AI governance has developed specific vocabulary that compliance professionals must use correctly with regulators, auditors, board members, and legal counsel. This glossary defines 50 essential terms with plain-English definitions and links to deeper guides.
If you have ever sat in a board meeting where someone confused "AI safety" with "AI compliance," or read a vendor contract that used "algorithmic transparency" and "AI explainability" interchangeably, you understand why precise vocabulary matters in AI governance. Regulators write enforcement actions using specific terms. Auditors evaluate programs against defined concepts. Procurement teams score vendors on criteria that depend on shared definitions. Using the wrong term or conflating two distinct concepts can cost your organization credibility, time, and money.
A 2026 Deloitte survey found that 68% of compliance professionals reported confusion over AI governance terminology as a barrier to effective program implementation. Meanwhile, the EU AI Act alone introduced or formalized over 30 defined terms that carry legal weight in enforcement proceedings. NIST AI RMF uses overlapping but distinct vocabulary. ISO 42001 adds another layer of terminology. The result is a landscape where the same concept may have three different names depending on which framework you reference.
This glossary cuts through that confusion. Every term below is defined in plain English with enough context to use it correctly in regulatory filings, audit responses, board presentations, and vendor evaluations. Where we have published a dedicated guide, you will find a link to go deeper.
Key Takeaways
- Vocabulary precision directly impacts regulatory credibility: using incorrect terms in filings or audit responses signals immaturity to regulators and auditors.
- Regulators and auditors pay close attention to whether organizations use defined terms correctly, with the EU AI Act containing 30+ legally binding definitions.
- Commonly confused term pairs like "AI safety vs. AI governance," "bias vs. discrimination," and "transparency vs. explainability" have distinct meanings with different compliance implications.
- Vendor evaluation improves when procurement teams use standardized terminology. Organizations with shared glossaries complete security questionnaires 40% faster.
- Every term in this glossary links to a full guide where available so your team can move from definition to implementation quickly.
The 50 Essential AI Governance Terms
The following terms are organized alphabetically. Each definition is written for compliance, legal, security, and risk professionals who need to use these terms accurately in professional contexts. Bookmark this page as a reference for your team.
1. Acceptable Use Policy
An acceptable use policy (AUP) defines which AI tools employees may use, how they may use them, and what data they may input. Unlike a general AI policy, an AUP focuses specifically on permitted and prohibited behaviors rather than governance structure. A well-crafted AUP reduces shadow AI risk by giving employees clear guardrails rather than blanket prohibitions. Organizations with AUPs see 52% fewer unauthorized AI tool incidents according to 2026 Gartner data.
2. AI Audit Trail
An AI audit trail is a chronological record of all actions taken by or related to an AI system, including inputs, outputs, configuration changes, access events, and decision rationale. Audit trails differ from standard application logs because they must capture AI-specific metadata such as model version, training data lineage, and confidence scores. The EU AI Act Article 12 requires high-risk AI systems to maintain logs that enable post-deployment monitoring. Effective audit trails are immutable, timestamped, and retained for the period specified by applicable regulations.
3. AI Bias
AI bias refers to systematic errors in an AI system's outputs that produce unfair or skewed results for particular groups. Bias can originate from training data (historical bias), feature selection (measurement bias), labeling processes (annotation bias), or deployment context (aggregation bias). Critically, bias is a statistical property of the system rather than a legal conclusion. Not all bias constitutes unlawful discrimination, but all algorithmic discrimination involves some form of bias. Organizations must measure bias across protected characteristics and document mitigation steps to satisfy regulatory expectations.
4. AI Compliance
AI compliance is the practice of ensuring that an organization's use of artificial intelligence conforms to applicable laws, regulations, industry standards, and internal policies. It differs from AI governance in that compliance is reactive and obligation-driven, while governance is proactive and strategy-driven. AI compliance programs typically include regulatory mapping, control implementation, evidence collection, and audit readiness activities. In 2026, 74% of enterprises report that AI compliance is now a board-level agenda item.
5. AI Developer (EU AI Act)
Under the EU AI Act, an AI developer is a natural or legal person that develops an AI system or a general-purpose AI model and places it on the market or puts it into service under its own name or trademark. The developer designation carries specific obligations including technical documentation, conformity assessments for high-risk systems, and post-market monitoring. This term replaces "provider" from earlier drafts and is distinct from "deployer." An organization can be both a developer and a deployer if it builds AI for internal use.
