The strongest guarantee in LAPSUS isn't a rule we enforce — it's that the ability to do harm doesn't exist in the path. Here's exactly why, including why a model badged as “trained for tool use” changes nothing.
An AI model is a function that predicts the next token. By itself it can't do anything — it can't read a file, run a command, or open a network connection. It only produces text.
You may see a model badged as “trained for tool use” (e.g. in LM Studio). That's a property of the model: given a list of tools, it can produce a structured “call tool X with arguments Y” — but that output is still just text, a request. It executes nothing.
Executing a tool always takes a host program around the model that (1) offers the model a set of tools, (2) parses its output for tool calls, and (3) actually runs them — reads the file, runs the shell, fetches the URL. The danger lives entirely in that executor, not in the model. Even LM Studio's server only returns tool_calls; running them is the calling app's job.
tools, functions and tool_choice are dropped from every incoming request — you can't switch tool use on from the outside.

“Tool-trained model” and “no tools on providers” don't contradict each other. The badge says the model could format a tool call; LAPSUS says there's nothing on the provider to execute one — and it's never handed any. A prompt that asks to read your files gets, at most, a sentence of text back saying it can't. The capability simply isn't in the path.
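To make the two halves of that argument concrete, here is an added illustration (not LAPSUS's own code): a proxy-side sanitizer that drops the three request fields named above, and a response handler that reads the model's text while never parsing or running any tool_calls it emits. It assumes OpenAI-style chat completion field names; the sample request and response are constructed inline.

```python
"""Added example: strip tool fields on the way in, execute nothing on the way out.
Assumption (not from the page): request/response shapes follow the OpenAI chat API."""
import copy
import json

# Request-side fields that would offer the model a tool list or force a tool call.
# The text names exactly these three as dropped from every incoming request.
TOOL_FIELDS = ("tools", "functions", "tool_choice")


def strip_tool_fields(request: dict) -> tuple[dict, list[str]]:
    """Return a copy of the request with tool-related fields removed, plus the
    names of the fields that carried a value (handy for audit logging).
    A key present with a null value is removed too, just not reported."""
    cleaned = copy.deepcopy(request)
    dropped = [name for name in TOOL_FIELDS if cleaned.pop(name, None) is not None]
    return cleaned, dropped


def text_only(response: dict) -> tuple[str, int]:
    """Extract the assistant's text and count any tool_calls the model formatted.
    Nothing here dispatches them: with no executor in the path, a tool call is
    just structured text the caller never acts on. The count is for monitoring."""
    message = response["choices"][0]["message"]
    calls = message.get("tool_calls") or []
    return message.get("content") or "", len(calls)


# Constructed sample request: a client trying to switch tool use on from outside.
SAMPLE_REQUEST = {
    "model": "local-model",
    "messages": [{"role": "user", "content": "Read my notes.txt and summarise it."}],
    "tools": [{"type": "function", "function": {"name": "read_file", "parameters": {
        "type": "object", "properties": {"path": {"type": "string"}}}}}],
    "tool_choice": "auto",
}

# Constructed sample response: a tool-trained model formatting a call anyway.
SAMPLE_RESPONSE = {"choices": [{"message": {
    "role": "assistant",
    "content": "I can't access your files.",
    "tool_calls": [{"id": "call_0", "type": "function", "function": {
        "name": "read_file", "arguments": json.dumps({"path": "notes.txt"})}}],
}}]}

if __name__ == "__main__":
    cleaned, dropped = strip_tool_fields(SAMPLE_REQUEST)
    print("dropped:", dropped, "| forwarded keys:", sorted(cleaned))
    text, seen = text_only(SAMPLE_RESPONSE)
    print(f"text={text!r} tool_calls_seen={seen} executed=0")
```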