What is Agentic AI vs Generative AI: The Authorization Boundary

Generative AI returns text. Agentic AI takes actions in systems of record. The shift moves the security boundary from content moderation to authorization. Most enterprise deployments still treat agentic AI as if it were a chatbot, and the audit trail collapses the first time an agent writes to a database.

By Parminder Singh · Founder & CEO, DeepInspect Inc.

Tags: agentic-ai, ai-security, identity-and-authorization, ai-governance, inline-enforcement, llm-security
A generative AI system reads a prompt and returns text. An agentic AI system reads a prompt, plans a sequence of actions, and executes those actions against real systems: APIs, databases, calendars, payment rails, ticketing systems. The shift is architectural. The security question moves from "is this output safe to display" to "is this caller permitted to take this action against this resource right now." Most enterprises buy agentic AI products that integrate with their stack and run them under the same controls they wrote for generative AI. The first time an agent writes to a system of record, the gap shows up.

I want to walk through the architectural distinction, the security boundary that changes with it, and why the answer is identity-bound authorization at the AI request layer.

Generative AI returns text. Agentic AI takes actions.

A generative AI deployment is a prompt-in, text-out pipeline. The model receives an input, returns a response, and the application decides what to do with the response. The security questions are about the content: is the output offensive, is it accurate enough to display, did it leak training data, does it follow brand guidelines. Content moderation libraries and model-level guardrails address some of these questions probabilistically.

An agentic AI deployment is a prompt-in, action-out pipeline. The model receives an input, decides which tools to invoke, and the runtime executes those tools. The tools call internal APIs, read and write databases, issue commands to external systems, and trigger workflows. The security questions are about authorization: which caller, against which resource, under which policy.

The security boundary moves from content to authorization

A content-moderation control inspects text. It cannot inspect an action. When the action is "create a calendar event," "transfer funds," "open a support ticket," or "issue a refund," the question of whether that action is permitted is an authorization question, not a content question. The application has to evaluate, per request, whether the caller has the right to take that action against that resource at this moment.

This is the post-authentication gap extended to AI agents. Authentication answers "who is calling." Authorization at the AI call layer answers "what is this caller permitted to do right now."

What changes for the audit trail

A generative AI audit trail records prompts and responses. An agentic AI audit trail has to record the actions the agent took, the resources those actions touched, the identity context in effect, the policy version that governed the decision, and the outcome. The reconstruction question is no longer "what did the model say." The question is "what did the model do, on whose behalf, under what authority."

NIST's three-pillar framework codifies this. Pillar 1 is verified identity for the agent. Pillar 2 is delegated authority for what the agent can do. Pillar 3 is action lineage that reconstructs what happened. All three become first-class concerns the moment an agent acts.

Why model guardrails do not cover the action layer

Model-level guardrails train the model to refuse certain content patterns. They live inside the inference process. They cannot evaluate whether a tool call is authorized against a resource the model never saw the policy for. I argued this in detail for generative AI. The argument gets stronger for agentic AI because the actions the model decides to take are deterministic operations against real systems, and a probabilistic refusal layer is not the right place to decide whether a wire transfer is permitted.

Regulatory framing

EU AI Act Article 12 requires logs sufficient to reconstruct risk situations. For an agentic deployment, reconstruction includes the action lineage, not just the prompts. Article 19 requires identification of the natural persons involved. Agent identity, delegated authority, and action lineage all become Article 12 evidence requirements when the AI takes actions on behalf of a human.

DeepInspect

This is the architecture DeepInspect was built for. DeepInspect sits inline between agents and any model or tool API they call. Each request carries the identity context the application supplies at the front door. Each call is evaluated against per-route, per-role policies and produces a signed audit record bound to the natural person on whose behalf the agent is acting.

For an agentic deployment, that means every tool call the agent invokes is recorded as a per-decision audit event with the human identity, the policy version, the data classification, and the outcome. The reconstruction the regulator asks for is available from the records alone.
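The per-call evaluation described above (which caller, which action, which resource, under which policy version, with a signed audit record of the outcome) as an added example in Python. This is illustrative code written for this post, not DeepInspect's product or API; the policy document, route names, roles, sample principals and the HMAC signing key are all constructed assumptions. Because the gate looks only at identity, route, resource and policy, it also shows the point made in the prompt-injection question below: how the model came to choose the call does not enter the decision.

```python
import hashlib, hmac, json, time
from dataclasses import dataclass, field

# Hypothetical per-route policy: which roles may invoke which tool, plus the data
# classification of the route. The version is stamped on every decision so an
# auditor can reproduce the decision later. All values are constructed samples.
POLICY = {
    "version": "2024-06-01-r3",
    "routes": {
        "calendar.create_event": {"roles": ["support", "finance"], "classification": "internal"},
        "tickets.open":          {"roles": ["support"],            "classification": "internal"},
        "payments.refund":       {"roles": ["finance"],            "classification": "confidential"},
        "payments.wire":         {"roles": [],                     "classification": "restricted"},
    },
}
AUDIT_KEY = b"constructed-demo-key"  # in production this would live in an HSM/KMS

@dataclass
class ToolCall:
    tool: str        # route the agent wants to invoke
    resource: str    # the record the action targets
    principal: str   # natural person on whose behalf the agent is acting
    roles: tuple     # roles asserted by the application's front-door authentication
    args: dict = field(default_factory=dict)

def authorize(call: ToolCall, policy=POLICY) -> dict:
    """Decide one tool call and return a signed, self-describing audit record.
    The decision depends only on identity, route, resource and policy; the
    model's reasoning for picking the call is not an input."""
    route = policy["routes"].get(call.tool)
    if route is None:
        outcome, reason = "deny", "unknown route"
    elif not set(call.roles) & set(route["roles"]):
        outcome, reason = "deny", "role not permitted on route"
    else:
        outcome, reason = "allow", "role permitted on route"
    record = {
        "ts": time.time(), "principal": call.principal, "roles": list(call.roles),
        "tool": call.tool, "resource": call.resource, "args": call.args,
        "policy_version": policy["version"],
        "classification": route["classification"] if route else None,
        "outcome": outcome, "reason": reason,
    }
    body = json.dumps(record, sort_keys=True).encode()
    record["sig"] = hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()
    return record

def verify_record(record: dict, key=AUDIT_KEY) -> bool:
    """Check that an audit record was not altered after it was issued."""
    rec = {k: v for k, v in record.items() if k != "sig"}
    body = json.dumps(rec, sort_keys=True).encode()
    return hmac.compare_digest(record["sig"], hmac.new(key, body, hashlib.sha256).hexdigest())
```

Deployed inline, `authorize` runs before the runtime executes the tool, and only calls whose record says `allow` are forwarded; the record itself is what a reconstruction request is answered from.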

Frequently asked questions

Is agentic AI a category or a feature?

Agentic AI is a deployment pattern. Any LLM that can be invoked with tools is agentic the moment a tool call is wired up. Most enterprise AI deployments will be agentic by default within the next twelve to eighteen months because the model providers ship tool-use as a first-class API capability and the frameworks reduce the integration cost to a configuration file. Treating agentic AI as a separate category from generative AI in policy terms is the right framing, because the security questions are different even when the model is the same.

Does an agentic AI system need a different security architecture than a chatbot?

The model layer can be the same. The enforcement layer cannot. A chatbot's enforcement question is whether the response is permitted to leave the model. An agentic system's enforcement question is whether the action the model decided to take is permitted against the resource it is targeting, on behalf of the identity that originated the request. The chatbot's controls are at the response layer. The agent's controls have to be at the request and action layer, evaluated per call, with identity, policy, and resource context.

How does prompt injection apply to agentic AI?

Prompt injection in a generative AI system causes the model to return text the user did not authorize. Prompt injection in an agentic AI system causes the model to take actions the user did not authorize. The attack class is the same. The damage is materially larger. An injection that causes a model to leak a training example is one outcome. An injection that causes an agent to wire money or modify a database is another. Authorization at the AI request layer, evaluated independently of the model, is the deterministic boundary.

Is the NIST framework limited to agentic AI?

NIST's three-pillar framework was developed in the context of agentic AI but the architecture it requires (verified identity, delegated authority, action lineage) applies to any AI deployment where the model has access to enterprise resources. Generative AI deployments that pipe responses into downstream automated systems inherit the same requirements. The pillars are useful as a checklist for any production AI deployment, not just agent frameworks.