AI Governance Glossary
80 operator-friendly definitions across NIST AI RMF, ISO 42001, EU AI Act, GDPR, and adjacent regulations. Each term carries the canonical framework reference so you can trace it back to the source.
AI Bill of Materials (AIBOM)
Compliance + audit
An emerging standard for documenting the components of an AI system: training datasets, model weights, libraries, dependencies, license terms. Analogous to SBOM (Software Bill of Materials) in cybersecurity. Required by some procurement processes; not yet a mature standardised format.
NIST AI 600-1 · CISA SBOM guidance (extended)
AI Ethics Committee
Governance role
A cross-functional standing body within an organisation that reviews proposed + active AI deployments against the organisation's ethics policy. Typically includes representation from legal, risk, business, and (where applicable) affected-stakeholder groups. Distinct from the AI Risk Owner — the committee approves direction; the Risk Owner is accountable for execution.
ISO 42001 §5.3 · NIST AI RMF Govern 2.1
AI Incident
Compliance + audit
An event where an AI system causes (or risks causing) harm to individuals, property, or the environment. EU AI Act Article 73 requires providers of high-risk AI to report serious incidents to market surveillance authorities. The OECD AI Incidents Monitor catalogues public incidents.
EU AI Act Art. 73 · OECD AI Incidents Monitor
AI Management System (AIMS)
Framework + standard
The formal organisational structure required by ISO 42001 — policies, roles, processes, and records that govern how an organisation develops, deploys, and operates AI systems. Modelled on ISO 27001's ISMS pattern; certifiable by a third-party auditor.
ISO 42001 §4–§10
AI Office
Regulation + law
The European Commission body established under EU AI Act Article 64 to coordinate enforcement, develop secondary legislation, supervise general-purpose AI providers, and provide guidance to national market surveillance authorities. Operational since February 2024.
EU AI Act Art. 64
AI Operator (NIST AI RMF)
Governance role
NIST AI RMF actor type — the entity that operates an AI system after it has been deployed by another actor. Sits between AI Provider + AI User + AI Subject in NIST's actor model. Practical example: a hospital running a vendor-supplied diagnostic AI is the Operator; the vendor is the Provider; the patient is the Subject.
NIST AI RMF actor model
AI Risk Owner
Governance role
The named individual accountable for a specific AI system's risk profile — typically the business owner of the use case, not the technical lead. Risk owners approve risk-treatment decisions, escalate residual risk, and own the audit trail for that system.
NIST AI RMF Govern 2.2 · ISO 42001 §5.3
AIDA + CPPA (Canada, lapsed)
Regulation + law
Bill C-27, including the Artificial Intelligence and Data Act (AIDA) and Consumer Privacy Protection Act (CPPA). Lapsed on 6 January 2025 when Parliament prorogued. Do NOT cite as in force. Treat as policy signal only. Canadian federal AI governance currently relies on PIPEDA + provincial laws (Quebec Law 25, etc.); a re-tabled C-27 successor is expected but its scope + timing are uncertain.
Bill C-27 (lapsed 2025-01-06)
Algorithmic Impact Assessment (AIA)
Compliance + audit
Pre-deployment assessment of an algorithmic system's risks, typically required for public-sector AI. Canada's Directive on Automated Decision-Making mandates one; New Zealand's Algorithm Charter recommends one; the Colorado AI Act effectively requires one for high-risk systems. Distinct from DPIA (privacy-only scope) and FRIA (fundamental rights scope).
Canada Directive on ADM · Colorado SB 24-205
Annex III (EU AI Act)
Regulation + law
The list of high-risk AI use cases that triggers Article 6 obligations — currently covers eight domains including biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice. Updateable by Commission delegated act.
EU AI Act Annex III
Audit Trail
Compliance + audit
An immutable chronological record of events sufficient to reconstruct what happened in an AI system at any point. Required by EU AI Act Article 12 (automatically-generated logs for high-risk systems). The audit trail is the primary evidence base for post-incident investigation and conformity assessment.
EU AI Act Art. 12 · ISO 42001 §9.1
Authorised Representative (EU AI Act)
Governance role
EU AI Act Article 25 role. A natural or legal person established in the EU mandated by a non-EU provider of a high-risk AI system to act on its behalf — receive complaints, hold technical documentation, cooperate with market surveillance authorities. Required for any high-risk AI provider outside the EU placing systems on the EU market.
EU AI Act Art. 25
Automated Decision-Making (ADM)
Compliance + audit
A decision based solely on automated processing of personal data that produces legal or similarly significant effects. Triggers GDPR Article 22 protections: the data subject has the right not to be subject to the decision unless conditions apply, plus the right to human intervention, to express a point of view, and to contest the decision.
GDPR Art. 22 · CPRA ADM Regs
Bias (statistical / algorithmic)
Technical concept
Systematic deviation in model outputs that disadvantages a protected group or fails to represent population characteristics. Sources include training data sampling, label noise, feature selection, and model architecture. Distinct from variance (random error). Bias and fairness are measured statistically — a perfectly 'unbiased' model is rare; choose the fairness definition that matches the deployment context.
NIST AI 1270 (bias categories) · EU AI Act Art. 10
Bias Audit
Compliance + audit
Structured evaluation of an AI system's outputs across protected groups to detect discrimination. NYC Local Law 144 mandates one annually for automated employment decision tools. Methodology varies — common approaches include disparate-impact ratio testing, equal-opportunity analysis, and counterfactual fairness assessment.
NYC LL 144 · NIST AI 1270
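The disparate-impact ratio test named above, as an added worked example that is not part of the glossary and not any regulator's official method. It assumes a per-candidate outcome table (constructed here), computes each group's selection rate and its ratio to the highest-rate group, and flags groups below an assumed 0.8 cut-off (the common four-fifths rule of thumb, used here as a review trigger, not a legal finding).

```python
# Added example: disparate-impact ratio testing over screening outcomes.
# All data below is constructed for illustration; the 0.8 threshold is an
# assumed review trigger (the four-fifths rule of thumb), not a legal test.
from collections import defaultdict

# Constructed outcomes: (group label, was the candidate selected?).
SAMPLE_OUTCOMES = (
    [("A", True)] * 30 + [("A", False)] * 20    # group A: 30 of 50 selected
    + [("B", True)] * 16 + [("B", False)] * 24  # group B: 16 of 40 selected
    + [("C", True)] * 5 + [("C", False)] * 5    # group C: 5 of 10 selected
)

FOUR_FIFTHS = 0.8  # assumed threshold below which a group is flagged


def selection_rates(outcomes):
    """Return {group: selected / total} for every group seen in outcomes."""
    selected = defaultdict(int)
    total = defaultdict(int)
    for group, was_selected in outcomes:
        total[group] += 1
        if was_selected:
            selected[group] += 1
    return {g: selected[g] / total[g] for g in total}


def impact_ratios(rates):
    """Each group's selection rate divided by the highest group's rate.

    The reference group (highest rate) always gets ratio 1.0.
    """
    if not rates:
        return {}
    best = max(rates.values())
    if best == 0:
        # Nobody was selected at all; ratios are undefined, report 0s.
        return {g: 0.0 for g in rates}
    return {g: r / best for g, r in rates.items()}


def flagged_groups(outcomes, threshold=FOUR_FIFTHS):
    """Groups whose impact ratio falls below the threshold, sorted by label."""
    ratios = impact_ratios(selection_rates(outcomes))
    return sorted(g for g, r in ratios.items() if r < threshold)


if __name__ == "__main__":
    rates = selection_rates(SAMPLE_OUTCOMES)
    for group, ratio in sorted(impact_ratios(rates).items()):
        print(f"group {group}: rate={rates[group]:.2f} impact_ratio={ratio:.2f}")
    print("flagged for review:", flagged_groups(SAMPLE_OUTCOMES))
```

A real audit would run this per protected category and per intersection of categories, and would record sample sizes alongside the ratios, since a ratio computed on ten candidates carries little evidential weight.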
CCPA / CPRA
Regulation + law
California Consumer Privacy Act (2018) + California Privacy Rights Act (2020 amendment). State-level consumer privacy law covering personal information of California residents. The CPRA's automated decision-making regulations (final rules effective 1 January 2026) require pre-use notice, opt-out, and risk assessments for ADM that uses personal information.
CCPA · CPRA · CPRA ADM Regs (effective 2026-01-01)
Chief AI Officer (CAIO)
Governance role
Executive accountable for an organisation's AI strategy + governance + investment. Emerging role; not yet standard org-design. Often co-owns with the CISO + CDO. In US federal government, OMB M-24-10 mandates a Chief AI Officer in every covered agency.
US OMB M-24-10 (federal CAIO mandate)
Chief Information Security Officer (CISO)
Governance role
Executive responsible for information security + cybersecurity programmes. In AI governance, the CISO typically owns model-security + data-pipeline-security risks (prompt injection, training-data integrity, inference-API security) and the supporting controls. Distinct from the AI Risk Owner who owns the use-case-level risk.
ISO 27001 · NIST CSF 2.0
Colorado AI Act (SB 24-205)
Regulation + law
First US state-level AI law of broad scope. Effective 1 February 2026. Requires impact assessments + risk-management programmes for developers and deployers of high-risk AI systems making consequential decisions about Colorado residents (employment, education, financial services, government services, healthcare, housing, insurance, legal services).
Colorado SB 24-205
Conformity Assessment
Compliance + audit
The procedure required by EU AI Act Articles 43–49 to verify a high-risk AI system meets the regulation's requirements before market placement. May be self-assessment (internal control) or third-party assessment by a Notified Body depending on the system type.
EU AI Act Art. 43–49
Council of Europe Framework Convention on AI
Framework + standard
The first legally-binding international treaty on AI (opened for signature September 2024). Imposes obligations on signatory states to ensure AI systems respect human rights, democracy, and the rule of law across the AI lifecycle. Distinct from EU AI Act — the Convention is broader in scope but lighter on detailed obligations.
CoE Framework Convention on AI
DPDPA (India)
Regulation + law
Digital Personal Data Protection Act 2023 — India's first comprehensive data protection law. Enacted August 2023; enforcement rules pending (draft rules published January 2025). Covers personal data of Indian residents + extra-territorial processing tied to offering goods or services in India.
DPDPA 2023
DSA (Digital Services Act)
Regulation + law
EU Regulation 2022/2065 — covers intermediary services + Very Large Online Platforms (VLOPs) + Very Large Online Search Engines (VLOSEs). Imposes algorithmic transparency, risk assessments, and audit obligations. Distinct from the EU AI Act but overlapping at recommender-system + content-moderation AI use cases.
Regulation (EU) 2022/2065
Data Protection Impact Assessment (DPIA)
Compliance + audit
GDPR Article 35 requirement triggered by data processing 'likely to result in a high risk to the rights and freedoms of natural persons.' AI systems processing personal data at scale typically trigger this. The DPIA must precede the processing and document the necessity, proportionality, and mitigation measures.
GDPR Art. 35 · EU AI Act Art. 27 (FRIA cross-reference)
Data Protection Officer (DPO)
Governance role
Required under GDPR Article 37 for public authorities + organisations conducting large-scale processing of special-category data. The DPO advises on DPIA scope, monitors compliance, and acts as the contact point with the supervisory authority. In AI deployments, the DPO is typically the first signoff on data-processing aspects of any model.
GDPR Art. 37–39
Datasheet for Datasets
Compliance + audit
Structured documentation describing a dataset's motivation, composition, collection process, preprocessing, uses, distribution, and maintenance. Introduced by Gebru et al. (2018). Increasingly required for high-risk AI training-data documentation under EU AI Act Article 10.
Gebru et al. (2018) · EU AI Act Art. 10
Deployer
Regulation + law
Under the EU AI Act, the natural or legal person using an AI system under their authority (other than for personal non-professional activity). Deployers have distinct obligations from providers — including human oversight, monitoring, and (for some high-risk uses) Fundamental Rights Impact Assessment.
EU AI Act Art. 3(4) · EU AI Act Art. 26 · EU AI Act Art. 27
Drift (model)
Technical concept
Degradation in model performance over time, typically caused by shifts in the input data distribution (data drift) or in the relationship between inputs and outputs (concept drift). Detected via ongoing monitoring of model outputs + prediction statistics + business-outcome KPIs. Triggers retraining, recalibration, or retirement.
NIST AI RMF Measure 4.3
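The "monitoring of prediction statistics" this entry mentions, as an added worked example that is not part of the glossary: a Population Stability Index (PSI) check comparing the histogram of model scores in a reference window against a live window. The bin edges, the constructed score samples and the 0.1 / 0.25 warn and alert thresholds are assumptions (the thresholds are common rules of thumb, not values from any framework cited here).

```python
# Added example: data-drift detection with the Population Stability Index.
# Score samples, bin edges and thresholds below are constructed assumptions.
import math
from bisect import bisect_right

# Assumed bin edges over a model score in [0, 1]: bins are
# [0, 0.3), [0.3, 0.7), [0.7, 1].
SCORE_EDGES = [0.3, 0.7]

# Constructed histograms (counts per bin) for a reference window captured
# at validation time and a later production window.
REFERENCE_COUNTS = [500, 300, 200]
LIVE_COUNTS = [400, 300, 300]

PSI_WARN = 0.1    # assumed: investigate
PSI_ALERT = 0.25  # assumed: treat as drift, trigger retraining review


def bin_scores(scores, edges=SCORE_EDGES):
    """Count scores per bin; a score equal to an edge goes in the upper bin."""
    counts = [0] * (len(edges) + 1)
    for s in scores:
        counts[bisect_right(edges, s)] += 1
    return counts


def psi(expected_counts, actual_counts, eps=1e-6):
    """PSI = sum over bins of (actual% - expected%) * ln(actual% / expected%).

    eps floors each proportion so an empty bin does not produce log(0).
    """
    if len(expected_counts) != len(actual_counts):
        raise ValueError("histograms must have the same number of bins")
    exp_total = sum(expected_counts)
    act_total = sum(actual_counts)
    if exp_total == 0 or act_total == 0:
        raise ValueError("both windows need at least one observation")
    value = 0.0
    for e, a in zip(expected_counts, actual_counts):
        p_exp = max(e / exp_total, eps)
        p_act = max(a / act_total, eps)
        value += (p_act - p_exp) * math.log(p_act / p_exp)
    return value


def drift_status(psi_value, warn=PSI_WARN, alert=PSI_ALERT):
    """Map a PSI value onto the assumed three-level status."""
    if psi_value >= alert:
        return "alert"
    if psi_value >= warn:
        return "warn"
    return "stable"


if __name__ == "__main__":
    value = psi(REFERENCE_COUNTS, LIVE_COUNTS)
    print(f"PSI={value:.4f} status={drift_status(value)}")
```

PSI only sees the input or score distribution, so it catches data drift but not concept drift (inputs unchanged, outcomes changed); the business-outcome KPIs the entry mentions are what cover that second case.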
EO 14179 (Removing Barriers to American Leadership in AI)
Regulation + law
US Executive Order signed 23 January 2025. Revokes EO 14110 (the prior Biden-era AI EO). Re-orients US federal AI policy around innovation + competitiveness. NIST AI RMF remains the federal de-facto reference for risk management in the post-EO-14179 environment.
EO 14179 (2025-01-23)
EU AI Act
Regulation + law
Regulation (EU) 2024/1689 — the world's first horizontal AI law. Risk-based: prohibited practices (Art. 5, in force 2 Feb 2025), high-risk systems (Art. 6), GPAI obligations (Chapter V), transparency obligations to natural persons (Art. 50). Phased timeline: Phase 1 (prohibited practices) Feb 2025; Phase 2 (high-risk + GPAI) Aug 2026; Phase 3 (Annex I) Aug 2027.
Regulation (EU) 2024/1689
EU AI Act Article 14 (human oversight)
Regulation + law
Requires that high-risk AI systems be designed + developed to allow human oversight during the period in which they are in use. Oversight measures must include the ability to understand the system's capabilities + limitations, identify operational anomalies, and interrupt or override the system.
EU AI Act Art. 14
EU AI Act Article 5 (prohibited practices)
Regulation + law
The eight categories of AI practices banned in the EU since 2 February 2025: subliminal manipulation, exploitation of vulnerabilities, social scoring by public authorities, predictive policing based on profiling, untargeted facial-recognition scraping, emotion recognition in workplaces + schools, biometric categorisation by sensitive attributes, real-time remote biometric identification in publicly accessible spaces for law enforcement.
EU AI Act Art. 5
EU AI Act Article 50 (transparency to natural persons)
Regulation + law
Mandates transparency to end users: AI systems intended to interact directly with natural persons must be designed so users are informed they're interacting with AI (chatbot disclosure). Deepfake content + synthetic media must be marked as artificially generated. Emotion-recognition + biometric-categorisation systems must inform exposed persons.
EU AI Act Art. 50
Embedding
Technical concept
A numerical vector representation of a piece of content (text, image, audio) that preserves semantic similarity — items with similar meaning land close in vector space. Foundation of retrieval-augmented generation, semantic search, and recommendation. Quality + bias characteristics of the embedding model propagate to every downstream use.
NIST AI 600-1
Fine-tuning
Technical concept
Further training of a pre-trained foundation model on a specific dataset to specialise it for a task or domain. Distinct from prompt engineering (no weight change) and full training (starts from random initialisation). Introduces specific risks: training-data leakage, alignment drift, forgetting of safety properties from the base model.
NIST AI 600-1
Foundation Model
Technical concept
An AI model trained on broad data at scale (typically self-supervised) such that it can be adapted to a wide range of downstream tasks. Examples include GPT-4, Claude, Gemini. Distinct from task-specific models trained for a single use case.
NIST AI RMF Generative AI Profile (NIST AI 600-1)
Fundamental Rights Impact Assessment (FRIA)
Compliance + audit
EU AI Act Article 27 requirement for certain deployers of high-risk AI (public bodies + entities providing services of general interest) to assess impacts on fundamental rights before first deployment. Distinct from a DPIA but overlapping; the FRIA can build on DPIA outputs where applicable.
EU AI Act Art. 27
GDPR
Regulation + law
General Data Protection Regulation (Regulation (EU) 2016/679) — comprehensive EU data protection law in force since May 2018. Article 22 (automated decision-making) is the AI-relevant provision; Article 35 (Data Protection Impact Assessment) is typically triggered by AI processing personal data at scale.
Regulation (EU) 2016/679 · GDPR Art. 22 · GDPR Art. 35
General-Purpose AI (GPAI)
Regulation + law
Under EU AI Act Chapter V, an AI model that displays significant generality and can competently perform a wide range of distinct tasks. GPAI providers have transparency obligations (technical documentation, copyright policy, training-data summary) plus stricter obligations when the model presents 'systemic risk' (compute threshold: 10^25 FLOPs).
EU AI Act Art. 51–55 · EU AI Act Chapter V
Govern (NIST AI RMF function)
Framework + standard
The first of NIST AI RMF's four functions — establishing the organisational culture, processes, and accountability structures that enable AI risk management. Covers risk-management strategy, roles + responsibilities, accountability mechanisms, and third-party considerations.
NIST AI RMF 1.0 Govern 1.1–6.2
HIPAA
Regulation + law
Health Insurance Portability and Accountability Act (US, 1996) — protects health information. The Privacy Rule + Security Rule cover AI that processes protected health information (PHI). HHS guidance + the 21st Century Cures Act + ONC's HTI-1 rule shape AI-specific obligations for covered entities and business associates.
HIPAA Privacy Rule · HIPAA Security Rule · ONC HTI-1
Hallucination
Technical concept
An AI model output that is plausible-sounding but factually incorrect or unsupported by the input context. Common in generative models. Mitigations include retrieval-augmented generation (RAG), source-grounded prompting, output verification, and human review on consequential decisions.
NIST AI 600-1 (Generative AI Profile)
High-Risk AI System
Regulation + law
Under the EU AI Act, an AI system meeting either Article 6(1) (safety component of a product covered by Annex I harmonisation legislation) or Article 6(2) (listed in Annex III). High-risk systems trigger the full conformity assessment + technical documentation + post-market monitoring obligations.
EU AI Act Art. 6 · EU AI Act Annex I + III
Human Oversight
Compliance + audit
Measures designed to allow natural persons to oversee an AI system's operation, understand its capabilities + limitations, and intervene when necessary. EU AI Act Article 14 specifies what human oversight measures must achieve for high-risk AI systems. Not synonymous with HITL — oversight may be batch review, sampling, or alerting rather than per-decision review.
EU AI Act Art. 14
Human-in-the-Loop (HITL)
Compliance + audit
An AI system design where a human reviews + can override automated outputs before they affect a real-world decision. Distinct from human-on-the-loop (human monitors but doesn't review every decision) and human-out-of-the-loop (fully autonomous). EU AI Act Article 14 effectively mandates HITL or human-on-the-loop for high-risk AI.
EU AI Act Art. 14 · NIST AI RMF Manage 2.3
ICO (Information Commissioner's Office)
Regulation + law
The UK independent authority for data-protection and information-rights law. Enforces UK GDPR + Data Protection Act 2018. The ICO's AI + data-protection guidance is the de facto reference for UK AI governance in the absence of a UK AI Act.
UK Data Protection Act 2018 · UK GDPR
ISO 42001
Framework + standard
ISO/IEC 42001:2023 — the international standard specifying requirements for an AI Management System (AIMS). Published December 2023. The first certifiable horizontal AI standard. Pairs with ISO/IEC 23894 (AI risk management guidance) and ISO/IEC 5338 (AI lifecycle).
ISO/IEC 42001:2023
ISO/IEC 23894
Framework + standard
ISO/IEC 23894:2023 — guidance on AI risk management. Companion document to ISO 42001 but not certifiable. Provides risk-treatment patterns that the AIMS Statement of Applicability can reference. Generally used as the practical risk-treatment layer beneath the management-system clauses.
ISO/IEC 23894:2023
Inference
Technical concept
The phase in an AI system's lifecycle where the trained model is applied to new inputs to produce outputs. Distinct from training (where weights are learned). Inference is the runtime-facing surface where most user-visible risks (latency, cost, hallucination, prompt injection) manifest.
NIST AI RMF lifecycle
LGPD (Brazil)
Regulation + law
Lei Geral de Proteção de Dados (Law 13,709/2018) — Brazil's comprehensive data protection law, in force since 2020. Modelled closely on GDPR. ANPD (the Brazilian DPA) enforces it. Articles 20 + 22 cover automated decision-making and rights to human review.
LGPD Lei 13,709/2018
Large Language Model (LLM)
Technical concept
A foundation model trained on text data (and increasingly multimodal data) using the transformer architecture, with parameter counts typically in the billions. Examples: GPT-4, Claude 3+, Gemini, Llama. Generates output token-by-token autoregressively.
NIST AI 600-1
Manage (NIST AI RMF function)
Framework + standard
NIST AI RMF's fourth function — allocating resources to address mapped + measured risks, prioritising, and responding. Covers risk-response planning, communication with affected actors, third-party risk allocation, and continuous improvement of the risk-management programme.
NIST AI RMF 1.0 Manage 1.1–4.3
Map (NIST AI RMF function)
Framework + standard
NIST AI RMF's second function — establishing the context for an AI system + identifying its risks. Covers context-of-use definition, AI system categorisation, capability-impact characterisation, risk tolerance, and impacts to individuals + groups + organisations + society.
NIST AI RMF 1.0 Map 1.1–5.2
Measure (NIST AI RMF function)
Framework + standard
NIST AI RMF's third function — analysing, assessing, benchmarking, and monitoring AI risk-related characteristics. Covers test-and-evaluation methods, tracking identified + emergent risks, ongoing monitoring, and feedback loops to the Govern function.
NIST AI RMF 1.0 Measure 1.1–4.3
Model Card
Compliance + audit
Structured documentation describing a model's intended use, training data, evaluation metrics, ethical considerations, and known limitations. Introduced by Mitchell et al. (2018). Increasingly mandated — GPAI providers must publish equivalent information under EU AI Act Article 53; many procurement processes require one.
Mitchell et al. (2018) · EU AI Act Art. 53
Model Owner
Governance role
Technical or business individual accountable for a specific model's lifecycle — training, validation, deployment, monitoring, retirement. Distinct from the AI Risk Owner (who owns the use-case-level decision) and the data scientist (who builds the model). Maintains the model card + lineage record.
NIST AI RMF Govern 2.2 · ISO 42001 §5.3
Model Risk Management (MRM)
Compliance + audit
Discipline originating in financial-services regulation (US Federal Reserve SR 11-7, 2011) covering model development + validation + ongoing monitoring + governance. Increasingly applied to AI/ML models in regulated sectors. EU AI Act + ISO 42001 align with MRM patterns at the principle level.
US Fed SR 11-7 · OCC 2011-12 · PRA SS1/23 (UK FCA)
NIST AI Risk Management Framework
Framework + standard
Voluntary US-origin framework (NIST AI RMF 1.0, January 2023) for managing AI risks across the AI lifecycle. Organised around four functions: Govern, Map, Measure, Manage. Companion documents include the AI 600-1 Generative AI Profile (July 2024) and AI 800 series identity profiles.
NIST AI RMF 1.0 · NIST AI 600-1
NYC Local Law 144 (bias audit)
Regulation + law
New York City law in force since 2023 — automated employment decision tools (AEDTs) used to screen candidates or employees must undergo an independent bias audit annually. Audit summary must be publicly posted at least 10 business days before tool use. Candidates must be notified.
NYC Local Law 144 of 2021
Notified Body
Regulation + law
An accredited conformity-assessment organisation designated by an EU Member State to perform third-party conformity assessments under the EU AI Act for high-risk AI systems that require external review (Articles 31–39). Listed in the EU NANDO database.
EU AI Act Art. 31–39
OECD AI Principles
Framework + standard
Five values-based principles (inclusive growth, human-centred values, transparency, robustness/security, accountability) + five policy recommendations adopted by the OECD Council in 2019 and revised in May 2024. The cross-jurisdiction baseline for AI governance; many national AI strategies cite this directly.
OECD AI Principles (revised 2024)
PIPL (China)
Regulation + law
Personal Information Protection Law (effective 1 November 2021) — China's comprehensive personal information law. Establishes cross-border transfer requirements + automated decision-making restrictions. Pairs with the Cybersecurity Law (2017) + Data Security Law (2021) as China's three-pillar data regime.
PIPL (2021)
Post-Market Monitoring
Compliance + audit
EU AI Act Article 72 obligation on high-risk AI providers — collect + analyse data on the system's performance in real-world use, and feed findings back into the quality management system. Triggers corrective action when performance degrades or new risks emerge. Conceptually similar to medical-device vigilance.
EU AI Act Art. 72
Prompt Injection
Technical concept
A class of attack where user input contains instructions that override or manipulate the model's intended behaviour. Two flavours: direct injection (user types adversarial instructions) and indirect injection (instructions hidden in retrieved content the model processes). Mitigations include input filtering, instruction hierarchy enforcement, and output validation.
OWASP Top 10 for LLMs (LLM01) · NIST AI 600-1
Provenance
Compliance + audit
The verifiable origin + history of a piece of data, model, or AI output. Provenance underpins copyright defence (where did the training data come from?), incident investigation (which model version produced this output?), and regulatory disclosure (Art. 50 deepfake marking depends on synthetic-media provenance signals).
EU AI Act Art. 50 · C2PA standard
Provider
Regulation + law
Under the EU AI Act, the natural or legal person who develops an AI system or has an AI system developed and places it on the market under their own name or trademark, whether for payment or free of charge. Providers carry the heaviest compliance burden under the AI Act.
EU AI Act Art. 3(3) · EU AI Act Art. 16
Quebec Law 25
Regulation + law
Quebec's Act to modernize legislative provisions as regards the protection of personal information. Phased enforcement 2022–2024. Stricter than PIPEDA (federal Canadian law). Article 12.1 covers automated decisions; requires DPIA-equivalent assessments (évaluation des facteurs relatifs à la vie privée).
Quebec Law 25 (Bill 64)
RLHF (Reinforcement Learning from Human Feedback)
Technical concept
A fine-tuning technique where human evaluators rank model outputs and the model is then trained to produce outputs that rank higher. Used heavily in modern LLM alignment. Introduces dependencies on rater quality, rater demographics, and the rater pool's biases — alignment is only as good as the feedback signal.
NIST AI 600-1
Red Teaming
Compliance + audit
Structured adversarial evaluation of an AI system — testers deliberately try to elicit harmful, biased, or policy-violating outputs. Standard practice for foundation-model providers pre-release. NIST AI 600-1 recommends red teaming for generative AI; EU AI Act Article 55 effectively requires it for GPAI models with systemic risk.
NIST AI 600-1 · EU AI Act Art. 55
Residual Risk
Compliance + audit
The risk remaining after risk-treatment measures have been applied. Distinct from inherent risk (before treatment). Residual risk must be formally accepted by the appropriate authority (typically the AI Risk Owner or AI Ethics Committee) before deployment can proceed.
ISO 42001 §6.1 · NIST AI RMF Manage 1.3
Retrieval-Augmented Generation (RAG)
Technical concept
An architecture that augments a generative model's output by retrieving relevant context from an external corpus at inference time. Reduces hallucination by grounding the model in verifiable sources but introduces its own risks (corpus poisoning, retrieval bias, source-citation correctness).
NIST AI 600-1
Right of Explanation
Compliance + audit
The right of a person subject to an automated decision to receive meaningful information about the logic involved + significance + envisaged consequences. Implied by GDPR Articles 13–15 + 22 (the legal extent is contested). The EU AI Act Article 86 grants a clearer right of explanation for affected persons of high-risk AI decisions.
GDPR Art. 13–15, 22 · EU AI Act Art. 86
Risk Appetite
Compliance + audit
The level of risk an organisation is prepared to accept in pursuit of its objectives. Articulated as quantitative thresholds + qualitative statements. The AI risk-management programme treats risks within the appetite as acceptable; risks outside require treatment, transfer, or avoidance.
ISO 42001 §6.1 · NIST AI RMF Govern 1.3
Statement of Applicability (SoA)
Compliance + audit
ISO 42001 deliverable documenting which Annex A controls apply to the organisation's AIMS, which are excluded, and the justification for each. The SoA is a primary audit artefact and the most common source of certification non-conformities when poorly maintained.
ISO 42001 §6.1.3
Substantial Modification
Regulation + law
EU AI Act concept (Article 3(23)) defining a change to an AI system after it has been placed on the market or put into service that affects its compliance with regulation, alters its intended purpose, or affects performance in a way the provider did not foresee. Triggers re-assessment of conformity.
EU AI Act Art. 3(23) · EU AI Act Art. 43(4)
Synthetic Data
Technical concept
Data generated by a model rather than collected from real-world sources. Used to augment training data when real samples are scarce, sensitive, or imbalanced. Risks include amplification of biases present in the generating model and loss of realistic edge cases that only exist in genuine data.
NIST AI 600-1
System Card
Compliance + audit
Extension of the model-card pattern to cover an entire AI system in deployment — not just the model, but the input + output handling, deployment context, user interface, and feedback loops. More appropriate than a model card for documenting systems built on multiple models or with significant post-processing.
System-card publications from major AI labs
Token (LLM)
Technical concept
The atomic unit an LLM operates on. Tokenisation converts text into integer ids the model can process; one token is typically ~3-4 characters of English text. Token counts drive both cost (most APIs price per token) and capability bounds (context-window limits are token-denominated).
Training Data
Technical concept
The dataset used to learn model weights. Quality, provenance, and licensing of training data drive downstream risks: copyright infringement, privacy violations, embedded bias, factual incorrectness. EU AI Act Article 10 requires high-risk system providers to maintain detailed documentation of training data characteristics.
EU AI Act Art. 10
Transformer
Technical concept
The neural-network architecture underlying most modern foundation models. Introduced by Vaswani et al. (2017). Key innovation: the attention mechanism that lets every token in a sequence interact with every other token. Transformers underpin LLMs, vision-transformer image models, and most multimodal systems.