AI Compliance Glossary
A comprehensive reference of AI compliance, regulatory, and governance terms. Each entry covers what the term means, why it matters for compliance teams, and which frameworks reference it. Updated automatically as new regulations are tracked.
A
Adversarial Machine Learning
Adversarial machine learning is the practice of designing, testing, or exploiting techniques that cause AI models to perform incorrectly, such as malicious inputs, poisoned training data, or other manipulation. It matters for compliance because it directly affects model security, safety, and the evidentiary basis for claims that an AI system has been tested and controlled.
Adverse Impact Analysis
A structured assessment of whether an AI system may cause unfair, harmful, or disproportionate negative effects on individuals or groups. It is significant because it helps organizations identify discrimination, safety, and rights-based risks before or during deployment.
Age Assurance
Age assurance is the process of estimating, verifying, or confirming a person’s age before allowing access to age-restricted content, products, or services. It is important in compliance because regulators increasingly expect proportionate measures to protect children and to limit unlawful or inappropriate access.
Agentic AI
Agentic AI is AI that can plan and execute multi-step tasks with a degree of autonomy, often by using tools, APIs, or other systems to pursue a goal. It is important in compliance because greater autonomy increases operational, security, and accountability risks when actions are taken without direct human control.
Agentic AI Governance
Agentic AI governance is the set of policies, controls, and oversight mechanisms used to manage AI systems that can plan, decide, and take actions with limited human intervention. It is important because autonomous or semi-autonomous systems can create faster-moving operational, legal, and security risks than standard predictive models.
AI Act Transparency Obligations
AI Act transparency obligations are the EU AI Act requirements that providers and deployers give people clear information when they interact with AI systems, are exposed to synthetic or manipulated content, or are subject to certain AI-supported decisions. They matter because they create explicit disclosure and labeling duties that affect product design, user notices, and compliance evidence.
AI and Data Protection Guidance
AI and data protection guidance is regulatory or supervisory guidance explaining how data protection law applies to AI development and use. It is important because it helps organizations align AI practices with privacy, lawful processing, transparency, and data subject rights requirements.
AI Audit and Certification Body Accreditation
AI audit and certification body accreditation is the formal recognition that an organization is competent and impartial to audit or certify AI systems or AI management systems under a specified scheme. It matters because accreditation is often the gatekeeping mechanism that gives legal, market, or regulatory credibility to an AI certification body’s findings.
AI Certification and Assurance Body Competency
AI certification and assurance body competency is the demonstrated technical, legal, and procedural capability of an organization that audits, certifies, or assures AI systems or AI management systems. It is significant because certification outcomes depend on assessors being able to evaluate AI-specific risks, controls, evidence, and standards consistently and credibly.
AI Claim Substantiation Controls
AI Claim Substantiation Controls are internal checks that require evidence before an organization makes statements about an AI system’s capabilities, performance, compliance, or safety. They are important because unsupported AI marketing or assurance claims can create regulatory, contractual, and consumer-protection risk.
AI Clinical Trial Pilot
An AI clinical trial pilot is a limited, controlled deployment of AI in clinical research to test functionality, safety, workflow integration, and oversight before wider use. It matters for compliance because it creates evidence for risk management, ethics review, data protection, and, where relevant, medical device and clinical research obligations.
AI Companion Chatbot Safety
AI companion chatbot safety is the set of controls, testing, and monitoring practices used to reduce harmful, manipulative, or unsafe behavior in conversational AI designed for sustained personal interaction. It matters because regulators and standards bodies increasingly expect providers to protect users, especially minors and vulnerable users, from foreseeable psychological, privacy, and content-related risks.
AI Companion Chatbots
AI companion chatbots are conversational AI systems designed to provide ongoing social interaction, emotional support, companionship, or personalized engagement to users. They are significant because regulators and standards bodies increasingly focus on their safety, age-appropriate design, disclosure, and misuse risks, especially for vulnerable users.
AI Compulsory Process Record Preservation
AI compulsory process record preservation is the retention and protection of AI-related records that may be needed for subpoenas, court orders, regulatory investigations, or other compulsory legal process. It matters because organizations must be able to produce relevant evidence while also preserving integrity, chain of custody, and defensible retention practices.
AI Controls Matrix
An AI controls matrix is a structured mapping of AI risks, applicable requirements, and the controls used to manage them. It is significant because it helps organizations demonstrate coverage, ownership, and evidence across AI governance and compliance obligations.
AI Enforcement Theme Monitoring
AI enforcement theme monitoring is the ongoing tracking of regulator guidance, investigations, decisions, and enforcement trends to identify the compliance issues most likely to attract scrutiny. It matters because it helps organizations align controls and documentation with the topics regulators are actively prioritizing.
AI Fragility and Deception Risk Assessment
An AI Fragility and Deception Risk Assessment evaluates how an AI system may fail under unusual inputs, context shifts, or adversarial prompting, and whether it may generate misleading, manipulative, or untruthful outputs. It is important because regulators and standards increasingly expect organizations to identify foreseeable failure modes and implement controls before deployment.
