MENUCLOSE
Glossary
AI governance, in plain language
Definitions of the terms that show up when boards, auditors, customers, and CFOs start asking about AI. Use them in your own policy and reports: that's the point.
Glossary / Index
- Agent (AI)
- An agent is the autonomous AI actor: a workflow or service that runs unattended, spends, and acts without a person in the loop on every request. Gartner projects Fortune 500 companies will run 150,000+ agents by 2028 while only 13% of organizations feel adequately governed, which is why Tallin gives every agent the same owner, approved model scope, budget, policy, and off switch it gives a human.
- AI actor
- An AI actor is the human, app, or agent using AI through Tallin. Tallin treats every actor as a first-class identity with an owner, an approved model scope, a budget, a policy, an audit trail, and a model-access kill switch, so each request that flows through the gateway can be attributed, governed, and proved.
- AI exposure assessment
- An AI exposure assessment is a 90-day inventory of where employee AI activity intersects with confidential data, sanctioned providers, and the rules your company has already written. It produces a benchmarked baseline that finance, security, and legal can defend together rather than three contradictory spreadsheets.
- AI governance program
- An AI governance program is the operating function that combines an AI policy, the runtime controls to enforce it on every actor, and the evidence pack to demonstrate it to auditors, boards, and customers. Mid-market companies typically reach a defensible program in 90 days by sequencing telemetry, identity, and policy enforcement work.
- AI ledger
- An AI ledger is the per-tenant record of every AI request routed through Tallin: provider, AI actor, team, model, tokens, cost, timestamp, signal source, and coverage state in one queryable view. It is the audit trail that proves what each actor did, so the same data answers board, budget, and policy-enforcement questions without contradiction.
- AI policy
- An AI policy is the written rule set that names which AI models and tools each actor may use, for what data classes, under what budget, and with what controls. A policy without enforcement is paperwork. Tallin turns it into runtime behavior by applying it in the request path and recording the evidence that the rule was actually enforced, not just written.
- Board pack
- A board pack is the one-click export that summarizes a company's AI governance posture for executive readers: total spend, coverage score, per-actor policy and enforcement state, and named gaps. Tallin's board pack pairs the live ledger with an opt-in AI-drafted executive overview that the admin approves before export, so control claims are backed by evidence.
- Coverage score
- A coverage score is the percentage of a company's AI activity that's backed by observed signals (direct telemetry or authoritative billing) rather than inferred or uncovered. A coverage score below 70% means more than a third of the AI picture rests on estimates, important context for any board claim.
- DDQ
- A DDQ (due diligence questionnaire) is the standardized request enterprise customers and sponsor banks send to vendors asking how they use AI, what data they share, and what controls they have. Modern DDQs increasingly include an AI section that vendors fail because they can't produce a usage ledger.
- Enforced
- Enforced is the coverage state for AI usage paths that are governed by a real control: gateway routing, per-actor budget caps and model scopes, a kill switch, access restriction, SSO, CASB rules, or provider admin policy. Enforced is the strongest claim in the honest-coverage taxonomy because the company can prove the rule was applied, not just that the usage existed.
- EU AI Act
- The EU AI Act is a 2024 regulation phasing into effect through 2026 that requires companies operating in the EU to inventory AI systems, classify them by risk, and demonstrate appropriate governance for higher-risk uses. For mid-market SaaS companies, the relevant articles typically map to general-purpose AI deployment, transparency, and the documentation requirements that operationalize them.
- Gateway enforcement
- Gateway enforcement is the policy-application step that runs at request time when an AI actor's traffic flows through a routed gateway. Per-actor budget caps, model-tier and provider allow-lists, rate limits, and the kill switch are checked at the gateway, applied while the request is happening and producing audit-grade evidence that a policy was actually enforced, not just written.
- Honest coverage
- Honest coverage is Tallin's product discipline that separates AI usage into four labeled states (observed, inferred, enforced, and not covered) instead of collapsing everything into a single misleading total. A board claim of 100% AI visibility that can't separate measured signals from estimates is exactly the gap auditors are now trained to look for.
- Inferred
- Inferred is the coverage state for likely AI usage based on secondary signals (Okta SSO logs, credit-card expenses, network logs, manual CSV imports) rather than direct provider telemetry. Inferred signals are weaker than observed but stronger than nothing; the honest-coverage taxonomy keeps them labeled rather than hidden inside a total.
