TL;DR: Agentic AI extends generative AI by chaining model outputs into tool calls and multi-step actions, while still relying on human approval for many decisions; Descope notes 88% of organisations are already using or planning to use it. The governance gap is not the model itself, but the assumption that review-based controls can keep pace with session-scoped orchestration.
At a glance
What this is: This is a comparison of generative AI and agentic AI, with the key finding that agentic systems add orchestration, tool use, and identity risk on top of generation.
Why it matters: It matters because IAM, NHI, and access governance programmes must treat AI agents as identities with scoped permissions, not just as another application layer.
By the numbers:
- 88% of organizations are either already using it or planning to use it.
- Within just two months, ChatGPT reached 100 million users, making it the fastest-growing consumer software application in history.
- About 4 in 10 report using them for work tasks, highlighting how quickly general AI is becoming embedded in both professional and personal life.
👉 Read Descope's analysis of agentic AI versus generative AI
Context
Generative AI creates content from prompts, while agentic AI turns those outputs into steps, tool calls, and downstream actions. That shift matters for AI agent identity governance because the security question moves from output quality to who or what is allowed to act, connect, and persist across systems.
For IAM teams, the practical issue is not whether the model is intelligent enough. It is whether the organisation has defined the identity, scope, approval path, and revocation model for an AI agent before the agent starts chaining actions across tools.
The distinction also clarifies why many AI governance discussions are incomplete. If the programme still treats the agent as a chat interface rather than an acting identity, it will miss the access, orchestration, and lifecycle controls that determine real risk.
Key questions
Q: How should security teams govern AI agents that can call tools on their own?
A: Security teams should govern AI agents as non-human identities with explicit scopes, approvals, and revocation paths. The key is to tie every tool call to a known identity, a limited purpose, and a monitored execution trail. If the agent can act across systems, it needs the same lifecycle discipline as other privileged machine identities.
Q: Why do agentic AI systems create more IAM risk than generative AI chat tools?
A: Agentic AI creates more IAM risk because it can move from producing content to initiating actions in other systems. That changes the problem from output quality to delegated authority, token use, and cross-system access. Generative AI can misstate facts, but agentic AI can also trigger real operational changes if the identity controls are weak.
Q: What do security teams get wrong about AI agent autonomy?
A: Security teams often assume that any AI agent is autonomous, when many are still bounded by human approval and predefined workflows. The mistake is to overstate autonomy and understate the identity controls still needed. Even constrained agents can create real exposure if their permissions are broader than the task requires.
Q: How do organisations decide whether to use human approval or policy automation for AI agents?
A: Use human approval when an agent can affect money, data, production systems, or external communications. Use policy automation only when the action is low risk, tightly scoped, and fully reversible. The decision should be based on impact, not on whether the workflow feels automated or intelligent.
Technical breakdown
Generative AI outputs and prompt-driven execution
Generative AI is a probabilistic content engine. It predicts likely tokens from a prompt and returns text, images, code, or other media without independently selecting objectives or tools. In identity terms, the model itself is not acting across systems. It is producing an output that a human or application may later use. That distinction matters because the security boundary is still around the requester and the consuming system, not the model output alone. The moment those outputs are wired into workflows, the identity problem starts to move from content assurance to execution control.
Practical implication: separate content trust from action authority, and do not grant downstream system access merely because a model response looks plausible.
Agentic AI orchestration and tool-calling identity
Agentic AI adds orchestration on top of generation. The model can turn a goal into a sequence of steps, call tools or APIs, evaluate results, and continue the workflow. In most enterprise deployments this remains bounded, with human approval gates and predefined tool sets. That means the system is not automatically autonomous, but it is acting as a non-human identity with broader blast radius than a plain chatbot. The governance challenge is that the agent is now a runtime actor. Its permissions, token use, and delegation path become part of the security model, not just the application design.
Practical implication: treat tool-enabled agents as governed identities, with explicit scopes, approvals, monitoring, and revocation paths.
Mcp connections expand the trust boundary
Model Context Protocol standardises how an agent connects to tools and data sources. That makes integration easier, but it also widens the trust boundary if identity is not enforced at the connection layer. The protocol does not solve authorisation by itself. It only makes the path between agent and tool more repeatable, which is useful for control if the organisation already has identity-aware policy, and risky if it does not. Once the agent can reach multiple tools through one conversational interface, privilege concentration becomes a design problem rather than a simple application permission issue.
Practical implication: apply identity and access policy at every MCP-connected tool boundary, not only at the user interface.
NHI Mgmt Group analysis
Agentic AI is not a new model class so much as a new identity problem. The article correctly describes agentic systems as generation plus orchestration, but the governance implication is bigger than workflow automation. Once a model can choose the next action through tools and APIs, the organisation is managing a runtime identity, not just a content engine. That shifts the control plane from prompt review to access governance, telemetry, and delegated authority. Practitioners should stop classifying these systems as “just AI features” and treat them as identities with execution rights.
