When a tool-calling agent picks the wrong tool, the failure is invisible until execution: the email gets sent, the meeting gets missed. Probing 12 instruction-tuned models across Gemma 3, Qwen 3, Qwen 2.5, and Llama 3.1 (270M to 27B), we find the identity of the chosen tool is linearly readable and steerable inside the model. Adding the mean difference between two tools' average internal activations switches which tool the model selects at 77-100% accuracy on name-only single-turn prompts (93-100% at 4B+), and the JSON arguments that follow autoregressively match the new tool's schema, so flipping the name is enough. The same per-tool means also flag likely errors before they happen: on Gemma 3 12B and 27B, queries where the gap between the top-1 and top-2 tool is smallest produce 14-21x more wrong calls than queries with the largest gap. The causal effect concentrates along one direction, the row of the output layer that produces the target tool's first token: a unit vector along it at matched magnitude already reaches 93-100%, while what is left over leaves the choice almost untouched. Activation patching localises this to a small set of mid- and late-layer attention heads, and a within-topic probe across 14 same-domain $\tau$-bench airline tools reaches top-1 61-89% across five 4B-14B models, ruling out the reading that we are just moving the model along a topic axis. Even base models encode the right tool before they can emit it: cosine readout from the internal state recovers 69-82% on BFCL while base generation reaches only 2-10%, suggesting pretraining forms the representation and instruction tuning later wires it to the output. We measure tool identity selection and JSON schema correctness in single-turn fixed-menu settings; multi-turn agentic transfer is more fragile and is discussed in Limitations.
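As an added illustration (not code from the paper), a numpy toy of the three measurements the abstract describes, run on constructed activations that stand in for a model's internal states: per-tool means, mean-difference steering, cosine readout, and the top-1/top-2 margin as a pre-execution error flag. The tool names, dimensionality and noise level are assumptions.

```python
"""Toy version of the abstract's measurements on constructed activations.
No model is loaded: each tool gets a hidden direction, and a query's
last-token activation is that direction plus Gaussian noise."""
import numpy as np

DIM, TOOLS = 16, ["send_email", "schedule_meeting", "search_flights"]
rng = np.random.default_rng(0)

def _tool_dir(norm=4.0):
    v = rng.normal(size=DIM)
    return norm * v / np.linalg.norm(v)   # equal norms keep the toy fair

TOOL_DIRS = {t: _tool_dir() for t in TOOLS}   # constructed, not model weights

def activation(tool, noise=0.5):
    """Constructed stand-in for the residual-stream state of a query."""
    return TOOL_DIRS[tool] + noise * rng.normal(size=DIM)

def per_tool_means(samples):
    """samples: list of (tool_name, activation) -> {tool: mean activation}."""
    return {t: np.mean([a for n, a in samples if n == t], axis=0)
            for t in {n for n, _ in samples}}

def cosine_readout(act, means):
    """Rank tools by cosine to their mean; return (ranking, top1-top2 margin)."""
    cos = {t: float(act @ m / (np.linalg.norm(act) * np.linalg.norm(m)))
           for t, m in means.items()}
    ranked = sorted(cos, key=cos.get, reverse=True)
    return ranked, cos[ranked[0]] - cos[ranked[1]]

def steer(act, means, src, dst, alpha=1.0):
    """Mean-difference steering: push the state from tool `src` toward `dst`."""
    return act + alpha * (means[dst] - means[src])

def run_demo(n_per_tool=50, trials=100):
    means = per_tool_means([(t, activation(t)) for t in TOOLS
                            for _ in range(n_per_tool)])
    # 1) Steering: a send_email state, steered, should read out as schedule_meeting.
    flips = sum(cosine_readout(steer(activation("send_email"), means, "send_email",
                "schedule_meeting"), means)[0][0] == "schedule_meeting"
                for _ in range(trials))
    # 2) Margin flag: a state blended between two tools (an ambiguous query)
    #    has a smaller top-1/top-2 gap than a clean one, so it gets flagged.
    clean = np.mean([cosine_readout(activation("search_flights"), means)[1]
                     for _ in range(trials)])
    blend = np.mean([cosine_readout(0.5 * (activation("send_email") +
                     activation("schedule_meeting")), means)[1] for _ in range(trials)])
    return {"steer_success": flips / trials, "clean_margin": float(clean),
            "ambiguous_margin": float(blend)}

if __name__ == "__main__":
    print(run_demo())
```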