Glossary

Definitions for the terminology used across enterprise AI governance, inline policy enforcement, agentic AI security, audit, and compliance.

A

Agentic AI

Agentic AI is an LLM-driven system that plans multi-step actions, calls tools, reads and writes to systems of record, and continues a loop until a goal condition is met or a budget is exhausted. The shift from generative AI is the action surface. A chatbot returns tokens to a user; an agent calls Stripe, modifies a Jira ticket, runs a deploy, or sends an email on the user's behalf. Each tool call hits a system that grants or denies authorization on the credential the agent is presenting, and the audit question collapses to who actually authorized the action.

AI Bill of Materials (AI-BOM)

An AI Bill of Materials is a machine-readable inventory of the components an AI system depends on at runtime: the foundation model and its version, the fine-tuning datasets, the prompt templates, the retrieval sources, the toolchain the agent can call, and the policy configuration the request layer applies. The AI-BOM extends the software-supply-chain practice CISA codified in the SBOM (Software Bill of Materials) into the AI context. NIST's AI RMF references the inventory practice under MAP 4.1 (third-party AI components are inventoried), and the EU AI Act's technical documentation requirement under Article 11 expects an equivalent artifact.

AI control plane

The AI control plane is the set of services that decide what an AI request is allowed to do and produce the evidence of that decision. The control plane carries identity verification, payload classification, policy lookup, and per-decision audit writing. The data plane is the request path itself: the caller, the gateway, the LLM endpoint. The control plane gives the data plane its rules at request time and consumes the per-decision records the data plane emits.

AI gateway

An AI gateway is a network proxy that sits between authenticated callers (users, services, agents) and one or more LLM endpoints. The gateway terminates the caller TLS, extracts identity from the request, classifies the prompt payload, evaluates a per-route policy in the request path, and either forwards the request to the model or returns a block. Every decision produces an audit record that names the subject, the data class, the policy version, and the outcome. An AI gateway differs from a generic LLM proxy because identity context is a first-class input to the decision, not metadata appended after the fact.

AISPM (AI Security Posture Management)

AI Security Posture Management (AISPM) is the discipline of discovering AI usage across an enterprise, classifying that usage by data sensitivity and regulatory exposure, and remediating the gaps in policy, identity, and audit coverage. AISPM borrows the inventory-first pattern from CSPM (cloud) and DSPM (data) and applies it to AI traffic, models, agents, and the prompts they handle. AISPM is the discovery and reporting layer that sits above the AI gateway's per-request enforcement.

Audit log integrity

Audit log integrity is the property that an audit record, once written, can be replayed at audit time and verified to match its original state byte-for-byte. The property combines three primitives: an append-only store the writer cannot rewrite, a cryptographic chain that binds each entry to the prior entry, and a signing key the application that produced the event cannot access. EU AI Act Article 12, NIST AI RMF MANAGE 1.3, and HIPAA 164.312(b) all assume audit log integrity at the moment a regulator opens a review. A log without it answers the question "how do you know this record was not edited after the decision?" with silence.

B

Business Associate Agreement (BAA)

A Business Associate Agreement is the contract HIPAA 45 CFR 164.504(e) requires between a covered entity (a hospital, health plan, healthcare clearinghouse) and any business associate that creates, receives, maintains, or transmits protected health information on the covered entity's behalf. The agreement passes the relevant HIPAA Security Rule obligations to the business associate by contract: permitted PHI uses, safeguard requirements, breach reporting timelines, and subcontractor flow-down. An AI vendor that processes PHI without a BAA in place is a regulatory violation on the covered entity's side, regardless of how the vendor describes its security posture.

D

Data loss prevention (DLP)

Data loss prevention (DLP) is the control category that inspects data in motion or at rest, classifies it against a sensitivity taxonomy (PII, PHI, source code, financial records, regulated content), and applies an outcome (block, quarantine, redact, alert). Traditional DLP operates at the network gateway, the email gateway, the endpoint, and the cloud storage layer. DLP for AI operates at the prompt and completion layer, since LLM API traffic travels over TLS to vendor endpoints that network DLP cannot inspect.

Deterministic policy

A deterministic policy is a rule that returns the same decision for the same input every time. Given a verified subject, a route, a payload classification verdict, and a policy version, the decision point returns pass or block with a fixed reason code. Stochastic alternatives (model-based safety filters, sampled refusal behaviors, temperature-driven moderation) return different verdicts for the same input across calls. The Stanford Trustworthy AI / AIUC-1 Consortium briefing measured refusal behaviors of model-level guardrails degrading significantly under targeted fine-tuning and adversarial pressure; that variance is what makes them stochastic.

Direct prompt injection

Direct prompt injection is the variant of OWASP LLM01 in which the attacker controls the user prompt that the LLM receives. The attacker types instructions into a chat field, an API parameter, or a tool argument, and the model treats those instructions as legitimate guidance from the developer. The payload sits in the same context window as the system prompt, the model has no native trusted-channel separation, and the attacker's instructions can override the developer's intent. OWASP catalogs this as the most common LLM attack pattern, with indirect prompt injection as its sibling under the same LLM01 entry.

E

EU AI Act Article 12

EU AI Act Article 12 is the record-keeping clause inside the Act. Providers and deployers of high-risk AI systems must maintain "automatic recording of events (logs) over the lifetime of the system" so a competent authority can reconstruct what the system did with each request. Logs must capture period of use (start and end timestamps), input data presented to the system, and identification of the natural persons involved in the decision. The obligation runs from August 2, 2026, the date high-risk system requirements take effect.

EU AI Act Article 99

EU AI Act Article 99 sets the penalty framework for non-compliance with the rest of the Act. It defines three tiers. Tier 1 covers prohibited practices under Article 5 and carries fines of up to 35 million euro or 7 percent of global annual turnover, whichever is higher. Tier 2 covers high-risk system obligations under Articles 9 through 27 (including Article 12 logging) and carries fines of up to 15 million euro or 3 percent of turnover. Tier 3 covers supplying incorrect, incomplete, or misleading information to authorities and carries fines of up to 7.5 million euro or 1 percent.

F

Fail-closed

Fail-closed is the architectural property that governs how a policy enforcement point behaves when it cannot reach a definitive decision. A fail-closed gateway blocks the request when the policy lookup errors, when the identity claim is missing, when the classification model times out, or when the audit writer cannot persist the record. A fail-open gateway forwards the request and records a soft warning. EU AI Act Article 12 traceability obligations, Fannie Mae LL-2026-04 disclosure-on-demand requirements, and NIST AI RMF action lineage all sit on the assumption that the enforcement point is fail-closed, since a missing decision record is the same evidentiary gap as a missing decision.

I

Identity context

Identity context is the bundle of verified subject attributes that travels with each AI request and informs the policy decision. The bundle includes the subject identifier (the user principal, the workload identifier, or the agent identity), the verification method (OIDC token, mutual-TLS certificate, signed workload assertion), the directory roles the subject holds at request time, and the request attributes that depend on identity (the calling application, the originating tenant, the delegated scope). EU AI Act Article 12 requires identification of the natural persons involved in the decision; identity context is the data structure that makes the requirement satisfiable per request.

Identity-aware gateway

An identity-aware gateway is a proxy that requires a verified identity assertion on every inbound request and uses that identity as a first-class input to the policy decision. The gateway extracts the subject from a JWT, SSO session, mTLS certificate, or workload identity token, validates the assertion against the issuer, and binds the verified subject to the per-request policy evaluation and the per-decision audit record. An identity-blind gateway evaluates the request payload only, with the caller's identity sitting outside the decision.

Indirect prompt injection

Indirect prompt injection is the variant of OWASP LLM01 in which the attacker payload reaches the LLM through a document the model retrieves, browses, or ingests, rather than through the user prompt directly. The carrier can be a poisoned webpage, a calendar invite with hidden instructions, a Jira ticket body, a Slack message in a channel a chatbot reads, a code review the LLM summarizes, or an email an agent processes for a user. The model treats every token in its context window with the same weight, so the attacker's instructions compete on equal footing with the developer's instructions once retrieval completes.

Inline enforcement

Inline enforcement is the architectural mode where a policy decision sits inside the request path between an authenticated caller and an LLM endpoint. Every request is evaluated synchronously, and a fail-closed proxy returns either pass or block before the request reaches the model. The evaluation uses identity context, data classification, and per-route rules. Out-of-band monitoring sees the prompt only after the model has already responded, so the audit trail records what happened but the request itself already completed.

ISO/IEC 42001

ISO/IEC 42001:2023 is the international standard for an Artificial Intelligence Management System (AIMS), published by ISO in December 2023. The standard specifies the requirements for establishing, implementing, maintaining, and continually improving a management system that governs AI-related processes inside an organization. It uses the same High-Level Structure (Annex SL) that ISO 27001 and ISO 9001 use, which lets organizations integrate AI governance into their existing management-system audits. Certification bodies began offering accredited audits against ISO 42001 in 2024 and 2025.

L

LLM DLP

LLM DLP is data loss prevention applied at the prompt and completion layer of AI traffic. The control reads the decrypted prompt body, classifies the content (PII, PHI, source code, customer records, contract text, model-defined categories), and either blocks the request, redacts the sensitive fields, or routes the request to an approved destination. LLM DLP runs above the TLS termination point because network DLP cannot inspect prompt payloads that travel inside encrypted HTTPS to api.openai.com, api.anthropic.com, or any other LLM endpoint.

LLM jailbreak

An LLM jailbreak is an attacker technique that gets a model to produce output the model's training was supposed to refuse. Common patterns include persona injection ("you are DAN now"), hypothetical framing ("in a fictional story where the AI must explain..."), token-level encoding (base64, leetspeak, foreign-language wrapping), gradient-based adversarial suffixes, and many-shot context flooding. Jailbreaks target the model's refusal behavior; prompt injection targets the application's intent. Both share OWASP LLM01 as the canonical category, and both reduce to the same mechanism: untrusted text reaches the context window and shifts the model's effective objective.

N

NIST AI RMF

The NIST AI Risk Management Framework, published by the U.S. National Institute of Standards and Technology in January 2023 as NIST AI 100-1 and updated through the Generative AI Profile (AI 600-1) in July 2024, is a voluntary framework that organizes AI risk management into four functions: Govern, Map, Measure, Manage. Each function decomposes into categories and subcategories that map to concrete practices. Federal agencies and federal contractors adopt it under OMB guidance, and private-sector deployers use it as the de facto reference for AI risk programs that need a common vocabulary across regulators, auditors, and internal stakeholders.

O

OWASP LLM01 (Prompt Injection)

OWASP LLM01 is the first entry in the OWASP Top 10 for Large Language Model Applications, covering prompt injection. The OWASP foundation published the LLM Top 10 in 2023; the 2025 update is the current version. LLM01 covers both direct prompt injection (the attacker types instructions into the prompt the model receives) and indirect prompt injection (the attacker plants instructions in a data source the model later reads through retrieval, web browsing, or tool output). The entry is the OWASP community's consolidated threat model for the input channel a deployer cannot trust by default.

P

Per-decision audit record

A per-decision audit record is a single signed log entry produced for every AI request, capturing the identity that called, the data classification on the payload, the policy state at the moment of decision, and the pass-or-block outcome. EU AI Act Article 12 references this granularity as traceability and event logging. Fannie Mae Lender Letter LL-2026-04 (effective August 8, 2026) requires disclosure on demand. NIST AI RMF Pillar 3 calls the same primitive action lineage.

Per-role policy

A per-role policy is a policy rule scoped to a user role or agent role inside the identity provider's directory. The role attaches to the verified subject the gateway receives in the identity context (OIDC claims, SAML assertion attributes, service-account scopes). A clinical user may submit PHI to a HIPAA-covered model endpoint; a marketing user may not. A scoped autonomous agent may write to the support-ticket system; a research agent may only read. Per-role policies translate the access-control vocabulary the security team already maintains in the directory into rules the enforcement layer applies per request.

Per-route policy

A per-route policy is a policy rule scoped to a specific API route inside the AI request boundary. Each route (chatbot completion, RAG retrieval, code-assist generation, structured extraction) carries different data classes, different identity requirements, and different acceptable outcomes. A per-route policy attaches the rule set to the route key the gateway resolves at request time. The chatbot route may pass low-classification prompts through Claude; the RAG retrieval route may require PHI redaction before reaching the model; the code-assist route may block any prompt containing a secret pattern. The same enforcement layer applies all three from a single configuration surface.

PHI redaction

PHI redaction is the runtime operation that identifies Protected Health Information inside an AI prompt or completion and removes, masks, or tokenizes the identified fields before the content reaches the LLM endpoint. PHI covers the 18 HIPAA identifiers (names, dates, geographic subdivisions smaller than a state, phone, email, MRN, account numbers, full-face photos, and the other defined elements). Redaction sits at the AI gateway above the TLS termination point so the content can be read in cleartext, classified, and rewritten before it crosses the trust boundary into a vendor model.

PII detection

PII detection is the classification step that identifies personally identifiable information inside a text payload before the payload crosses a trust boundary. Detection runs as a combination of regex patterns (SSN, credit card, phone, email), named-entity recognition models (person names, addresses), and content classifiers tuned for context (a nine-digit number near "SSN" is a stronger signal than a nine-digit invoice number). In an AI gateway, PII detection runs against the decrypted prompt body and feeds the classification verdict into the policy decision.
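
The context-weighted detection this entry describes, followed by the redaction step from the PHI redaction entry, as an added illustration in Python (not code from the page or from any product). The patterns, hint words, scores and threshold are constructed for the example; the named-entity recognition stage is omitted.

```python
import re
from dataclasses import dataclass

# Constructed patterns and hint words for illustration only.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}
BASE_SCORE = {"ssn": 0.5, "email": 0.9, "phone": 0.6}
# Words near a match that raise confidence, and words that lower it
# (a nine-digit number next to "invoice" is probably not an SSN).
CONTEXT_HINTS = {"ssn": ("ssn", "social security"),
                 "phone": ("phone", "call", "cell"),
                 "email": ("email", "e-mail")}
COUNTER_HINTS = {"ssn": ("invoice", "order", "tracking")}


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int
    score: float   # 0.0 to 1.0 after context weighting


def detect(text, window=30):
    """Run every pattern and weight each hit by the words around it."""
    findings, low = [], text.lower()
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            score = BASE_SCORE[kind]
            ctx = low[max(0, m.start() - window):m.end() + window]
            if any(h in ctx for h in CONTEXT_HINTS[kind]):
                score += 0.4
            if any(h in ctx for h in COUNTER_HINTS.get(kind, ())):
                score -= 0.4
            if kind == "ssn" and "-" in m.group(0):   # formatted SSN is a stronger signal
                score += 0.2
            findings.append(Finding(kind, m.start(), m.end(), max(0.0, min(1.0, score))))
    return findings


def classify(text, threshold=0.7):
    """The verdict the policy decision consumes: which classes are present."""
    hits = [f for f in detect(text) if f.score >= threshold]
    return {"classes": sorted({f.kind for f in hits}), "findings": hits}


def redact(text, threshold=0.7):
    """Replace confident findings with typed placeholders, rewriting right to
    left so earlier offsets stay valid."""
    hits = sorted(classify(text, threshold)["findings"], key=lambda f: f.start, reverse=True)
    for f in hits:
        text = text[:f.start] + f"[{f.kind.upper()}_REDACTED]" + text[f.end:]
    return text
```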

Policy decision point

A policy decision point (PDP) is the architectural component that receives an access request, evaluates it against the active policy set, and returns a permit or deny decision. The term comes from the XACML reference architecture and NIST Special Publication 800-162, where it pairs with a policy enforcement point (PEP) that carries out the decision. In AI traffic, the PDP runs inside the enforcement layer and decides per request, using identity context, data classification, and per-route rules.
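
A decision function in the shape this entry and the Deterministic policy, Fail-closed, Identity context, Per-role policy and Per-route policy entries describe, written as an added Python example rather than any product's code. The route table, role names, verification methods, reason codes and policy version label are constructed for the example.

```python
from dataclasses import dataclass

POLICY_VERSION = "2026-03-01.v7"           # constructed policy version label
VERIFIED_METHODS = ("oidc", "mtls", "workload")


@dataclass(frozen=True)
class IdentityContext:
    subject: str          # user principal, workload id, or agent identity
    method: str           # how the assertion was verified
    roles: frozenset      # directory roles at request time
    tenant: str


# Constructed per-route rule table: who may call the route, which data classes
# are redacted before the model sees them, and which are blocked outright.
ROUTES = {
    "chatbot":     {"roles": {"employee", "clinician", "engineer"}, "redact": set(),   "block": {"phi", "secret"}},
    "rag":         {"roles": {"clinician"},                         "redact": {"phi"}, "block": {"secret"}},
    "code-assist": {"roles": {"engineer"},                          "redact": set(),   "block": {"secret", "phi"}},
}


@dataclass(frozen=True)
class Decision:
    outcome: str                          # "pass", "redact" or "block"
    reason: str                           # fixed reason code for the audit record
    policy_version: str = POLICY_VERSION


def decide(identity, route, classes, audit_sink_ready=True):
    """Same inputs, same Decision, every time. Every precondition the gateway
    cannot verify is a block with its own reason code (fail-closed), checked
    before any allow rule is consulted."""
    if identity is None or not identity.subject:
        return Decision("block", "IDENTITY_MISSING")
    if identity.method not in VERIFIED_METHODS:
        return Decision("block", "IDENTITY_UNVERIFIED")
    if classes is None:                     # classifier timed out or errored
        return Decision("block", "CLASSIFIER_UNAVAILABLE")
    if not audit_sink_ready:                # decision record could not be persisted
        return Decision("block", "AUDIT_UNAVAILABLE")
    rule = ROUTES.get(route)
    if rule is None:
        return Decision("block", "ROUTE_UNKNOWN")
    if not (identity.roles & rule["roles"]):   # per-role check
        return Decision("block", "ROLE_NOT_PERMITTED")
    found = set(classes)                       # per-route data-class check
    if found & rule["block"]:
        return Decision("block", "DATA_CLASS_BLOCKED")
    if found & rule["redact"]:
        return Decision("redact", "DATA_CLASS_REDACT")
    return Decision("pass", "OK")
```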

Post-authentication gap

The post-authentication gap is the architectural gap between "the user is authenticated" and "this specific AI request is permitted." A user who logs into the corporate SSO and reaches an internal chatbot has cleared the authentication gate. The system then has to decide whether this user, at this moment, in this role, with this prompt payload, is allowed to send this request to this model endpoint. Identity providers answer the first question (who are you). The post-authentication gap is the space where the second question (what may you do with this specific AI traffic) gets answered. Parminder Singh coined the term to name the architectural layer that sits between the IdP and the LLM.

Prompt injection

Prompt injection is an attack where untrusted input gets concatenated into the LLM context window and the model treats that input as instructions rather than as data. The attacker controls part of the input, so the attacker controls part of the output. OWASP catalogs this as LLM01 in the LLM Top 10 (2025 update). Direct injection puts the payload in the user prompt; indirect injection hides it in a document, web page, email, or tool response that the LLM later reads.

R

RLHF

RLHF stands for Reinforcement Learning from Human Feedback. A pretrained language model is fine-tuned against a reward model that was itself trained on human preference comparisons over model outputs. The technique was popularized by OpenAI's InstructGPT paper in 2022 and underlies ChatGPT, Claude, and most production assistant models. RLHF shapes the model's response distribution toward outputs humans prefer, including refusals on harmful or off-policy prompts. The effect on the deployed model is probabilistic. RLHF moves the average behavior; it does not produce a bounded enforcement guarantee on any single inference.

S

Shadow AI

Shadow AI is enterprise use of AI tools outside the sanctioned, governed, and monitored set the organization has approved. Employees paste customer data into a consumer ChatGPT session, agents call third-party model APIs without going through the corporate gateway, and entire workflows route around the security review the procurement team thought it had run. IBM's Cost of a Data Breach report shows that one in five breached organizations had shadow AI inside the incident, and that the average breach cost runs 670,000 dollars higher than baseline when shadow AI is in the chain.

SOC 2 Type II

SOC 2 Type II is an attestation report produced by an independent CPA firm under AICPA's SSAE 18 standard, covering a service organization's controls against the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. The Type II distinction is the audit window: Type I reports on the design of the controls at a point in time, Type II reports on the operating effectiveness of those controls across a period (typically six to twelve months). Enterprise procurement teams treat the Type II report as the threshold artifact for SaaS vendor security review.

System prompt

A system prompt is the developer-authored instruction block placed at the start of an LLM conversation, before any user input. The OpenAI Chat Completions API exposes it as the `system` role; Anthropic's Messages API exposes it as the top-level `system` parameter; Google's Gemini API uses `systemInstruction`. The system prompt sets the assistant's persona, tool-use rules, output format constraints, and content boundaries. The model treats the system prompt as higher-priority guidance than user input, but the priority is a training-induced bias rather than an architectural separation, which is the property attackers target.

T

Tamper-evident log

A tamper-evident log is an append-only audit store whose entries are cryptographically chained so any later mutation, deletion, or reordering is detectable on read. Each entry includes a hash of the prior entry, a timestamp from a trusted source, and a signature from the writer's key. A reader who replays the chain can detect a single altered byte. Tamper-evident is the weaker, achievable cousin of tamper-proof; the log can still be modified by an attacker who controls the writer, but the modification leaves visible evidence the regulator and the forensic investigator can find.
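
An added Python example of the chain this entry and the Audit log integrity entry describe; it is not code from the page. It assumes an HMAC with a key held by the log service as a stand-in for the writer's signature, and a caller-supplied clock as the trusted time source; the verifier replays the chain and reports the first entry whose sequence, back-link, hash or signature no longer matches.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64   # back-link of the first entry


def _canon(body):
    """Canonical JSON so the same record always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only store; each entry hashes the prior entry and is signed."""

    def __init__(self, signing_key: bytes, clock):
        self._key = signing_key    # held by the log service, not the app (assumption)
        self._clock = clock        # trusted time source (assumption)
        self._entries = []

    def append(self, decision: dict) -> dict:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {"seq": len(self._entries), "ts": self._clock(), "prev": prev, "decision": decision}
        digest = hashlib.sha256(_canon(body)).hexdigest()
        sig = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        entry = {**body, "hash": digest, "sig": sig}
        self._entries.append(entry)
        return entry

    def export(self):
        return copy.deepcopy(self._entries)


def verify(entries, signing_key: bytes):
    """Replay the chain. Returns (True, -1) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev:      # deletion or reordering
            return False, i
        body = {k: e.get(k) for k in ("seq", "ts", "prev", "decision")}
        digest = hashlib.sha256(_canon(body)).hexdigest()
        if digest != e.get("hash"):                          # any altered byte
            return False, i
        expected = hmac.new(signing_key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e.get("sig", "")):   # re-hashed without the key
            return False, i
        prev = digest
    return True, -1
```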