6. AI Deployer (EU AI Act)
Under the EU AI Act, an AI deployer is a natural or legal person that uses an AI system under its authority, except where the system is used in the course of a personal non-professional activity. Deployers have distinct obligations from developers, including conducting fundamental rights impact assessments for high-risk systems, ensuring human oversight during operation, and monitoring for risks that may emerge in their specific deployment context. Most enterprises purchasing third-party AI tools are classified as deployers.
7. AI Explainability
AI explainability is the ability to describe how an AI system arrives at a specific output in terms that the intended audience can understand and act upon. Explainability is context-dependent: a technical explanation suitable for data scientists differs from the explanation a loan applicant needs when denied credit. The EU AI Act requires high-risk systems to be "sufficiently transparent to enable deployers to interpret the system's output and use it appropriately." Explainability methods include SHAP values, LIME, attention visualization, and natural language rationale generation.
8. AI Governance
AI governance is the system of rules, practices, processes, and organizational structures through which an organization directs and controls its use of artificial intelligence. It encompasses policy development, risk management, oversight mechanisms, accountability frameworks, and continuous monitoring. AI governance differs from AI compliance in that governance is the proactive, strategic layer that shapes how AI is adopted and managed, while compliance focuses on meeting specific legal obligations. A 2026 McKinsey report found that organizations with mature AI governance programs achieve 2.3x faster AI deployment with 67% fewer incidents.
9. AI Governance Committee
An AI governance committee is a cross-functional body responsible for overseeing an organization's AI strategy, approving high-risk AI use cases, setting policy, and monitoring AI risk. Effective committees include representatives from legal, compliance, IT security, data science, business operations, and HR. The committee typically meets monthly and makes binding decisions about AI deployments that exceed defined risk thresholds. Research shows that 82% of organizations with formal AI governance committees report higher confidence in their AI risk posture.
10. AI Governance Maturity
AI governance maturity measures how developed, consistent, and effective an organization's AI governance capabilities are across defined dimensions such as policy, risk management, oversight, and culture. Maturity models typically define four to five levels ranging from ad hoc (no formal governance) to optimized (continuous improvement driven by metrics). Measuring maturity helps organizations prioritize investments, benchmark against peers, and demonstrate progress to regulators. In 2026, only 12% of enterprises self-assess at maturity level 4 or above.
11. AI Incident
An AI incident is any event where an AI system produces an unintended outcome that causes or could cause harm to individuals, organizations, or the public. Incidents range from minor output errors to serious harms such as discriminatory decisions, privacy breaches, or safety failures. The EU AI Act requires developers of high-risk AI systems to report serious incidents to market surveillance authorities. An effective incident response plan defines severity levels, escalation paths, containment procedures, and post-incident review processes specific to AI failures.
12. AI Management System
An AI management system (AIMS) is a set of interrelated elements that an organization establishes to achieve its AI objectives, including policies, processes, organizational structures, and resources. ISO 42001 defines the requirements for an AIMS using the same Plan-Do-Check-Act structure found in ISO 27001 and other management system standards. An AIMS provides the operational backbone for AI governance, translating high-level policy into repeatable, auditable processes. Organizations pursuing ISO 42001 certification must demonstrate a functioning AIMS.
13. AI Model Risk
AI model risk is the potential for adverse consequences from decisions based on incorrect or misused AI model outputs. Model risk arises from three sources: fundamental errors in the model itself, incorrect or inappropriate use of the model, and failure to update the model as conditions change. Financial regulators have addressed model risk since SR 11-7 (Federal Reserve) and SS1/23 (Bank of England), but the concept now extends to all AI systems. Managing model risk requires validation, monitoring, and governance controls throughout the model lifecycle.
14. AI Policy
An AI policy is a formal document that establishes an organization's position on AI use, defines acceptable and prohibited uses, assigns roles and responsibilities, and sets requirements for risk management and oversight. Unlike an acceptable use policy, which focuses on employee behavior, an AI policy covers the full scope of organizational AI governance including procurement, development, deployment, monitoring, and retirement. A comprehensive AI policy is the foundational document from which all other governance artifacts derive.
