Audit jargon simplified, so you don't have to Google every word

AI Transparency Requirements refer to the set of mandates, ethical principles, and technical standards that compel organizations to disclose information about the design, data sources, and decision-making logic of artificial intelligence systems.

An AI Accountability Framework is the documented, organizational structure of clearly defined roles, responsibilities, processes, and controls that operationalizes the principle of accountability, ensuring that legal, ethical, and operational responsibility for AI systems is assigned, understood, executed, and verifiable at every stage of the lifecycle.

An AI Code of Conduct is a voluntary, principles-based framework (actively promoted under the EU AI Act) through which providers of non-high-risk AI systems can publicly commit to and implement standards for safety, transparency, fairness, and environmental sustainability that exceed the minimum legal requirements.

An AI Ethics Committee (or AI Governance Board) is a senior, cross-functional organizational body mandated to provide strategic oversight, review high-stakes AI projects, resolve ethical dilemmas, and ensure that the development and deployment of AI align with the organization’s ethical principles, legal obligations, and societal commitments.

AI Governance refers to the overarching framework of policies, ethical standards, and operational procedures that an organization uses to ensure its artificial intelligence systems are developed, deployed, and managed responsibly throughout their entire lifecycle.

An AI Impact Assessment (AIIA) is a systematic process designed to identify, evaluate, and mitigate the potential legal, ethical, and societal risks associated with the deployment of an artificial intelligence system before it is put into use.

An AI Impact Audit is an independent, systematic, and evidence-based evaluation of an AI system’s design, development, deployment, or outcomes, conducted to assess its actual or potential effects on individuals, society, and fundamental rights, and to verify its alignment with legal, ethical, and organizational standards.

The AI Lifecycle refers to the iterative, end-to-end process of creating, deploying, and maintaining an artificial intelligence system, from the initial concept and problem definition to its eventual retirement or decommissioning.

An AI Management System (AIMS) is a set of interrelated or interacting elements within an organization to establish policies and objectives and processes to achieve those objectives regarding the responsible development, deployment, or use of artificial intelligence.

AI Red-Teaming is an adversarial testing practice where a dedicated group of ethical hackers and domain experts (the "red team") actively attempts to subvert, trick, or break an AI system to identify vulnerabilities, biases, and safety flaws before deployment.

AI Risk Management is the ongoing process of identifying, assessing, and mitigating the potential adverse impacts of artificial intelligence systems on individuals, organizations, and society.

An AI Risk Profile is a dynamic, consolidated summary document generated through the NIST AI RMF's Map and Measure functions. It provides a holistic view of an organization's exposure to AI-related risks by cataloging identified risks, assessing their likelihood and impact, and documenting the current state of controls and mitigation strategies.

The American Institute of Certified Public Accountants (AICPA) is the national professional organization of Certified Public Accountants in the USA.

Accountability is a foundational legal principle of the EU AI Act that assigns clear, specific responsibilities and liability for the compliance and safe operation of an AI system to defined economic operators in the supply chain, primarily the Provider and the Deployer.

Accountability and Transparency are intrinsically linked Trustworthiness Characteristics in the NIST AI RMF that ensure AI systems are subject to meaningful oversight and scrutiny. Accountability establishes clear ownership and answerability for system outcomes, while Transparency ensures the availability of sufficient information to exercise that accountability effectively.

An Adversarial Example is a specifically crafted input, such as an image, text, or audio clip, containing subtle, often imperceptible perturbations designed to trick a machine learning model into making a confident but incorrect prediction or taking an unintended action.

Adversarial Robustness is a mandatory technical characteristic under the EU AI Act, requiring high-risk AI systems to be designed with an appropriate level of resilience against both unintentional perturbations and deliberate, malicious attempts to manipulate their inputs in order to cause errors, malfunctions, or harmful outputs.

Agentic AI refers to artificial intelligence systems capable of autonomous reasoning, planning, and execution to achieve high-level goals with limited human supervision.