AI Frontier Model Cyber Resilience
AI frontier model cyber resilience is the ability of a highly capable or frontier AI model and its surrounding infrastructure to withstand, detect, and recover from cyber threats that could compromise model integrity, confidentiality, availability, or misuse resistance. It matters because frontier systems can amplify the impact of compromise through model theft, prompt injection, data exfiltration, supply-chain attacks, and harmful misuse at scale.
AI Investment and Partnership Competition Review
AI investment and partnership competition review is the assessment of mergers, investments, joint ventures, strategic alliances, and commercial partnerships involving AI businesses for competition, antitrust, and market-concentration risks. It matters because AI collaborations can trigger merger-control filings, information-exchange concerns, exclusivity restrictions, or scrutiny over control of data, compute, and model access.
AI Investment and Partnership Risk Review
A structured review of proposed investments, joint ventures, strategic partnerships, and acquisitions involving AI vendors, models, or AI-enabled business lines to identify legal, operational, security, and reputational risks. It is important because regulators and counterparties increasingly expect firms to assess third-party AI exposure, governance maturity, and compliance obligations before committing capital or strategic dependence.
AI Labor Force Impact Reporting
AI labor force impact reporting is the structured reporting of how AI deployment affects headcount, roles, hours, skills needs, and workforce composition. It is significant because it helps organizations demonstrate oversight of automation-related employment impacts and respond to emerging disclosure expectations.
AI Lending Decision Opt-Out Workflows
AI lending decision opt-out workflows are the processes that allow a consumer to request a human review or otherwise opt out of certain automated lending decisions where applicable. They are significant because lending decisions are a high-impact use case in which legal rights, transparency, and discrimination controls are closely scrutinized.
AI Literacy Measures
AI literacy measures are the policies, training, and awareness activities an organization uses to ensure workers understand how AI systems work, their limitations, and the risks they create. They matter in compliance because several frameworks now expect organizations to build human understanding and oversight into AI governance, not just technical controls.
AI Litigation Hold and Discovery Readiness
AI litigation hold and discovery readiness refers to the processes used to preserve, collect, and produce AI-related records when litigation, investigation, or a regulatory dispute is reasonably anticipated. It is significant because AI systems generate dynamic logs, prompts, outputs, model versions, and training artifacts that can be crucial evidence and are easy to lose if retention is not controlled.
AI Management System
An AI management system is a set of policies, roles, procedures, and controls used to govern the lifecycle of AI systems within an organization. It is significant because it provides the organizational structure needed to assign accountability, manage risk, and demonstrate compliance with AI governance requirements.
AI Misstatement and AI-Related Fraud Controls
AI misstatement and AI-related fraud controls are policies, reviews, and technical safeguards designed to prevent false or misleading statements about AI capabilities, outputs, or usage from being used in fraudulent or deceptive conduct. They matter because regulators and enforcement bodies increasingly treat inaccurate AI claims and manipulated AI outputs as compliance, consumer protection, and fraud risks.
AI Model Development and Deployment under GDPR
AI model development and deployment under GDPR refers to building, training, testing, and operating AI systems in ways that comply with the EU General Data Protection Regulation when personal data is used or affected. It is significant because GDPR governs lawful basis, transparency, data minimization, purpose limitation, security, and data subject rights across the AI lifecycle.
AI Model Memorization
AI model memorization is when a model retains and reproduces specific training examples or sensitive fragments instead of only learning general patterns. It is significant in regulation because memorization can expose personal data, intellectual property, or confidential information and undermine privacy and security controls.
AI Model Memorization Assessment
An AI model memorization assessment is a test or review used to determine whether a model reproduces or reveals training data too closely, including personal data, copyrighted text, or other sensitive content. It is significant because excessive memorization can indicate privacy, confidentiality, and intellectual property risk, especially when models are exposed through prompts or attack techniques.
AI Model Training on Personal Data
The use of personal data to train, fine-tune, or otherwise develop an AI model. It is significant because it can trigger data protection obligations around lawful basis, transparency, purpose limitation, data minimization, and retention under privacy and AI governance regimes.
AI Office Documentation Submissions
AI Office documentation submissions are the formal materials providers and other obligated parties must send to the European Commission’s AI Office to demonstrate compliance with specified obligations under the EU AI Act. They are important because they create a documented supervisory trail for oversight, market surveillance, and enforcement.
AI Office Monitoring and Evidence Requirements
AI Office monitoring and evidence requirements are the reporting, recordkeeping, and cooperation obligations that providers may have to meet when supervised by the EU AI Office. They are significant because they support regulatory oversight of general-purpose AI and systemic-risk models through traceable documentation and ongoing compliance evidence.
AI Pact Voluntary Commitments
AI Pact voluntary commitments are non-binding pledges made by organizations to begin aligning with the EU AI Act before all legal obligations fully apply. They matter because they signal early compliance readiness and help companies build governance practices ahead of enforcement deadlines.
