AI security review — the vocabulary.
Definitions for the terminology of structured AI security review. Each term has its own page with a short definition, a longer explanation, and links to the hubs, resources, and blog posts that use it.
AI Security Clearance
A structured decision, supported by evidence, on whether an AI system can reach production and under what controls.
AI Risk Disposition
The structured memo recording the AI Committee's decision about an AI system, the rationale, the required controls, the residual risks accepted, the evidence gaps, and the re-assessment triggers.
Evidence Pack
The structured bundle of artefacts that supports an AI system's security clearance decision — threat model, control plan, evidence gaps, framework mapping, and disposition.
Clearance Decision
The specific outcome of an AI security review: one of proceed, conditional, restricted pilot only, hold, or decline.
Control Gap
An identified, named difference between a required control and the evidence on file — a control that should be in place but is not yet evidenced, implemented, or both.
Delegation Chain
The sequence of authorisations that allows an orchestrator agent to spawn sub-agents and each sub-agent to invoke tools or call other systems.
Agent Blast Radius
The set of resources, actions, and identities that an agent can reach through its tools, delegation chain, and memory — and therefore the maximum possible impact if the agent is compromised.
Vendor AI Assessment
A security review of a third-party AI feature or SaaS AI product, performed without runtime access to the vendor's source — based on documented architecture, declared data flows, and contractual control claims.
AI Go-Live Review
The structured security review that runs before an AI system passes the production-readiness gate — verifying that pre-pilot and pilot controls are in place and that production-readiness controls are operational.
Audit-Ready Dossier
A versioned, sign-off-bearing record of an AI system's security review — exportable for auditor or regulator review, structured so each stakeholder can find their part without reading the whole.