Core AI governance terms

AI governance

AI governance is the discipline of directing and controlling how an organisation builds, buys, and runs AI so it stays safe, lawful, and accountable. It covers policy, ownership, monitoring, and audit evidence across the whole life of a system, not a single sign-off. It is the broad operating discipline that AI risk management, AI compliance, and AI assurance all serve. See the full explainer on AI governance.

AI assurance

AI assurance is the practice of producing trustworthy, verifiable evidence that an AI system behaves as claimed and meets its obligations. Where governance sets the rules, assurance proves they are being met, with testing, live enforcement, and audit-ready records. It is the new category Disseqt occupies, distinct from GRC, eval tooling, and monitoring alone.

AI compliance

AI compliance is meeting the specific external rules that apply to an AI system, such as the EU AI Act, FCA expectations, SEC rules, or ISO/IEC 42001. It is narrower than governance: governance is how you run AI well, while compliance is clearing the defined bar a regulator or standard sets. Read more on AI compliance and how it differs in AI governance vs AI compliance.

AI risk management

AI risk management is the discipline of identifying, measuring, and controlling the ways an AI system can fail or cause harm, across its entire life in production. The common categories are safety, bias, security, drift, and compliance. It is the technical core of governance: governance decides what good looks like, and risk management stops what can go wrong. See AI risk management.

AI governance framework

An AI governance framework is the structured set of policies, roles, processes, and controls an organisation uses to govern AI consistently. A workable framework operates across four dimensions: inventory (what AI you run), policy (the rules it must follow), monitoring (whether it follows them live), and audit (the evidence to prove it). See the AI governance framework explainer.

Responsible AI

Responsible AI is the set of principles an organisation commits to so its AI is fair, transparent, safe, and accountable. It is the why and the values. Governance is the how: the operating system that turns those principles into enforced controls and evidence. Principles without governance is PowerPoint Governance. Compare the two in AI governance vs responsible AI.

Continuous AI governance

Continuous AI governance is governing AI as an always-on process rather than a point-in-time review. It exists because AI systems change between sign-offs: models drift, agents act on inputs no one tested, and new attack techniques ship daily. A quarterly document cannot reflect today's behaviour, so testing, enforcement, and evidence run continuously. See continuous AI governance.

AI systems and risk terms

Agentic AI

Agentic AI describes AI systems that plan, decide, and act on their own across multiple steps, often calling tools, moving data, or triggering actions without a human in the loop on each one. It raises the governance bar because the unit of risk is no longer a single output but an autonomous decision that has consequences. Governing it is covered in AI agent governance.

Model drift

Model drift is the gradual degradation of an AI system's behaviour over time as real-world inputs diverge from what the model was built and tested on. A system that passed every check at launch can produce unsafe, biased, or off-topic output months later without any code change. Drift is the reason point-in-time approval is not enough and why live monitoring matters.

Topic-adherence drift

Topic-adherence drift is a specific kind of drift where a conversational AI strays from its intended subject or scope, answering questions it was never meant to handle. In a regulated setting, an assistant that wanders off-topic into advice it is not authorised to give is a compliance event, not a quirk. It is detected by scoring live conversations against the system's intended scope.

High-risk AI system

A high-risk AI system is a category defined by the EU AI Act for AI used in sensitive areas such as credit, employment, essential services, and safety components. High-risk systems carry the heaviest obligations: a risk management system across the lifecycle, detailed record-keeping, human oversight, and documented evidence. The classification decides how much governance a system legally needs. See the EU AI Act guide.

Prompt injection

Prompt injection is an attack that smuggles malicious instructions into the text an AI system reads, tricking it into ignoring its rules, leaking data, or taking an action it should refuse. It is one of the most common ways agentic systems are manipulated, because an agent that reads untrusted content can be steered by it. It is defended on the prompt path with input validators and runtime checks.

Testing and detection terms

AI red teaming

AI red teaming is the practice of deliberately attacking an AI system before release to find the ways it can be broken, jailbroken, or manipulated. It probes for unsafe output, data leakage, and prompt injection using known and novel techniques. The principle behind it is simple: find it in private, before someone finds it in public. It maps to the Test and Detect work in Test and Detect.

Jailbreak

A jailbreak is an input crafted to make an AI system bypass its safety rules and produce output it was built to refuse. Jailbreaks range from single-turn tricks to multi-turn conversations that slowly erode the guardrails. Testing against a broad, current library of jailbreak techniques is core to pre-deployment assurance.

Validator

A validator is a check that scores a piece of AI input or output against a specific failure mode, such as toxicity, bias, data leakage, or off-topic drift. Validators can run before deployment in testing and inline in production. Disseqt uses ML-based validators rather than LLM-as-judge, which is what makes continuous, large-scale validation viable. The testing layer is described in Test and Detect.

LLM-as-judge

LLM-as-judge is the practice of using a large language model to score or grade the output of another AI system. It is flexible but slow, costly, and energy-hungry at scale, and it inherits the same unreliability it is meant to catch. ML-based validators are the alternative: faster, cheaper, and lighter, with sub-50ms inline latency, around 99 percent less water, and around 98 percent less CO2 per validation.