AI Processing Record Retention for Regulatory Investigations
AI processing record retention for regulatory investigations is the practice of preserving logs, documentation, data lineage, and other evidence needed to respond to audits, complaints, litigation holds, or regulator inquiries. It matters because AI compliance often depends on being able to reconstruct how a model was trained, tested, deployed, monitored, and changed over time.
AI Recommendation and Decision Systems
AI recommendation and decision systems are systems that rank, suggest, filter, or automatically select options for users or organizations based on data-driven models. They are significant in regulation because they can affect access to services, opportunities, and rights, making transparency, oversight, and bias controls important.
AI Regulatory Information Request Response Controls
Policies, workflows, and recordkeeping controls used to receive, triage, validate, approve, and respond to requests for information from regulators about an AI system, model, or related compliance program. It matters because incomplete, inconsistent, or delayed responses can create enforcement risk, undermine credibility, and hinder a firm’s ability to demonstrate lawful governance and effective oversight.
AI Right of Access Workflow Integrity
AI right of access workflow integrity is the reliability and auditability of the process used to receive, validate, locate, review, and respond to a data subject access request involving AI processing. It matters because defective workflows can lead to incomplete, late, or inaccurate disclosures and therefore privacy compliance failures.
AI System Definition
The AI system definition is the legal or policy test used to determine whether a tool, model, or workflow falls within the scope of an AI governance framework. It matters because many obligations, prohibitions, and documentation duties apply only if a system meets that definition.
AI System Impact Assessment
An AI system impact assessment is a structured review of the likely effects, risks, and safeguards associated with developing or deploying an AI system in a specific context. It is significant because regulators and governance frameworks increasingly expect organizations to identify harms, assess proportionality, and document mitigation measures before use.
AI System Subject to GDPR Analysis
An AI system that processes personal data or otherwise falls within the scope of the GDPR and therefore requires assessment of lawful basis, transparency, data protection principles, and related individual rights. It matters because GDPR obligations can apply at multiple stages of AI development and use, including training, inference, profiling, and automated decision-making.
AI Vendor Outsourcing and Third-Party Risk Management
The process of assessing, contracting with, monitoring, and controlling external AI vendors, model providers, and service integrators so their services do not create unacceptable operational, legal, security, or regulatory risk. It matters because organizations remain accountable for AI outcomes even when key components are provided by third parties.
AI-Enabled Early-Phase Clinical Trial Pilot
An AI-enabled early-phase clinical trial pilot is a limited clinical research deployment that uses AI to support or optimize activities in the initial phases of a trial, such as protocol design, recruitment, eligibility screening, monitoring, or analysis. It is significant because even pilot uses can trigger medical-device, research-governance, privacy, and safety obligations before the technology is scaled.
AI-Enabled Medical Device Lifecycle Documentation
This is the documentation that records an AI-enabled medical device from design and validation through deployment, monitoring, updates, and retirement. It matters because medical device regulators expect traceable evidence that the AI performs safely and consistently across its lifecycle.
AI-Enabled Medical Device Predetermined Change Control Plan
An AI-Enabled Medical Device Predetermined Change Control Plan is a pre-approved plan that specifies which future changes to an AI-enabled medical device are permitted without requiring a full new premarket submission. It is significant because it gives manufacturers a structured regulatory path for updating machine-learning devices while maintaining safety and effectiveness oversight.
AI-Generated Content Disclosure
A notice or label indicating that content was created, materially altered, or synthesized by an AI system. It is significant because disclosure requirements help users, regulators, and affected individuals understand when they are interacting with or relying on machine-generated content.
AI-Generated Content Provenance Controls
AI-generated content provenance controls are technical and procedural measures used to preserve and verify the origin, transformation history, and authenticity of AI-generated or AI-modified content. They matter for compliance because they support disclosure, fraud prevention, and content integrity obligations under emerging AI transparency rules.
AI-Generated Inferences as Special-Category Data
AI-generated inferences as special-category data are sensitive conclusions about a person that reveal or strongly suggest protected characteristics such as health status, religion, political views, or sexual orientation. They matter for compliance because even if the source data is ordinary, the inferred result can trigger the stricter rules that apply to special-category or sensitive personal data.
AI-Related Fraud Controls
AI-related fraud controls are the policies, technical safeguards, and monitoring measures used to prevent, detect, and respond to fraud that is enabled, assisted, or amplified by AI systems. They matter because regulators increasingly expect firms to manage AI-enabled deception, impersonation, and abuse as part of broader financial crime, consumer protection, and operational risk controls.
AI-Specific SBOM
An AI-specific SBOM is an inventory that identifies the components, dependencies, models, datasets, tools, and other material elements used in an AI system. It matters because compliance teams need traceability over what is inside the system to manage security, update, provenance, and third-party risk obligations.