- ISO 42001
- ISO 42001 is the international management-system standard for AI, published in late 2023, that gives companies a certifiable framework for AI governance program design and evidence. Certification is rare in mid-market today but increasingly cited in enterprise customer DDQs and bank-partner questionnaires.
- Kill switch
- A kill switch disables an AI actor's Tallin-mediated model access: it stops new requests for every gateway key bound to that actor, in one click, with a record of who disabled it, when, and why. It governs the AI routed through Tallin: it does not stop direct provider calls made outside Tallin, undo actions already taken, or halt tool / MCP execution side effects, which Tallin reports as Not covered rather than silencing.
- NIST AI RMF
- The NIST AI Risk Management Framework is a voluntary US-government framework published in January 2023 that organizes AI risk-management activities into Govern, Map, Measure, and Manage functions. Many US mid-market AI policies cite NIST AI RMF as their foundation; auditors increasingly expect the cited framework to map to actual practice.
- Not covered
- Not covered is the coverage state for AI activity Tallin can't measure or govern: direct provider calls made outside Tallin, tool / MCP execution side effects, off-network personal-device usage, unmanaged personal accounts, and providers without telemetry hooks. Tallin governs the AI traffic routed through it, not what happens outside it; naming these gaps explicitly is what makes a coverage claim defensible, and pretending they're zero is what makes a board pack fail an audit.
- Observed
- Observed is the coverage state for AI usage captured through direct telemetry: gateway events, provider usage APIs, admin APIs, or authoritative billing sources. Observed signals are the strongest evidence a company can present because they're traceable to a specific provider record, not inferred from secondary data.
- Shadow AI
- Shadow AI is the AI activity happening inside a company without IT or security visibility: personal ChatGPT accounts, embedded AI features in approved SaaS, AI subscriptions on personal cards. Shadow AI is the gap a credible AI governance program names and shrinks, not one it claims to have already eliminated. (Not to be confused with shadow mode, a Tallin policy-simulation setting.)
- Shadow mode
- Shadow mode is the Tallin setting that evaluates a policy against an AI actor's real traffic and records what would have been blocked, without blocking the request. Turn it on for a new agent to see what it would have violated before enforcement is live, then switch to enforcement mode once the rules are right, so a control is never flipped on blind.
- SOC 2 AI controls
- SOC 2 AI controls are the emerging set of control criteria SOC 2 auditors are using to evaluate how AI tools handle confidential data, even when the SOC 2 framework itself doesn't yet formally require it. Auditors typically probe whether the AI policy is enforced, whether usage is logged, and whether data classes have been classified for AI exposure.
Also: AI agent · Autonomous agent · Agent actor
See also: AI actor · Kill switch · Shadow mode · Gateway enforcement
Also: AI identity · AI consumer
See also: Agent (AI) · Kill switch · AI ledger · Enforced
Also: AI risk assessment
See also: AI ledger · Honest coverage · Shadow AI
See also: AI policy · AI actor · Board pack
Also: AI usage ledger · AI spend ledger
See also: AI actor · Honest coverage · Observed · Inferred
See also: AI actor · Enforced · Gateway enforcement · AI governance program
Also: AI board report
See also: AI actor · AI ledger · DDQ · Honest coverage
See also: Observed · Inferred · Not covered
Also: Due diligence questionnaire · customer DDQ
See also: Board pack · AI policy · Honest coverage
See also: Honest coverage · Observed · Gateway enforcement · Kill switch
See also: NIST AI RMF · ISO 42001 · AI governance program
See also: Enforced · AI actor · Kill switch · Shadow mode · AI policy
See also: Observed · Inferred · Enforced · Not covered
See also: Honest coverage · Observed · Shadow AI
See also: NIST AI RMF · EU AI Act · AI governance program
Also: Model-access kill switch · Disable actor · AI off switch
See also: AI actor · Agent (AI) · Enforced · Not covered
Also: NIST AI Risk Management Framework
See also: Honest coverage · Shadow AI · Coverage score · Kill switch
See also: Honest coverage · Inferred · AI ledger
Also: Shadow AI usage · Unsanctioned AI
See also: Not covered · AI exposure assessment · Inferred · Shadow mode
Also: Policy simulation · Dry-run policy · Would-block mode
See also: AI actor · Agent (AI) · Enforced · Gateway enforcement
See also: DDQ · AI policy · Honest coverage
Want these terms backed by real evidence?
Tallin turns the definitions on this page into measurable signals: observed, inferred, enforced, not covered, across your company's actual AI usage.