Live Vulnerability Database

A live vulnerability database is a continuously updated record of known AI attack techniques and failure modes that feeds directly into testing. Because new vulnerabilities ship daily, a static test suite goes stale fast. A live feed keeps red teaming current with the threats that exist today, not last quarter.

Protection and enforcement terms

Runtime guardrails

Runtime guardrails are controls that check an AI system's input and output in real time and block, redact, or flag anything that breaks policy before it reaches a user. They are how a governance policy becomes an enforced rule rather than a stated intention. Guardrails are the heart of the Protect and Enforce layer in Protect and Enforce.

Policy enforcement

Policy enforcement is applying an organisation's AI rules automatically at the moment a system acts, so a decision that breaks policy is stopped rather than reviewed after the fact. For agentic AI, enforcement happens on every agent decision, not just on final output. It is the difference between a policy that lives in the system and one that lives in a slide deck.

Agentic observability

Agentic observability is the ability to see, record, and explain what an autonomous AI agent did at each step: what it read, what it decided, and what it acted on. It extends traditional observability from outputs to decisions, which is what governing agents requires. Without it, an agent can look governed while doing something else, which is Agentic Theatre.

Explainability

Explainability is the ability to give a clear, human-readable reason for why an AI system produced a given output or why a control blocked an action. In regulated settings it is not optional: a supervisor expects to know why a customer was denied or an output was stopped. Explainability turns a blocked action into defensible evidence.

Compliance and standards terms

Audit-ready evidence

Audit-ready evidence is a tamper-evident, time-stamped record of what an AI system did and what controls acted on it, structured so an auditor or regulator can accept it without rework. It is the output that proves governance happened. Producing it is the job of the Prove and Comply layer in Prove and Comply.

EU AI Act

The EU AI Act is the European Union's law governing AI by risk tier, with the heaviest obligations on high-risk systems. It requires a risk management system across the lifecycle (Article 9) and traceable record-keeping (Article 72), among other duties. It expects an operated system, not a written policy. See the EU AI Act guide.

ISO/IEC 42001

ISO/IEC 42001 is the international management-system standard for AI. It sets out how an organisation establishes, runs, and continually improves an AI management system, much as ISO 27001 does for information security. Certification signals that AI governance is operated and audited, not just declared. See the ISO 42001 explainer.

NIST AI RMF

The NIST AI Risk Management Framework is a voluntary US framework that organises AI risk work into four functions: govern, map, measure, and manage. It has become the common language US enterprises and auditors use to structure AI risk programmes. See the NIST AI RMF explainer.

GRC

GRC stands for governance, risk, and compliance: the established discipline and tooling enterprises use to manage organisational risk and regulatory obligations. Legacy GRC platforms were built for documents and workflows, not for the real-time behaviour of AI systems, which is why AI assurance is a distinct layer. Compare them in AI governance vs GRC.

Observability

Observability is the ability to monitor an AI system's behaviour and performance in production through logs, metrics, and traces. It tells you what happened. It does not, on its own, enforce policy or produce audit evidence, which is where assurance goes further. The boundary is explained in AI governance vs observability.

Disseqt vocabulary

The AI Assurance Layer

The AI Assurance Layer is the distinct layer where enterprise AI is tested, protected, and proven, sitting between the application layer and the enterprise governance function. It is not a feature of GRC or observability but a layer in its own right, because governing live AI behaviour needs controls neither was built to provide. It is the brand-defining idea behind Disseqt. See the Assurance Layer.

The AI Assurance Lifecycle

The AI Assurance Lifecycle is the connected flow of three stages that govern an AI system across its life: Test and Detect, Protect and Enforce, and Prove and Comply. Each stage hands off to the next, so a vulnerability found in testing becomes a guardrail in production and a record in the audit trail. It is why a lifecycle, not a set of point tools, is what enterprise AI needs. See the AI Assurance Lifecycle.

Agentic Theatre

Agentic Theatre is an AI agent that looks governed while doing something else: it has the dashboards, the policy document, and the demo, but no enforcement on its actual decisions. It is the performance of control without the control. The cure is enforcement on every agent decision plus the agentic observability to prove it.

PowerPoint Governance

PowerPoint Governance is AI governance that lives in a slide deck rather than in the system: a policy that has been written, presented, and approved but never enforced on a single live output. It passes the board meeting and fails the audit. Real governance is operated in the platform, where every rule is enforced and every action is recorded.

How these terms fit together

The terms in this glossary describe one stack, not a list of options. Responsible AI sets the principles. AI governance turns them into an operating discipline. AI risk management handles the concrete failures, and AI compliance clears the defined external bars.

Underneath, the work happens in three stages. Testing and AI red teaming find problems in private. Runtime guardrails and policy enforcement stop them in production. Audit-ready evidence proves it to a regulator.

Disseqt is the only unified assurance platform covering all of this in one place: testing, monitoring, policy, audit, and compliance. Buyers do not have to choose between observability and governance, or stitch point tools together to cover the gaps.