AI-Supported Automated Individual Decisions
Decisions about a person that are made entirely or partly by AI systems, where the system materially contributes to the outcome or recommendation. It matters because such decisions can trigger heightened legal and governance duties, especially when they produce legal effects or similarly significant effects on individuals.
AI-Supported Processing Purpose, Functionality, and Data Source Disclosure
This is a disclosure requirement that explains when AI is used, what it is used for, how it functions at a high level, and what data sources support the processing. It matters because transparency rules increasingly require organizations to tell users and regulators how AI influences decisions and what inputs it relies on.
AI-Washing
AI-washing is the practice of exaggerating, misrepresenting, or falsely claiming that a product, service, or process uses AI or provides AI capabilities. It matters in compliance because misleading AI claims can create consumer protection, disclosure, contracting, and governance risks.
AI/Health Data Initiatives
AI/health data initiatives are programs or regulatory efforts that promote the safe use, sharing, or governance of health data for AI development and deployment. They matter because health data is highly sensitive and subject to strict legal, security, and ethical controls.
Algorithmic Discrimination
Algorithmic discrimination is the unfair or adverse treatment of individuals or groups caused or amplified by an AI system based on protected or sensitive characteristics. It is a regulatory concern because many AI, privacy, consumer protection, and civil rights frameworks require organizations to detect, prevent, and document discriminatory outcomes.
Algorithmic Trading Governance
Algorithmic trading governance is the set of policies, controls, and oversight processes used to manage automated trading systems across their lifecycle. It is significant because regulators expect firms to control market, operational, and model risks arising from automated order generation and execution.
Anonymisation Assumptions and Documentation
Anonymisation assumptions and documentation are the recorded facts, technical premises, and risk judgments used to support a claim that data has been anonymised and is no longer personal data. They are significant because regulators and courts expect organizations to justify anonymisation claims with evidence, not labels, especially when AI systems could still enable re-identification.
Automated Decision Review and Objection Rights
This is the right or workflow that allows a person to request human review of an automated decision and to object to or challenge that decision where the law provides such a right. It matters because automated decisions affecting people can trigger legal protections under privacy, employment, credit, and consumer-protection regimes.
Automated Decision Systems in Employment
Automated decision systems in employment are AI or algorithmic systems used to screen, rank, evaluate, or make employment-related decisions affecting workers or applicants. They are significant because they can trigger anti-discrimination, transparency, and human oversight obligations in multiple jurisdictions.
Automated Decision-Making Technology
Automated decision-making technology is AI or other software that makes or materially informs decisions about individuals with little or no human intervention. It is significant because many privacy, employment, and consumer-protection regimes impose extra transparency, review, and fairness obligations on such systems.
Automated Lending Decision Tools
Automated lending decision tools are systems that use algorithms or AI to assess creditworthiness, approve or deny loans, set pricing, or determine other credit terms with limited or no human intervention. They are significant because lending decisions are heavily regulated and can trigger obligations related to fairness, explainability, adverse action, and discrimination risk.
B
C
Change-Management and Incident-Response Procedures
Change-management and incident-response procedures are formal processes for approving, testing, documenting, and deploying changes to an AI system, and for detecting, escalating, containing, and recovering from harmful incidents or failures. They matter because regulators increasingly expect organizations to control model updates and respond quickly to incidents that affect safety, security, fairness, or legal compliance.
Cloud Compute and AI Policy Review
Cloud Compute and AI Policy Review is the process of evaluating an organization's cloud usage, AI workloads, and internal policies to ensure they align with legal, security, procurement, and governance requirements. It matters because regulators and assurance frameworks increasingly expect firms to control third-party compute, data handling, and AI deployment risks through documented oversight.
Companion Chatbot
A companion chatbot is an AI conversational system designed to provide ongoing interaction, emotional support, companionship, or personalized engagement rather than purely transactional assistance. It matters for compliance because these systems can create heightened risks for vulnerable users, privacy, safety, and misleading claims about the system’s capabilities.
Conformity Assessment Schemes
Conformity assessment schemes are formal procedures used to verify that a product, system, or process meets specified legal, technical, or standards-based requirements before or after it is placed on the market. In AI regulation, they matter because they provide the evidence base for demonstrating compliance with applicable obligations.
Consumer-Facing AI Chatbot Disclosures
Consumer-Facing AI Chatbot Disclosures are the notices provided to end users that explain they are interacting with an AI system, what the chatbot can and cannot do, and any material limits or risks. They are important because transparency obligations and consumer-protection rules increasingly require clear, non-misleading disclosure when AI is used in public-facing interactions.
Controller or Provider Obligation Determination for AI Models
Controller or provider obligation determination for AI models is the analysis used to decide which legal role a person or organization holds for an AI system and which compliance duties attach to that role. It is significant because under GDPR and the EU AI Act, responsibilities differ depending on whether an actor determines purposes and means, provides a system, deploys a system, or performs another regulated function.
