Glossary

AI governance, in plain language

Definitions of the terms that show up when boards, auditors, customers, and CFOs start asking about AI. Use them in your own policy and reports: that's the point.

Glossary / Index

Agent (AI)

Also: AI agent · Autonomous agent · Agent actor

An agent is the autonomous AI actor: a workflow or service that runs unattended, spends, and acts without a person in the loop on every request. Gartner projects Fortune 500 companies will run 150,000+ agents by 2028 while only 13% of organizations feel adequately governed, which is why Tallin gives every agent the same owner, approved model scope, budget, policy, and off switch it gives a human.

See also: AI actor · Kill switch · Shadow mode · Gateway enforcement

AI actor

Also: AI identity · AI consumer

An AI actor is the human, app, or agent using AI through Tallin. Tallin treats every actor as a first-class identity with an owner, an approved model scope, a budget, a policy, an audit trail, and a model-access kill switch, so each request that flows through the gateway can be attributed, governed, and proved.

See also: Agent (AI) · Kill switch · AI ledger · Enforced

AI exposure assessment

Also: AI risk assessment

An AI exposure assessment is a 90-day inventory of where employee AI activity intersects with confidential data, sanctioned providers, and the rules your company has already written. It produces a benchmarked baseline that finance, security, and legal can defend together rather than three contradictory spreadsheets.

See also: AI ledger · Honest coverage · Shadow AI

AI governance program
An AI governance program is the operating function that combines an AI policy, the runtime controls to enforce it on every actor, and the evidence pack to demonstrate it to auditors, boards, and customers. Mid-market companies typically reach a defensible program in 90 days by sequencing telemetry, identity, and policy enforcement work.

See also: AI policy · AI actor · Board pack

AI ledger

Also: AI usage ledger · AI spend ledger

An AI ledger is the per-tenant record of every AI request routed through Tallin: provider, AI actor, team, model, tokens, cost, timestamp, signal source, and coverage state in one queryable view. It is the audit trail that proves what each actor did, so the same data answers board, budget, and policy-enforcement questions without contradiction.

See also: AI actor · Honest coverage · Observed · Inferred

AI policy
An AI policy is the written rule set that names which AI models and tools each actor may use, for what data classes, under what budget, and with what controls. A policy without enforcement is paperwork. Tallin turns it into runtime behavior by applying it in the request path and recording the evidence that the rule was actually enforced, not just written.

See also: AI actor · Enforced · Gateway enforcement · AI governance program

Board pack

Also: AI board report

A board pack is the one-click export that summarizes a company's AI governance posture for executive readers: total spend, coverage score, per-actor policy and enforcement state, and named gaps. Tallin's board pack pairs the live ledger with an opt-in AI-drafted executive overview that the admin approves before export, so control claims are backed by evidence.

See also: AI actor · AI ledger · DDQ · Honest coverage

Coverage score
A coverage score is the percentage of a company's AI activity that's backed by observed signals (direct telemetry or authoritative billing) rather than inferred or uncovered. A coverage score below 70% means more than a third of the AI picture rests on estimates, important context for any board claim.

See also: Observed · Inferred · Not covered

DDQ

Also: Due diligence questionnaire · customer DDQ

A DDQ (due diligence questionnaire) is the standardized request enterprise customers and sponsor banks send to vendors asking how they use AI, what data they share, and what controls they have. Modern DDQs increasingly include an AI section that vendors fail because they can't produce a usage ledger.

See also: Board pack · AI policy · Honest coverage

Enforced
Enforced is the coverage state for AI usage paths that are governed by a real control: gateway routing, per-actor budget caps and model scopes, a kill switch, access restriction, SSO, CASB rules, or provider admin policy. Enforced is the strongest claim in the honest-coverage taxonomy because the company can prove the rule was applied, not just that the usage existed.

See also: Honest coverage · Observed · Gateway enforcement · Kill switch

EU AI Act
The EU AI Act is a 2024 regulation phasing into effect through 2026 that requires companies operating in the EU to inventory AI systems, classify them by risk, and demonstrate appropriate governance for higher-risk uses. For mid-market SaaS companies, the relevant articles typically map to general-purpose AI deployment, transparency, and the documentation requirements that operationalize them.

See also: NIST AI RMF · ISO 42001 · AI governance program

Gateway enforcement
Gateway enforcement is the policy-application step that runs at request time when an AI actor's traffic flows through a routed gateway. Per-actor budget caps, model-tier and provider allow-lists, rate limits, and the kill switch are checked at the gateway, applied while the request is happening and producing audit-grade evidence that a policy was actually enforced, not just written.