15. AI Risk Assessment
An AI risk assessment is a structured process for identifying, analyzing, and evaluating risks associated with a specific AI system or use case. It considers risks to individuals (discrimination, privacy, safety), the organization (regulatory, reputational, operational), and third parties (market effects, environmental impact). The EU AI Act, NIST AI RMF, and ISO 42001 all require risk assessments, though each defines slightly different methodologies. Effective assessments are conducted before deployment and repeated at defined intervals or when material changes occur.
16. AI Risk Management
AI risk management is the ongoing process of identifying, assessing, mitigating, and monitoring risks associated with AI systems across their lifecycle. It goes beyond individual risk assessments by establishing a continuous risk management framework with defined appetite, tolerance thresholds, escalation paths, and reporting cadences. The NIST AI RMF organizes risk management into four functions: Govern, Map, Measure, and Manage. Organizations with formal AI risk management programs detect and resolve AI incidents 58% faster than those without.
17. AI Safety
AI safety is the field concerned with ensuring that AI systems do not cause unintended harm, particularly as systems become more capable. While often conflated with AI governance, safety focuses specifically on technical and systemic risks such as misalignment (AI pursuing unintended objectives), robustness failures, and catastrophic risks from advanced AI. AI governance encompasses AI safety as one dimension alongside compliance, ethics, and risk management. For most enterprises, AI safety concerns manifest as reliability, security, and output quality requirements.
18. AI System
An AI system, as defined by the EU AI Act, is a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that infers from inputs how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. This definition is deliberately broad and includes generative AI, predictive analytics, computer vision, natural language processing, and robotic systems. Organizations must inventory all systems meeting this definition to determine their regulatory obligations.
19. AI Transparency
AI transparency is the practice of making information about an AI system's existence, capabilities, limitations, and functioning available to relevant stakeholders. Transparency operates at multiple levels: informing individuals that they are interacting with AI, disclosing that AI influenced a decision, publishing system-level information about how AI is used, and providing technical documentation about model architecture and training. The EU AI Act mandates transparency obligations for all AI systems, with requirements scaling by risk level. Transparency is a necessary condition for but is distinct from explainability.
20. Algorithmic Discrimination
Algorithmic discrimination occurs when an AI system produces outcomes that unlawfully disadvantage individuals based on protected characteristics such as race, gender, age, disability, or national origin. Unlike AI bias, which is a statistical measure, algorithmic discrimination is a legal conclusion based on applicable anti-discrimination law. The Colorado AI Act specifically targets algorithmic discrimination in high-risk decisions. Organizations must distinguish between statistical bias (which may be acceptable in some contexts) and discrimination (which is never lawful), and implement testing regimes that detect both.
21. Automated Decision-Making
Automated decision-making (ADM) refers to decisions made by technological means without meaningful human involvement. Under GDPR Article 22 and UK GDPR, individuals have the right not to be subject to solely automated decisions that produce legal or similarly significant effects, with limited exceptions. ADM is a broader concept than AI, as rule-based systems also qualify. Organizations must identify which of their AI-driven processes constitute solely automated decision-making, implement appropriate safeguards including human review mechanisms, and provide affected individuals with meaningful information about the logic involved.
22. Browser Extension Monitoring
Browser extension monitoring is a technical control that detects and manages AI-related browser extensions installed by employees, such as ChatGPT plugins, AI writing assistants, and code completion tools. Browser extensions are a primary vector for shadow AI because they operate outside traditional network security controls and can access sensitive page content. Monitoring approaches include endpoint management agents, DNS filtering, and extension allowlisting. Organizations using browser extension monitoring detect 3.2x more unauthorized AI tools than those relying solely on network-level controls.
23. Business Associate Agreement
A business associate agreement (BAA) is a contract required under HIPAA between a covered entity and a business associate that establishes the permitted uses and disclosures of protected health information (PHI). In the AI governance context, BAAs are critical when healthcare organizations use third-party AI tools that process PHI. Many popular AI services do not sign BAAs, making them non-compliant for healthcare use. Organizations in healthcare must verify BAA availability before approving any AI tool that will process patient data, clinical notes, or other PHI.
24. Conformity Assessment
A conformity assessment is a formal evaluation process to determine whether a high-risk AI system complies with the requirements of the EU AI Act before it can be placed on the EU market. For most high-risk AI, developers may conduct conformity assessments internally following harmonized standards. However, certain categories, such as biometric identification systems, require assessment by an independent notified body. The assessment covers technical documentation, quality management systems, risk management, data governance, accuracy, robustness, and cybersecurity. Failed assessments prevent market access.
