TL;DR: AI systems are often grouped into causal, predictive, generative, and agentic types, but the operational difference matters most when they start using tools and acting on behalf of systems, according to WorkOS. The real governance problem is that agentic behaviour changes identity assumptions, so IAM teams need to separate automation from autonomy before they overstate control coverage.
At a glance
What this is: A visual overview of four AI paradigms and the key finding that agentic systems change the identity and governance assumptions behind access, tools, and execution.
Why it matters: IAM, NHI, and human identity programmes all have to decide whether an AI system is just producing output or actually taking action with independently governed access.
Context
Causal, predictive, generative, and agentic AI are not interchangeable labels. The governance gap appears when a system stops informing decisions and starts executing them, because access control, accountability, and review assumptions change with the actor type.
For identity teams, the practical issue is not model sophistication but runtime authority. Once an AI system can select actions and use tools, the question shifts from model quality to who or what is being granted access, how that access is constrained, and whether existing IAM controls still fit.
Key questions
Q: How should security teams govern AI systems that can act on their own?
A: Treat them as identity subjects only when they can independently choose actions, select tools, and execute without a human approval gate. At that point, conventional model governance is not enough. Teams need lifecycle ownership, scoped privileges, logging, and offboarding controls that match the system’s runtime authority.
Q: What is the difference between generative AI and agentic AI for IAM teams?
A: Generative AI produces content, such as text or code, but does not necessarily act. Agentic AI goes further by taking sequential actions in a runtime environment, often through tools and workflows. IAM teams should govern the second category like an identity subject with delegated authority, not just a content engine.
Q: When does an AI system become a non-human identity risk?
A: An AI system becomes an NHI risk when it can access credentials, invoke tools, or complete workflows that affect systems outside the model itself. The risk is not the model output alone. The risk appears when outputs connect to privileged execution paths, secrets, or service accounts.
Q: Why do existing access review processes fall short for autonomous AI?
A: Access reviews assume privileges persist long enough to be observed, recertified, and removed later. Autonomous systems can acquire, use, and discard access within the same session or workflow, so the review cycle may never see the meaningful event. Governance needs runtime controls, not just periodic certification.
Technical breakdown
Causal AI vs predictive AI in governance terms
Causal AI is built to explain why outcomes happen by modelling cause and effect, counterfactuals, and interventions. Predictive AI estimates what is likely to happen from historical patterns. In identity and security operations, that distinction matters because causal outputs are useful for decision support, while predictive outputs are useful for triage and forecasting. Neither one implies execution authority. They are analytical systems, not identity subjects with their own access lifecycle.
Practical implication: Treat causal and predictive models as decision-support components, not identities that need autonomous access governance.
Generative AI and the boundary between content and action
Generative AI creates text, images, code, or other artefacts by sampling from learned distributions. It can draft a response, write code, or propose a workflow, but generation alone is not autonomy. The governance question changes only when the generated output is connected to downstream execution, such as tool calls, repository actions, or infrastructure changes. At that point, the model is no longer just producing content. It is participating in an identity chain that can affect privilege, change control, and auditability.
Practical implication: Separate content generation from execution rights so that generated output cannot directly trigger privileged actions without oversight.
Agentic AI and runtime decision-making
Agentic AI is the category that matters most to identity governance because it can perceive, decide, and act in sequence. The article frames this as autonomous execution, which means the system is no longer only analysing or generating. It is choosing steps in runtime and using tools to complete them. That makes access review, least privilege, and accountability harder because the relevant question is not just what the model can do, but what it can decide to do without a human gate.
Practical implication: Classify any system that can independently decide and execute as an identity subject that needs lifecycle, privilege, and logging controls.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
NHI Mgmt Group analysis
Agentic AI is the first AI category that turns identity from a static permission model into a runtime decision problem. Causal, predictive, and generative systems can inform or produce, but they do not inherently create execution risk. Agentic systems do, because they move from output to action through tool use and sequential decisions. The practitioner implication is that governance must be tied to actor behaviour, not model branding.
The assumption that access can be safely provisioned in advance breaks once the actor chooses its own action path. Least privilege was designed for conditions where intent is knowable before execution begins. That assumption fails when an autonomous system can decide what to do, which tool to use, and when to do it at runtime. The implication is that identity governance must stop treating autonomy as just another automation layer.
Runtime execution boundary: this is the point where generative output becomes identity risk. A model that drafts code or text can be governed like a productivity tool. A model that can directly invoke systems, commit changes, or move through workflows becomes part of the access-control plane. Practitioners should treat this boundary as a named governance checkpoint, because the control failure is not in generation itself but in unreviewed execution.
Cross-domain governance is now unavoidable because the same AI stack can sit across human, NHI, and autonomous identity models. A developer-facing system may begin as a copilot, rely on service credentials, and end up acting with independent runtime authority. That makes it impossible to confine analysis to one identity silo. The practitioner implication is to map AI behaviour to the correct actor type before deciding whether IAM, NHI, or human identity controls should apply.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means many access reviews are working from partial inventory data rather than a complete entitlement picture.
- Forward-looking teams should pair identity discovery with Ultimate Guide to NHIs, 2025 Outlook and Predictions so that AI-driven access growth is assessed against an existing governance baseline.
What this signals
Runtime governance gap: AI systems that move from generation to execution create a boundary problem that most IAM programmes have not modelled explicitly. The practical challenge is not whether the model is advanced, but whether its outputs can become privileged actions without a separate control point.
With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, per the Ultimate Guide to NHIs, AI systems that touch build or deployment pipelines inherit a weak trust chain by default.
Security teams should expect AI governance to converge with NHI governance, especially where service accounts and tool credentials are used to operationalise model output. The programmes that win early will be the ones that map decision support, content generation, and autonomous execution to different access rules.
For practitioners
- Separate model output from execution authority. Allow causal, predictive, and generative systems to inform decisions, but require explicit approval before any tool call, deployment, or privileged change occurs.
- Classify AI systems by runtime behaviour, not label. Document whether the system only produces content or can independently select actions, choose tools, and execute without a human approval gate.
- Map autonomous behaviour into lifecycle governance. Assign owners, entitlement boundaries, logging requirements, and offboarding steps for systems that can act in their own right, especially when they interact with service accounts or secrets.
- Review privilege boundaries around agent-triggered workflows. Identify workflows where generated output can flow into code commits, ticket closures, infrastructure changes, or data access, then require stronger controls on the handoff point.
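One way to enforce the handoff point described in the list above, as an added example (not code from WorkOS or NHI Mgmt Group): a gate that every tool call passes through, which checks the registered identity's entitlement boundary, holds calls that need human approval, and logs each decision. The class, tool, identity and owner names are hypothetical, and the sample calls are constructed.

```python
import time
from dataclasses import dataclass, field
# Hypothetical tool names for the handoffs the page lists (commits, tickets, infra, data).
PRIVILEGED_TOOLS = {"git_commit", "close_ticket", "deploy", "read_customer_data"}

@dataclass
class AIIdentity:
    name: str
    owner: str                 # accountable human or team
    behaviour: str             # "decision_support", "generative" or "agentic"
    allowed_tools: frozenset   # entitlement boundary
    active: bool = True        # set to False at offboarding

@dataclass
class ToolGate:
    registry: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    def register(self, ident):
        self.registry[ident.name] = ident
    def offboard(self, name):
        self.registry[name].active = False
    def authorize(self, name, tool, approved_by=None):
        ident = self.registry.get(name)
        # Non-agentic systems never execute alone; agents need a human on privileged tools.
        needs_human = ident is not None and (
            ident.behaviour != "agentic" or tool in PRIVILEGED_TOOLS)
        if ident is None or not ident.active:
            decision = "deny:unknown_or_offboarded"
        elif tool not in ident.allowed_tools:
            decision = "deny:outside_entitlement"
        elif needs_human and approved_by is None:
            decision = "hold:approval_required"  # the named handoff checkpoint
        else:
            decision = "allow"
        self.audit_log.append({"ts": time.time(), "identity": name, "tool": tool,
                               "owner": ident.owner if ident else None,
                               "approved_by": approved_by, "decision": decision})
        return decision

def demo():
    # Constructed identities and calls, used only to exercise the gate.
    gate = ToolGate()
    gate.register(AIIdentity("code-drafter", "appsec", "generative", frozenset({"git_commit"})))
    gate.register(AIIdentity("ops-agent", "platform", "agentic", frozenset({"search_docs", "deploy"})))
    calls = [("code-drafter", "git_commit", None), ("ops-agent", "search_docs", None),
             ("ops-agent", "deploy", None), ("ops-agent", "deploy", "alice"),
             ("ops-agent", "close_ticket", None)]
    results = [gate.authorize(*c) for c in calls]
    gate.offboard("ops-agent")
    return results + [gate.authorize("ops-agent", "search_docs")], gate.audit_log
```

Because the decision is made per call at runtime, the audit log captures access that a periodic review cycle would never observe.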
Key takeaways
- Agentic AI changes the identity problem because it can decide and act, not just predict or generate.
- Identity governance fails when it treats autonomous behaviour like ordinary automation.
- Teams should separate content generation from execution authority and govern the handoff point explicitly.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Agentic systems that choose actions and tools map to agentic AI threat modelling. |
| OWASP Non-Human Identity Top 10 | NHI-01 | AI systems using credentials or service accounts behave as NHIs. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust requires continuous verification for tool-using AI systems. |
Inventory AI-linked identities and scope credentials to the minimum required task.
Key terms
- Agentic AI: AI that can decide what to do next and execute those actions through tools or workflows. In identity terms, it behaves like a delegated actor, which means its access, logging, and offboarding need governance that goes beyond model output review.
- Non-Human Identity: A digital identity that is not tied to a person, such as a service account, token, certificate, workload, or AI agent. It represents an actor that can authenticate and access systems, so lifecycle and privilege controls matter as much as they do for human users.
- Runtime authority: The ability to use access during live execution without waiting for a separate human decision. For autonomous and tool-using AI systems, runtime authority is the governance boundary where analysis becomes action and traditional review cycles often stop being sufficient.
This post draws on content published by WorkOS: What is the difference between causal, predictive, generative, and agentic AI? Read the original.
Published by the NHIMG editorial team on 2025-07-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org