The Glossary

54 AI governance terms. Canonical definitions, real-world disasters, academic references, and the Urban Dictionary treatment. From the AI Enterprise Control Index v6.0.

54 Terms
150+ Case Studies
350+ Academic References
v6.0 June 2026
54 terms
Framework Architecture
Control
the thing between your AI system and the regulator's enforcement letter
Layer
floors in a building — if one has no fire exits, the whole building has a problem
Shield
the controls that cut through every layer because some problems don't respect org chart boundaries
Component
the smallest unit in the framework — the thing inside a layer that does one specific job
Plane
layers grouped by what they're for — intent plane is where the board makes promises, production plane is where engineers discover they don't work
System
the whole thing — model, data, pipeline, humans, and the organisational decisions that connect them
Severity
how bad it gets when the thing you didn't test finally breaks
Boundary Rule
when two teams both think the other team owns the problem, and nobody owns the problem
Posture
are you building AI or buying AI? the answer determines which regulations apply
AI Models & Engineering
LLM
the autocomplete that got so good people started asking it for legal advice — and it answered, confidently, incorrectly
Model
the bit that actually does the thinking — not the app, not the chatbot, not the agent — the weights
Foundation Model / GPAI Model
trained on the whole internet, everyone builds on it — when it breaks, everything breaks
Fine-Tuning
training the model on your own data — except sometimes it learns the wrong lessons entirely
Hallucination
when AI lies to your face with a bibliography and a confidence score of 0.97
Model Drift
when your model slowly gets worse but all the dashboards say it's fine — silent failure as a service
RAG
teaching your AI to read the manual before answering — except 40% of the time it reads the wrong manual
AI SBOM
the ingredients list for your AI — most organisations don't have one
Agents & Autonomy
Agent
giving AI a to-do list and a credit card and hoping for the best
Application
the thing the user actually touches — the one that shows up in the screenshot when it goes wrong
Orchestrator
like a manager who delegates everything but at least this one tracks who's doing what
Multi-Agent Orchestration
what happens when your AI agents start delegating to each other and nobody told them about each other's budgets
Autonomy Level
every team says their agent is "supervised" but nobody can explain who's supervising it
HITL (Human-in-the-Loop)
the human who reviews 200 AI decisions per hour and agrees with all of them because lunch is in 20 minutes
Human Oversight Pattern
ticking the "human oversight" box without specifying which human, what they review, or how often
Security & Risk
Prompt Injection
when a stranger tells your AI to forget its instructions and it just... does it
Default-Deny
when your AI agent has admin access to production because nobody ever set up permissions
Exfiltration
when your employees paste trade secrets into ChatGPT three times in three weeks
Blast Radius
the total damage when one thing fails and takes everything connected to it down too
Circuit Breaker
the automatic off-switch your AI agent doesn't have
Classification Ceiling
the data sensitivity cap nobody set, so the RAG pipeline retrieves board minutes for anyone who asks
Risk Appetite
the number your board should have but replaced with a feeling
Forensic Exposure
the view of your governance that shows you what a regulator or journalist would find
Regulation & Standards
EU AI Act
the regulation everyone claims to be ready for and nobody has actually read all 144 pages of
GDPR
the regulation your AI team thinks only applies to the privacy team
DPIA
the assessment everyone says they'll do "before launch" and then launches without
FRIA
like a DPIA but it also asks whether your AI might violate someone's human rights
AI Actor Classification
the moment you realise fine-tuning a vendor model made you a provider with obligations nobody knew about
CSRD
when your GPU bill has a carbon footprint the sustainability team doesn't know about
ISO/IEC 42001
the standard that says "manage your AI" in 42 pages of Annex SL prose and a certification fee
NIST AI RMF
the U.S. government's polite suggestion that you manage your AI risks, with no consequences if you don't
OWASP LLM Top 10
ten ways your chatbot can ruin your week, ranked by how confidently you'll ignore each one
OWASP Agentic Top 10
the sequel where AI agents get tools, talk to each other, and the threat model gets exponentially worse
GPAI Code of Practice
the rulebook for foundation model providers, published after most of them already shipped
Governance & Evidence
GRC
the department that asks uncomfortable questions nobody else wants to ask
Evidence
the difference between saying you have governance and being able to prove it
Evidence Factory
the place where "we have governance" becomes "here's the proof" — or doesn't
Mandatory Artifact (ART)
the eight documents you need to produce — not "should" — need
Gate
a gate without enforcement is just a sign that says "please don't" and everyone walks past it
Maturity Level
most organisations say they're at level 3 — most are at level 1 with a nice slide deck
AI System Inventory
you can't govern what you can't see, and you can't see most of it
Contestability
the right to ask your AI overlord "why?" and get a real answer
Post-Market Monitoring
the part of AI governance that happens after you ship, which most teams forget exists
Data Lineage
when someone asks "where did the model get that data?" and nobody can answer
i-DEPOT
like a git commit but for intellectual property and it holds up in court
Related Concepts
Runtime Governance
governing AI systems while they run — boundaries, circuit breakers, and oversight in production
Decision Defensibility
making AI decisions you can stand behind — evidence, controls, and the proof an auditor asks for
AI Governance Decision Support
knowing where your governance stands and what to do next — maturity, posture, and the decisions ahead
Adversarial Strategic Testing
finding what a regulator or attacker would find first — adversarial testing of your AI governance