Action
A request that can create an effect outside the model, such as reading a record, changing code, sending a message, issuing a refund, or calling an API.
Plain-language reference
Shared definitions for security, engineering, governance, procurement, and leadership teams discussing AI agents that can reach data or take action.
This glossary is educational. It does not define a legal standard, certification requirement, product commitment, or complete security architecture.
Core terms
A request that can create an effect outside the model, such as reading a record, changing code, sending a message, issuing a refund, or calling an API.
Rules evaluated outside the model that determine whether a specific action is allowed, denied, changed, limited, or sent for human approval.
A stable identifier for the software agent that is distinct from the model, application, human user, service account, and workflow that initiated it.
The named business and technical people accountable for the agent’s purpose, access, changes, risk decisions, and shutdown authority.
A map connecting in-scope agents to owners, identities, credentials, tools, MCP servers, data, approvals, downstream systems, and possible business effects.
Software that uses one or more models to pursue a task and can retrieve context, choose steps, call tools, or act in another system.
Records that support a review of how a control is designed and operated. Evidence may support an audit or customer review but is not itself a certification.
An action whose failure or misuse could materially affect customers, money, code, regulated data, operations, legal rights, safety, or public trust.
The ability to stop or restrict the smallest affected agent, credential, tool, server, tenant, destination, workflow, or action class while preserving evidence.
A condition in which one customer’s identity, prompts, memory, data, tools, actions, or evidence can reach another customer’s boundary.
Permission granted to an agent for a defined task, including the allowed action, target, data, value, destination, time window, and responsible principal.
A limited, written engagement used to validate a developing capability against a specific workflow. It is not the same as general product availability.
A structured record that links identity, request, data, tool use, policy decision, approval, execution result, and related context for later review.
An accountable decision by an authorized person before a sensitive or high-impact action proceeds. The approver must receive enough context to make a real decision.
Providing only the access needed for the current task, for the shortest practical time, instead of broad inherited user or service-account permissions.
A protocol for connecting AI applications to tools and data sources. Using MCP does not remove the need for identity, authorization, validation, isolation, egress controls, and evidence.
An enforcement point between an agent and a tool or business system that evaluates action context before execution.
Instructions from untrusted content that attempt to change model behavior, reveal information, or influence tool use outside the intended task.
A restricted operating state, such as read-only, approval-required, or deny-by-default, used to reduce impact while a problem is investigated.
AI tools, agents, models, or integrations used without the organization’s normal visibility, ownership, procurement, security, or governance process.
A structured request from an agent to an external capability, such as a database query, API operation, file action, code execution, or message send.
Malicious or misleading instructions placed in tool metadata, descriptions, schemas, responses, dependencies, or server behavior to influence an agent.
A point where identity, data, code, authority, or control moves between systems or parties and therefore requires explicit validation and policy.
A design goal in which policy and evidence can remain consistent across model providers, agent frameworks, clouds, identity systems, tools, and business applications.
Begin with one high-impact workflow. Identify the agent, owner, initiating principal, delegated authority, tools, data, approval thresholds, evidence, and containment path. The AI Agent Exposure Checklist turns these definitions into review questions.