Enterprise AI Glossary

The terms that keep coming up on an enterprise AI programme, defined in plain English. Written for boards, security teams, and builders alike.

A

Agent

An AI system that plans and executes multi-step actions by calling external tools, rather than producing a single response to a single prompt.

Agents pair a language model with function-calling capability and run in a loop: read the goal, choose a tool, read the result, decide what to do next. The trade-off is capability against cascading failure risk, which is why blast-radius design matters so much at the agent layer.

Agentic AI

A design pattern in which the AI decides what to do next, not the human.

The model selects tools, reads intermediate results, and chooses further actions in a loop until a goal is reached or a budget is exhausted. Agentic AI shifts the governance conversation from prompt review to scope review: what is the agent allowed to touch, and how reversible are its actions?

Agentic blast radius

The scope of systems, data, and external actions an agentic AI can affect when something goes wrong.

Minimising blast radius is the core of safe agent design: narrow tool scopes, reversible actions, human-in-the-loop on high-impact steps, and hard limits on cost, time, and out-of-scope domains. It is our preferred framing for discussing agent risk with a security or compliance audience.

AI Act (EU)

The European Union regulation that classifies AI systems by risk tier and imposes obligations on providers and deployers.

Most enterprise AI in regulated sectors falls into the high-risk tier, triggering requirements around documentation, monitoring, human oversight, and post-market surveillance. Non-compliance carries turnover-based fines comparable in scale to GDPR.

AI audit

A structured review of an organisation’s AI usage, risks, and controls.

Typically covers inventory (what is in use), data flows, vendor posture, and compliance gaps against frameworks such as the EU AI Act, ISO/IEC 42001, or the NIST AI Risk Management Framework. Output is usually a scored report with prioritised remediation steps.

AI governance

The set of policies, roles, and review processes that decide what AI can be used, by whom, on which data, and under which controls.

Governance is the bridge between ad-hoc AI adoption and a managed programme with auditability. Good governance is boring on purpose: clear ownership, versioned policies, repeatable reviews, evidence trails.

AI readiness

A measure of whether an organisation has the data quality, infrastructure, skills, and governance needed to deploy AI safely and repeatably.

Low readiness is the root cause of most failed AI pilots: the model is not the problem, the operating environment is. Readiness assessments score across dimensions (data, infra, process, people, risk) rather than giving a single number.

AI risk assessment

A structured evaluation of likelihood and impact for harms linked to an AI system (bias, data leakage, over-reliance, hallucination, third-party exposure).

Outputs feed into mitigation plans, vendor decisions, and compliance documentation. In regulated sectors the assessment is itself an audit artefact, not a private internal document.

Alignment

The degree to which an AI system’s behaviour matches the intent of its operators and the expectations of its users.

Alignment breaks down through prompt injection, distribution shift, or goal mis-specification. Production alignment is an operational problem as much as a research one: monitoring, evaluation, and rollback pathways matter more than clever prompts.

B

BYOAI (Bring Your Own AI)

The pattern where employees use personal AI tools (ChatGPT, Claude, Gemini, and others) on work data without IT approval.

BYOAI is the usage pattern behind most Shadow AI inventories. The data exposure risk is real, but heavy-handed bans typically drive the behaviour underground rather than stopping it; sanctioned alternatives work better.

D

Data residency

The physical or legal jurisdiction in which data is stored and processed.

For European customers, data residency in the EU is frequently a contractual and regulatory requirement, and is independently audited. Residency clauses should cover logs, embeddings, and backups, not just primary records.

DPIA (Data Protection Impact Assessment)

A GDPR-mandated analysis for processing that is likely to produce high risks to the rights of data subjects.

AI systems handling personal data typically trigger a DPIA. A good DPIA documents purpose, legal basis, risks, safeguards, and the residual risk the organisation is willing to carry.

E

Embedding

A numeric vector representation of text, produced by a model, such that similar meanings sit close together in vector space.

Embeddings power semantic search, retrieval-augmented generation, clustering, and classification. Choice of embedding model affects retrieval quality as much as any other component of a RAG pipeline.

Evaluation set (eval)

A curated collection of inputs and expected behaviours used to score an AI system.

Good evals catch regressions across model updates, prompt changes, and data drift. Bad evals lull teams into confidence: they are narrow, stale, or measure the wrong thing. Treat the eval set as product code, not a quality-assurance afterthought.

F

Fine-tuning

Further training of a pre-trained model on a smaller, task-specific dataset to specialise its behaviour.

Often used for tone, format, or proprietary terminology, and rarely the right tool for injecting new factual knowledge (use RAG for that). Fine-tuned weights are an operational asset: version, evaluate, and back them up.

G

GDPR

The EU General Data Protection Regulation, the primary legal framework governing personal data in Europe.

GDPR constrains AI training, inference on personal data, cross-border transfers, and subject rights (access, erasure, portability). AI features routinely trigger DPIAs and contractual data-residency requirements.

Golden corpus

A curated, validated, version-controlled knowledge base used for retrieval or evaluation.

Unlike an open crawl, a golden corpus has known provenance, expert sign-off, and immutable snapshots that make reports reproducible. 01 uses golden corpora to pin AuditSonar outputs to a signed snapshot so the same inputs reliably produce the same report.

Guardrails

Programmatic checks wrapped around an LLM to block prohibited content, reject out-of-scope requests, or enforce format.

Guardrails are necessary but insufficient. They catch the obvious cases; they do not substitute for careful prompt design, retrieval hygiene, monitoring, or evaluation.

H

Hallucination

Content generated by an LLM that is fluent and plausible but unsupported by fact.

Retrieval, citation, and constrained decoding reduce hallucination rate, but rarely to zero. Any audit or compliance workflow built on an LLM must assume a non-zero rate and design review steps accordingly.

Hybrid retrieval

A retrieval strategy that combines dense vector search (embeddings) with sparse lexical search (BM25 or similar), then fuses the results.

Hybrid retrieval outperforms either method alone for enterprise documents that mix jargon, acronyms, and prose. Fusion is usually Reciprocal Rank Fusion, followed by a cross-encoder reranker for final ordering.

I

Inference

A single forward pass through an AI model to produce an output.

Inference cost (latency, compute, API fees) dominates production budgets far more than training cost for most enterprise deployments. Cost-aware architecture (caching, batching, smaller models for easier tasks) often matters more than model choice.

J

Jailbreak

A deliberate prompt crafted to bypass an LLM’s safety training or an application’s guardrails.

Jailbreaks evolve continuously; defending solely at the prompt layer is a losing strategy. Layer defences across the stack: guardrails, tool scopes, least privilege, human review on high-impact actions.

L

LLM (Large Language Model)

A neural network trained on massive text corpora to predict the next token.

Modern LLMs (Claude, GPT, Gemini, Llama, Mistral, and others) power most enterprise AI features, from summarisation to agentic workflows. Model choice is increasingly about fit to task and data residency, rather than raw benchmark scores.

M

MLOps

The operational discipline of running machine learning systems in production: versioning, deployment, monitoring, retraining, rollback.

Distinct from classic DevOps because models degrade silently as data distributions drift. A working MLOps practice closes the loop between production signals, evaluation, and retraining.

Model card

A standardised summary of a model’s intended use, training data, evaluation results, known limitations, and ethical considerations.

Increasingly required under the EU AI Act and procurement frameworks. A usable model card is short, specific, and honest about failure modes; vague marketing cards fail audits.

O

OWASP LLM Top 10

The Open Web Application Security Project’s ranked list of the most impactful vulnerabilities in LLM-backed applications.

The baseline threat model any team deploying LLMs should have read. It defines the shared vocabulary between security, engineering, and procurement when discussing AI risk.

P

Prompt injection

An attack in which user input manipulates an LLM into ignoring its instructions or exfiltrating data.

Direct (malicious user) and indirect (malicious content fetched by the model) variants both belong in the threat model. Indirect prompt injection in agentic systems is the category that keeps security teams awake.

Proprietary AI

AI systems trained, fine-tuned, or deployed on infrastructure the client owns, rather than via a third-party API.

Proprietary AI trades convenience for control over data, cost, latency, and vendor lock-in. The right choice depends on sensitivity of the data, inference volume, and how strategic the capability is to the business.

R

RAG (Retrieval-Augmented Generation)

An architecture that fetches relevant documents from a knowledge base and supplies them to an LLM as context.

RAG grounds answers in sourced material and is the dominant pattern for enterprise AI over private data. A RAG system is only as good as its retrieval: bad chunks in, bad answers out.

Reciprocal Rank Fusion (RRF)

A simple, robust method for combining ranked result lists from different retrievers, for example dense and sparse.

RRF is the workhorse fusion step in hybrid retrieval pipelines: no training required, no score calibration, and it reliably beats either retriever alone. A single hyper-parameter (k) controls how much the lower ranks contribute.
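The hybrid retrieval and RRF entries above describe the fusion step in words; the following Python is an added example (not code from this glossary or its authors) that carries it through on constructed data. The lexical side is a toy term-overlap scorer standing in for BM25, and `DENSE_RANKING` is a constructed stand-in for an embedding search result so the block runs offline; `k` is the single RRF hyper-parameter the entry mentions.

```python
"""Hybrid retrieval fused with Reciprocal Rank Fusion (RRF).

Added example: the lexical retriever is a toy term-overlap scorer and the dense
ranking is a constructed stand-in for an embedding search, so everything runs
offline. The fusion function itself is the standard RRF formula.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample corpus: document id -> text.
CORPUS: Dict[str, str] = {
    "doc1": "DPIA template for AI systems processing personal data",
    "doc2": "data residency clause covering logs embeddings and backups",
    "doc3": "quarterly sales figures and pipeline forecast",
    "doc4": "vendor SOC 2 Type II report for the embedding API provider",
}

# Constructed stand-in for what a dense (embedding) retriever returned for QUERY.
QUERY = "data residency for embeddings"
DENSE_RANKING: List[str] = ["doc4", "doc2", "doc1"]


def lexical_rank(query: str, corpus: Dict[str, str], limit: int = 3) -> List[str]:
    """Toy sparse retriever: rank documents by how many query terms they contain.

    Ties are broken by document id so the output is deterministic.
    """
    terms = set(query.lower().split())
    scored: List[Tuple[int, str]] = []
    for doc_id, text in corpus.items():
        overlap = len(terms & set(text.lower().split()))
        if overlap:
            scored.append((overlap, doc_id))
    scored.sort(key=lambda item: (-item[0], item[1]))
    return [doc_id for _, doc_id in scored[:limit]]


def reciprocal_rank_fusion(
    ranked_lists: Iterable[List[str]], k: int = 60
) -> List[Tuple[str, float]]:
    """Fuse several ranked lists of document ids with RRF.

    Each document scores sum(1 / (k + rank)) over every list it appears in,
    with rank 1-based. No score calibration is needed because only positions
    are used; a larger k flattens the contribution of lower ranks.
    """
    scores: Dict[str, float] = defaultdict(float)
    for ranked in ranked_lists:
        for rank, doc_id in enumerate(ranked, start=1):
            scores[doc_id] += 1.0 / (k + rank)
    # Highest score first; tie-break on id for reproducible output.
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


def hybrid_search(
    query: str, corpus: Dict[str, str], dense_ranking: List[str], k: int = 60
) -> List[Tuple[str, float]]:
    """Run the sparse retriever, combine it with the dense ranking via RRF."""
    return reciprocal_rank_fusion([lexical_rank(query, corpus), dense_ranking], k)


if __name__ == "__main__":
    for doc_id, score in hybrid_search(QUERY, CORPUS, DENSE_RANKING):
        print(f"{doc_id}: {score:.5f}  {CORPUS[doc_id]}")
```

In a real pipeline the two input lists come from BM25 and a vector index, and the fused list is usually passed to a cross-encoder reranker for final ordering, as the hybrid retrieval entry notes. The fused score has no meaning on its own; only the relative order matters.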

S

Shadow AI

The unsanctioned use of AI tools inside an organisation, typically through personal accounts, browser extensions, or embedded features of SaaS products.

Shadow AI is the most common source of unreported data exposure in 2025-2026 audits. Inventory is the first step: you cannot govern what you cannot see. AuditSonar is our product for turning that inventory into a reproducible audit artefact.

SOC 2

An audit report assessing a service provider’s controls around security, availability, processing integrity, confidentiality, and privacy.

Widely requested by enterprise procurement when onboarding AI vendors. A Type II report (covering a period of operation) is materially stronger evidence than a Type I (point-in-time design review).

System prompt

The instructions given to an LLM before user input, setting role, tone, constraints, and tool permissions.

Treat the system prompt as sensitive configuration: it defines behaviour and can be extracted by determined users. Version it, review it, and do not rely on it as a security control on its own.

T

Tokenisation

The process of splitting text into discrete units (tokens) that an LLM processes.

Tokenisation affects cost (most APIs price per token), context-window usage, and cross-language fairness: scripts with richer morphology typically cost more per character of output. Also written as tokenization in US sources.

Tool use (function calling)

The capability that lets an LLM invoke structured functions (search, database queries, API calls) and read their outputs.

Tool use converts a chatbot into an agent and widens the security surface proportionally. Treat every tool registration as a permission grant and keep scopes as narrow as the task allows.
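The agentic blast radius and tool use entries both argue that every tool registration is a permission grant and that hard limits on scope, reversibility, and budget belong at the agent layer. The following Python is an added example (not code from this glossary or its authors) showing one way those checks look in a tool-calling loop. The planner is a constructed, scripted list of proposed tool calls standing in for an LLM's choices so the block runs offline; the tool names, scopes, and costs are made up for illustration.

```python
"""Blast-radius guard around an agent's tool calls.

Added example. The 'plan' is a constructed stand-in for an LLM choosing tools;
the guard enforces narrow tool scopes, holds irreversible actions for human
approval, and stops when the step or cost budget is exhausted.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Tool:
    name: str
    scope: str                  # permission the run must hold, e.g. "read:tickets"
    reversible: bool            # False => human approval required before execution
    cost: float                 # constructed unit cost per call
    run: Callable[[str], str]   # the tool body (stubbed for the demo)


@dataclass
class RunBudget:
    max_steps: int
    max_cost: float
    steps: int = 0
    cost: float = 0.0


@dataclass
class Decision:
    action: str     # "executed", "denied", "needs_approval", "budget_exhausted"
    tool: str
    detail: str = ""


class GuardedAgent:
    """Executes proposed tool calls only when scope, approval and budget allow."""

    def __init__(self, tools: Sequence[Tool], granted_scopes: Sequence[str],
                 budget: RunBudget, approve: Callable[[str, str], bool]):
        self.tools: Dict[str, Tool] = {t.name: t for t in tools}
        self.granted = set(granted_scopes)   # scopes granted to this run only
        self.budget = budget
        self.approve = approve               # human-in-the-loop hook
        self.audit_log: List[Decision] = []  # evidence trail for review

    def step(self, tool_name: str, arg: str) -> Decision:
        tool = self.tools.get(tool_name)
        if tool is None:
            decision = Decision("denied", tool_name, "unregistered tool")
        elif tool.scope not in self.granted:
            decision = Decision("denied", tool_name, f"missing scope {tool.scope}")
        elif (self.budget.steps >= self.budget.max_steps
              or self.budget.cost + tool.cost > self.budget.max_cost):
            decision = Decision("budget_exhausted", tool_name)
        elif not tool.reversible and not self.approve(tool_name, arg):
            decision = Decision("needs_approval", tool_name,
                                "irreversible action held for human review")
        else:
            self.budget.steps += 1
            self.budget.cost += tool.cost
            decision = Decision("executed", tool_name, tool.run(arg))
        self.audit_log.append(decision)
        return decision

    def run(self, plan: Sequence[Tuple[str, str]]) -> List[Decision]:
        results = []
        for tool_name, arg in plan:
            decision = self.step(tool_name, arg)
            results.append(decision)
            if decision.action == "budget_exhausted":
                break   # hard stop: do not keep planning once the budget is gone
        return results


# Constructed tool registry; each registration is a permission grant.
TOOLS = [
    Tool("search_tickets", "read:tickets", True, 0.1, lambda q: f"3 tickets match {q!r}"),
    Tool("draft_reply", "write:drafts", True, 0.1, lambda t: f"draft saved for {t}"),
    Tool("send_email", "send:email", False, 0.1, lambda t: f"sent reply on {t}"),
    Tool("delete_record", "delete:crm", False, 0.1, lambda r: f"deleted {r}"),
]

# Constructed plan standing in for an LLM's tool selections.
DEMO_PLAN = [
    ("search_tickets", "refund"),
    ("draft_reply", "t-42"),
    ("send_email", "t-42"),
    ("delete_record", "c-7"),
]


def run_demo() -> Tuple[List[str], RunBudget]:
    """Run the constructed plan with no human online to approve anything."""
    agent = GuardedAgent(
        TOOLS,
        granted_scopes=["read:tickets", "write:drafts", "send:email"],
        budget=RunBudget(max_steps=3, max_cost=1.0),
        approve=lambda tool, arg: False,
    )
    decisions = agent.run(DEMO_PLAN)
    return [d.action for d in decisions], agent.budget


if __name__ == "__main__":
    actions, budget = run_demo()
    print(actions, f"steps={budget.steps} cost={budget.cost:.2f}")
```

The point of the demo run is that the read and draft steps execute, the email send is held because it is irreversible and nobody approved it, and the delete is refused outright because the run was never granted `delete:crm`, regardless of what the planner asked for. The audit log is what a security or compliance reviewer would pull afterwards.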

V

Vector database

A database specialised in storing and searching high-dimensional embeddings.

Typical options include Qdrant, Weaviate, Pinecone, Milvus, and pgvector. Enterprise selection hinges on hybrid search support, metadata filtering, data residency, and operational maturity, not raw recall numbers.

Vendor lock-in

Dependence on a specific AI vendor’s proprietary model, APIs, or data formats such that switching is costly or impractical.

Common lock-in axes: fine-tuned weights, prompt libraries, evaluation pipelines, data egress fees, and embedded agent behaviours. Designing for portability from day one is cheaper than unwinding lock-in two years later.

Missing a term?

We keep this glossary short on purpose. If a term you care about is not here, tell us and we will add it.