What's the difference between agentic AI and generative AI?

Generative AI produces a response to a prompt and stops. Agentic AI uses an LLM as the reasoning engine in a loop that decomposes a goal, calls tools, observes results, and iterates. The agent can take multiple actions in a single user-initiated session. The control-plane implications are distinct: identity at the agent level, scoped permissions per tool call, and audit records per step in the loop.

Do existing IAM systems handle agent identity?

Most IAM systems today represent the agent as a service principal with a shared credential. The representation does not capture the user on whose behalf the agent is acting, the delegation that scopes the agent's authority, or the version of the agent at the moment of the action. The NIST framework introduces agent identity as a distinct concept that the IAM system must model alongside human and machine identities.

How does the EU AI Act treat agentic AI?

The Act does not single out agentic AI by name, but the obligations on high-risk systems apply to agentic systems whose use case lands in Annex III. The Article 12 record-keeping mandate covers the agent loop. The Article 14 human oversight obligation interacts with agent autonomy and is the area where deployers face the most operational design choices.

What about agent-to-agent calls?

Agent-to-agent calls compound the control-plane complexity. Each agent in the chain carries an identity. The delegation must propagate through the chain. The audit record must capture the agent that initiated the call and the agent that received it. The inspection layer must see the calls between agents, not only the agent's call to the LLM endpoint.

What's the largest current operational risk in agentic AI?

The largest risk is the post-authentication gap: the agent is authenticated, but no per-action authorization exists. The agent can take actions outside the scope the user intended, and the audit log shows the action but not the upstream authorization. The risk is operational, not theoretical: a single agent that writes to the wrong external system can cause customer-facing harm before the loop completes.

What Is Agentic AI: The Architectural Definition, the Control-Plane Implications, and the Audit Record It Requires

Agentic AI is the software pattern where an LLM-driven agent decomposes a goal, calls tools, observes the results, and iterates until the goal completes or the agent stops. The pattern differs from generative AI by the loop, the tool calls, and the autonomy. A generative AI use case produces a single response to a prompt. An agentic AI use case spawns a sequence of decisions, each of which can call an external tool, modify external state, or escalate to a different agent. The control-plane implications are distinct from generative AI: identity must exist at the agent level, permissions must be scoped per tool call, audit records must cover each step in the loop, and the liability for the resulting actions sits with the deployer. The NIST AI agent identity and authorization framework took comments through April 2, 2026 and set the operational baseline that regulators and enterprise architects are now using to scope controls.

I want to walk through the architectural definition, how the loop differs from a single-prompt model call, where the control plane has to attach, and what the audit record for an agent step must contain.

Agentic AI as an architectural pattern

The defining components of an agentic AI system are an LLM, a planning function, a set of tools the agent can call, and a loop. The planning function takes the user goal and produces a sequence of steps. Each step is a tool call: a function invocation, an API request, a database query, a file write, a message send. The LLM observes the tool result and decides whether to continue the loop or stop. The autonomy comes from the loop: the agent can take multiple actions without returning to the user for each step.

The loop introduces multi-step exposure

A single-prompt LLM call exposes the data in the prompt and the data in the response. An agent loop exposes the data in each step. A finance agent decomposing a back-office workflow may read a contract, query a database, compute a value, write to a ledger, and send a notification, all in a single user-initiated session. Each step is a separate decision against the enterprise's policy boundary. The exposure surface is the union of all steps, not the union of the first prompt and the last response.

Tool calls bridge to external systems

The tool the agent calls is typically an enterprise system: a CRM, an ERP, an internal database, an HR system, a cloud resource. The tool call carries the agent's intent into the external system through an API or an SDK. The external system's access control sees the agent's service credential, not the underlying user's identity. Without identity propagation, the external system cannot apply user-scoped policy.

Autonomy raises the post-authentication gap

The post-authentication gap is the difference between "the user is authenticated" and "this specific action is permitted." In a single-prompt LLM use case, the gap is narrow because the user reviews the response before acting on it. In an agentic use case, the gap is the entire loop: each step is an action the agent takes without explicit user authorization. The control plane must close the gap per step, not per session.

Where the control plane attaches

The NIST AI agent identity and authorization framework, which closed its comment period on April 2, 2026, articulates three architectural pillars: agent identity, delegated authority, and action lineage. Each pillar maps to a control-plane component the enterprise must put in place.

Pillar 1: agent identity

Every agent has a verified identity. The identity is not the user's identity, and it is not the application's service credential. The agent identity is a first-class principal in the IAM system, with attributes that describe the agent type, the agent owner, the agent version, and the user (or system) on whose behalf the agent is acting. The identity travels with each tool call as a request-level attribute.

Pillar 2: delegated authority

Each tool call is scoped to the authority the user has delegated to the agent. Delegation is explicit, time-bounded, and per-resource. An agent that is delegated authority to read CRM records is not authorized to write to the CRM unless the delegation explicitly includes write authority. The delegation is verified at each tool call, not at the session start.

Pillar 3: action lineage

Every action the agent takes is logged with a contemporaneous record that ties the action to the agent, the user, the delegation, the tool, and the data. The lineage record supports both operational debugging and the audit requirement that regulators are starting to impose. The record is committed by an inspection layer that sees the tool call before the call reaches the external system.

Why current handling falls short

Most agentic AI deployments today rely on the LLM provider's audit logs, the application's tool-call logs, and the external system's API logs as three separate sources of partial truth.

LLM provider logs lack the user identity and the delegation context

The LLM provider's audit log shows the API call that the application made to the model, including the prompt and the response. The log does not contain the user identity that initiated the workflow or the delegation that scoped the agent's authority. The log identifies the application, not the workflow.

Application tool-call logs are self-attested

The application that runs the agent loop also writes the tool-call logs. Self-attested logs fail the write-path independence test. The application can write what it wants, omit what it wants, and modify the records after the fact. A regulator does not accept self-attested records as the system of record.

External system API logs lack the agent context

The CRM, the ERP, the database, and the cloud APIs log the request they received. The log identifies the calling service credential and contains the API call. The log does not contain the agent that initiated the call, the user on whose behalf the agent was acting, or the delegation that authorized the call. The downstream log records the action but not the upstream authorization.

The three logs together can reconstruct part of the action lineage, but the reconstruction is forensic, not contemporaneous, and the records are not bound to identity at the moment of the decision.

Governing agentic AI

The architecture that closes the gap is an inspection layer on the path between the agent and both the LLM endpoint and the tool APIs the agent calls. The layer attaches the verified agent identity, evaluates the delegation against the per-route policy, writes the per-call audit record with the identity, the delegation, the data classification, the policy version, and the decision outcome, and forwards the request only when the policy permits.

The architecture treats the agent as a first-class principal in the policy decision and the audit log, which closes the post-authentication gap that exposes the deployer to liability.

DeepInspect

This is the gap DeepInspect closes for agentic AI. DeepInspect sits at the AI request boundary as an external enforcement layer that operates as a stateless proxy between authenticated agents and the LLM endpoint and tool APIs the agent calls. Every HTTP request is evaluated against per-route, per-role, identity-bound policies. The per-decision audit record is committed by the proxy, independent of the application that runs the agent loop and independent of the external system the agent calls.

The record contains a verified identity for the agent and the underlying user, the delegation that scoped the agent's authority, the data classification applied to the prompt or the tool call, the policy version that governed the decision, the decision outcome, and a cryptographic signature that prevents post-hoc modification. The action lineage that the NIST framework expects emerges from the contiguous sequence of per-decision records.

Book a demo today.