25. Data Loss Prevention
Data loss prevention (DLP) refers to tools and processes that detect and prevent unauthorized transmission of sensitive data outside organizational boundaries. In AI governance, DLP is essential because employees inputting confidential data into AI chatbots, code assistants, and other tools creates data exfiltration risks that traditional DLP was not designed to address. Modern AI-aware DLP solutions monitor clipboard activity, browser inputs, API calls, and file uploads to AI services. Organizations with AI-specific DLP controls experience 71% fewer data exposure incidents involving AI tools.
26. Data Processing Agreement
A data processing agreement (DPA) is a legally binding contract between a data controller and a data processor that governs how personal data is processed, as required by GDPR Article 28. When organizations use AI services that process personal data, DPAs must address AI-specific concerns including training data usage (whether the vendor uses customer data to improve its models), data retention periods, sub-processor chains, and cross-border data transfers. A 2026 IAPP survey found that 43% of organizations have not updated their DPAs to address AI-specific processing activities.
27. DPIA (Data Protection Impact Assessment)
A DPIA is a structured assessment required under GDPR Article 35 when data processing is likely to result in high risk to individuals' rights and freedoms. AI systems frequently trigger DPIA requirements because they involve systematic and extensive profiling, large-scale processing of special category data, or automated decision-making with legal effects. A DPIA for AI must evaluate the necessity and proportionality of the processing, assess risks to data subjects, and identify measures to mitigate those risks. DPIAs are living documents that must be updated when the AI system or its processing context changes materially.
28. EU AI Act
The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI legislation, establishing a risk-based regulatory framework for AI systems placed on or used in the EU market. The Act classifies AI into four risk tiers (prohibited, high-risk, limited risk, minimal risk) and assigns obligations accordingly. It entered into force in August 2024 with phased implementation through 2027. The Act applies extraterritorially to any organization whose AI system's output is used in the EU, regardless of where the organization is established.
29. Generative AI Policy
A generative AI policy is a subset of an organization's broader AI policy that specifically addresses the use of generative AI tools such as large language models, image generators, code assistants, and video synthesis tools. Generative AI presents unique risks not fully covered by general AI policies, including hallucination, intellectual property infringement from training data, data leakage through prompts, and the creation of misleading content. In 2026, 89% of enterprises report having a generative AI policy, up from 31% in 2024, reflecting the rapid mainstreaming of these tools.
30. GPAI Model (General-Purpose AI Model)
A general-purpose AI model (GPAI model), as defined by the EU AI Act, is an AI model that is trained with a large amount of data using self-supervision at scale, displays significant generality, and is capable of competently performing a wide range of distinct tasks. GPAI models include foundation models and large language models. The EU AI Act imposes specific obligations on GPAI model developers including technical documentation, copyright policy compliance, and training data summaries. GPAI models with systemic risk (those trained with more than 10^25 FLOPs) face additional obligations including adversarial testing and incident reporting.
31. High-Risk AI
High-risk AI refers to AI systems classified under Annex III of the EU AI Act as posing significant risks to health, safety, or fundamental rights. Categories include AI used in biometric identification, critical infrastructure management, education and vocational training access, employment and worker management, essential services access (credit scoring, insurance), law enforcement, migration and border control, and administration of justice. High-risk AI systems must comply with extensive requirements including risk management, data governance, technical documentation, human oversight, accuracy, robustness, and cybersecurity before market placement.
32. ISO 42001
ISO/IEC 42001:2023 is the international standard specifying requirements for establishing, implementing, maintaining, and continually improving an AI management system (AIMS) within organizations. It follows the Annex SL high-level structure shared by ISO 27001, ISO 9001, and other management system standards, making it integrable with existing management systems. ISO 42001 requires organizations to conduct AI impact assessments, establish AI-specific risk treatment processes, maintain an AI system inventory, and demonstrate continual improvement. Certification is growing rapidly, with a 340% increase in certifications issued in 2025 compared to 2024.