Copyright Compliance Policy
A copyright compliance policy is an internal rule set that governs how an organization sources, uses, stores, and documents copyrighted materials in AI development and deployment. It is significant because AI training, fine-tuning, and content generation can create copyright exposure through unauthorized copying, prohibited ingestion, or unlawful output reuse.
Covered Automated Decision-Making System Governance
This refers to the policies, controls, and oversight processes used to manage an automated decision-making system that falls within a regulated or otherwise covered category. It matters because covered systems typically require stronger governance, testing, documentation, and accountability than general-purpose AI tools.
Critical Infrastructure AI Risk Profile
Critical infrastructure AI risk profile is the documented assessment of how an AI system affects essential services such as energy, transport, water, telecommunications, or health infrastructure. It is significant because failures in these environments can create systemic harm, so regulators and operators require stronger controls, assurance, and oversight.
D
Data Minimisation
Data minimisation is the principle that only personal data that is adequate, relevant, and limited to what is necessary for a specific purpose should be collected and used. In AI compliance, it matters because it reduces privacy risk and helps justify training, inference, and monitoring data choices.
DORA Major ICT Incident Taxonomy
The DORA major ICT incident taxonomy is the classification framework used to determine whether an ICT-related event qualifies as a major incident under the EU Digital Operational Resilience Act. It matters because classification triggers reporting, escalation, governance, and remediation obligations for regulated financial entities and their ICT providers.
Dual-Use Foundation Model Misuse Risk Management
Dual-use foundation model misuse risk management is the set of controls used to identify, assess, and reduce the risk that a foundation model can be used for harmful purposes as well as beneficial ones. It matters because regulators increasingly expect providers to manage misuse pathways such as fraud, malware assistance, biosecurity abuse, and other high-impact harmful uses.
E
Employment AI
Employment AI refers to AI systems used in hiring, promotion, performance evaluation, scheduling, monitoring, workforce management, or termination decisions. It matters because employment use cases are commonly treated as high-risk or highly regulated due to their potential to affect workers’ rights and to create discrimination or transparency obligations.
Employment Automated Decision Systems
Employment automated decision systems are AI or algorithmic systems used to make or materially influence decisions about hiring, promotion, compensation, scheduling, performance, discipline, or termination. They are significant because employment decisions are closely scrutinized for bias, transparency, and human oversight obligations.
ePHI Security Risk Assessment for AI Workflows
An ePHI Security Risk Assessment for AI Workflows is a review of how electronic protected health information is collected, processed, stored, transmitted, and accessed when AI tools are used in healthcare operations. It is significant because healthcare organizations must protect patient data and demonstrate safeguards when AI systems interact with regulated health information.
Evaluation-Ready Documentation
A documentation package that provides enough technical, procedural, and contextual detail for an AI system or model to be independently assessed. It is significant because regulators and auditors expect evidence that testing, governance, and risk controls are complete, consistent, and reviewable.
Explainability and Decision Traceability
Explainability and decision traceability refer to the ability to understand how an AI system produced an output and to reconstruct the key inputs, logic, and human actions involved in a decision. They matter because regulators and auditors often expect organizations to justify outcomes, investigate errors, and demonstrate accountability.
F
Frontier AI Cyber Resilience
Frontier AI cyber resilience is the ability of advanced AI systems and their supporting environments to withstand, detect, and recover from cyber threats, misuse, and operational disruption. It is significant because frontier models can expand attack surfaces, enable harmful automation, and create systemic security risks for developers and deployers.
Frontier Model Training Restrictions
Frontier model training restrictions are legal, contractual, or policy limits placed on the development, access, or deployment conditions of highly capable AI models during training. They matter in the regulatory landscape because they are used to reduce catastrophic, safety, security, and misuse risks from advanced models before those risks reach the market.
G
GDPR Scope Analysis for AI Models
GDPR scope analysis for AI models is the assessment of whether a model, dataset, or deployment falls within the territorial and material scope of the GDPR or UK GDPR. It is important because the answer determines whether privacy obligations such as lawful basis, transparency, data subject rights, and transfer controls apply to the AI activity.
GenAI Risk Categories
GenAI risk categories are the main classes of risk used to organize generative AI controls, such as safety, security, privacy, IP, accuracy, bias, and misuse. They matter because compliance teams need a structured taxonomy to map testing, monitoring, and governance obligations to the actual risks posed by a generative AI system.
General-Purpose AI (GPAI)
General-purpose AI is an AI model designed to perform a broad range of tasks and to be adaptable for many downstream uses, rather than being built for one specific application. In regulation, it matters because such models can trigger additional transparency, documentation, and risk-management duties, especially where they can be integrated into many products and services.
General-Purpose AI Code of Practice
The General-Purpose AI Code of Practice is a voluntary EU framework intended to help providers of general-purpose AI models demonstrate how they will meet EU AI Act obligations. It matters because it provides a practical compliance route for governance, documentation, transparency, and copyright-related controls before and after formal requirements fully apply.
