Two paradigms, one asymmetry, and the field language that earns your seat at the table.
Your buyers are running both. The fraud detection model flagging suspicious logins is predictive AI. The assistant drafting their RFP responses is generative AI. Most enterprise platforms now incorporate both, sometimes in the same product, often without labeling which is which. The distinction matters in a buyer conversation not because you need to lecture anyone, but because the buyer who says "we're evaluating AI vendors" means something specific — and the AE who can name that something specific earns a different kind of trust than the one who nods along.
Generative AI
What it is: A model that produces new content — text, code, images, structured data — by learning the statistical patterns in existing content and generating novel outputs that match those patterns.
What it does: Given a prompt or input, a generative model produces something that didn't exist before: a summary, a policy draft, a code snippet, an answer to a question. The output is open-ended. The model isn't selecting from a fixed set of options; it's constructing a response token by token (for language) or pixel by pixel (for images). This is why generative AI can handle tasks that weren't anticipated at training time. The mechanism is flexible by design.
Who's behind it / where it comes from: The dominant generative AI systems in enterprise use are large language models from OpenAI (GPT-4o, o3), Anthropic (Claude 3.7 Sonnet), Google (Gemini 1.5 Pro), and Meta (Llama 3). Image generation comes primarily from Stability AI, Midjourney, and Adobe Firefly. In the public sector, Microsoft's Azure OpenAI Service is the most common deployment path because it satisfies FedRAMP authorization requirements that direct API access to commercial endpoints does not.
What makes it distinct: Generative models learn a probability distribution over possible outputs. The model has, implicitly, learned to distinguish likely from unlikely outputs across an enormous range of tasks. That's a broader capability than any single-task model carries. The generalist-versus-specialist analogy is useful here, up to a point — we'll get to where it stops holding.
Predictive AI
What it is: A model that classifies inputs or forecasts outcomes by learning the mapping between input features and a target variable — a label, a score, or a value.
What it does: Given an input (a transaction, a user behavior pattern, a network event), a predictive model outputs a single answer: fraud or not fraud, high risk or low risk, likely to churn or likely to stay. The output space is defined and bounded at training time. The model isn't generating anything; it's collapsing a complex input into a specific output that was specified when the model was built. This is why predictive AI excels at high-volume, low-latency decisions where the answer space is known and the cost of being wrong is measurable.
Who's behind it / where it comes from: Predictive models are everywhere, often invisible. Stripe Radar is a predictive model. The anomaly detection in your SIEM is a predictive model. Most are built on gradient boosting frameworks (XGBoost, LightGBM) or neural architectures trained for specific classification tasks. The vendors building them are often not the vendors your buyers think of when they say "AI" — which is exactly the problem.
What makes it distinct: Predictive models learn a mapping, not a distribution. They were trained to answer one question, and they answer it very well. The tradeoff is scope: a fraud detection model cannot write a policy summary. It has no mechanism for that operation. It was trained to score, full stop.
Okta Concept Mapping: ThreatInsight is predictive AI. When Okta ThreatInsight evaluates a login attempt and returns a risk signal, it's running a classification model against a network of behavioral signals, not generating anything. The analog in identity is adaptive MFA: the system is asking "does this context match the pattern of a legitimate authentication?" and returning a risk score. Where the analogy holds: both predictive AI and adaptive MFA are making a bounded decision against a known outcome space. Where it breaks: adaptive MFA policy is rule-based on top of the risk signal; the predictive model is probabilistic underneath. In a buyer conversation, this distinction matters when someone asks "how does Okta's AI work?" — you can say "the risk scoring is a trained classification model, not a generative system" and you'll be right.
Comparison: Organized by Capability Scope
A symmetric feature matrix would obscure the most important thing about this subject pair. This comparison is organized around capability scope — what each paradigm can and cannot do — because that's where the asymmetry lives, and the asymmetry is the thing worth knowing.
What they share:
Both are trained on data. Both improve with more data. Both can be wrong, and wrong in ways that are hard to audit. Both require someone to define what "good" looks like — either through labeled training examples (predictive) or through human feedback on outputs (generative). Neither is magic, and neither is neutral.
Where they diverge:
| Dimension | Generative AI | Predictive AI |
|---|---|---|
| Output type | Open-ended (text, code, images) | Bounded (label, score, value) |
| Output space | Defined at inference time | Defined at training time |
| Latency profile | Higher (constructing output) | Lower (collapsing to answer) |
| Task flexibility | High — handles novel tasks | Low — optimized for one task |
| Failure mode | Confident hallucination | Silent miscalibration |
The failure modes are worth pausing on. Generative AI fails loudly when it fails badly: it produces confident, fluent nonsense. Predictive AI fails quietly. The fraud score drifts as attack patterns evolve, and nobody notices until the false negative rate climbs. Both are serious problems. They just require different mitigations.
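The quiet failure described above only becomes visible if something measures it. As an added example (not from the original page or from any vendor's code), this sketch tracks the weekly false negative rate and calibration gap of a scoring model once confirmed outcomes arrive; the events, decision threshold, and alert limit are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (week, model_score, confirmed_fraud) for scored logins.
# Labels arrive later from investigations; every value here is invented.
EVENTS = [
    (1, 0.92, 1), (1, 0.88, 1), (1, 0.10, 0), (1, 0.05, 0), (1, 0.81, 1), (1, 0.20, 0),
    (2, 0.90, 1), (2, 0.15, 0), (2, 0.45, 1), (2, 0.08, 0), (2, 0.85, 1), (2, 0.12, 0),
    (3, 0.30, 1), (3, 0.10, 0), (3, 0.25, 1), (3, 0.07, 0), (3, 0.86, 1), (3, 0.35, 1),
]

THRESHOLD = 0.5   # assumed decision threshold: score >= 0.5 is flagged as fraud
FNR_ALERT = 0.25  # assumed alerting limit on the weekly false negative rate


def weekly_metrics(events, threshold=THRESHOLD):
    """Per week: false negative rate and calibration gap (mean score minus fraud rate)."""
    by_week = defaultdict(list)
    for week, score, label in events:
        by_week[week].append((score, label))
    out = {}
    for week, rows in sorted(by_week.items()):
        fraud_scores = [s for s, y in rows if y == 1]
        missed = sum(1 for s in fraud_scores if s < threshold)
        fnr = missed / len(fraud_scores) if fraud_scores else 0.0
        mean_score = sum(s for s, _ in rows) / len(rows)
        fraud_rate = sum(y for _, y in rows) / len(rows)
        out[week] = {
            "fnr": round(fnr, 3),
            # Negative gap: the model's scores understate how much fraud is present.
            "calibration_gap": round(mean_score - fraud_rate, 3),
        }
    return out


def drift_alerts(metrics, fnr_limit=FNR_ALERT):
    """Weeks where the model missed more confirmed fraud than the limit allows."""
    return [week for week, m in metrics.items() if m["fnr"] > fnr_limit]


if __name__ == "__main__":
    metrics = weekly_metrics(EVENTS)
    for week, m in metrics.items():
        print(week, m)
    print("alert weeks:", drift_alerts(metrics))
```

The model raises no error in any of these weeks; the degradation appears only in the metrics computed against later-confirmed labels.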
The asymmetry:
Generative models can perform predictive tasks reasonably well. Ask GPT-4o to classify a support ticket as high or low urgency, and it will. Ask it to score a piece of text for sentiment, flag anomalous patterns in a log excerpt, or route an incoming request to the right category — it handles all of these. Classification is a special case of the broader capability it already has. A model that learned a distribution over all possible outputs can, as a special case, output the most likely label for a given input. That's classification. The generalist can do the specialist's job, imperfectly but serviceably.
The reverse is not true. A fraud detection model cannot write a policy summary. A churn prediction model cannot answer a question about its own output. A risk scoring model cannot explain its reasoning in natural language. The restrictions are architectural, not policy. The model was trained to produce one kind of output, and it has no mechanism for any other kind.
This asymmetry explains something real happening in enterprise AI procurement right now. Organizations that deployed specialized predictive models for tasks like document classification, intent routing, and anomaly summarization are finding that a well-prompted generative model handles those tasks well enough to retire the specialist — with the added benefit of a single API, a single vendor relationship, and a single security review. "Just use GPT-4 for everything" is not a rigorous architecture. But it's winning in more categories than the predictive AI vendors expected, and the reason is structural, not hype.
The place where predictive AI holds its ground is where latency and volume are non-negotiable. A generative model evaluating millions of transactions per second is not a real architecture. A gradient boosting model doing it is. High-frequency, high-stakes, bounded-output decisions — fraud scoring, real-time anomaly detection, authentication risk signals — remain predictive AI territory, and will for the foreseeable future.
Okta Concept Mapping: Access certification is where generative AI is entering identity. Traditional access review is a predictive problem: given a user's role and access history, should this entitlement be certified or revoked? Okta Identity Governance applies rules and risk signals to surface recommendations — that's predictive logic. Generative AI can now produce a natural-language summary of why an entitlement looks anomalous, which is a different operation entirely. The model is explaining, not classifying. Where the analogy holds: both operations are trying to help a reviewer make a faster, better decision. Where it breaks: the explanation is generated, not retrieved, which means it can be wrong in ways the classification score cannot. In a buyer conversation, this is the right frame for "how does AI help with access reviews?" — the scoring is predictive, the explanation is generative, and they're doing different jobs.
How to Say This in the Field
Every "Do say" below is usable verbatim. The goal is credibility. A buyer who hears you use these terms correctly will treat the rest of the conversation differently.
| Situation | Don't say | Do say | Why it matters |
|---|---|---|---|
| Buyer mentions their fraud detection system | "That's a generative AI system" | "That sounds like a predictive model — classification or scoring, right?" | Fraud detection is never generative; calling it that signals you're pattern-matching on "AI" |
| Buyer asks what AI Okta uses | "Okta uses AI like ChatGPT" | "Okta uses trained classification models for risk scoring — ThreatInsight is a good example — and is integrating generative capabilities for things like access review summaries" | ChatGPT is one product from one vendor; conflating it with all AI is the fastest way to lose a technical buyer |
| Buyer says "we're an AI-first company" | "Great, so you're using ChatGPT?" | "What kinds of AI are you running — predictive models, generative, or both?" | Most enterprises run both; the question opens the conversation instead of closing it |
| Buyer asks if generative AI can replace their anomaly detection | "Yes, AI can do everything now" | "For real-time, high-volume scoring, predictive models still have the edge on latency. Generative AI handles that kind of task well at lower volumes or when you need the reasoning explained" | The asymmetry is real but bounded; overstating it loses credibility |
| Buyer asks how Okta's "AI" makes decisions | "The AI learns from your users" | "The risk scoring uses a classification model trained on behavioral signals across Okta's network — it's returning a probability, not generating a response" | Precision here builds trust; vagueness sounds like marketing |
| Buyer conflates all AI with LLMs | "Right, it's all basically the same" | "LLMs are one type — generative. But a lot of the AI already running in your stack is predictive: fraud scores, anomaly detection, spam filters" | Correcting this gently positions you as the person who actually knows the difference |
| Buyer asks if their SIEM's AI is "like ChatGPT" | "Kind of, yeah" | "Different paradigm — your SIEM is running classification models to flag anomalies. ChatGPT generates responses. They're both AI, but they work differently" | "Kind of" trains the buyer to stop asking you technical questions |
| Buyer asks why they'd need both types | "For different use cases" | "Predictive AI is faster and more precise for bounded decisions at scale. Generative AI handles open-ended tasks and can explain its reasoning. Most platforms run both because they're solving different problems" | "Different use cases" is a non-answer; this version gives the buyer something to repeat |
| Buyer says "AI is just hype" | "I understand the skepticism" | "The predictive AI in your stack has been running for years — fraud scoring, spam filters, risk signals. The hype is mostly around generative AI, which is newer and less proven at scale" | Separating the two defuses the dismissal and anchors the conversation in something the buyer already trusts |
| Buyer asks if generative AI can do what their classification model does | "Probably, AI is getting really capable" | "For most classification tasks, yes — a well-prompted generative model handles them serviceably. Where predictive models still win is high-frequency, low-latency decisions at scale" | This is the asymmetry stated correctly; it's honest and it's accurate |
Okta Concept Mapping: The policy engine is a useful boundary marker. Okta's policy engine — the logic that evaluates conditions and enforces access decisions — is deterministic, not AI at all. It's rule-based. The predictive AI (ThreatInsight risk scoring) feeds signals into the policy engine; the generative AI (access review summaries, AI-assisted policy authoring) operates around it. When a buyer asks "where does AI fit in your architecture?", this layering is the honest answer: AI generates signals and explanations; policy enforces decisions. The buyer who understands this layering is harder to oversell and easier to close, because they know what they're actually buying.