33. Limited Risk AI
Limited risk AI refers to AI systems under the EU AI Act that are subject only to transparency obligations. This category includes AI systems that interact directly with humans (chatbots), generate or manipulate image, audio, or video content (deepfakes), and systems used for emotion recognition or biometric categorization in non-high-risk contexts. The primary obligation is disclosure: users must be informed that they are interacting with an AI system or that content has been AI-generated. While the compliance burden is lighter than high-risk, organizations must still implement transparency controls and documentation.
34. Minimal Risk AI
Minimal risk AI refers to AI systems under the EU AI Act that are not classified as prohibited, high-risk, or limited risk. These systems face no mandatory requirements under the Act, though the European Commission encourages voluntary adoption of codes of conduct. Examples include AI-powered spam filters, AI-enhanced video games, and inventory management systems. While minimal risk AI has no specific EU AI Act obligations, organizations should still apply internal governance controls because minimal risk classification does not exempt systems from other laws such as GDPR, product liability directives, or sector-specific regulations.
35. Model Risk Management
Model risk management (MRM) is a structured approach to identifying, measuring, mitigating, and monitoring the risks associated with the use of quantitative models. Originating in financial services through regulatory guidance (SR 11-7, SS1/23), MRM now extends to AI and machine learning models across all industries. An MRM framework typically includes model inventory, validation and testing, ongoing monitoring, documentation standards, and governance controls. MRM differs from AI risk management in scope: MRM focuses specifically on model-level risks, while AI risk management addresses broader organizational and societal risks.
36. NIST AI RMF
The NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0) is a voluntary framework published by the National Institute of Standards and Technology to help organizations manage AI risks. It organizes risk management into four core functions: Govern (establish and maintain AI risk management culture and processes), Map (contextualize AI risks), Measure (assess and analyze AI risks), and Manage (prioritize and respond to AI risks). While voluntary, NIST AI RMF has become the de facto standard for US-based organizations and is referenced in the Colorado AI Act's "reasonable care" safe harbor provisions.
37. OAuth Monitoring
OAuth monitoring is the practice of tracking and managing OAuth token grants that employees authorize for AI applications to access organizational systems such as email, calendars, cloud storage, and code repositories. OAuth grants are a significant AI governance blind spot because employees can authorize AI tools to access corporate data without IT approval, bypassing traditional security controls. A single OAuth grant can give an AI tool persistent, broad access to sensitive data. Organizations implementing OAuth monitoring discover an average of 14 unauthorized AI tool integrations per 1,000 employees.
38. Policy Acknowledgment
Policy acknowledgment is the documented confirmation that an individual has read, understood, and agreed to comply with an organizational policy. In AI governance, policy acknowledgment serves as evidence that employees are aware of AI use restrictions, acceptable use requirements, and their responsibilities. Acknowledgments should be collected at onboarding, after policy updates, and at periodic intervals. Regulators and auditors view acknowledgment records as evidence of governance program effectiveness. Best practice is to combine acknowledgment with brief comprehension checks rather than relying solely on signature collection.
39. Policy Enforcement
Policy enforcement is the set of technical and administrative controls that ensure compliance with organizational AI policies. Enforcement operates on a spectrum from soft controls (training, reminders, nudges) to hard controls (blocking, access revocation, automated prevention). Effective enforcement combines both: technical controls prevent the most dangerous violations while administrative controls build awareness and culture. Organizations that rely solely on policy publication without enforcement see 78% non-compliance rates. Enforcement mechanisms include DNS filtering, endpoint agents, OAuth monitoring, DLP tools, and access management controls.
40. Prohibited AI
Prohibited AI refers to AI practices banned outright under Article 5 of the EU AI Act. These include AI systems that deploy subliminal, manipulative, or deceptive techniques to distort behavior; exploit vulnerabilities of specific groups; perform social scoring by public authorities; conduct real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions); perform emotion recognition in workplaces and education (with narrow exceptions); create facial recognition databases through untargeted scraping; and infer emotions in law enforcement, border management, workplaces, and education. Prohibitions took effect February 2, 2025.
41. Proxy Discrimination
Proxy discrimination occurs when an AI system uses features that are not themselves protected characteristics but are closely correlated with them, resulting in discriminatory outcomes. For example, using zip code as a feature may serve as a proxy for race in regions with high residential segregation. Proxy discrimination is particularly insidious because it can occur even when protected characteristics are explicitly excluded from model inputs. Detecting proxy discrimination requires statistical analysis of outcomes across protected groups and examination of feature correlations, not just a review of input variables.