An Algorithmic Impact Assessment (AIA) is a mandatory, ex-ante due diligence process required by the EU AI Act for deployers—particularly public authorities and bodies—to systematically identify, evaluate, and mitigate the potential impacts and risks to fundamental rights before putting a high-risk AI system into operational use.

Annex A is a part of the ISO 27001 security standard. It consists of a list of security controls that organizations can utilize according to their needs to improve the security of their information assets.

An Approved Scanning Vendor (ASV) is a company approved by the PCI DSS to conduct external vulnerability scanning services.

An Artificial Intelligence (AI) System is an engineered system that, for a given set of human-defined objectives, can generate outputs such as content, predictions, recommendations, or decisions influencing real or virtual environments.

The formal validation document known as the Attestation of Compliance is used to show an entity's compliance status to interested outside parties (Banks, Acquirers, customers). A Qualified Security Assessor or an entity officer may approve the AOC (for self-assessment) (for a Report on Compliance).

An Audit Trail for AI Systems is the mandated technical capability under the EU AI Act for high-risk AI systems to automatically, reliably, and securely log a chronological sequence of events documenting the system's operation, inputs, internal processes, outputs, and any human interactions.

The CE Marking for AI is the mandatory legal symbol that must be affixed to a high-risk AI system to attest that it has undergone the required conformity assessment and fully complies with all applicable EU legislation, including the stringent requirements of the EU AI Act.

Cybersecurity Maturity Model Certification (CMMC) is a standard for implementing cybersecurity across the Defense Industrial Base (DIB).

Cloud Security Posture Management (CSPM) refers to a category of automated security tools and strategies designed to identify, assess, and remediate risks associated with misconfigurations and compliance violations within cloud infrastructure.

Cloud Workload Protection Platform (CWPP) refers to a security solution designed to provide unified visibility and control for physical machines, virtual machines (VMs), containers, and serverless workloads across hybrid and multi-cloud environments.

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law regulating how businesses worldwide are allowed to handle California residents' personal information (PI).

Primary Account Number (PAN), the 15 or sometimes 16-digit account number on a credit or branded debit card, is the minimal need for cardholder data. Sensitive Authentication Data (SAD), such as the 3 or 4 digit code printed on a card, magnetic stripe data, PIN, or chip data, may also be included in cardholder data, along with the cardholder's name, expiration date, and/or service code.

The term "cardholder data environment" means any individuals, groups, and systems that handle, transmit, store, or have the potential to handle cardholder data securely.

Change Management (AI) is the formalized, documented process mandated under the EU AI Act's Quality Management System (QMS) requirement, through which providers and deployers of high-risk AI systems control, evaluate, approve, and document all modifications to the system, its data sources, and its operational environment.

By automating the time-consuming manual procedures generally involved in compliance management, compliance automation software keeps track of a company's internal systems and controls to help guarantee it conforms with the necessary standards and regulations.

Compliance risk management describes the process of identifying, assessing, and monitoring the risks to your organization using regulations and industry standards and checks if the system's internal controls are in place to ensure your organization is infosec compliant.

Compliance software monitors an organization’s internal systems and controls, helping ensure it complies with required infosec standards and regulations while saving time and automating the manual tasks typically associated with compliance management.

Conformity Assessment is the formal, evidence-driven procedure mandated by the EU AI Act through which a provider demonstrates that a high-risk AI system complies with all applicable legal requirements before it can be placed on the market or put into service.

Contextualization of AI Risk is the essential activity within the NIST AI RMF's Map function that involves deeply understanding the specific operational, organizational, social, and environmental circumstances in which an AI system is developed and deployed, as these factors fundamentally determine the nature and severity of its potential impacts.

Continuous Improvement, within the context of an AI Management System (AIMS), is the mandated, iterative process under the EU AI Act by which providers of high-risk AI systems must systematically monitor, evaluate, and enhance the effectiveness of their governance processes and the compliance of their AI systems throughout the entire lifecycle.

