Glossary
Plain-language definitions of the AI governance and governance, risk, and compliance terms we use across engagements.
Artificial Intelligence governance
- AI Governance
- The policies, oversight roles, controls, and documentation that govern how an organization develops, deploys, and monitors Artificial Intelligence (AI). In regulated financial institutions it assigns accountability across the three lines of defense and typically includes an AI inventory, risk tiering, independent model validation, and board-level reporting.
- NIST AI Risk Management Framework (AI RMF)
- A voluntary framework from the National Institute of Standards and Technology (NIST), published as NIST AI 100-1 in January 2023, for managing the risks of Artificial Intelligence across four functions: Govern, Map, Measure, and Manage. It is accompanied by a Generative AI Profile (NIST AI 600-1).
- Generative AI Profile
- A companion profile to the NIST AI Risk Management Framework that addresses risks specific to generative Artificial Intelligence, such as large language models.
- ISO/IEC 42001
- The international standard that specifies requirements for an Artificial Intelligence management system: the organizational structure for governing AI responsibly across its lifecycle.
- ISO/IEC 42005
- The international standard that provides guidance for conducting an Artificial Intelligence system impact assessment.
- European Union AI Act (EU AI Act)
- A European Union regulation that classifies Artificial Intelligence systems by risk level and sets obligations accordingly: prohibited practices, high-risk systems subject to conformity and risk-management requirements, limited-risk systems subject to transparency duties, and minimal-risk systems with no specific obligations. It also imposes separate obligations on providers of general-purpose AI models.
- AI inventory
- A maintained record of the Artificial Intelligence systems and models an organization uses or develops, typically capturing ownership, purpose, data, and risk tier. It is the foundation of AI oversight.
- AI risk tiering
- The practice of classifying Artificial Intelligence systems by their potential impact so that governance, validation, and monitoring effort is proportionate to risk.
- Model validation
- Independent review of a model's design, data, assumptions, performance, and limitations to confirm it works as intended and is fit for its use. A core control in model risk management; in US banking supervision it is set out in the Federal Reserve and OCC guidance on model risk management (SR 11-7 / OCC Bulletin 2011-12).
- AI Management System
- The set of policies, roles, processes, and controls, aligned to ISO/IEC 42001, through which an organization governs Artificial Intelligence across its lifecycle.
Governance, risk, and compliance
- Governance, Risk, and Compliance (GRC)
- The integrated discipline of directing an organization (governance), identifying and managing threats to its objectives (risk), and meeting legal and regulatory obligations (compliance).
- Three Lines of Defense
- A risk governance model that separates risk ownership (first line), risk oversight and challenge (second line), and independent assurance (third line, internal audit).
- First Line of Defense (1LoD)
- The business and operational units that own and manage risk directly as part of day-to-day activities.
- Second Line of Defense (2LoD)
- The risk and compliance functions that set policy, provide oversight, and independently challenge the first line.
- Risk and Control Self-Assessment (RCSA)
- A structured process in which business units identify their risks, assess the controls that mitigate them, and document residual risk.
- Documentation taxonomy
- The classification of governance documents by type and authority, typically policy (what and why), standard (specific requirements), and procedure (how), so ownership and evidence expectations are clear.
- Evidence readiness
- The state in which the artifacts an examiner or auditor will request are identified, current, owned, and retrievable on a defined cadence, rather than assembled reactively under deadline.