General-Purpose AI Code of Practice Sign-On Strategy
A general-purpose AI code of practice sign-on strategy is the plan an organization uses to decide whether, when, and how to sign on to a voluntary or semi-voluntary general-purpose AI code of practice. It matters because sign-on choices can affect regulatory posture, reputational risk, and the organization’s ability to demonstrate preparedness ahead of binding obligations.
Generative AI Profile
A generative AI profile is a documented risk and control profile that describes how a generative AI system is used, what outputs it produces, and what safeguards apply across its lifecycle. It is significant because it helps organizations classify generative AI use cases, assign controls, and demonstrate governance for transparency, safety, and compliance purposes.
GPAI Provider Obligations
GPAI provider obligations are the duties imposed on providers of general-purpose AI models, including documentation, transparency, copyright-related measures, and cooperation obligations for systemic-risk models. These obligations are significant because they extend regulatory responsibilities beyond deployment into model development and distribution.
H
Healthcare AI
Healthcare AI refers to AI systems used for clinical decision support, diagnosis, triage, treatment recommendation, patient monitoring, or healthcare operations. It is regulated closely because errors, bias, security failures, or poor validation can directly affect patient safety and medical outcomes.
High-Risk Automated Decision System Inventory
A high-risk automated decision system inventory is a maintained record of automated decision systems that have been classified as high-risk based on their purpose, impact, data use, or regulatory context. It matters because it helps organizations identify where heightened controls, assessments, documentation, and oversight are required.
HIPAA AI Risk Analysis Scope
HIPAA AI risk analysis scope is the set of AI systems, workflows, data flows, and supporting assets that must be included in a HIPAA security risk analysis when protected health information is used or exposed. It matters because an incomplete scope can leave material ePHI risks unidentified and put the covered entity or business associate out of compliance.
HR AI Bias Testing and Notice Controls
This refers to testing and communication controls used when AI is deployed in hiring, promotion, performance, scheduling, or other employment decisions. It matters because employment AI can create discrimination risk and may require worker or applicant notice, bias testing, and documented safeguards.
Human Checkpoints
Human checkpoints are predefined points in an AI workflow where a human reviews, approves, overrides, or stops the system’s output or action. They are significant because they help satisfy governance expectations for oversight, reduce automated decision errors, and provide an escalation path for higher-risk outcomes.
I
Incident Escalation Procedures
Incident escalation procedures are documented steps for classifying, routing, and reporting AI-related incidents to the appropriate operational, legal, security, and management stakeholders. They are important because regulators expect organizations to detect, contain, investigate, and communicate significant AI incidents within defined timeframes and governance structures.
Interoperability Controls for AI Deployment Models
Interoperability controls are governance and technical requirements that ensure an AI deployment can exchange data, integrate with adjacent systems, and operate consistently across environments and vendors. They matter because regulators and auditors increasingly expect AI systems to be controllable, traceable, and safely integrated into broader business and security architectures.
ISO/IEC 42001 Accredited Certification Path
The ISO/IEC 42001 accredited certification path is the route an organization follows to obtain certification of its AI management system from an accredited certification body. It matters because accredited certification provides external assurance that the organization’s AI governance, risk controls, and continual improvement processes meet the standard’s requirements.
ISO/IEC 42005 AI System Impact Assessment
ISO/IEC 42005 AI System Impact Assessment is an assessment method for identifying and documenting the potential effects of an AI system on people, organizations, and society across its lifecycle. It is significant because it provides a structured way to support AI risk governance, accountability, and evidence of due diligence.
ISO/IEC 42006:2025
ISO/IEC 42006:2025 is a certification standard that sets requirements for bodies auditing and certifying artificial intelligence management systems. It is significant because it supports independent certification of AI governance programs and creates a more structured assurance market for organizations seeking to demonstrate conformance.
L
Lawful Basis and Transparency Review for AI Processing
A lawful basis and transparency review for AI processing is an assessment of whether personal data used in an AI system has a valid GDPR lawful basis and whether the people affected have been given the required notice. It is significant because AI projects can create privacy and enforcement risk if training, fine-tuning, or inference data is processed without a lawful basis or adequate transparency.
Legitimate Interest Balancing Test
The legitimate interest balancing test is the assessment used to determine whether processing personal data is justified on the basis of a legitimate interest that is not overridden by the individual’s rights and freedoms. In AI compliance, it matters because it is often relied on for model training, monitoring, fraud detection, and other AI processing activities where consent is not the chosen legal basis.
Legitimate Interests Balancing Test
A legitimate interests balancing test is the assessment required under GDPR to determine whether an organization’s legitimate interest in processing personal data is outweighed by the individual’s rights and freedoms. It is significant because legitimate interests is one of the main legal bases used for AI processing where consent or contract is not appropriate, and the balancing test must be documented and defensible.
