AI Governance Glossary
Plain-language definitions of AI governance, data security, and compliance terms for UK business owners.
Definitions sourced from ICO guidance, EU AI Act official text, NCSC guidance, and UK GDPR legislation where applicable.
A
- AI governance: The set of policies, processes, and controls that ensure your organisation uses artificial intelligence safely, legally, and accountably. Covers tool approval, risk assessment, policy enforcement, and review cycles.
- AI risk register: A document listing every AI tool in use, its risk classification, what data it accesses, mitigation controls, and the governance decision (approved, flagged, or blocked). Required for EU AI Act compliance and increasingly expected by cyber insurers.
- Approved tools list: A maintained list of AI tools that have been reviewed and approved for use within your organisation. Tools not on the list are not authorised — this is the foundation of shadow AI governance.
- Automated decision-making (Article 22): Under UK GDPR Article 22, individuals have the right not to be subject to decisions based solely on automated processing that significantly affect them. This applies to AI systems used for hiring, credit decisions, and similar automated assessments.
B
- BYOAI (Bring Your Own AI): When employees use personal AI accounts or tools for work purposes without organisational oversight. A major source of shadow AI risk — the employee is productive, but the organisation has no visibility or control over data exposure.
C
- Credential exposure: When employee email addresses and associated passwords appear in publicly known data breach databases. Checked via services like Have I Been Pwned. Breached credentials that are reused across business accounts create immediate account takeover risk.
D
- DKIM (DomainKeys Identified Mail): An email authentication standard that adds a cryptographic signature to outgoing email, allowing recipients to verify that the message was signed by the sending domain and hasn't been altered in transit. One of three records (alongside SPF and DMARC) that together prevent email spoofing.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): A DNS record that tells receiving mail servers what to do with email that fails SPF or DKIM checks — and sends you reports about who is sending email using your domain. The most important email security record for preventing spoofing attacks.
- Data breach: A security incident where personal data is accessed, disclosed, altered, or destroyed without authorisation. Under UK GDPR, breaches likely to result in risk to individuals must be reported to the ICO within 72 hours.
- Data minimisation: A UK GDPR principle requiring that personal data collected and processed is adequate, relevant, and limited to what is necessary. Relevant to AI because feeding unnecessary personal data into AI tools violates this principle.
E
- EU AI Act: The world's first comprehensive AI regulation, passed by the European Union. Full enforcement begins August 2026. Applies to UK businesses if their AI systems affect EU individuals. Classifies AI into four risk tiers: prohibited, high-risk, limited, and minimal.
- External attack surface: The set of internet-facing assets belonging to your organisation — subdomains, web servers, APIs, and network services. Exposed or misconfigured assets (expired TLS certificates, open admin panels, development servers) create entry points for attackers.
G
- General-purpose AI (GPAI): AI systems trained on broad data that can perform a wide range of tasks — such as ChatGPT, Claude, and Gemini. The EU AI Act has specific provisions for GPAI providers, including transparency requirements and systemic risk obligations for the most powerful models.
- Governance framework: A structured approach to managing AI within an organisation. The three main frameworks for UK businesses are: UK DSIT's five AI principles (voluntary), ISO 42001 (certifiable international standard), and NIST AI RMF (US-origin, widely adopted).
H
- HIBP (Have I Been Pwned): A free service created by security researcher Troy Hunt that aggregates data from publicly known breaches. Allows individuals and organisations to check whether email addresses appear in breach databases. Governably uses HIBP data for credential exposure scanning.
- High-risk AI system: Under the EU AI Act, AI used in critical areas including recruitment, credit scoring, insurance underwriting, educational assessment, and law enforcement. High-risk systems require conformity assessments, human oversight, and detailed technical documentation.
I
- ICO (Information Commissioner's Office): The UK's independent data protection authority. Enforces UK GDPR, investigates complaints, issues fines, and publishes guidance on AI and data protection. Organisations processing personal data must register with the ICO.
- ISO 42001: The international standard for AI Management Systems, published by ISO in 2023. Provides a certifiable framework for establishing, implementing, and improving AI governance. Suitable for larger organisations or those in regulated sectors needing formal certification.
N
- NIST AI RMF: The AI Risk Management Framework published by the US National Institute of Standards and Technology. A voluntary, risk-focused framework widely adopted internationally. Structured around four functions: Govern, Map, Measure, Manage.
O
- OAuth: An open standard for access delegation. When an employee clicks 'Sign in with Google' on an AI tool, OAuth grants that tool permission to access specific Google Workspace data (email, Drive files, calendar). OAuth audits reveal which third-party apps have access to your cloud data.
P
- Personal data: Under UK GDPR, any information relating to an identified or identifiable living individual. Includes names, email addresses, IP addresses, employee IDs, and any data that could identify someone directly or in combination with other data.
R
- Risk classification: The process of categorising AI tools by their potential impact. The EU AI Act defines four levels: unacceptable (banned), high-risk (regulated), limited risk (transparency required), and minimal risk (no specific obligations). Most UK SME AI tools are minimal risk.
S
- Shadow AI: The use of AI tools by employees without their organisation's knowledge, approval, or oversight. Includes personal ChatGPT accounts, AI browser extensions, and AI features auto-enabled in existing SaaS tools. Creates data leakage, regulatory, and security risks.
- Shadow IT: Any technology — hardware, software, or services — used by employees without the knowledge or approval of the IT department. Shadow AI is a subset of shadow IT, but with broader data access implications due to OAuth grants and data training practices.
- SPF (Sender Policy Framework): A DNS record that lists which mail servers are authorised to send email on behalf of your domain. Receiving mail servers check SPF to detect forged sender addresses. One of three email authentication records alongside DKIM and DMARC.
- Subscription tier: In Governably, the four pricing levels that determine feature access: Free (exposure scanning), Starter (remediation plans), Growth (AI governance + policies + reports), and Scale (multi-tenant + custom integrations).
T
- Topical authority: A content strategy concept where a website demonstrates expertise on a topic by publishing a comprehensive cluster of interlinked content. AI assistants are more likely to cite sources that demonstrate topical authority through depth and breadth of coverage.
U
- UK GDPR: The UK's post-Brexit data protection law, retained from the EU GDPR. Governs how personal data is collected, processed, and stored. Relevant to AI governance because AI tools that process personal data must comply with UK GDPR principles including lawful basis, data minimisation, and accountability.
Z
- Zero-trust security: A security model that assumes no user, device, or network should be trusted by default — every access request must be verified. Relevant to AI governance because it means AI tools should not receive broad data access by default; each OAuth scope should be explicitly justified.