Exposure reviews available · Fugitive Control in founding development See scope and availability

Plain-language reference

AI Agent Security Glossary

Shared definitions for security, engineering, governance, procurement, and leadership teams discussing AI agents that can reach data or take action.

Published July 17, 2026 · plain-language reference
Open the checklist
This glossary is educational. It does not define a legal standard, certification requirement, product commitment, or complete security architecture.

Core terms

Shared language for action-level AI security.

A

Action

A request that can create an effect outside the model, such as reading a record, changing code, sending a message, issuing a refund, or calling an API.

A

Action policy

Rules evaluated outside the model that determine whether a specific action is allowed, denied, changed, limited, or sent for human approval.

A

Agent identity

A stable identifier for the software agent that is distinct from the model, application, human user, service account, and workflow that initiated it.

A

Agent owner

The named business and technical people accountable for the agent’s purpose, access, changes, risk decisions, and shutdown authority.

A

AI Action Graph

A map connecting in-scope agents to owners, identities, credentials, tools, MCP servers, data, approvals, downstream systems, and possible business effects.

A

AI agent

Software that uses one or more models to pursue a task and can retrieve context, choose steps, call tools, or act in another system.

A

Assurance evidence

Records that support a review of how a control is designed and operated. Evidence may support an audit or customer review but is not itself a certification.

C

Consequential action

An action whose failure or misuse could materially affect customers, money, code, regulated data, operations, legal rights, safety, or public trust.

C

Containment

The ability to stop or restrict the smallest affected agent, credential, tool, server, tenant, destination, workflow, or action class while preserving evidence.

C

Cross-tenant access

A condition in which one customer’s identity, prompts, memory, data, tools, actions, or evidence can reach another customer’s boundary.

D

Delegated authority

Permission granted to an agent for a defined task, including the allowed action, target, data, value, destination, time window, and responsible principal.

D

Design-partner pilot

A limited, written engagement used to validate a developing capability against a specific workflow. It is not the same as general product availability.

E

Evidence ledger

A structured record that links identity, request, data, tool use, policy decision, approval, execution result, and related context for later review.

H

Human approval

An accountable decision by an authorized person before a sensitive or high-impact action proceeds. The approver must receive enough context to make a real decision.

L

Least privilege

Providing only the access needed for the current task, for the shortest practical time, instead of broad inherited user or service-account permissions.

M

Model Context Protocol (MCP)

A protocol for connecting AI applications to tools and data sources. Using MCP does not remove the need for identity, authorization, validation, isolation, egress controls, and evidence.

P

Policy gateway

An enforcement point between an agent and a tool or business system that evaluates action context before execution.

P

Prompt injection

Instructions from untrusted content that attempt to change model behavior, reveal information, or influence tool use outside the intended task.

S

Safe mode

A restricted operating state, such as read-only, approval-required, or deny-by-default, used to reduce impact while a problem is investigated.

S

Shadow AI

AI tools, agents, models, or integrations used without the organization’s normal visibility, ownership, procurement, security, or governance process.

T

Tool call

A structured request from an agent to an external capability, such as a database query, API operation, file action, code execution, or message send.

T

Tool poisoning

Malicious or misleading instructions placed in tool metadata, descriptions, schemas, responses, dependencies, or server behavior to influence an agent.

T

Trust boundary

A point where identity, data, code, authority, or control moves between systems or parties and therefore requires explicit validation and policy.

V

Vendor-neutral

A design goal in which policy and evidence can remain consistent across model providers, agent frameworks, clouds, identity systems, tools, and business applications.

Use the glossary in a working session

Begin with one high-impact workflow. Identify the agent, owner, initiating principal, delegated authority, tools, data, approval thresholds, evidence, and containment path. The AI Agent Exposure Checklist turns these definitions into review questions.