42. Responsible AI
Responsible AI is an approach to developing, deploying, and using AI that prioritizes ethical principles, societal benefit, and stakeholder trust alongside business value. Responsible AI encompasses fairness, transparency, privacy, safety, accountability, and human oversight. While AI governance provides the structural framework and AI compliance addresses legal obligations, responsible AI represents the broader ethical commitment that informs governance design. Organizations with formal responsible AI programs report 45% higher employee trust in organizational AI use and 38% stronger customer confidence scores.
43. Risk Appetite
Risk appetite is the level and type of AI risk an organization is willing to accept in pursuit of its objectives, as defined by its board or senior leadership. Risk appetite differs from risk tolerance: appetite is the broad strategic statement about how much risk is acceptable, while tolerance defines specific measurable thresholds for individual risks. Setting AI risk appetite requires board-level engagement because it determines which AI use cases an organization will pursue, which it will avoid, and how much it will invest in controls. Organizations without defined AI risk appetite struggle to make consistent governance decisions.
44. Risk Register
An AI risk register is a structured document or system that records identified AI risks, their assessment (likelihood, impact, velocity), assigned owners, mitigation measures, residual risk levels, and review dates. The risk register is the operational backbone of AI risk management, providing visibility into the organization's aggregate AI risk profile. Effective AI risk registers categorize risks by type (technical, ethical, legal, operational, reputational), link risks to specific AI systems, and track mitigation progress over time. ISO 42001 and NIST AI RMF both require organizations to maintain and regularly update AI risk registers.
45. Shadow AI
Shadow AI refers to the use of AI tools by employees without organizational knowledge, approval, or oversight. Shadow AI is the AI-specific manifestation of shadow IT, but it presents amplified risks because AI tools can process, store, and learn from sensitive data in ways that traditional shadow IT tools do not. A 2026 Cyberhaven study found that 74% of enterprise AI usage is shadow AI. Shadow AI creates compliance risks (data sent to unapproved processors), security risks (data exposure), legal risks (intellectual property leakage), and governance gaps (unmonitored automated decisions).
46. SOC 2 Trust Service Criteria
SOC 2 Trust Service Criteria (TSC) are the five categories against which service organizations are evaluated in SOC 2 audits: security, availability, processing integrity, confidentiality, and privacy. In 2026, SOC 2 auditors increasingly examine how organizations govern AI within these criteria. AI governance intersects with every TSC: security (protecting AI systems), availability (AI system reliability), processing integrity (AI output accuracy), confidentiality (data handling by AI), and privacy (AI processing of personal information). Organizations pursuing SOC 2 should align AI governance controls to TSC requirements proactively.
47. Technical Documentation
Technical documentation, in the EU AI Act context, is the detailed record that developers of high-risk AI systems must create and maintain before placing the system on the market. The documentation must include a general description of the system, detailed development methodology, design specifications, data governance and management practices, monitoring and testing procedures, risk management documentation, and a description of changes throughout the lifecycle. Technical documentation serves as the primary artifact reviewed during conformity assessments and market surveillance inspections.
48. Training Data
Training data is the dataset used to teach an AI model to perform its intended task by exposing it to examples of inputs and desired outputs. Training data quality, representativeness, and governance directly determine AI system fairness, accuracy, and reliability. The EU AI Act requires high-risk AI developers to implement data governance practices covering training, validation, and testing datasets, including measures to examine for biases. Key concerns include data provenance (where data came from), consent (whether individuals consented to AI training use), representativeness (whether the data reflects the deployment population), and freshness (whether the data remains relevant).
49. Transparency Disclosure
A transparency disclosure is a specific communication to individuals informing them that they are interacting with an AI system, that AI was used in a decision affecting them, or that content was generated by AI. The EU AI Act mandates transparency disclosures for all AI systems interacting with humans (Article 50). Effective disclosures are timely (provided before or at the point of interaction), clear (using plain language), meaningful (conveying what the AI does and its limitations), and accessible (reaching all affected individuals including those with disabilities). Vague or buried disclosures do not satisfy regulatory requirements.
