AI compliance vocabulary fragments along framework lines — "high-risk" means something specific under EU AI Act Article 6 and something different under NIST RMF, even when the underlying concept overlaps. Mapping terms to articles anchors discussions in source language rather than interpretation.
This reference holds 100 terms across five frameworks: EU AI Act (the primary global precedent), NIST AI Risk Management Framework, ISO/IEC 42001 (the international AI Management System standard), OECD AI Principles, and active US state AI legislation (CA, CO, IL, NY, TX, and three others).
Each entry includes the article or section citation, a plain-language definition, and a worked example showing how legal, compliance, risk, and product teams should apply it. This glossary is built for cross-functional legal-and-engineering reviews where shared terminology is the unblocker.
- 01. Cite article numbers, not concept summaries. Article 14 (human oversight) ends meetings faster than 'we need humans in the loop.' When legal pushes back on agent autonomy, naming the article anchors discussion in source language. Both sides can read the same text and disagree productively.
- 02. EU AI Act risk tiers (unacceptable, high, limited, minimal) drive obligations. Know which tier each system falls into. Most enterprise AI lands in 'limited' or 'minimal' risk. Some lands in 'high risk' (Annex III categories). Misclassifying the tier creates either over- or under-engineered compliance.
- 03. NIST AI RMF organizes around four functions: Govern, Map, Measure, Manage. Use these as the four pillars of any AI risk program. Map → Measure → Manage is the operational cycle; Govern is the structural overlay. Most US-headquartered enterprises use NIST RMF as their primary internal framework.
- 04. ISO 42001 is the certifiable standard. The EU AI Act references ISO; many enterprises pursue 42001 certification as evidence of compliance. ISO 42001 was published in late 2023; major auditors (BSI, DNV, TÜV) certify against it. EU AI Act conformity assessment can leverage 42001 certification.
- 05. US state AI rules diverge significantly. NY, CA, CO have different definitions of 'algorithmic discrimination'. Multi-state operations require state-by-state compliance mapping. Track 9 active states (CA, CO, IL, NY, TX, MA, WA, MN, RI) as of Q2 2026.
01 — Framework 01: EU AI Act terminology.
The first comprehensive AI legislation; entered into force August 2024 with progressive applicability through 2026-2027. Defines obligations by risk tier.
AI system. Article 3(1). A machine-based system designed to operate with autonomy that infers from inputs how to generate outputs. The umbrella term governing the entire Act.
Provider. Article 3(3). The party that develops or has developed an AI system, or that places it on the market. Distinct from deployer.
Deployer. Article 3(4). The party using an AI system under its authority (formerly "user" in the draft Act). Has obligations distinct from provider.
Unacceptable-risk AI. Article 5. AI practices prohibited outright — social scoring, real-time remote biometric ID in public spaces (with exceptions), manipulative AI exploiting vulnerabilities, emotion recognition in workplaces.
High-risk AI. Article 6 + Annex III. AI systems that pose significant risk; trigger the heaviest obligations. Categories: biometric ID, critical infrastructure, education, employment, essential services, law enforcement, migration, justice administration.
Limited-risk AI. Article 50. Systems with specific transparency obligations — chatbots, emotion recognition, biometric categorization, deepfakes. Must disclose AI to users.
Minimal-risk AI. The default category. Voluntary codes of conduct; no specific obligations beyond general law.
GPAI (General-Purpose AI). Articles 51-55. Foundation models with general applicability. Two tiers: standard GPAI and GPAI with systemic risk (training compute ≥10^25 FLOPs).
Conformity assessment. Article 43. The process by which high-risk AI providers demonstrate compliance before market placement. Internal control or third-party assessment depending on the system type.
CE marking. Article 48. The mark applied to high-risk AI systems that have completed conformity assessment. Required for placement on the EU market.
Post-market monitoring. Article 72. Ongoing monitoring obligation for high-risk AI providers after market placement. Includes incident reporting and performance tracking.
Human oversight. Article 14. The requirement that high-risk AI be designed for effective oversight by humans. Maps to operational HITL/HOTL design patterns.
Transparency obligations. Article 50. Disclosure requirements for limited-risk systems and certain GPAI providers.
Code of Practice. Article 56. Voluntary codes for GPAI providers; the Commission may approve codes developed by industry consortia.
AI Office. The European AI Office; central EU body for GPAI oversight and Code-of-Practice approval.
National competent authority. Each member state designates national authorities for market surveillance and enforcement.
Fundamental rights impact assessment. Article 27. Required for some deployers of high-risk AI; assesses impact on fundamental rights before deployment.
| Tier | Basis | Scope | Obligation level |
|---|---|---|---|
| Unacceptable | Article 5 · prohibited | Social scoring, manipulative AI, real-time biometric ID. Banned outright. | Banned |
| High-risk | Article 6 + Annex III | Biometric, critical infra, employment, justice. Heaviest obligations. | Heavy |
| Limited-risk | Article 50 · transparency | Chatbots, deepfakes, emotion recognition. Disclosure to users required. | Medium |
| Minimal-risk | Default category | Most enterprise AI. Voluntary codes; no specific obligations. | Default |

02 — Framework 02: NIST AI RMF terms.
The US National Institute of Standards and Technology AI Risk Management Framework (1.0 published January 2023; 1.0 generative AI profile July 2024). Voluntary; widely adopted in US enterprise.
AI RMF. The framework itself. Built on four functions plus the Core. Voluntary; widely cited in US enterprise risk programs and federal procurement.
Govern function. The structural overlay. Establishes culture, accountability, oversight structures, and integration with broader enterprise risk.
Map function. Identify context and characterize risks. Map application context, AI capabilities, failure modes, and impact pathways.
Measure function. Analyze, assess, and monitor identified risks. Includes evaluation, benchmarking, and ongoing measurement.
Manage function. Treat risks based on measurement. Includes mitigation, response, recovery, and continuous improvement.
AI risk. The composite of likelihood and impact for harms arising from AI systems. Spans privacy, fairness, safety, security, and societal harms.
Trustworthiness characteristics. NIST's seven properties: valid & reliable, safe, secure & resilient, accountable & transparent, explainable & interpretable, privacy-enhanced, fair (with harmful bias managed).
Generative AI Profile. NIST AI 600-1, July 2024. Companion document with GenAI-specific risks and controls. Maps GenAI risks to AI RMF functions.
Risk tolerance. The level of risk an organization is willing to accept. Should be set explicitly by Govern function.
AI use case. The Map-function unit of analysis. Specific application of AI capability to a specific business context with defined inputs and outputs.
Impact assessment. Map function activity. Analyzes impact pathways from system behavior to affected stakeholders.
AI inventory. A registry of AI systems in use across the organization. Govern-function artifact; enables risk-tier-aware oversight.
Bias mitigation. Manage-function activities to reduce harmful bias in AI systems. Includes data curation, model selection, post-processing, and ongoing monitoring.
Red-teaming. NIST RMF's Manage function recommends periodic adversarial testing of AI systems for high-impact deployments.
"NIST AI RMF gives us the structural grammar — Govern, Map, Measure, Manage. EU AI Act gives us the obligation language. Use both."— Internal compliance program retrospective, March 2026
03 — Framework 03: ISO/IEC 42001 vocabulary.
International standard for AI management systems (AIMS), published December 2023. Certifiable; provides evidence of conformity for EU AI Act and other regulatory frameworks.
AIMS (AI Management System). The system of policies, processes, and controls an organization uses to manage AI development and deployment.
ISO/IEC 42001:2023. The standard itself. Specifies requirements for establishing, implementing, maintaining, and continually improving an AIMS.
AIMS objectives. Documented objectives consistent with the organization's policy on AI. Provide measurement reference for AIMS effectiveness.
AI policy. Top-level statement of principles and intent governing AI activities. Approved by top management; communicated across the organization.
AI system lifecycle. The phases an AI system passes through: design, development, deployment, operation, retirement. AIMS controls apply across the lifecycle.
AI impact assessment. Assessment of potential AI impact on individuals, groups, and society before deployment. ISO 42001 Annex C provides a worked framework.
Internal audit. Periodic review of AIMS effectiveness against the standard. Required for certification maintenance.
Management review. Top-management review of AIMS performance. Required at least annually for certified organizations.
Nonconformity. Failure to meet a requirement. AIMS must include processes for identifying, evaluating, and correcting nonconformities.
Corrective action. Action to eliminate the cause of a nonconformity. Distinct from correction (which fixes the immediate issue).
Annex A controls. The reference set of AI-specific controls in ISO 42001 Annex A. Organizations adapt this to their context (similar to ISO 27001 Annex A for information security).
Annex B implementation guidance. Non-normative guidance on implementing Annex A controls. Useful starting point for organizations new to AIMS.
04 — Framework 04: OECD & global principles.
The OECD AI Principles (2019, updated 2024) anchor most international AI policy. Adopted by 47+ countries; influence EU, US, and UK frameworks.
OECD AI Principles. Five values-based principles: inclusive growth, human-centered values, transparency, robustness, accountability. Plus five recommendations to governments.
Inclusive growth. The first OECD principle. AI should benefit people and the planet by driving inclusive growth, sustainable development, and well-being.
Human-centered values. Second OECD principle. AI systems should respect rule of law, human rights, democratic values, and diversity.
Transparency and explainability. Third OECD principle. AI actors should commit to transparency and responsible disclosure regarding AI systems.
Robustness, security, safety. Fourth OECD principle. AI systems must function appropriately and not pose unreasonable risk.
Accountability. Fifth OECD principle. AI actors should be accountable for proper functioning of AI systems.
UK AI Safety Institute. The UK's government-backed AI evaluation body. Conducts safety evaluations on frontier models pre-deployment.
UK AI Bill. The UK's pro-innovation principles-based framework. Sector-led rather than comprehensive.
G7 Hiroshima Process Code of Conduct. 2023 G7 voluntary code for organizations developing advanced AI.
Bletchley Declaration. 2023 multilateral declaration on AI safety; foundation for subsequent AI Safety Summits.
Council of Europe AI Convention. Framework convention on AI and human rights, signed 2024.
UN Advisory Body on AI. UN Secretary-General's advisory body on AI governance.
05 — Framework 05: US state AI rules.
Without comprehensive federal AI legislation, US states have led. Track these nine actively as of Q2 2026.
Colorado AI Act (SB 24-205). First US comprehensive AI law; effective Feb 2026. Imposes obligations on developers and deployers of high-risk AI.
California AB 2013. Generative AI training data transparency requirements; effective 2026.
California SB 1047 (vetoed 2024). Frontier model safety bill; vetoed by Governor Newsom but influences ongoing legislative drafts.
NYC Local Law 144. Bias audit requirement for automated employment decision tools (AEDT). Effective since 2023.
NY S 8755. Algorithmic accountability for insurers; passed late 2025.
Illinois Artificial Intelligence Video Interview Act. Required AI disclosure for video interviews; effective 2020.
Illinois HB 3773. Bias and discrimination requirements for AI in employment; effective 2026.
Texas Data Privacy and Security Act. Includes AI-relevant provisions on profiling and automated decision-making.
Massachusetts Bill H.83. Healthcare AI transparency requirements; in active legislation 2026.
Washington AB 1951. Public-sector AI inventory and bias-audit requirements.
Minnesota Consumer Data Privacy Act. AI and profiling provisions.
Rhode Island AI Hiring Act. Bias audit and disclosure requirements for AI-driven hiring.
Algorithmic discrimination. A term that varies by state — Colorado defines it differently from New York. Definitions matter for compliance scope.
High-risk AI (state-level). Different states define this differently. Colorado AI Act lists specific consequential decisions; NYC focuses on employment.
Bias audit. Required by NYC Local Law 144 and increasingly by other states. Independent audit of an AI system's bias and impact.
"In the absence of federal AI law, multi-state operations require state-by-state mapping. Treat the patchwork as the new compliance baseline."— Internal multi-state compliance retro, March 2026
06 — Framework 06: Operational governance.
How AI governance is actually implemented day-to-day. Cross-cutting terms that apply across frameworks.
AI governance committee. Cross-functional body owning AI policy, risk-tier classification, and high-stakes deployment review.
AI use-case review. Pre-deployment review of an AI use case against risk criteria; outcome determines risk tier and subsequent obligations.
Model card. Mitchell et al. (2018). Standardized documentation of a model's capabilities, limitations, training data, evaluation results. Required for GPAI under EU AI Act.
System card. Documentation for a deployed AI system (model + scaffolding + safety controls). Distinct from model card.
Datasheet for datasets. Gebru et al. (2018). Documentation for datasets covering composition, collection process, and recommended uses.
Algorithmic impact assessment (AIA). Pre-deployment assessment of an algorithmic system's impact on affected stakeholders. Required by some jurisdictions; voluntary in others.
Approval gate. Operational checkpoint where human review is required before AI proceeds to next step or deployment phase.
Human in the loop (HITL). Operational pattern where a human reviews each AI decision before execution.
Human on the loop (HOTL). Operational pattern where humans monitor but do not gate every AI decision.
Audit trail. Persistent log of AI system inputs, outputs, decisions, and human interventions. Required for many regulated deployments.
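The approval gate, HITL/HOTL and audit-trail entries above describe a pattern rather than code. The following is an added example (not part of the glossary and not any framework's reference implementation) showing how the three fit together: a gate that holds high-risk outputs until a human approval is recorded (HITL), lets limited- and minimal-risk outputs execute under monitoring (HOTL), refuses unacceptable-risk uses, and appends every output, decision and human intervention to an audit trail. The class names (`ApprovalGate`, `AuditTrail`, `RiskTier`), the tier-to-pattern mapping and the sample decisions are constructed for illustration.

```python
"""Approval gate with an audit trail (added example; not part of the
glossary). Enforces HITL for high-risk decisions, HOTL for limited and
minimal-risk ones, and refuses unacceptable-risk uses, recording every
output, decision and human intervention. Names, the tier mapping and the
sample decisions are constructed for illustration."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from enum import Enum
import json


class RiskTier(Enum):
    """EU AI Act tiers as listed in the glossary (Articles 5, 6, 50)."""
    UNACCEPTABLE = "unacceptable"
    HIGH = "high"
    LIMITED = "limited"
    MINIMAL = "minimal"


class GateDecision(Enum):
    EXECUTE = "execute"              # AI output may be acted on
    PENDING_HUMAN = "pending_human"  # held until a reviewer approves (HITL)
    BLOCKED = "blocked"              # prohibited practice; never executes


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    system_id: str
    kind: str     # "output", "decision", "human_intervention" or "blocked"
    detail: dict


class AuditTrail:
    """Append-only record; nothing here removes or rewrites an event."""

    def __init__(self):
        self._events = []

    def record(self, system_id, kind, **detail):
        stamp = datetime.now(timezone.utc).isoformat()
        self._events.append(AuditEvent(stamp, system_id, kind, detail))

    def events(self, system_id=None):
        return [e for e in self._events
                if system_id is None or e.system_id == system_id]

    def export_jsonl(self):
        """One JSON object per line, the shape a log store or SIEM ingests."""
        return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in self._events)


class ApprovalGate:
    """Checkpoint between an AI system's proposed output and its execution."""

    def __init__(self, trail):
        self.trail = trail
        self._approvals = {}  # (system_id, decision_id) -> reviewer

    def approve(self, system_id, decision_id, reviewer):
        """A human reviewer signs off on one specific decision."""
        self._approvals[(system_id, decision_id)] = reviewer
        self.trail.record(system_id, "human_intervention",
                          decision_id=decision_id, reviewer=reviewer, action="approved")

    def check(self, system_id, tier, decision_id, proposed_output):
        self.trail.record(system_id, "output", decision_id=decision_id, proposed=proposed_output)
        if tier is RiskTier.UNACCEPTABLE:
            self.trail.record(system_id, "blocked", decision_id=decision_id,
                              reason="Article 5 prohibited practice")
            return GateDecision.BLOCKED
        if tier is RiskTier.HIGH:
            # HITL: each decision needs a recorded human approval before execution.
            reviewer = self._approvals.get((system_id, decision_id))
            if reviewer is None:
                self.trail.record(system_id, "decision", decision_id=decision_id, result="pending_human")
                return GateDecision.PENDING_HUMAN
            self.trail.record(system_id, "decision", decision_id=decision_id,
                              result="execute", approved_by=reviewer)
            return GateDecision.EXECUTE
        # HOTL: limited/minimal-risk outputs execute; the record supports monitoring.
        self.trail.record(system_id, "decision", decision_id=decision_id,
                          result="execute", oversight="HOTL")
        return GateDecision.EXECUTE


def demo():
    """Walk one high-risk and one limited-risk decision through the gate."""
    trail = AuditTrail()
    gate = ApprovalGate(trail)
    first = gate.check("hiring-screener", RiskTier.HIGH, "cand-042", {"recommendation": "reject"})
    gate.approve("hiring-screener", "cand-042", reviewer="hr-reviewer-7")
    second = gate.check("hiring-screener", RiskTier.HIGH, "cand-042", {"recommendation": "reject"})
    third = gate.check("faq-chatbot", RiskTier.LIMITED, "msg-1", {"answer": "See the returns policy."})
    return first, second, third, trail


if __name__ == "__main__":
    print(demo()[3].export_jsonl())
```

The design point is that approval is keyed to one system and one decision: a reviewer's sign-off on `cand-042` does not unlock any other decision, and the trail shows the pending state, the intervention and the eventual execution as separate events, which is what an auditor reconstructing an Article 14 review needs.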
Incident reporting. EU AI Act Article 73 requires high-risk AI providers report serious incidents. NIST RMF Manage function recommends similar discipline.
AI bill of materials (AI BOM). An inventory of all components in an AI system: base models, datasets, fine-tuning runs, evaluation runs, deployment configuration. Emerging practice; analogous to SBOM in software supply chain.
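The AI BOM entry above draws the analogy to a software SBOM; the following added example (not from the glossary, and not an established AI BOM format) carries that analogy through in code. It pins each component kind the entry lists (base model, dataset, fine-tuning run, evaluation run, deployment configuration) to a SHA-256 digest and verifies a deployed artifact set against the BOM, reporting substituted, missing and undeclared components. The in-memory artifact store, the component names and the `ai-bom-example/0.1` format label are constructed stand-ins; a real pipeline would hash files.

```python
"""AI bill of materials with integrity verification (added example; not from
the glossary). Every component is recorded with a SHA-256 digest so a
deployed system can be checked against what was reviewed. The artifact
store and names below are constructed stand-ins for real files."""
import hashlib
import json

# Constructed artifact store: component path -> bytes. Real pipelines hash files.
ARTIFACTS = {
    "base-model/weights.bin": b"\x00\x01" * 512,
    "dataset/train.jsonl": b'{"text": "example row"}\n' * 100,
    "finetune/run-17.log": b"epoch=3 loss=0.41\n",
    "eval/benchmark-v2.json": b'{"accuracy": 0.93}',
    "deploy/config.yaml": b"temperature: 0.2\nmax_tokens: 512\n",
}

# Component kinds the glossary lists for an AI BOM; the path prefix names the kind.
COMPONENT_KINDS = ("base-model", "dataset", "finetune", "eval", "deploy")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_ai_bom(system_id, artifacts):
    """List every component with its kind and digest, sorted for stable diffs."""
    components = []
    for name, data in sorted(artifacts.items()):
        kind = name.split("/", 1)[0]
        if kind not in COMPONENT_KINDS:
            raise ValueError(f"unknown component kind: {kind}")
        components.append({"name": name, "kind": kind, "sha256": sha256_hex(data)})
    return {"system_id": system_id,
            "bom_format": "ai-bom-example/0.1",  # constructed label, not a standard
            "components": components}


def verify_ai_bom(bom, artifacts):
    """Compare a deployed artifact set against the BOM; returns (ok, findings)."""
    findings = []
    expected = {c["name"]: c["sha256"] for c in bom["components"]}
    for name, digest in expected.items():
        if name not in artifacts:
            findings.append(f"missing: {name}")
        elif sha256_hex(artifacts[name]) != digest:
            findings.append(f"digest mismatch: {name}")
    for name in artifacts:
        if name not in expected:
            findings.append(f"undeclared component: {name}")
    return (not findings), findings


def missing_kinds(bom):
    """Component kinds the BOM does not cover; a complete BOM returns []."""
    present = {c["kind"] for c in bom["components"]}
    return [k for k in COMPONENT_KINDS if k not in present]


def bom_json(bom):
    return json.dumps(bom, indent=2, sort_keys=True)


if __name__ == "__main__":
    bom = build_ai_bom("hiring-screener", ARTIFACTS)
    print(bom_json(bom))
    print(verify_ai_bom(bom, ARTIFACTS))
```

Run `verify_ai_bom` at deployment time against the artifacts actually loaded: a changed deployment config or evaluation file surfaces as a digest mismatch, a dropped evaluation run as missing, and a component nobody reviewed as undeclared. `missing_kinds` catches the quieter gap of a BOM that was never complete.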
| Artifact | Basis | Status |
|---|---|---|
| Model · system · dataset cards | All three required for high-risk AI under EU AI Act. NIST and ISO recommend them too. | Required |
| HITL + approval gates | The operationalization of EU AI Act Article 14 human oversight. Used across regulated deployments. | Article 14 |
| Post-market monitoring | Required by EU AI Act for high-risk AI; recommended by NIST and ISO. Includes incident reporting. | Lifecycle |

07 — Conclusion: Article-anchored vocabulary unblocks legal review.
Cite articles. Map terms across frameworks. Maintain inventory.
AI governance vocabulary lives across five frameworks: EU AI Act, NIST AI RMF, ISO 42001, OECD principles, and US state law. The terms map; the obligations differ. Anchoring discussions in article citations rather than concept summaries shortens legal review and keeps cross-functional teams on shared source language.
For most enterprises in 2026, three artifacts cover the bulk of compliance documentation: an AI inventory (NIST Govern), a per-system risk classification (EU AI Act tier), and an AIMS audit trail (ISO 42001). Build these once and reuse them across frameworks.
The 100 terms in this glossary cover the working vocabulary of AI governance in Q2 2026. Update when EU AI Act delegated acts publish, when NIST releases new profiles, and when significant US state legislation passes. Maintain quarterly.