Is it too early in the nac game to start talking about revolution or evolution? The whole of NAC has centered around assessing an endpoint's health and controlling access by granting admission or enforcing quarantine. That's all well and good, but it's not really access control.
The problem with data security today is that access to resources is frequently not well-defined or controlled across a broad range of applications. It's impossible to centrally define a role with all the access controls for all the network applications a user might need because, quite simply, there are no common standards that all vendors--OSs, authentication systems and applications makers--adhere to. Sure, there has been work with SAML, but few systems support it.
Many NAC products do take into account identity information before making an access decision, but the implementation is often coarse-grained--a host is managed or not, or the user is known. This is still not quite access control. The whole idea of "identity-based network access control" comes down to granting access within applications based on who you are. This is still beyond the purview of NAC as it is defined today. --Mike Fratto, firstname.lastname@example.org