real data with real consequences.
The narrow waist isn’t about limiting what AI can do. It’s about creating the conditions where giving AI more capability is responsible. When everything flows through a controlled interface, expanding access becomes safe. When it doesn’t, every new capability is a risk.
Building the layer
This is what Toolcog is, architecturally: the narrow waist for AI connectivity.
Three tools. Every API. Observable, manageable, auditable, universal. The governance layer that AI agents need to operate responsibly at scale.
The capability is impressive—100,000+ operations, semantic discovery, just-in-time learning, secure credential handling. But the governance properties are what make it deployable in production. Not just “can AI call this API?” but “can we know what AI did, control what it can do, and stop it if needed?”
That’s the infrastructure problem worth solving.