Litigation Watch Procedures for AI Precedent
Litigation watch procedures for AI precedent are formal processes for tracking court cases, regulatory disputes, and settlement outcomes that may create legal standards or enforcement expectations for AI use. They matter for compliance because they help organizations update controls, disclosures, contracting, and risk assessments in response to emerging precedent.
Live Testing
Live testing is the evaluation of an AI system in a real or production-like environment using actual workflows, users, or data under controlled conditions. It matters in compliance because it helps verify real-world performance, safety, and security before or during deployment, especially for higher-risk systems.
M
Machine-Readable Marking and Labeling
Machine-readable marking and labeling is the practice of embedding labels or identifiers in content so automated systems can detect that it is AI-generated, synthetic, or otherwise specially categorized. It is significant because it supports transparency, traceability, and downstream compliance controls for users, platforms, and regulators.
Model AI Governance Framework for Agentic AI
A model AI governance framework for agentic AI is a structured set of controls for AI systems that can plan, act, and invoke tools or workflows with limited direct human prompting. It is important because agentic systems can create higher operational, security, and accountability risks than static models, so governance must address autonomy, supervision, and escalation.
Model Change Control
Model change control is the process for reviewing, approving, testing, documenting, and deploying changes to an AI model or its surrounding system. It is important because uncontrolled changes can alter performance, risk profile, compliance status, or legal claims about the system.
P
Personal Data in AI Recommendation and Decision Systems
Personal data in AI recommendation and decision systems is any information relating to an identified or identifiable person that is used, inferred, ranked, or acted on by systems that recommend content, products, services, or decisions. It matters because these systems can create privacy, fairness, and explainability risks that trigger data protection and discrimination compliance obligations.
Postmarket Performance Evaluation
Postmarket performance evaluation is the ongoing monitoring and assessment of an AI system’s behavior, outputs, and risk controls after it has been deployed. It is significant because many regulatory frameworks require organizations to detect degradation, bias, safety issues, or cybersecurity problems once the system is in real-world use.
Predetermined Change Control Plan
A predetermined change control plan is a documented plan that describes in advance which future modifications to an AI system are allowed without requiring a full new authorization or re-review. It is significant because regulators may use it to distinguish controlled, pre-approved updates from changes that require fresh compliance assessment.
Predetermined Change Control Plan for ML-Enabled Devices
A predetermined change control plan for ML-enabled devices is a documented plan that specifies which machine-learning changes a medical device manufacturer intends to make after authorization and how those changes will be controlled. It is important because it allows regulators to evaluate certain future updates in advance while still preserving safety, effectiveness, and traceability.
Prohibited-Practice Screening
Prohibited-practice screening is the process of checking an AI use case against legal bans or policy prohibitions before deployment or procurement. It is significant because AI systems used for prohibited practices generally may not be placed on the market or used, so early screening prevents a regulatory breach.
Public Posts Training Lawful Basis Assessment
A Public Posts Training Lawful Basis Assessment is a documented review of whether an organization has a valid legal basis to use publicly available online posts as training data for an AI system. It is significant because training on public content can still trigger obligations under privacy, data protection, and copyright laws, especially in the EU and UK.
Purpose Limitation for AI Development
The principle that AI systems and their training, testing, and deployment activities should be limited to a specified, explicit, and legitimate purpose. It is significant because regulators use purpose limitation to constrain secondary use, data reuse, and scope creep in AI development.
R
Re-identification Attack Testing
Testing designed to determine whether anonymized, pseudonymized, or otherwise de-identified data can be linked back to an individual. It is important because failed de-identification can expose organizations to privacy, security, and regulatory non-compliance risks.
Regulatory Sandbox
A regulatory sandbox is a controlled environment in which organizations can test an AI system, product, or service under regulator oversight and with temporary or tailored compliance conditions. It matters because it lets supervisors assess risks and evidence before wider deployment while still preserving core legal protections.
S
Safety by Design
Safety by design is the practice of building AI systems with risk controls, testing, oversight, and misuse prevention measures embedded from the start rather than added after deployment. In regulatory contexts, it helps demonstrate that an organization has taken proportionate steps to reduce harm, support accountability, and meet expectations for secure and responsible AI governance.
Scientific Panel
A scientific panel is an expert body established to provide technical review, evidence-based advice, or independent assessment on an AI system, dataset, model, or related risk. In the regulatory context, it supports defensible decision-making by documenting how specialized expertise informed compliance, safety, or conformity judgments.
Scientific Research Purpose Processing
Scientific research purpose processing is the processing of personal data for bona fide scientific research activities, including studies designed to generate new knowledge, validate hypotheses, or improve scientific understanding. It is significant because many privacy frameworks provide tailored rules or exemptions for research, but only when the processing is genuinely research-oriented and accompanied by appropriate safeguards.
Secure AI Infrastructure
Secure AI infrastructure is the hardware, software, networks, and operational controls used to develop, deploy, and run AI systems in a way that protects confidentiality, integrity, and availability. It is significant because insecure infrastructure can undermine model integrity, expose sensitive data, and create compliance failures even when the model itself is well governed.