Continuous Monitoring and Improvement is the overarching, cyclical practice mandated throughout all four functions of the NIST AI RMF, ensuring that AI risk management is not a one-time project but an enduring, adaptive organizational process that evolves with the system, the threat landscape, and the operating environment.

The Cost of Compliance Ownership (CoCO) refers to the total financial and operational investment required for an organization to achieve and sustain adherence to regulatory frameworks, industry standards, and internal governance policies.

Cross-Framework Alignment is the strategic practice of systematically mapping, correlating, and harmonizing the control requirements, processes, and documentation across multiple AI governance frameworks and regulations—such as the EU AI Act, ISO/IEC 42001, and the NIST AI RMF, to create a unified, efficient, and non-redundant compliance program.

Cybersecurity is the practice of protecting data, information, programs, systems, devices, and networks from unauthorized or malicious access and use by external sources on the internet.

Data Governance for AI is the mandatory, systematic framework under the EU AI Act through which providers of high-risk AI systems manage, document, and ensure the quality, relevance, and integrity of all data used throughout the AI system's lifecycle, from initial training and validation through to post-market monitoring.

Under the EU AI Act, a Deployer (previously referred to as the "User" in early drafts) is defined as any natural or legal person, public authority, agency, or other body using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity.

Under the EU AI Act, a Distributor is defined as any natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market.

The EU AI Act is the world's first comprehensive legal framework designed to regulate the development, deployment, and use of artificial intelligence systems within the European Union.

Ethical AI Governance is the establishment of a comprehensive organizational framework, extending beyond strict legal compliance, that integrates ethical principles into the entire AI lifecycle, fostering a culture of responsible innovation and proactive risk stewardship as encouraged by the EU AI Act.

Explainability (XAI, or Explainable Artificial Intelligence) is a mandatory technical requirement under the EU AI Act that obliges providers of high-risk AI systems to design their systems in a way that enables human deployers to understand the rationale behind individual outputs, decisions, or recommendations.

Explainability and Interpretability are critical Trustworthiness Characteristics in the NIST AI RMF that address the comprehensibility of an AI system's internal logic and outputs. They enable users, developers, and affected individuals to understand not just what decision an AI system made, but how and why it arrived at that result.

Fairness and Bias Mitigation constitute a core set of mandatory requirements under the EU AI Act, obliging providers of high-risk systems to proactively address risks of discrimination by employing appropriate data governance and technical measures throughout the system's lifecycle.

Fairness and Bias are central Trustworthiness Characteristics in the NIST AI RMF that address the imperative for AI systems to produce equitable, just outcomes and to avoid creating, perpetuating, or amplifying unjust discrimination against individuals or groups, particularly those defined by protected characteristics.

The "Federal Risk and Authorization Management Program" is known as FedRAMP. Federal agencies in the United States use cloud goods and services, and FedRAMP standardizes security evaluation and authorization.

A Foundation Model (FM) is a large-scale artificial intelligence model trained on a vast amount of data (often using self-supervision at scale) that can be adapted to a wide range of downstream tasks.

GRC is an acronym for governance, risk, and compliance. It refers to the strategy undertaken by a company for managing the overall governance, enterprise risk management, and regulations compliance.

The EU or European Union established the General Data Protection Regulation (GDPR) in 2018 to protect the clients' and customers' personal data. This GDPR came into succession after the digital reform launched in 2012 by the European Union (EU) to create new standards for internet and technology advancements.

Generative AI (GenAI) refers to a subset of artificial intelligence that focuses on creating new, original content, including text, images, audio, video, and computer code, in response to user prompts.

The Govern Function is the foundational, culture-setting component of the NIST AI Risk Management Framework (AI RMF), focused on establishing the organizational policies, structures, and leadership commitment necessary to cultivate a proactive and pervasive culture of AI risk management.