See also: Enforced · AI actor · Kill switch · Shadow mode · AI policy

Honest coverage
Honest coverage is Tallin's product discipline that separates AI usage into four labeled states (observed, inferred, enforced, and not covered) instead of collapsing everything into a single misleading total. A board claim of 100% AI visibility that can't separate measured signals from estimates is exactly the gap auditors are now trained to look for.

See also: Observed · Inferred · Enforced · Not covered

Inferred
Inferred is the coverage state for likely AI usage based on secondary signals (Okta SSO logs, credit-card expenses, network logs, manual CSV imports) rather than direct provider telemetry. Inferred signals are weaker than observed but stronger than nothing; the honest-coverage taxonomy keeps them labeled rather than hidden inside a total.

See also: Honest coverage · Observed · Shadow AI

ISO 42001
ISO 42001 is the international management-system standard for AI, published in late 2023, that gives companies a certifiable framework for AI governance program design and evidence. Certification is rare in mid-market today but increasingly cited in enterprise customer DDQs and bank-partner questionnaires.

See also: NIST AI RMF · EU AI Act · AI governance program

Kill switch

Also: Model-access kill switch · Disable actor · AI off switch

A kill switch disables an AI actor's Tallin-mediated model access: it stops new requests for every gateway key bound to that actor, in one click, with a record of who disabled it, when, and why. It governs the AI routed through Tallin: it does not stop direct provider calls made outside Tallin, undo actions already taken, or halt tool / MCP execution side effects, which Tallin reports as Not covered rather than silencing.

See also: AI actor · Agent (AI) · Enforced · Not covered

NIST AI RMF

Also: NIST AI Risk Management Framework

The NIST AI Risk Management Framework is a voluntary US-government framework published in January 2023 that organizes AI risk-management activities into Govern, Map, Measure, and Manage functions. Many US mid-market AI policies cite NIST AI RMF as their foundation; auditors increasingly expect the cited framework to map to actual practice.

See also: EU AI Act · ISO 42001 · AI policy

Not covered
Not covered is the coverage state for AI activity Tallin can't measure or govern: direct provider calls made outside Tallin, tool / MCP execution side effects, off-network personal-device usage, unmanaged personal accounts, and providers without telemetry hooks. Tallin governs the AI traffic routed through it, not what happens outside it; naming these gaps explicitly is what makes a coverage claim defensible, and pretending they're zero is what makes a board pack fail an audit.

See also: Honest coverage · Shadow AI · Coverage score · Kill switch

Observed
Observed is the coverage state for AI usage captured through direct telemetry: gateway events, provider usage APIs, admin APIs, or authoritative billing sources. Observed signals are the strongest evidence a company can present because they're traceable to a specific provider record, not inferred from secondary data.

See also: Honest coverage · Inferred · AI ledger

Shadow AI

Also: Shadow AI usage · Unsanctioned AI

Shadow AI is the AI activity happening inside a company without IT or security visibility: personal ChatGPT accounts, embedded AI features in approved SaaS, AI subscriptions on personal cards. Shadow AI is the gap a credible AI governance program names and shrinks, not one it claims to have already eliminated. (Not to be confused with shadow mode, a Tallin policy-simulation setting.)

See also: Not covered · AI exposure assessment · Inferred · Shadow mode

Shadow mode

Also: Policy simulation · Dry-run policy · Would-block mode

Shadow mode is the Tallin setting that evaluates a policy against an AI actor's real traffic and records what would have been blocked, without blocking the request. Turn it on for a new agent to see what it would have violated before enforcement is live, then switch to enforcement mode once the rules are right, so a control is never flipped on blind.

See also: AI actor · Agent (AI) · Enforced · Gateway enforcement

SOC 2 AI controls
SOC 2 AI controls are the emerging set of control criteria SOC 2 auditors are using to evaluate how AI tools handle confidential data, even when the SOC 2 framework itself doesn't yet formally require it. Auditors typically probe whether the AI policy is enforced, whether usage is logged, and whether data classes have been classified for AI exposure.

See also: DDQ · AI policy · Honest coverage

Want these terms backed by real evidence?

Tallin turns the definitions on this page into measurable signals: observed, inferred, enforced, not covered, across your company's actual AI usage.