# Compliance Glossary for Agentic Systems

> Compliance vocabulary for builders and operators of agentic AI — 81 terms across 8 categories, each defined in 1–3 sentences with one canonical primary-source citation. Maintained by [AgentsBooks](https://agentsbooks.com/). Last refreshed 2026-05-08.

## Audience

Heads of compliance, audit leads, model-risk officers, legal counsel, and product teams shipping agentic systems into regulated workflows — KYC/AML, model risk, healthcare, employment, education, financial-services consumer journeys.

## Categories

- **Frameworks** — 10 terms
- **Regulations** — 12 terms
- **Audit standards** — 10 terms
- **Model risk** — 11 terms
- **Agentic-system risk** — 16 terms
- **AML / KYC** — 13 terms
- **Governance** — 4 terms
- **Regulators** — 5 terms

---

## Frameworks

### AI RMF (NIST AI 100-1) — In force

*Also known as:* AI Risk Management Framework · NIST AI RMF

U.S. NIST Artificial Intelligence Risk Management Framework. Voluntary; structured around four core functions — Govern, Map, Measure, Manage — and the seven characteristics of trustworthy AI. The de-facto operating guide for AI risk programs in regulated U.S. industries.

**Source:** [NIST — AI Risk Management Framework (AI 100-1)](https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf) — accessed 2026-05-08

**See also:** GenAI Profile (NIST AI 600-1) · Trustworthy AI · AI Agent Interoperability Profile · ISO/IEC 42001:2023

### GenAI Profile (NIST AI 600-1) — In force

*Also known as:* NIST GenAI Profile · AI 600-1

NIST profile of the AI RMF specific to generative AI. Enumerates 12 risks of generative AI (CBRN information, confabulation, dangerous content, data privacy, environmental, harmful bias, human-AI configuration, info integrity, info security, IP, obscene content, value chain) with suggested actions per risk.

**Source:** [NIST — AI 600-1 GenAI Profile](https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf) — accessed 2026-05-08

**See also:** AI RMF (NIST AI 100-1) · Hallucination · Prompt injection · Trustworthy AI

### AI Agent Interoperability Profile — Emerging 2026

*Also known as:* NIST Agent Profile

Planned NIST profile under the AI RMF specifically targeting agentic systems — covering agent identity, authorization, security, risk management, monitoring, logging. Announced February 2026 via CAISI; planned release Q4 2026.

**Source:** [NIST — AI RMF Program (AI Agent Standards Initiative, Feb 2026)](https://www.nist.gov/itl/ai-risk-management-framework) — accessed 2026-05-08

**See also:** AI RMF (NIST AI 100-1) · Audit trail · Human-in-the-loop (HITL) · Agent authorization

### Trustworthy AI — In force

NIST's umbrella term for AI that is valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed. The seven characteristics framework underneath the AI RMF.

**Source:** [NIST — AI Risk Management Framework (AI 100-1)](https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf) — accessed 2026-05-08

**See also:** AI RMF (NIST AI 100-1) · Explainability (XAI) · fairness · robustness

### ISO/IEC 42001:2023 — In force

*Also known as:* ISO 42001 · AIMS

International standard specifying requirements for an Artificial Intelligence Management System (AIMS). Published December 2023 — the first certifiable management-system standard for AI. Analogous to ISO 27001 for information security; increasingly required in enterprise AI procurement RFPs.

**Source:** [ISO/IEC 42001:2023 — AI management system](https://www.iso.org/standard/81230.html) — accessed 2026-05-08

**See also:** ISO/IEC 23894:2023 · ISO/IEC 22989:2022 · ISO/IEC 27001:2022 · AI RMF (NIST AI 100-1)

### ISO/IEC 23894:2023 — In force

*Also known as:* ISO 23894

International standard providing guidance on AI risk management. Complements ISO/IEC 42001 by supplying the risk-management methodology that AIMS implementations build on. Published February 2023.

**Source:** [ISO/IEC 23894:2023 — Information technology — AI — Guidance on risk management](https://www.iso.org/standard/77304.html) — accessed 2026-05-08

**See also:** ISO/IEC 42001:2023 · ISO/IEC 22989:2022 · AI RMF (NIST AI 100-1)

### ISO/IEC 22989:2022 — In force

*Also known as:* ISO 22989

International standard establishing AI concepts and terminology. The vocabulary base most other AI standards (42001, 23894, 38507) defer to. Where regulator definitions conflict, 22989 is often the neutral reference.

**Source:** [ISO/IEC 22989:2022 — AI concepts and terminology](https://www.iso.org/standard/74296.html) — accessed 2026-05-08

**See also:** ISO/IEC 42001:2023 · ISO/IEC 23894:2023 · AI system (canonical definition)

### ISO/IEC 38507:2022 — In force

*Also known as:* ISO 38507

International standard on the governance implications of AI use within organizations. Targets boards and executive bodies — pairs naturally with COSO ERM and the IIA Three Lines Model when AI risk is being escalated.

**Source:** [ISO/IEC 38507:2022 — Governance implications of the use of AI by organizations](https://www.iso.org/standard/56641.html) — accessed 2026-05-08

**See also:** ISO/IEC 42001:2023 · Three Lines Model · COSO ERM

### AI system (canonical definition) — In force

OECD's revised definition (adopted November 2023 and carried into the 2024 update of the Recommendation), imported near-verbatim by the EU AI Act in Art. 3(1); ISO/IEC 22989 carries a compatible but separately worded definition. A machine-based system that, for explicit or implicit objectives, infers from the input it receives how to generate outputs (predictions, content, recommendations, decisions) that can influence physical or virtual environments.

**Source:** [OECD — AI Principles (2024 update)](https://oecd.ai/en/ai-principles) — accessed 2026-05-08

**See also:** EU AI Act · ISO/IEC 22989:2022 · GPAI (General-Purpose AI)

### OECD AI Principles — In force

Inter-governmental principles on trustworthy AI adopted by the OECD in 2019 and revised in 2024. The framing 47 jurisdictions converge on (inclusive growth, human-centred values, transparency, robustness, accountability) — supplies the AI-system definition the EU AI Act imports.

**Source:** [OECD — AI Principles](https://oecd.ai/en/ai-principles) — accessed 2026-05-08

**See also:** AI system (canonical definition) · EU AI Act · Trustworthy AI

---

## Regulations

### EU AI Act — In force 2026-08-02

*Also known as:* Regulation (EU) 2024/1689 · AI Act

European Union regulation defining a risk-tiered framework for AI systems (unacceptable, high, limited, minimal). Entered into force 1 August 2024; the prohibited-practice rules and the Art. 4 AI-literacy duty apply from 2 February 2025, GPAI obligations from 2 August 2025, and the high-risk Annex III rules from 2 August 2026, subject to the November 2025 Digital Omnibus deferral proposal currently in trilogue.

**Source:** [European Commission — EU AI Act Implementation Timeline](https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act) — accessed 2026-05-08

**See also:** High-risk AI system · GPAI (General-Purpose AI) · AI Literacy (EU AI Act Art. 4) · Annex III (EU AI Act) · Conformity assessment · Digital Omnibus

### High-risk AI system — In force 2026-08-02

*Also known as:* Annex III system

Under the EU AI Act, AI systems falling into Annex III categories (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice). Subject to conformity assessment, transparency, human oversight, robustness, cybersecurity. Originally enforceable 2 August 2026; Digital Omnibus proposes deferral to 2 December 2027 — pending trilogue.

**Source:** [European Commission — EU AI Act Implementation Timeline](https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act) — accessed 2026-05-08

**See also:** EU AI Act · Annex III (EU AI Act) · Conformity assessment · Human-in-the-loop (HITL) · FRIA (Fundamental Rights Impact Assessment)

### Annex III (EU AI Act) — In force

EU AI Act schedule listing high-risk use-cases: biometric ID, critical infrastructure, education, employment, essential public services, law enforcement, migration/border/asylum, administration of justice and democratic processes. Updated by delegated acts; firms map their use-cases against Annex III to determine high-risk classification.

**Source:** [European Commission — EU AI Act Implementation Timeline](https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act) — accessed 2026-05-08

**See also:** EU AI Act · High-risk AI system · Conformity assessment

### GPAI (General-Purpose AI) — In force

*Also known as:* General-Purpose AI · GPAI model

EU AI Act category for AI models with significant generality across many tasks (most foundation models qualify). GPAI providers carry transparency, copyright-summary, and technical-documentation obligations; systemic-risk GPAI carries additional model-evaluation, incident-reporting, and cybersecurity duties.

**Source:** [European Commission — EU AI Act Implementation Timeline](https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act) — accessed 2026-05-08

**See also:** EU AI Act · Systemic-risk GPAI · Conformity assessment

### Systemic-risk GPAI — In force

EU AI Act sub-tier of GPAI: models meeting the Article 51 compute or capability thresholds (currently 10^25 FLOPs of training compute) are presumed to pose systemic risk. Triggers the additional Article 55 obligations: model evaluation, adversarial testing, serious-incident reporting, and adequate cybersecurity protection of the model and its infrastructure.

**Source:** [European Commission — EU AI Act Implementation Timeline](https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act) — accessed 2026-05-08

**See also:** GPAI (General-Purpose AI) · EU AI Act · incident-reporting

### AI Literacy (EU AI Act Art. 4) — In force 2025-02-02

EU AI Act obligation requiring providers and deployers to ensure their staff and other persons operating AI systems on their behalf have a sufficient level of AI literacy — taking into account technical knowledge, experience, education, and the context of use. In effect since 2 February 2025.

**Source:** [European Commission — EU AI Act Implementation Timeline](https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act) — accessed 2026-05-08

**See also:** EU AI Act · deployer · provider

### Conformity assessment — In force

EU AI Act process by which a provider of a high-risk AI system demonstrates compliance with the Chapter III, Section 2 requirements (risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy, robustness, cybersecurity) before placing the system on the EU market. Annex III lists the use-cases, not the requirements. Typically internal control (Annex VI) plus technical documentation; notified-body involvement (Annex VII) for some biometric systems. Analogous to CE-marking processes for other regulated products.

**Source:** [European Commission — EU AI Act Implementation Timeline](https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act) — accessed 2026-05-08

**See also:** EU AI Act · High-risk AI system · Annex III (EU AI Act) · technical-documentation

### FRIA (Fundamental Rights Impact Assessment) — In force

*Also known as:* FRIA

EU AI Act requirement for certain deployers of high-risk AI systems (public bodies, public-services providers, banking, insurance) to assess the impact on fundamental rights before deployment. Distinct from a DPIA under GDPR; the two often run in parallel.

**Source:** [European Commission — EU AI Act Implementation Timeline](https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act) — accessed 2026-05-08

**See also:** High-risk AI system · EU AI Act · DPIA (Data Protection Impact Assessment) · deployer

### Digital Omnibus — Emerging 2026

European Commission omnibus proposal published November 2025 to simplify and recalibrate EU digital rules, including a deferral of the EU AI Act high-risk Annex III rules from 2 August 2026 to 2 December 2027. As of May 2026 still in trilogue — the August 2026 dates remain operative until adopted.

**Source:** [European Commission — Digital Omnibus](https://digital-strategy.ec.europa.eu/en/policies/digital-omnibus) — accessed 2026-05-08

**See also:** EU AI Act · High-risk AI system · Annex III (EU AI Act)

### GDPR Art. 22 (Automated decisions) — In force

GDPR provision granting individuals the right not to be subject to solely-automated decisions producing legal or similarly significant effects, with limited exceptions and safeguards (human intervention, contestation, right to express a view). Recital 71 expands the safeguards. The pre-existing legal anchor most agentic decisioning systems land on.

**Source:** [GDPR — Article 22](https://gdpr-info.eu/art-22-gdpr/) — accessed 2026-05-08

**See also:** DPIA (Data Protection Impact Assessment) · ICO AI and data-protection guidance · Human-in-the-loop (HITL) · FRIA (Fundamental Rights Impact Assessment)

### DPIA (Data Protection Impact Assessment) — In force

*Also known as:* DPIA

GDPR Art. 35 obligation to assess risks to data-subject rights before processing likely to result in high risk. Required by default for AI systems involving systematic monitoring, large-scale special-category data, or automated decisions with legal/similar effects. Often paired with FRIA under EU AI Act.

**Source:** [ICO — Guidance on AI and data protection](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/) — accessed 2026-05-08

**See also:** GDPR Art. 22 (Automated decisions) · FRIA (Fundamental Rights Impact Assessment) · ICO AI and data-protection guidance

### ICO AI and data-protection guidance — In force

UK Information Commissioner's Office guidance on applying the UK GDPR and Data Protection Act to AI systems — covering accountability, lawfulness, fairness, security, and the rights regime. Functions as the de-facto UK companion to the EU AI Act for personal-data uses.

**Source:** [ICO — Guidance on AI and data protection](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/) — accessed 2026-05-08

**See also:** GDPR Art. 22 (Automated decisions) · DPIA (Data Protection Impact Assessment) · FCA

---

## Audit standards

### SOC 2 — In force

*Also known as:* SOC 2 report

AICPA attestation framework reporting on a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy. Type I tests design at a point in time; Type II tests operating effectiveness over a period (typically 6–12 months).

**Source:** [AICPA — SOC for service organizations](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc) — accessed 2026-05-08

**See also:** SOC 2 Type II · Trust Services Criteria (TSC) · Audit trail · ISO/IEC 27001:2022

### SOC 2 Type II — In force

SOC 2 examination evaluating the operating effectiveness of controls over a defined period, typically six to twelve months. Auditors sample privileged actions and expect each one, including any taken by an AI agent, to trace back to a request, an approval, and a record; an agent-initiated change with no human request behind it is a likely accountability finding.

**Source:** [AICPA — SOC 2 Trust Services Criteria](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc) — accessed 2026-05-08

**See also:** SOC 2 · Trust Services Criteria (TSC) · Audit trail · Privileged action

### Trust Services Criteria (TSC) — In force

*Also known as:* TSC

AICPA criteria backing SOC 2 — five categories: Security (Common Criteria, mandatory), Availability, Processing Integrity, Confidentiality, Privacy. The 2017 TSC plus 2022 points-of-focus revisions remain in force; 2026 updates emphasise AI-driven privileged actions and attribution.

**Source:** [AICPA — Trust Services Criteria](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc) — accessed 2026-05-08

**See also:** SOC 2 · SOC 2 Type II · Common Criteria (TSC Security)

### Common Criteria (TSC Security) — In force

The mandatory SOC 2 security category — 33 criteria covering control environment, communication and information, risk assessment, monitoring, control activities, logical and physical access, system operations, change management, and risk mitigation. The Common Criteria are required in every SOC 2 report.

**Source:** [AICPA — Trust Services Criteria](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc) — accessed 2026-05-08

**See also:** Trust Services Criteria (TSC) · SOC 2

### ISO/IEC 27001:2022 — In force

*Also known as:* ISO 27001 · ISMS

International standard specifying requirements for an Information Security Management System (ISMS). Certifiable; commonly required in enterprise AI and SaaS procurement alongside SOC 2. ISO/IEC 42001 (AIMS) is the AI-specific peer.

**Source:** [ISO/IEC 27001:2022 — Information security management systems](https://www.iso.org/standard/82875.html) — accessed 2026-05-08

**See also:** ISO/IEC 27701:2019 · ISO/IEC 42001:2023 · SOC 2

### ISO/IEC 27701:2019 — In force

*Also known as:* ISO 27701 · PIMS

Privacy extension to ISO/IEC 27001 — Privacy Information Management System (PIMS). Adds personal-data-processing controls. Increasingly cited as evidence under GDPR and other privacy regimes.

**Source:** [ISO/IEC 27701:2019 — Privacy information management](https://www.iso.org/standard/71670.html) — accessed 2026-05-08

**See also:** ISO/IEC 27001:2022 · GDPR Art. 22 (Automated decisions) · DPIA (Data Protection Impact Assessment)

### Audit trail — In force

Tamper-evident chronological record of who or what did what, when, and on whose authority — sufficient to reconstruct any consequential action after the fact. The atomic unit of evidentiary discipline in SOC 2, ISO 27001, model-risk, and AML programs.

**Source:** [AICPA — SOC 2 Trust Services Criteria](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc) — accessed 2026-05-08

**See also:** Privileged action · Evidence retention · SOC 2 Type II · Agent audit trail

### Evidence retention — In force

Discipline of keeping audit-relevant artefacts (logs, approvals, control-test results) for the period required by the applicable framework — typically 1 year for SOC 2 Type II in-period evidence, 5–7 years for tax and AML, longer for healthcare or sectoral regimes.

**Source:** [AICPA — SOC for service organizations](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc) — accessed 2026-05-08

**See also:** Audit trail · SOC 2 Type II · KYC record retention

### Attestation — In force

Formal statement by an independent auditor (a CPA firm in the U.S., or an equivalent licensed practitioner elsewhere) that an organisation's assertion about its controls is fairly stated. SOC 2 reports are attestation engagements under SSAE 18 (AT-C 105/205) or ISAE 3000, not certifications.

**Source:** [AICPA — SOC for service organizations](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc) — accessed 2026-05-08

**See also:** SOC 2 · SOC 2 Type II

### Privileged action — In force

An action carrying elevated authority — production database write, secret rotation, billing change, account creation, code deploy — that auditors expect to be attributable to a named accountable individual with prior request, approval, and post-hoc record.

**Source:** [AICPA — SOC 2 Trust Services Criteria](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc) — accessed 2026-05-08

**See also:** Audit trail · SOC 2 Type II · Human-in-the-loop (HITL) · Agent authorization

---

## Model risk

### Model risk management (MRM) — In force

*Also known as:* MRM

The discipline of managing the risk that a model produces incorrect or misused outputs that materially affect decisions. Anchored in the U.S. by SR 11-7 / OCC 2011-12 and in the U.K. by PRA SS 1/23 — both apply irrespective of whether the model is statistical, machine-learned, or generative.

**Source:** [Federal Reserve — SR 11-7 Guidance on Model Risk Management](https://www.federalreserve.gov/supervisionreg/srletters/sr1107.pdf) — accessed 2026-05-08

**See also:** SR 11-7 (US bank model risk) · SS 1/23 (UK bank model risk) · Model validation · Model inventory · Model card

### SR 11-7 (US bank model risk) — In force

*Also known as:* OCC 2011-12

U.S. Federal Reserve / OCC supervisory guidance on model risk management, issued April 2011. Establishes the model-risk-management lifecycle expected of banks: development, implementation, use, validation, governance, policies, controls, model inventory.

**Source:** [Federal Reserve — SR 11-7](https://www.federalreserve.gov/supervisionreg/srletters/sr1107.pdf) — accessed 2026-05-08

**See also:** Model risk management (MRM) · Model validation · Model inventory · SS 1/23 (UK bank model risk)

### SS 1/23 (UK bank model risk) — In force 2024-05-17

Bank of England Prudential Regulation Authority Supervisory Statement on model risk management principles for banks. In force 17 May 2024; the U.K. peer to SR 11-7. Notably brings AI/ML and vendor-supplied models firmly inside the model-risk perimeter.

**Source:** [Bank of England — PRA SS 1/23](https://www.bankofengland.co.uk/prudential-regulation/publication/2023/may/model-risk-management-principles-for-banks-ss) — accessed 2026-05-08

**See also:** Model risk management (MRM) · SR 11-7 (US bank model risk) · Model validation

### Model validation — In force

Independent review of a model's conceptual soundness, ongoing monitoring, and outcomes analysis, by qualified parties not involved in development. Required at first use, on material change, and on a periodic cycle (typically annually for high-risk models).

**Source:** [Federal Reserve — SR 11-7](https://www.federalreserve.gov/supervisionreg/srletters/sr1107.pdf) — accessed 2026-05-08

**See also:** SR 11-7 (US bank model risk) · Model risk management (MRM) · Model monitoring · Challenger model

### Model inventory — In force

Comprehensive register of all models in use by the firm — including AI/ML and generative models — capturing purpose, owner, validator, risk tier, last-validation date, and dependencies. Required by SR 11-7 and SS 1/23; the operational anchor for any MRM program.

**Source:** [Federal Reserve — SR 11-7](https://www.federalreserve.gov/supervisionreg/srletters/sr1107.pdf) — accessed 2026-05-08

**See also:** Model risk management (MRM) · Model validation · Risk tier

### Model monitoring — In force

Ongoing surveillance of a deployed model's performance, drift, and stability against pre-defined thresholds, with documented escalation to validation and remediation when thresholds breach. The discipline that turns one-off validation into a control.

**Source:** [Federal Reserve — SR 11-7](https://www.federalreserve.gov/supervisionreg/srletters/sr1107.pdf) — accessed 2026-05-08

**See also:** Model validation · Drift (model) · Model risk management (MRM)

### Challenger model — In force

An alternative model retained alongside the production champion, against which outputs are periodically compared as part of validation and monitoring. SR 11-7 emphasizes challenger comparison as a core soundness check.

**Source:** [Federal Reserve — SR 11-7](https://www.federalreserve.gov/supervisionreg/srletters/sr1107.pdf) — accessed 2026-05-08

**See also:** Model validation · Model monitoring · Model risk management (MRM)

### Model card — Foundational

Short, structured document capturing a model's intended use, training data, evaluation results, limitations, ethical considerations, and version. Originated by Mitchell et al. (Google, 2019); now table-stakes for AI procurement and increasingly evidentiary under the EU AI Act and ISO 42001.

**Source:** [Mitchell et al. — Model Cards for Model Reporting (2019)](https://arxiv.org/abs/1810.03993) — accessed 2026-05-08

**See also:** Model risk management (MRM) · ISO/IEC 42001:2023 · EU AI Act · technical-documentation

### Risk tier — In force

Classification of a model or AI system by potential business and regulatory impact (typically high / medium / low). Drives validation frequency, governance depth, monitoring intensity, and approval level. The EU AI Act risk-tiered structure is the regulator-side analogue.

**Source:** [Federal Reserve — SR 11-7](https://www.federalreserve.gov/supervisionreg/srletters/sr1107.pdf) — accessed 2026-05-08

**See also:** Model risk management (MRM) · Model inventory · High-risk AI system

### Drift (model) — In force

*Also known as:* data drift · concept drift

Degradation of a model's predictive performance over time as input distributions (data drift) or the relationship between inputs and outputs (concept drift) move away from the training conditions. Triggers monitoring alerts and revalidation in any mature MRM program.

**Source:** [Federal Reserve — SR 11-7](https://www.federalreserve.gov/supervisionreg/srletters/sr1107.pdf) — accessed 2026-05-08

**See also:** Model monitoring · Model validation
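A worked example of the monitoring control the Model monitoring and Drift entries above describe, added here as illustration and not taken from SR 11-7 or any vendor tool: a Population Stability Index (PSI) check of a scored feature against its validation-time baseline, with the conventional 0.10 / 0.25 thresholds (an industry rule of thumb assumed for this example, not a regulatory number) mapped to the escalation states a monitoring policy would define. The baseline and the three monitoring windows are constructed.

```python
import math

# Conventional PSI thresholds, assumed here as a rule of thumb (not from
# SR 11-7): below 0.10 stable, 0.10 to 0.25 watch, above 0.25 escalate.
WATCH_THRESHOLD = 0.10
ESCALATE_THRESHOLD = 0.25


def quantile_edges(baseline, bins=10):
    """Bin edges at the baseline's quantiles, so each bin holds ~1/bins of baseline."""
    s = sorted(baseline)
    n = len(s)
    return [s[k * n // bins] for k in range(1, bins)]


def histogram(values, edges):
    """Counts per bin; bin i covers [edges[i-1], edges[i]), open at both ends."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        i = 0
        while i < len(edges) and v >= edges[i]:
            i += 1
        counts[i] += 1
    return counts


def psi(baseline, current, edges, eps=1e-4):
    """Population Stability Index: sum over bins of (p_cur - p_base) * ln(p_cur / p_base)."""
    b = histogram(baseline, edges)
    c = histogram(current, edges)
    total = 0.0
    for nb, nc in zip(b, c):
        p_b = max(nb / len(baseline), eps)  # eps keeps an empty bin finite
        p_c = max(nc / len(current), eps)
        total += (p_c - p_b) * math.log(p_c / p_b)
    return total


def drift_status(value):
    """Map a PSI value onto the escalation states the monitoring policy defines."""
    if value >= ESCALATE_THRESHOLD:
        return "escalate"   # route to validation for revalidation / remediation
    if value >= WATCH_THRESHOLD:
        return "watch"      # document, tighten monitoring cadence
    return "stable"


def drift_report(baseline, current, feature="score"):
    """One monitoring record for one feature and one window."""
    edges = quantile_edges(baseline)
    value = psi(baseline, current, edges)
    return {"feature": feature, "psi": round(value, 4), "status": drift_status(value)}


# Constructed sample: baseline scores uniform on [0, 10); three monitoring
# windows: unchanged, moderately skewed toward low scores, wholesale shift.
BASELINE = [i / 100 for i in range(1000)]
WINDOW_SAME = list(BASELINE)
WINDOW_SKEWED = BASELINE[:800] + BASELINE[800:850] + BASELINE[900:950] + BASELINE[:100]
WINDOW_SHIFTED = [v + 5 for v in BASELINE]

if __name__ == "__main__":
    for name, window in [("same", WINDOW_SAME), ("skewed", WINDOW_SKEWED),
                         ("shifted", WINDOW_SHIFTED)]:
        print(name, drift_report(BASELINE, window))
```

Quantile binning on the baseline (rather than fixed-width bins) is what makes the statistic comparable across features with different ranges; the `eps` floor is what keeps a bin that empties out in production from producing an infinite PSI, while still scoring it heavily, which is the behaviour a reviewer wants when a whole segment of the input space disappears.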

### Explainability (XAI) — In force

*Also known as:* XAI · interpretability

The property of a model whose outputs can be accompanied by a faithful, intelligible justification adequate for the regulator, auditor, customer, or downstream control. Called for by the NIST AI RMF (explainable and interpretable is one of its seven characteristics), required of EU AI Act high-risk systems through the Art. 13 transparency duties, and expected under FATF AI/ML guidance and the FCA Consumer Duty.

**Source:** [NIST — AI Risk Management Framework (AI 100-1)](https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf) — accessed 2026-05-08

**See also:** Trustworthy AI · AI RMF (NIST AI 100-1) · Model validation · FATF (Financial Action Task Force)

---

## Agentic-system risk

### Prompt injection — In force

Attack pattern where an attacker controls part of an LLM's input and overrides developer instructions: direct (in the user prompt) or indirect (in retrieved documents, tool outputs, or web pages an agent reads). LLM01, the top entry, in the OWASP Top 10 for LLM Applications (2025). The dominant agent-runtime threat vector.

**Source:** [OWASP — LLM Top 10 (2025 ed.)](https://owasp.org/www-project-top-10-for-large-language-model-applications/) — accessed 2026-05-08

**See also:** Tool poisoning · Training-data poisoning · Excessive agency · Guardrail · OWASP LLM Top 10

### Tool poisoning — Emerging 2026

Attack pattern targeting agent tool definitions or tool outputs — for instance, a malicious MCP server returning instructions disguised as data — exploiting the agent's trust in its tool-call boundary. Variant of indirect prompt injection specific to tool-using agents.

**Source:** [OWASP — LLM Top 10 (2025 ed.)](https://owasp.org/www-project-top-10-for-large-language-model-applications/) — accessed 2026-05-08

**See also:** Prompt injection · Excessive agency · LLM supply-chain risk · Guardrail

### Training-data poisoning — In force

Adversarial manipulation of training, fine-tuning, or RAG-corpus data to bias a model's behaviour. Listed by OWASP and the NIST GenAI Profile as a primary supply-chain risk; mitigations centre on data provenance, integrity, and curation.

**Source:** [OWASP — LLM Top 10 (2025 ed.)](https://owasp.org/www-project-top-10-for-large-language-model-applications/) — accessed 2026-05-08

**See also:** Prompt injection · LLM supply-chain risk · GenAI Profile (NIST AI 600-1)

### Excessive agency — In force

OWASP LLM Top 10 risk: granting an LLM-based agent broader permissions, tools, or autonomy than the use-case justifies, expanding the blast radius of any prompt injection, hallucination, or misalignment. The defensive countermeasure is least-privilege agent design and human-in-the-loop on irreversible actions.

**Source:** [OWASP — LLM Top 10 (2025 ed.)](https://owasp.org/www-project-top-10-for-large-language-model-applications/) — accessed 2026-05-08

**See also:** Prompt injection · Human-in-the-loop (HITL) · Guardrail · Agent authorization · Autonomy (agent)

### LLM supply-chain risk — In force

OWASP LLM Top 10 risk concerning the integrity of the components a model depends on — pre-trained weights, training data, fine-tuning datasets, embedding corpora, MCP servers, plugins. Procurement and provenance controls feed into ISO 42001's third-party requirements.

**Source:** [OWASP — LLM Top 10 (2025 ed.)](https://owasp.org/www-project-top-10-for-large-language-model-applications/) — accessed 2026-05-08

**See also:** Training-data poisoning · Tool poisoning · ISO/IEC 42001:2023

### OWASP LLM Top 10 — In force

OWASP's canonical taxonomy of the ten most critical security risks for LLM applications: prompt injection, sensitive information disclosure, supply chain, data and model poisoning, improper output handling, excessive agency, system prompt leakage, vector and embedding weaknesses, misinformation, and unbounded consumption.

**Source:** [OWASP — LLM Top 10 (2025 ed.)](https://owasp.org/www-project-top-10-for-large-language-model-applications/) — accessed 2026-05-08

**See also:** Prompt injection · Excessive agency · LLM supply-chain risk · Training-data poisoning · Tool poisoning

### Hallucination — In force

*Also known as:* confabulation

Confidently-stated model output not supported by the model's grounding (training data, retrieved context, or tool results). Listed in the NIST GenAI Profile as confabulation; the dominant reliability problem motivating RAG, citations, and verification harnesses in compliance-sensitive deployments.

**Source:** [NIST — AI 600-1 GenAI Profile](https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf) — accessed 2026-05-08

**See also:** GenAI Profile (NIST AI 600-1) · Explainability (XAI) · Guardrail

### Sleeper agent (model) — Foundational

Anthropic's term (Hubinger et al., 2024) for a model trained to behave normally except when a specific trigger appears, at which point it executes hidden behavior. The paper demonstrates that standard safety training can fail to remove such backdoors — a primary supply-chain and red-teaming concern.

**Source:** [Hubinger et al. (Anthropic) — Sleeper Agents (arXiv:2401.05566, 2024)](https://arxiv.org/abs/2401.05566) — accessed 2026-05-08

**See also:** Training-data poisoning · LLM supply-chain risk · Red-teaming · Constitutional AI

### Jailbreak — In force

Attack class designed to bypass a model's safety training so it produces normally-refused output. Many-shot jailbreaking (Anthropic, 2024) exploits long context windows by stuffing the prompt with example unsafe Q&A pairs; the surface area scales with context length.

**Source:** [Anthropic — Many-shot jailbreaking (2024)](https://www.anthropic.com/research/many-shot-jailbreaking) — accessed 2026-05-08

**See also:** Prompt injection · Red-teaming · Guardrail · Constitutional AI

### Constitutional AI — Foundational

*Also known as:* CAI

Anthropic training method (Bai et al., 2022) that gives an AI a written constitution and uses the model itself to critique and revise outputs against those principles, replacing most human-labelled harmlessness data with AI-generated feedback (RLAIF). One of the dominant alignment approaches in 2026.

**Source:** [Bai et al. (Anthropic) — Constitutional AI (arXiv:2212.08073, 2022)](https://arxiv.org/abs/2212.08073) — accessed 2026-05-08

**See also:** Red-teaming · Guardrail · Trustworthy AI · Sleeper agent (model)

**Compare with deep glossary:** https://agentic-glossary.roei-020.workers.dev/#constitutional-ai

### Red-teaming — In force

Adversarial testing of an AI system by trying to elicit unsafe, biased, or out-of-policy outputs. NIST AI RMF and EU AI Act both treat red-teaming as a core risk-management practice; the EU AI Act requires adversarial testing of systemic-risk GPAI under Article 55.

**Source:** [NIST — AI Risk Management Framework (AI 100-1)](https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf) — accessed 2026-05-08

**See also:** Systemic-risk GPAI · AI RMF (NIST AI 100-1) · Jailbreak · Guardrail

### Guardrail — In force

Runtime check (input filter, output filter, policy-violation detector) that constrains an agent's behaviour independent of the model's own reasoning. Used to enforce safety, cost, and scope policies on top of constitutional or aligned models — a primary defence-in-depth layer.

**Source:** [NIST — AI Risk Management Framework (AI 100-1)](https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf) — accessed 2026-05-08

**See also:** Prompt injection · Constitutional AI · Human-in-the-loop (HITL) · AI RMF (NIST AI 100-1)

### Autonomy (agent) — In force

Degree to which an agent operates without human oversight on the path or the result. Anthropic's autonomy research notes that the same property that makes agents useful introduces a range of new risks — the framing increasingly cited by NIST and ISO governance work.

**Source:** [Anthropic — Measuring AI agent autonomy in practice](https://www.anthropic.com/research/measuring-agent-autonomy) — accessed 2026-05-08

**See also:** Human-in-the-loop (HITL) · Excessive agency · AI Agent Interoperability Profile

**Compare with deep glossary:** https://agentic-glossary.roei-020.workers.dev/#autonomy

### Human-in-the-loop (HITL) — In force

*Also known as:* HITL

Operational pattern where humans approve, review, or intervene at defined points in an agent's loop — typically for irreversible or high-stakes actions. NIST AI RMF and EU AI Act both treat human oversight as a core trustworthy-AI characteristic; SOC 2 increasingly tests for it on privileged actions.

**Source:** [Anthropic — Measuring AI agent autonomy in practice](https://www.anthropic.com/research/measuring-agent-autonomy) — accessed 2026-05-08

**See also:** Autonomy (agent) · Privileged action · Excessive agency · Guardrail

**Compare with deep glossary:** https://agentic-glossary.roei-020.workers.dev/#human-in-the-loop

### Agent authorization — Emerging 2026

The discipline of binding an agent's actions to a scoped, auditable authorization (OAuth scopes, signed agent cards, capability tokens). Anchors the SOC 2 "privileged action" boundary for non-human actors and is central to the NIST Agent Interoperability Profile.

**Source:** [NIST — AI RMF Program (AI Agent Standards Initiative)](https://www.nist.gov/itl/ai-risk-management-framework) — accessed 2026-05-08

**See also:** AI Agent Interoperability Profile · Privileged action · Excessive agency

### Agent audit trail — Emerging 2026

Specialised audit trail capturing each step of an agent's execution — model call, tool call, retrieved context, intermediate plan, observation, decision — sufficient for an auditor to reconstruct why the agent took the action it took. Increasingly required by SOC 2 and ISO 42001 implementations for production agents.

**Source:** [AICPA — SOC 2 Trust Services Criteria](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc) — accessed 2026-05-08

**See also:** Audit trail · SOC 2 Type II · ISO/IEC 42001:2023 · AI Agent Interoperability Profile

---

## AML / KYC

### KYC (Know Your Customer) — In force

*Also known as:* KYC

Customer due-diligence discipline mandated by FATF Recommendation 10: identify the customer and beneficial owner, understand the relationship's purpose, conduct ongoing monitoring. Implemented by AML laws in every FATF jurisdiction; the on-boarding boundary inside which AI-assisted screening operates.

**Source:** [FATF — Recommendations](https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html) — accessed 2026-05-08

**See also:** AML (Anti-Money Laundering) · CDD (Customer Due Diligence) · EDD (Enhanced Due Diligence) · UBO (Ultimate Beneficial Owner) · FATF (Financial Action Task Force)

### AML (Anti-Money Laundering) — In force

*Also known as:* AML

Body of law and supervisory expectation requiring regulated firms to detect, prevent, and report money laundering — covering customer due diligence, transaction monitoring, suspicious-activity reporting, sanctions screening, and record-keeping. Anchored globally by the FATF Recommendations.

**Source:** [FATF — Recommendations](https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html) — accessed 2026-05-08

**See also:** KYC (Know Your Customer) · CFT (Counter-Financing of Terrorism) · SAR (Suspicious Activity Report) · FATF (Financial Action Task Force) · Wolfsberg Group AI/ML statement

### CFT (Counter-Financing of Terrorism) — In force

Discipline parallel to AML focused on detecting and preventing terrorism financing — frequently regulated together as AML/CFT. FATF Recommendations 5–8 set the CFT obligations; UN sanctions lists are the operational filter.

**Source:** [FATF — Recommendations](https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html) — accessed 2026-05-08

**See also:** AML (Anti-Money Laundering) · Sanctions screening · FATF (Financial Action Task Force)

### FATF (Financial Action Task Force) — In force

*Also known as:* FATF

Inter-governmental body setting the global AML/CFT standards through 40 Recommendations. FATF AI/ML guidance (Nov 2025) covers the use of AI and ML in AML/CFT compliance with attention to explainability and audit trails — the regulator-side framing for AI-powered transaction monitoring.

**Source:** [FATF — Standards & guidance](https://www.fatf-gafi.org/) — accessed 2026-05-08

**See also:** AML (Anti-Money Laundering) · CFT (Counter-Financing of Terrorism) · Explainability (XAI) · Wolfsberg Group AI/ML statement

### CDD (Customer Due Diligence) — In force

FATF Recommendation 10 baseline customer-knowledge program: identify, verify, understand purpose, monitor transactions. Tiered into simplified and enhanced variants based on risk. The on-boarding workflow most KYC-agent satellites compete to automate.

**Source:** [FATF — Recommendations](https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html) — accessed 2026-05-08

**See also:** KYC (Know Your Customer) · EDD (Enhanced Due Diligence) · UBO (Ultimate Beneficial Owner) · AML (Anti-Money Laundering)

### EDD (Enhanced Due Diligence) — In force

Higher-intensity customer due diligence applied to high-risk relationships: politically exposed persons, high-risk jurisdictions, complex ownership structures, correspondent banking. Required by FATF Recommendation 10 for risk-rated higher-risk customers.

**Source:** [FATF — Recommendations](https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html) — accessed 2026-05-08

**See also:** CDD (Customer Due Diligence) · KYC (Know Your Customer) · PEP (Politically Exposed Person) · UBO (Ultimate Beneficial Owner)

### UBO (Ultimate Beneficial Owner) — In force

*Also known as:* beneficial owner

Natural person who ultimately owns or controls a customer (typically defined as ≥25% ownership or effective control). Identifying the UBO is required by FATF Recommendation 24 and is a primary AI-screening use-case in corporate on-boarding.

**Source:** [FATF — Recommendations](https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html) — accessed 2026-05-08

**See also:** KYC (Know Your Customer) · CDD (Customer Due Diligence) · EDD (Enhanced Due Diligence)

### PEP (Politically Exposed Person) — In force

*Also known as:* PEP

Individual entrusted with a prominent public function (current or recent), or their close associates and family. PEP status mandates Enhanced Due Diligence under FATF Recommendation 12 and is one of the highest-volume screening filters.

**Source:** [FATF — Recommendations](https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html) — accessed 2026-05-08

**See also:** EDD (Enhanced Due Diligence) · KYC (Know Your Customer) · Sanctions screening

### SAR (Suspicious Activity Report) — In force

*Also known as:* STR (Suspicious Transaction Report)

Report a regulated firm files with the financial-intelligence unit when it knows, suspects, or has reasonable grounds to suspect that a transaction relates to money laundering or terrorism financing. Filed with FinCEN in the U.S. and with the equivalent financial-intelligence unit in each FATF jurisdiction.

**Source:** [FinCEN — Bank Secrecy Act resources](https://www.fincen.gov/resources/statutes-regulations/bank-secrecy-act) — accessed 2026-05-08

**See also:** AML (Anti-Money Laundering) · Transaction monitoring · KYC (Know Your Customer)

### Transaction monitoring — In force

Automated surveillance of customer transactions against rule-based and increasingly ML-based scenarios to flag potentially suspicious activity for human investigation. Where most AI-powered AML innovation lands; FATF guidance emphasizes explainability for any model used.

**Source:** [FATF — Standards & guidance](https://www.fatf-gafi.org/) — accessed 2026-05-08

**See also:** SAR (Suspicious Activity Report) · AML (Anti-Money Laundering) · Explainability (XAI) · Model risk management (MRM)

### Sanctions screening — In force

Filtering customers, counterparties, and transactions against sanctions and watchlists (UN, OFAC, EU, UK HMT, regional). Required at on-boarding, on watchlist updates, and pre-transaction; false-positive reduction is the dominant productivity battleground.

**Source:** [FATF — Recommendations](https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html) — accessed 2026-05-08

**See also:** AML (Anti-Money Laundering) · CFT (Counter-Financing of Terrorism) · KYC (Know Your Customer) · PEP (Politically Exposed Person)

### Wolfsberg Group AI/ML statement — In force

*Also known as:* Wolfsberg AI statement

Industry-standard statement from the Wolfsberg Group of major international banks on the use of AI and ML in financial-crime compliance (2024). Sets expectations on governance, explainability, model risk, and human oversight that supervisors increasingly cite.

**Source:** [Wolfsberg Group — Statement on the use of AI/ML in FCC](https://www.wolfsberg-principles.com/) — accessed 2026-05-08

**See also:** FATF (Financial Action Task Force) · AML (Anti-Money Laundering) · Explainability (XAI) · Model risk management (MRM)

### KYC record retention — In force

FATF Recommendation 11: regulated firms must keep KYC, transaction, and supporting records for at least five years after the relationship ends or the transaction occurs. The retention floor most AI-powered KYC-agent designs anchor on.

**Source:** [FATF — Recommendations](https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html) — accessed 2026-05-08

**See also:** KYC (Know Your Customer) · Evidence retention · Audit trail

---

## Governance

### Three Lines Model — In force

*Also known as:* Three Lines of Defense

IIA's 2020 governance model assigning roles across three functions: first line (operational management owns risk and controls), second line (risk and compliance functions oversee), third line (internal audit provides independent assurance). The default assignment of accountability for AI governance and model risk in regulated firms.

**Source:** [IIA — Three Lines Model (2020)](https://www.theiia.org/en/content/articles/global-knowledge-brief/2020/july/three-lines-model/) — accessed 2026-05-08

**See also:** COSO ERM · Internal audit · Model risk management (MRM)

### COSO ERM — In force

*Also known as:* COSO Enterprise Risk Management

COSO's Enterprise Risk Management — Integrating with Strategy and Performance framework (2017 update). The dominant board-level ERM lens in U.S. listed firms; supplies the risk-appetite, risk-tolerance, and risk-culture vocabulary AI governance programs plug into.

**Source:** [COSO — ERM Integrated Framework](https://www.coso.org/enterprise-risk-management) — accessed 2026-05-08

**See also:** Three Lines Model · Risk appetite · ISO/IEC 38507:2022

### Risk appetite — In force

Aggregate level of risk a firm is prepared to accept in pursuit of its strategy. Set by the board, expressed in qualitative statements and quantitative limits. AI-system risk-tier policies cascade down from this — e.g., "no agentic decisioning on high-risk credit without human-in-the-loop".

**Source:** [COSO — ERM Integrated Framework](https://www.coso.org/enterprise-risk-management) — accessed 2026-05-08

**See also:** COSO ERM · Risk tier · Three Lines Model

### Internal audit — In force

Independent third line under the IIA Three Lines Model — provides assurance to the board on the design and operating effectiveness of risk and control. Increasingly evaluates AI/ML controls under IIA's 2017 AI Auditing Framework guidance.

**Source:** [IIA — Three Lines Model (2020)](https://www.theiia.org/en/content/articles/global-knowledge-brief/2020/july/three-lines-model/) — accessed 2026-05-08

**See also:** Three Lines Model · COSO ERM · SOC 2 Type II

---

## Regulators

### FCA — In force

*Also known as:* Financial Conduct Authority

U.K. financial-services conduct regulator. Its April 2024 AI Update affirmed that the existing regulatory framework — Senior Managers and Certification Regime, Consumer Duty, model risk under PRA SS 1/23 — is technology-neutral and covers AI. Outcomes-based supervision is the U.K.'s deliberate contrast to EU AI Act prescription.

**Source:** [FCA — AI Update (April 2024)](https://www.fca.org.uk/publication/corporate/ai-update.pdf) — accessed 2026-05-08

**See also:** Senior Managers Regime (SM&CR) · Consumer Duty (FCA) · SS 1/23 (UK bank model risk) · ICO AI and data-protection guidance

### Senior Managers Regime (SM&CR) — In force

*Also known as:* SM&CR

U.K. PRA/FCA accountability regime establishing personal regulatory responsibility for senior individuals running regulated firms, including statements of responsibility that increasingly cover AI/ML risk explicitly. The personal-accountability backstop behind any U.K. AI deployment in financial services.

**Source:** [FCA — AI Update (April 2024)](https://www.fca.org.uk/publication/corporate/ai-update.pdf) — accessed 2026-05-08

**See also:** FCA · Consumer Duty (FCA) · Model risk management (MRM)

### Consumer Duty (FCA) — In force

U.K. FCA principle (PRIN 12) requiring firms to act to deliver good outcomes for retail customers. Applies across product design, fair value, consumer understanding, and consumer support. AI-driven customer journeys must evidence good-outcome delivery, with vulnerable-customer carve-outs.

**Source:** [FCA — AI Update (April 2024)](https://www.fca.org.uk/publication/corporate/ai-update.pdf) — accessed 2026-05-08

**See also:** FCA · Senior Managers Regime (SM&CR)

### OCC — In force

*Also known as:* Office of the Comptroller of the Currency

U.S. federal banking regulator within Treasury. Co-author with the Federal Reserve of SR 11-7 (Model Risk Management). Issues heightened standards for large national banks; AI/ML supervisory expectations land here for federally chartered banks.

**Source:** [Federal Reserve — SR 11-7](https://www.federalreserve.gov/supervisionreg/srletters/sr1107.pdf) — accessed 2026-05-08

**See also:** SR 11-7 (US bank model risk) · Model risk management (MRM)

### MAS FEAT principles — In force

*Also known as:* FEAT

Monetary Authority of Singapore's Fairness, Ethics, Accountability and Transparency principles for AI use in financial services (2018, refreshed). The Singapore-side anchor for AI risk in regulated finance, aligned with MAS Veritas guidance.

**Source:** [MAS — FEAT Principles](https://www.mas.gov.sg/-/media/MAS/News-and-Publications/Monographs-and-Information-Papers/FEAT-Principles-Updated-7-Feb-19.pdf) — accessed 2026-05-08

**See also:** FCA · OCC · Trustworthy AI

---

*Built by AgentsBooks · 81 terms · refreshed 2026-05-08*