All Covered Entities and Business Associates must comply with HIPAA. If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules.

Acquisition, access, use, or disclosure of protected health information (PHI) is considered a HIPAA breach when the PHI's security or privacy is compromised in a way that is not permitted by HIPAA standards.

A HIPAA business associate is any entity, be that an individual or a company, provided with access to PHI in order to perform services for, or on behalf of, a HIPAA covered entity.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996, its later revisions and additions, and any connected legislation must all be complied with to be considered HIPAA compliant.

Individuals, organisations, and agencies that meet the HIPAA definition of a covered entity must comply with the Rules' requirements to protect the privacy and security of health information, must provide individuals with certain health information rights.

The regulations relating to HIPAA training for employees are deliberately flexible because of the different functions Covered Entities perform, the different roles of employees, and the different level of access each employee has to Protected Health Information (PHI).

An organization's creation, receipt, maintenance, or transmission of any protected health information (PHI) is subject to potential risks and vulnerabilities, which are the focus of a HIPAA risk assessment.

The "Various standards or regulations make up the Health Insurance Portability and Accountability Act (HIPAA), which can be used to monitor compliance. The HITECH Act and the Transactions and Code Set Standards, Identifier Standards, Enforcement Rule, Omnibus Final Rule, and Privacy, Security, and Breach Notification Rules are all parts of the HIPAA Rules.

The HIPAA Compromise Notification Rule mandates that after a breach of unprotected health information, HIPAA-covered entities and their business partners must notify affected individuals (PHI).

The Health Insurance Portability and Accountability Act was first passed in 1996; the HIPAA Enforcement Rule was added in 2006. (HIPAA). HIPAA mandated that the Secretary of the U.S. Department of Health and Human Services (HHS) create rules for the security and privacy of specific health information.

The Department of Health and Human Services (HHS) published the HIPAA Final Omnibus Rule of 2013 to implement the changes mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals' privacy rights to understand and control how their health information is used.

HIPAA mandated that the Secretary of the US Department of Health and Human Services (HHS) created rules for the security and privacy of specific health information.

A variety of fines and other consequences are available for HIPAA violations. HIPAA violations and data breaches can result in extremely expensive financial and other penalties.

The American Recovery and Reinvestment Act of 2009 included the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed to encourage the adoption and effective use of health information technology.

"High-Risk" is the central regulatory category of the EU AI Act. AI systems in this tier are permitted on the European market but are subject to strict mandatory requirements before they can be deployed.

Human Oversight is a mandatory risk mitigation measure under the EU AI Act that requires high-risk AI systems to be designed and deployed with effective technical and organizational measures allowing human individuals to monitor operation, intervene, and, where necessary, override or halt the system.

Human-AI Configuration is the concept within the NIST AI RMF that defines the planned and appropriate roles, responsibilities, and interaction patterns between human actors and an AI system throughout its lifecycle, ensuring that human judgment, oversight, and agency are effectively integrated.

An ISMS governing body is composed of the key management members in any organization and is defined as an organizational governance team that specializes in management oversight.

ISO 27001 is defined as a framework used for managing IT security. It lists the guidelines for an information security management system (ISMS) responsible for keeping the client’s data safe. An organization can be certified for ISO 27001 by an auditor only after the completion of an audit.

An ISO 27001 internal audit includes examining an organization's Information Security Management System (ISMS) prior to pursuing an ISO audit with an external auditor. The internal audit aims to help identify loopholes or shortcomings that could affect an organization's Information Security Management System and hinder its ability to meet the required objectives as per ISO standards.

ISO 27001 key performance indicators (KPIs) are the measures or metrics organizations implement for their Information Security Management System (ISMS).

As the term suggests, the ISO 27001 management review is aimed to ensure that the objectives of the Information Security Management System (ISMS of an organization continue to remain appropriate and operative effectively given the purpose, issues, and potential risks to an organization's information assets.