Session-scoped access assumes the actor stays inside one bounded turn, which agentic systems already strain. Access review processes were designed for stable entitlements that can be recertified over time. That assumption fails when an agent chains several actions in one session and may touch multiple systems before a human can observe the sequence. The implication is not merely tighter approval. It is a rethink of how identity evidence is produced when the actor’s behaviour is distributed across steps, tools, and state changes.
Agentic AI creates a privilege concentration problem that conventional application controls do not describe well. The article notes that agents can connect to multiple tools and APIs, and that is where risk accumulates. A single agent identity may inherit permissions that would never be granted to a human operator in one bundle, yet the workflow makes them feel natural. This is exactly where NHI governance, ZT-NIST-207 thinking, and OWASP-NHI controls intersect. Practitioners should interpret every agent connector as a potential privilege amplifier, not a convenience layer.
Model Context Protocol expands interoperability, but interoperability is not governance. Standardising connections between agents and tools helps scale deployment, yet it also normalises more trust paths unless policy is attached to the handshake. The field should be careful not to confuse transport standardisation with control maturity. In practice, the organisations that will manage agentic AI safely are the ones that can bind identity, scope, and revocation to each connection, not the ones that merely connect more things faster.
Named concept: runtime orchestration identity gap. This is the gap between a system that generates text and a system that is allowed to act on it. The article shows that the transition from generation to orchestration is where identity risk becomes material. Practitioners should use this concept to separate AI content governance from AI execution governance in their programme design.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- That gap makes OWASP Agentic Applications Top 10 a useful next reference for teams formalising agent controls.
What this signals
Runtime orchestration identity gap: organisations are now governing a class of identity that can create actions as well as outputs, which means the old separation between AI application oversight and access governance no longer holds. The practical signal is that agent inventories, token ownership, and connector permissions will become board-level audit evidence, not just engineering metadata.
With 92% of organisations saying governing AI agents is critical to enterprise security, but only 44% having implemented policies, the maturity gap is already visible in programme design. Teams that do not define approval boundaries, logging standards, and revocation triggers now will end up retrofitting controls after the first incident.
The next phase of AI governance will be measured by whether organisations can bind identity to action across tool ecosystems. The control question is no longer whether the model is safe to use, but whether the path from prompt to privileged action is contained, observable, and reversible.
For practitioners
- Define the agent identity before deployment Assign every agent a distinct service identity, map its tool access, and document the exact systems it may call without human intervention. Do not reuse shared application credentials for multiple agents.
- Bind tool access to explicit scopes Restrict each agent to the smallest possible set of APIs, databases, and actions needed for the workflow. Revoke broad connector permissions that would let one agent move across unrelated business functions.
- Instrument agent activity at the action layer Log tool calls, delegation changes, approval bypasses, and repeated retries so security teams can reconstruct the full decision chain. Keep these logs separate from generic application telemetry.
- Separate approval from execution Where agent actions are material, require an approval step that is tied to the specific operation, not just the session start. This prevents a trusted session from becoming a blanket authorisation for all follow-on actions.
Key takeaways
- Agentic AI changes the security problem from content generation to delegated execution, which makes identity controls a core part of the design.
- The biggest governance gap is not model accuracy alone, but the lack of clear scope, approval, and revocation for AI agents acting across tools.
- Practitioners should treat every agent connector as a privilege boundary and every agent session as an auditable identity event.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Agent identities and tool access sit squarely in NHI governance scope. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Agent tool calls require continuous authorisation and scoped access decisions. |
| NIST CSF 2.0 | PR.AC-1 | Identity governance for agents depends on defined access control policy and ownership. |
Enforce per-action access checks and continuous verification for every privileged agent call.
Key terms
- Agentic AI: AI systems that can break a goal into steps, choose tools, and carry out actions beyond a single prompt-response exchange. In governance terms, they behave like runtime identities when they are allowed to connect to systems, call APIs, or trigger business operations.
- Generative AI: AI that produces content such as text, images, code, or audio from prompts by predicting likely outputs from its training patterns. It creates information, but by itself it does not decide how that output should be used in downstream systems.
- Model Context Protocol: An open protocol that standardises how AI agents connect to tools and data sources. It improves interoperability, but it does not replace identity, authorisation, or lifecycle controls, so organisations still need policy at the connection and action layers.
- Non-Human Identity: Any machine or software identity used by a system rather than a person, including service accounts, API keys, tokens, certificates, workloads, bots, and AI agents. These identities need governance for issuance, scope, monitoring, rotation, and revocation.
What's in the full article
Descope's full blog covers the operational detail this post intentionally leaves for the source:
- The article's side-by-side examples of generative and agentic workflows for practitioners deciding where the boundary actually sits.
- The use-case breakdown across B2B, eCommerce, and hospitality for teams mapping AI behaviour to business process.
- The discussion of MCP and agent-to-agent communication as a practical integration pattern for teams designing tool access.
- The FAQ section's direct answers about how vendors and practitioners describe agentic AI in real deployments.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity security programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org