SOA Control Scope Review for AI Controls
A SOA control scope review for AI controls is the process of determining which AI-related security, privacy, governance, and operational controls are included in an organization’s Statement of Applicability or equivalent control inventory. It is significant because it documents which controls are adopted, justified, or excluded, which is central to audit readiness and regulatory evidence under management-system and security frameworks.
Special Controls
Special controls are additional technical or organizational safeguards applied to an AI system beyond standard baseline controls to reduce specific identified risks. They matter in compliance because regulators and assurance frameworks increasingly expect controls to be proportionate to the system’s risk profile and documented in governance evidence.
Standards Incorporation
Standards incorporation is the practice of making external technical standards, codes, or specifications part of a legal, contractual, or regulatory requirement by reference. It matters because it can turn detailed technical guidance into a binding compliance obligation without restating the full standard in the rule text.
Structured Pre-Deployment Testing
A formal testing process performed before an AI system is released into production to verify safety, performance, security, and compliance requirements. It matters because it provides evidence that foreseeable harms and control failures were examined before the system affects users or regulated decisions.
Synthetic Content Provenance and Machine-Readable Labeling Controls
Synthetic content provenance and machine-readable labeling controls are the technical and procedural measures used to identify AI-generated or manipulated content and preserve metadata about its origin. They matter because they support transparency, help downstream systems detect synthetic media, and reduce the risk of deception or misuse.
Synthetic Data Generation
Synthetic data generation is the creation of artificial data that statistically resembles real data without directly exposing the underlying individuals, records, or events. It matters in compliance because it can support privacy-preserving development, testing, and sharing while still requiring controls to avoid reidentification or misleading claims about data quality.
Systemic Risk GPAI Notification
A systemic risk GPAI notification is a formal notice, given by the provider of a general-purpose AI model or otherwise made to regulators about that model, when its capabilities, scale, or deployment profile indicate systemic risk. It is significant because such notifications can trigger enhanced regulatory obligations, oversight, and incident reporting expectations.
Systemic-Risk Taxonomy
A systemic-risk taxonomy is a structured classification system used to identify, group, and describe risks that could produce broad, widespread, or cascading harms from an AI model or system. In regulation, it is important because it helps organizations decide when enhanced controls, testing, monitoring, and governance are required.
T
Technological Displacement Notice
A technological displacement notice is a formal disclosure that an AI system or other technology may replace, reduce, or materially change human roles, tasks, or staffing levels. It is significant because it creates a documented notice obligation for workforce, labor, or public-interest compliance regimes that monitor automation impacts.
Training Data Inventory
A training data inventory is a documented record of the data sources, categories, provenance, and key characteristics used to train or fine-tune an AI system. It is important in compliance because regulators and auditors use it to assess data governance, copyright, privacy, bias, and accountability controls.
Training Data Sourcing Safeguards
Controls and review processes used to ensure training data is collected, licensed, authorized, and screened for legal, privacy, and quality risks before model training. They are important because improper sourcing can create regulatory exposure, intellectual property claims, privacy violations, and model performance defects.
Training Data Transparency Disclosure
Training data transparency disclosure is the provision of meaningful information about the sources, types, and handling of data used to train or fine-tune an AI system. It matters because regulators increasingly require disclosure that enables users, rights holders, and oversight bodies to assess legality, provenance, bias, and copyright-related risk.
Transparency-by-Design
Transparency-by-design is the practice of building AI systems, processes, and documentation so that relevant information about the system, its inputs, outputs, limitations, and use can be understood by affected users and oversight functions. It matters because many AI laws and standards require organizations to provide meaningful information, notices, and records rather than add disclosures after deployment.
Transparent AI Decision-Making
Transparent AI decision-making is the practice of making an AI system's role, logic, inputs, outputs, and limitations understandable to affected users, operators, and regulators. It matters because transparency is a recurring legal and governance expectation in AI, especially where automated decisions affect people or high-risk processes.
U
UK GDPR AI Lawfulness, Fairness, Transparency, Accuracy and Security Review
A UK GDPR review that checks whether an AI processing activity has a lawful basis, is fair and transparent to individuals, and is accurate and secure in operation. It matters because these core data protection principles are baseline obligations for AI processing that can drive enforcement risk if the system is poorly designed or documented.
Utility Infrastructure AI Safety Oversight
Utility infrastructure AI safety oversight is the governance process for monitoring, reviewing, and controlling AI used in critical utility operations such as power, water, or grid management. It is significant because failures in these systems can affect public safety, service continuity, and critical-infrastructure compliance obligations.
Utility Infrastructure Workforce Protection
Utility infrastructure workforce protection is the set of controls used to protect employees and contractors who operate, maintain, or work alongside AI-enabled utility systems. It is significant because AI-related operational changes can introduce new safety, supervision, training, and labor compliance risks in critical infrastructure environments.