Agentic AI
Agentic AI is an LLM-driven system that plans multi-step actions, calls tools, reads and writes to systems of record, and continues a loop until a goal condition is met or a budget is exhausted. The shift from generative AI is the action surface. A chatbot returns tokens to a user; an agent calls Stripe, modifies a Jira ticket, runs a deploy, or sends an email on the user's behalf. Each tool call hits a system that grants or denies authorization on the credential the agent is presenting, and the audit question collapses to who actually authorized the action.
How agentic AI changes the security boundary
A generative AI deployment can be governed by content-moderation policy at the model interface, because the model output is the only thing that leaves the system. An agentic deployment cannot, because the model is no longer the surface of harm: harm lands in the downstream system the agent calls. The orchestrator that runs the agent typically holds long-lived credentials with broad scopes, executes plans the user never explicitly approved step by step, and produces an audit record that attributes each action to the orchestrator service account rather than to the human who initiated the conversation. NIST's Software and AI Agent Identity and Authorization project frames the problem in the same terms; its draft framework's public comment window closed April 2, 2026.
What enforcement at the agent boundary requires
In practice nearly every tool call the agent makes is an HTTP request to some service, which makes the request boundary the natural place to enforce. Per-request identity binding means each request carries a verifiable claim that traces back to the human or the upstream agent that originated the chain, not just the service account the orchestrator holds, and that claim is tied to the specific request so it cannot be replayed against a different action. Per-route policy decides whether that originating subject may perform the specific action on the specific target. Per-decision audit records capture the full delegation chain alongside the allow or deny result, so a reviewer reconstructing an incident can follow delegated authority across every hop. The architecture that worked for chatbot deployments does not carry over to agentic deployments, because the chatbot architecture never modeled chained authorization in the first place.
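The following is an added illustration, not code from this page or from any product it describes. It sketches an enforcement point that sits in front of a tool API and applies the three requirements above: the orchestrator mints a claim carrying the delegation chain (human, then agent, then service account) and binds it with an HMAC to the exact method, path and body of one request; the enforcement point verifies that binding, refuses any chain that does not start at a human principal, checks a per-route policy against the originating human's roles, and appends one audit record per decision that preserves the whole chain. The shared key, the route policy table, the role directory and the request bodies are all constructed for the example; a production system would use asymmetric signatures and a real policy store, and would replace the in-memory audit list with an append-only log.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key. A real deployment would have the orchestrator sign with
# its own private key and the enforcement point verify with the public key.
SIGNING_KEY = b"demo-shared-secret-not-for-production"

# Hypothetical per-route policy: the role the *originating human* must hold to
# perform this action on this target. Keys are (method, path prefix).
ROUTE_POLICY = {
    ("POST", "/v1/refunds"): "support-agent",
    ("PATCH", "/v1/tickets"): "support-agent",
    ("POST", "/v1/deploys"): "release-engineer",
}

# Constructed role directory for the human principals in the examples.
ROLES = {
    "alice@example.com": {"support-agent"},
    "bob@example.com": {"release-engineer"},
}

AUDIT_LOG = []  # one record per decision, chain included


def request_digest(method, path, body):
    """Digest of the exact action, so a claim minted for one call cannot be
    replayed against another route or payload."""
    canon = method + "\n" + path + "\n" + hashlib.sha256(body).hexdigest()
    return hashlib.sha256(canon.encode()).hexdigest()


def mint_claim(chain, method, path, body):
    """Orchestrator side. chain runs from the originating principal to the
    caller, e.g. [user alice] -> [agent support-bot] -> [service orchestrator-sa].
    The chain is signed together with the request digest it is valid for."""
    payload = json.dumps(
        {"chain": chain, "req": request_digest(method, path, body), "iat": int(time.time())},
        sort_keys=True,
    ).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig


def enforce(method, path, body, claim):
    """Enforcement point in front of the tool: verify, bind, authorize, record.
    Returns (decision, reason); every path through the function writes an audit row."""

    def record(decision, reason, chain=None):
        AUDIT_LOG.append({"method": method, "path": path, "chain": chain or [],
                          "decision": decision, "reason": reason})
        return decision, reason

    try:
        payload_hex, sig = claim.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return record("deny", "malformed claim")
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return record("deny", "bad signature")
    token = json.loads(payload)
    chain = token["chain"]
    # Per-request binding: the claim must name exactly this method, path and body.
    if token["req"] != request_digest(method, path, body):
        return record("deny", "claim not bound to this request", chain)
    # The chain must originate at a human; a bare service account is not an authorizer.
    if not chain or chain[0].get("kind") != "user":
        return record("deny", "no originating human principal", chain)
    origin = chain[0]["sub"]
    # Per-route policy evaluated on the originating subject, the action and the target.
    route = next((r for r in ROUTE_POLICY if r[0] == method and path.startswith(r[1])), None)
    if route is None:
        return record("deny", "no policy for route", chain)
    if ROUTE_POLICY[route] not in ROLES.get(origin, set()):
        return record("deny", f"{origin} lacks role {ROUTE_POLICY[route]}", chain)
    return record("allow", f"{origin} authorized via {len(chain) - 1} delegation hop(s)", chain)


if __name__ == "__main__":
    body = b'{"charge": "ch_123", "amount": 1200}'  # constructed request body
    chain = [{"sub": "alice@example.com", "kind": "user"},
             {"sub": "support-bot", "kind": "agent"},
             {"sub": "orchestrator-sa", "kind": "service"}]
    claim = mint_claim(chain, "POST", "/v1/refunds/ch_123", body)
    print(enforce("POST", "/v1/refunds/ch_123", body, claim))   # allow
    print(enforce("POST", "/v1/deploys", body, claim))          # deny: not bound to this request
    sa_only = [{"sub": "orchestrator-sa", "kind": "service"}]
    print(enforce("POST", "/v1/refunds/ch_123", body,
                  mint_claim(sa_only, "POST", "/v1/refunds/ch_123", body)))  # deny: no human
    for row in AUDIT_LOG:
        print(json.dumps(row))
```

The point of the request digest in the claim is that the identity claim is per request, not per session: an orchestrator that legitimately obtained a claim for a refund cannot reuse it for a deploy, and a stolen claim is useless outside the one call it was minted for. The audit rows answer the question the opening paragraph raises, because each one names the originating human, every intermediate agent, and the service account that actually presented the request.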
Related reading
- Agentic AI Security: Why Autonomous Agents Need a Policy Layer
Agentic AI security is the practice of constraining what autonomous agents can request, what data they can include in prompts, and what evidence each decision leaves behind. Static credentials, model guardrails, and application logs each fail at least one of those three requirements. The enforcement layer has to sit at the HTTP AI request boundary.
- Agentic AI vs Generative AI: The Security Architecture Diverges
Generative AI returns a response to a human-issued prompt and waits for the next instruction. Agentic AI issues prompts on its own initiative, applies the response, and chains the next call. The architectural divergence has direct consequences for identity, policy enforcement, and audit trails.
- The Accountability Gap in Agentic AI Pipelines: Who Owns the Decision When the Agent Acts
Agentic AI pipelines compose multiple model calls, tool invocations, and external retrievals into a single autonomous workflow. The compositional structure produces an accountability gap: the record series the application keeps shows the workflow outcome, the record series the model provider keeps shows the inference call, and neither shows who authorized the agent to act with whose authority at the moment of action. This piece walks through where the gap appears in production pipelines, the structural reason application logs cannot close it, and the inspection-layer record series that produces a defensible answer.