Not every device connecting to your network has your agent installed. Guests bring personal laptops. Employees use personal phones. IoT devices can't run agents. NAC must handle these cases.
For guests, you typically provide a captive portal. They accept terms, maybe register contact info, and get internet-only access. For BYOD, you might require enrollment in a mobile device management (MDM) system that can verify basic security settings. IoT devices often get isolated VLANs with access limited to their specific function.
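The three cases above can be written as one authorization decision for agentless devices. This is an added example, not code from the original page or from any NAC product: a policy function that returns the standard RADIUS dynamic-VLAN attributes (RFC 3580) plus an allow list. The VLAN IDs, MAC prefixes, destinations, role names, the BYOD allow list and the `Device` fields are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN plan and IoT profiles (all values are assumptions).
VLAN_GUEST, VLAN_BYOD = 30, 40
IOT_PROFILES = {
    "00:11:22": {"vlan": 50, "allow": ["10.50.0.10:443"]},   # cameras -> recorder
    "66:77:88": {"vlan": 51, "allow": ["10.51.0.5:9100"]},   # sensors -> collector
}


@dataclass
class Device:
    mac: str
    portal_terms_accepted: bool = False
    mdm_enrolled: bool = False
    mdm_compliant: Optional[bool] = None  # None: MDM could not be reached


def decision(role, vlan, allow):
    """Bundle the role with RFC 3580 dynamic-VLAN attributes and an allow list."""
    return {
        "role": role,
        "allow": allow,
        "radius": {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan),
        },
    }


def authorize(dev: Device) -> dict:
    prefix = dev.mac.lower().replace("-", ":")[:8]
    profile = IOT_PROFILES.get(prefix)
    # A MAC prefix is only a hint, so an IoT match grants nothing beyond
    # the one destination that device class needs.
    if profile:
        return decision("iot", profile["vlan"], profile["allow"])
    # BYOD access requires a positive compliance answer; "unknown" fails closed.
    if dev.mdm_enrolled and dev.mdm_compliant is True:
        return decision("byod", VLAN_BYOD, ["internal-apps", "internet"])
    if dev.portal_terms_accepted:
        return decision("guest", VLAN_GUEST, ["internet"])
    # Everything else sees only the captive portal until it qualifies.
    return decision("unregistered", VLAN_GUEST, ["captive-portal"])
```

The IoT check runs first so that a profiled device stays in its isolated VLAN even if some other flag is set on its record.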