50. Zero-Day AI Risk
A zero-day AI risk is a previously unknown vulnerability or risk in an AI system that is discovered or exploited before the developer or deployer has had the opportunity to address it. The term borrows from cybersecurity's "zero-day exploit" concept. In AI governance, zero-day risks include novel adversarial attacks, unexpected model behaviors in new contexts, and newly discovered biases in deployed systems. Managing zero-day AI risk requires robust monitoring, rapid incident response capabilities, and organizational agility to deploy mitigations before harms materialize. The increasing complexity of AI systems makes zero-day risks a growing concern for governance programs.
Build Your AI Governance Vocabulary into Action
Knowing the terms is the first step. PolicyGuard helps you implement the governance framework behind them, from policy creation through enforcement and audit readiness. Request a demo to see how PolicyGuard turns glossary knowledge into operational governance.
Further Reading
- The Complete AI Policy and Governance Guide
- AI Governance vs. AI Compliance: What Is the Difference?
- AI Governance Frameworks Compared
- State of AI Governance 2026
- Why AI Governance Is a Compliance Priority in 2026
Frequently Asked Questions
How many AI governance terms do I need to know for regulatory compliance?
The number depends on your regulatory exposure. Organizations subject to the EU AI Act should be fluent in at least 30 terms, as the Act defines specific legal meanings for concepts like "AI system," "deployer," "high-risk AI," and "conformity assessment." US-focused organizations operating under NIST AI RMF and state laws like the Colorado AI Act need approximately 20 core terms. At minimum, every compliance professional should understand the 15 foundational terms: AI governance, AI compliance, AI risk management, AI policy, AI risk assessment, shadow AI, AI audit trail, AI incident, AI bias, algorithmic discrimination, AI explainability, AI transparency, responsible AI, automated decision-making, and high-risk AI. Mastering these 15 terms equips you for most regulatory and audit conversations.
What is the difference between AI governance and AI compliance?
AI governance is the proactive, strategic framework through which an organization directs and controls its AI use. AI compliance is the subset of governance focused specifically on meeting legal and regulatory obligations. Governance asks "how should we use AI?" while compliance asks "what must we do to meet legal requirements?" In practice, governance drives compliance, not the reverse. Organizations that build governance programs purely around compliance requirements end up with reactive, checklist-driven programs that fail to adapt when new regulations emerge. The most effective programs establish strong governance foundations that naturally satisfy compliance requirements while also addressing ethical, reputational, and strategic AI risks.
Why do regulators care about the specific terms organizations use?
Regulators use precise terminology in their enforcement actions, guidance documents, and examination procedures. When an organization uses incorrect or imprecise terminology in regulatory filings, audit responses, or policy documents, it signals a lack of subject matter depth. For example, describing your program as focused on "AI ethics" when a regulator is evaluating "AI risk management" suggests misalignment with regulatory expectations. The EU AI Act's defined terms carry legal weight: mischaracterizing a system's risk level or incorrectly classifying your role as "developer" versus "deployer" can result in applying the wrong compliance requirements. Precision in language demonstrates governance maturity and builds regulator confidence.
How should I train my team on AI governance vocabulary?
Effective vocabulary training goes beyond distributing a glossary document. Start by identifying the 15-20 terms most relevant to your regulatory environment and business context. Create scenario-based training where team members must use terms correctly in simulated situations: drafting a board memo, responding to an auditor question, evaluating a vendor contract, or reporting an incident. Test comprehension through brief quizzes tied to policy acknowledgment. Reinforce learning by incorporating correct terminology into templates, checklists, and standard operating procedures. Organizations that embed vocabulary into operational workflows see 56% higher retention compared to standalone training sessions. Refresh training quarterly as new regulations introduce additional terms.
How often does AI governance terminology change?
AI governance terminology evolves rapidly. In the past 18 months, the EU AI Act formalized over 30 terms, NIST updated the AI RMF companion profiles, and ISO published several new AI standards with their own defined vocabularies. New terms emerge as technology evolves: "agentic AI governance," "foundation model risk," and "AI supply chain risk" did not exist in mainstream governance vocabulary two years ago. Organizations should review and update their internal glossaries quarterly, align terminology with the frameworks they operate under, and designate a governance team member responsible for tracking terminology changes across regulatory bodies. PolicyGuard maintains updated terminology mappings across frameworks to help organizations stay current.
Stop Guessing at AI Governance Terms
PolicyGuard maps terminology across EU AI Act, NIST AI RMF, ISO 42001, and state regulations so your team uses the right language with every stakeholder. Request a demo to see terminology-aware governance in action.