An ISO 27001 non-conformity is defined as the non-fulfillment of an organization's requirement established by the ISO standard. Both major and minor nonconformities are considered during the company's audit certification process. Under these circumstances, if there is a major non-conformity present, then it means that the company in question cannot get certified for audit and compliance.

Risk Assessment under ISO 27001 aims to help an organization or entity identify, analyze, and evaluate the weaknesses or loopholes present in its information security system (ISMS) and its processes and procedures.

A risk treatment plan is the second step in the overall risk management process and is usually introduced when the company completes the ISO 27001 risk assessment.

The ISO 27001 standard is a set of requirements that are provided to Information Security Management Systems (ISMS) by the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO).

An ISO 27001 Stage 1 Audit is the foremost step in the ISO certification process which has two parts in total. Stage 1 Audit includes an extensive documentation review under which an external ISO 27001 auditor reviews the organization's policies and procedures to ensure that the said organization meets all the requirements imposed by the ISO standard.

Also known as the Certification audit, the ISO 27001 Stage 2 Audit is the second step of the two-step external ISO certification process. It follows after the Stage 1 Audit is successfully completed.

An information technology security policy establishes rules and procedures for the individuals who interact with an organization's IT assets and resources to safeguard information and IT systems from unauthorized access, use, alteration, or destruction.

Under the EU AI Act, an Importer is defined as any natural or legal person located or established within the European Union who places on the market or puts into service an AI system that bears the name or trademark of a natural or legal person established outside the EU.

Incident Management (AI) is the mandatory, systematic process required by the EU AI Act for providers of high-risk AI systems to detect, investigate, mitigate, and report any malfunction, performance deviation, or serious incident that occurs during the system’s operational lifecycle, ensuring a swift response to protect health, safety, and fundamental rights.

An organization's information security is managed systematically via an information security management system (ISMS). The ISMS offers a set of security controls that a business can include in policies, procedures, and other types of papers.

Internal Security Assessor (ISA) is a designation given by the Payment Card Industry Security Standards Council (PCI SSC) to eligible internal security audit professionals working for a qualifying organization to conduct assessments.

"Limited-Risk" is the second regulatory tier of the EU AI Act. Unlike "High-Risk" systems which require conformity assessments and risk management, "Limited-Risk" systems are primarily regulated through transparency obligations to ensure that users are not manipulated or deceived.

The Manage Function is the fourth and final core component of the NIST AI RMF, focused on the tactical execution of risk responses. It involves prioritizing, implementing, documenting, and overseeing the specific actions and controls needed to treat the risks identified and measured in the previous functions.

The Map Function is the second core component of the NIST AI Risk Management Framework (AI RMF), dedicated to the contextual discovery and scoping of AI-related risks by thoroughly examining the specific system, its intended use, and the environment in which it operates.

The Measure Function is the third core component of the NIST AI Risk Management Framework (AI RMF), focused on the quantitative and qualitative assessment of identified AI risks and the performance of the system against the core Trustworthiness Characteristics.

A merchant is described as any entity that accepts payment using payment cards with the logos of any of the five organizations that make up the PCI Security Standards Council - Visa, Mastercard, American Express, Discover, and JCB.

"Minimal-Risk" is the lowest risk category defined by the EU AI Act, encompassing the vast majority of AI systems currently in use. These systems are considered to pose no significant threat to the health, safety, or fundamental rights of citizens.

Model Documentation is the comprehensive and detailed technical record required by the EU AI Act that provides a complete account of a high-risk AI system's design, development, operational parameters, and performance characteristics, serving as the primary evidence for conformity assessment and regulatory oversight.

Model Drift is the phenomenon where the predictive performance and reliability of a deployed AI model degrade over time because the statistical properties of the live, operational data diverge from the properties of the data on which the model was originally trained and validated.

A Notified Body is an independent, third-party organization designated and supervised by a national authority within an EU Member State to conduct the conformity assessment for specific categories of high-risk AI systems as required under the EU AI Act.