Agentic AI vs Generative AI: The Security Architecture Diverges
Generative AI returns a response to a human-issued prompt and waits for the next instruction. Agentic AI issues prompts on its own initiative, applies the response, and chains the next call. The architectural divergence has direct consequences for identity, policy enforcement, and audit trails.
A generative AI deployment serves a human-issued prompt and returns a response. The human reads it, decides what to do next, and issues another prompt. An agentic AI deployment runs on its own initiative. The agent issues prompts based on a goal, applies each response, and chains the next call. Most descriptions of "agentic" focus on what the agent can accomplish. I want to walk through what changes at the request layer when the human stops being in the loop, because that is where the security architecture diverges.
The Mandiant M-Trends 2026 report measured median attack handoff at 22 seconds. Agentic AI runs on the same clock. A control plane that depends on a human reviewing the request before the model sees it is not viable at that tempo.
The two patterns at the request layer
Generative AI: one prompt, one response
A user types a prompt. The application sends it to the model. The model returns a response. The user reads it. The cadence is human. Identity is the authenticated user. The data in the prompt is whatever the user typed. The decision boundary is the user's keyboard.
The security problem is well-understood: classify the prompt before it leaves, redact or block sensitive fields, log the decision, return the response. Most of the existing AI security category, from Lakera-style guardrails to Bedrock-style content filters, was built for this pattern.
Agentic AI: looped initiative
An agent runs as a process with a goal. The agent decomposes the goal into steps, issues a prompt for the first step, applies the response, and issues the next prompt based on what came back. The loop continues until the goal is reached or a failure condition trips. The identity is the agent's identity, scoped to the delegated authority granted by the authorizing user. The data in each prompt may be drawn from prior responses, tool calls, or context that the agent assembled. The decision boundary moves into the agent's process.
The cadence is machine speed. Thousands of prompts per minute from a single agent are routine. Each prompt is composed at runtime from prior context. There is no human reading the prompt before it is sent.
What this changes for security
Five architectural properties shift between the two patterns.
Identity context becomes ambiguous
In the generative pattern, the identity is the user. In the agentic pattern, the identity has two parts: the natural person who authorized the agent, and the agent itself. NIST's framework codifies this under Pillar 1 (agent identity) and Pillar 2 (delegated authority). A shared service credential collapses both parts into a single role that does not represent who authorized what.
Policy must be per-request, not per-session
In the generative pattern, a session-level policy works because the user types each prompt deliberately. In the agentic pattern, the agent assembles prompts from many sources, and the data classification of any given prompt depends on what was retrieved or returned in prior steps. Policy has to be evaluated per request, against the actual content of that request, not against a session-level setting.
Speed of failure compounds
In the generative pattern, a misclassification produces a single bad outcome. In the agentic pattern, a misclassification compounds across the loop. The agent applies the response, the response feeds into the next prompt, and the negative outcome spreads. Inline enforcement prevents the first misclassification from reaching the model and stops the loop before it amplifies.
Audit evidence requires action lineage
In the generative pattern, a log entry per request is sufficient. In the agentic pattern, the auditor wants the lineage: which user authorized this agent, which goal did the agent receive, which prompt did the agent issue, what classification applied, what policy governed the decision, what outcome resulted, and what did the agent do next. NIST Pillar 3 names this action lineage. The record must be structured and committed at the moment of decision.
Vendor SaaS embedding hides the agent
A material share of agentic AI in enterprises runs inside vendor SaaS products that embed model calls under the hood. The vendor's customer-service tool, pricing engine, or marketing platform may issue agentic calls without surfacing the prompt, response, or classification to the deployer. The lender, healthcare provider, or B2B SaaS customer never sees the loop. The deployer's audit obligation persists regardless of where the agent ran. The architectural answer is the same: identity-aware policy and an independent audit record at the AI request boundary.
Compliance pressure runs on the same clock
EU AI Act Article 12 requires automatic recording of events over the system lifetime for high-risk AI systems. The mandate does not distinguish between generative and agentic deployments. The agentic deployment produces more events at higher cadence, which means the record-keeping infrastructure has to handle agent throughput and still satisfy the disclosure obligation. Penalties under Article 99 reach €15 million or 3% of global annual turnover.
NIST's framework, with the comment window closed April 2, 2026, was published partly to anticipate this divergence. The three-pillar split (agent identity, delegated authority, action lineage) is the canonical breakdown for agentic deployments. Application architecture owns Pillar 1. An enforcement layer owns Pillars 2 and 3.
DeepInspect
This is the gap DeepInspect closes. DeepInspect sits at the AI request boundary as an external enforcement layer: deterministic, identity-aware, and independent of model behavior. Every request, whether issued by a human-facing chat UI or by an autonomous agent, is evaluated against who is asking, what role they hold, what data is involved, and what policy is in effect. Enforcement happens inline and fails closed.
The per-decision audit record is signed at the moment of evaluation and committed before the response returns to the application. For agentic deployments, the record set is the action lineage NIST Pillar 3 requires. The proxy is model-agnostic and works in front of OpenAI, Anthropic, Bedrock, Azure OpenAI, Vertex, and on-prem inference endpoints.
Frequently asked questions
- Is agentic AI just generative AI in a loop?
Mechanically, yes. The architectural consequences are different because the loop runs without a human reading each prompt. Identity becomes a two-part construct (user plus agent), policy has to evaluate per request rather than per session, and audit evidence has to support action lineage at machine speed. The same set of model APIs powers both patterns. The control plane is what diverges.
- Does inline enforcement add too much latency for agent workflows?
End-to-end enforcement overhead measures under 50 ms in production tests. LLM inference takes 500 ms to 5 seconds. The enforcement overhead is invisible relative to model response time even when the agent is issuing thousands of calls per minute. The overhead does not compound across the loop because each call goes through the same proxy independently.
- How do we authenticate agents under NIST Pillar 1?
Pillar 1 requires verified identity context for every request. For agents, that means an identity object with the agent's own identifier, the natural person who authorized it, the scope of delegated authority, and the policy context the application supplies. The enforcement layer evaluates what the application provides. Issuance, rotation, and revocation of agent identities sits with the application's identity system. This is the architectural division that NIST codifies.
- Can we use the same DeepInspect deployment for generative and agentic traffic?
Yes. The proxy evaluates each request against the policies and identity context attached to it. A chat UI sends a request with the user's verified identity. An agent sends a request with the user-plus-agent identity object. The proxy applies the policy that matches the identity and the classification of the prompt. Both patterns share the same enforcement and audit infrastructure.
- What if the agent is calling an open-source model on our own infrastructure?
The proxy sits in front of the inference endpoint regardless of where the model runs. Self-hosted Llama, Mistral, or any HTTP-based inference endpoint is treated the same as a vendor API. The policy and audit obligations apply equally because the regulatory mandates apply to the deployer's use of the model, not the model's hosting location.