AI agents can follow instructions perfectly and still act on the wrong person, file, or account.
Researchers studying tool-augmented language models identified a class of failure they call "entity binding failures" - cases where an agent picks the correct tool but applies it to the wrong real-world target. A prompt like "email Alex about the launch" might reach the wrong Alex, attach the wrong document, or update the wrong customer record. In a controlled evaluation spanning 60 tasks, five model backends, and six tool-use methods, every method hit 0.0 percent wrong-tool error - but action-oriented baselines still produced wrong-entity actions in 24 to 26 percent of runs. Entity-aware methods - those using preconditions, confidence gating, clarification prompts, and provenance tracking - eliminated wrong-entity errors, but at a cost: they deferred more often and completed fewer tasks directly.
The gap matters because most agent benchmarks grade on tool selection and API validity, not on whether the right real-world entity got acted on. An enterprise agent that flawlessly routes a refund request but processes it against the wrong account is worse than useless - it is a liability. This research draws a formal line between tool correctness and entity correctness, a distinction that current evaluations largely ignore.
The tradeoff the paper surfaces - safer binding reduces task completion rates - is the same tension that dogs every guardrail in AI systems: more caution, fewer autonomous wins. Vendors selling agentic tools as enterprise-ready should be expected to answer how they handle it.
