admission controller intercepts requests after authentication and authorization, but it result in permit or deny the request. From my point of view, it can control in more detail. what's the design consideration about admission controller?
An example that might clarify the difference is the resource quota admission controller: http://kubernetes.io/v1.0/docs/design/admission_control_resource_quota.html. A user might have the authority to read pods in a particular namespace, but not the quota to create new ones.