# Compliance Glossary for Agentic Systems

> 81 compliance terms with primary-source citations — NIST AI RMF, EU AI Act, SOC 2, ISO 42001, FATF, OCC SR 11-7, OWASP LLM Top 10, Anthropic agentic-system safety. Maintained by AgentsBooks (https://agentsbooks.com).

## Pages

- /index.md — full glossary as markdown
- /pages/methodology.md — sourcing methodology + bibliography
- /pages/about.md — purpose, audience, framing

## What this site is

Compliance vocabulary for builders and operators of agentic AI. 81 terms across 8 categories, each defined in 1–3 sentences with one canonical primary-source citation. Optimized for fast lookup, copy-paste into control narratives, and LLM citation.

Audience: heads of compliance, audit leads, model-risk officers, legal counsel, and product teams shipping agentic systems into regulated workflows.

## Authority

Cites 36 canonical primary sources including: NIST (AI 100-1, AI 600-1, Agent Standards Initiative), European Commission (EU AI Act, Digital Omnibus), ISO/IEC (42001, 23894, 22989, 38507, 27001, 27701), AICPA (SOC 2 Trust Services Criteria), FATF (Recommendations + AI/ML guidance), Federal Reserve / OCC (SR 11-7), Bank of England PRA (SS 1/23), FCA (AI Update 2024), MAS (FEAT), OECD (AI Principles), OWASP (LLM Top 10 2025), ICO (AI guidance), Wolfsberg Group (AI/ML statement), FinCEN (BSA), IIA (Three Lines Model), COSO (ERM), Anthropic (Building Effective Agents, Constitutional AI, Sleeper Agents, Many-shot jailbreaking, Measuring Agent Autonomy), Mitchell et al. (Model Cards).

Last refreshed 2026-05-08.

## Term index

### Frameworks (10)

- AI RMF (NIST AI 100-1) — https://compliance-glossary.roei-020.workers.dev/#ai-rmf
- GenAI Profile (NIST AI 600-1) — https://compliance-glossary.roei-020.workers.dev/#genai-profile
- AI Agent Interoperability Profile — https://compliance-glossary.roei-020.workers.dev/#ai-agent-interoperability-profile
- Trustworthy AI — https://compliance-glossary.roei-020.workers.dev/#trustworthy-ai
- ISO/IEC 42001:2023 — https://compliance-glossary.roei-020.workers.dev/#iso-42001
- ISO/IEC 23894:2023 — https://compliance-glossary.roei-020.workers.dev/#iso-23894
- ISO/IEC 22989:2022 — https://compliance-glossary.roei-020.workers.dev/#iso-22989
- ISO/IEC 38507:2022 — https://compliance-glossary.roei-020.workers.dev/#iso-38507
- AI system (canonical definition) — https://compliance-glossary.roei-020.workers.dev/#ai-system
- OECD AI Principles — https://compliance-glossary.roei-020.workers.dev/#oecd-ai-principles

### Regulations (12)

- EU AI Act — https://compliance-glossary.roei-020.workers.dev/#eu-ai-act
- High-risk AI system — https://compliance-glossary.roei-020.workers.dev/#high-risk-ai
- Annex III (EU AI Act) — https://compliance-glossary.roei-020.workers.dev/#annex-iii
- GPAI (General-Purpose AI) — https://compliance-glossary.roei-020.workers.dev/#gpai
- Systemic-risk GPAI — https://compliance-glossary.roei-020.workers.dev/#systemic-risk-gpai
- AI Literacy (EU AI Act Art. 4) — https://compliance-glossary.roei-020.workers.dev/#ai-literacy
- Conformity assessment — https://compliance-glossary.roei-020.workers.dev/#conformity-assessment
- FRIA (Fundamental Rights Impact Assessment) — https://compliance-glossary.roei-020.workers.dev/#fundamental-rights-impact-assessment
- Digital Omnibus — https://compliance-glossary.roei-020.workers.dev/#digital-omnibus
- GDPR Art. 22 (Automated decisions) — https://compliance-glossary.roei-020.workers.dev/#gdpr-art-22
- DPIA (Data Protection Impact Assessment) — https://compliance-glossary.roei-020.workers.dev/#dpia
- ICO AI and data-protection guidance — https://compliance-glossary.roei-020.workers.dev/#ico-ai-framework

### Audit standards (10)

- SOC 2 — https://compliance-glossary.roei-020.workers.dev/#soc-2
- SOC 2 Type II — https://compliance-glossary.roei-020.workers.dev/#soc-2-type-ii
- Trust Services Criteria (TSC) — https://compliance-glossary.roei-020.workers.dev/#tsc
- Common Criteria (TSC Security) — https://compliance-glossary.roei-020.workers.dev/#common-criteria
- ISO/IEC 27001:2022 — https://compliance-glossary.roei-020.workers.dev/#iso-27001
- ISO/IEC 27701:2019 — https://compliance-glossary.roei-020.workers.dev/#iso-27701
- Audit trail — https://compliance-glossary.roei-020.workers.dev/#audit-trail
- Evidence retention — https://compliance-glossary.roei-020.workers.dev/#evidence-retention
- Attestation — https://compliance-glossary.roei-020.workers.dev/#attestation
- Privileged action — https://compliance-glossary.roei-020.workers.dev/#privileged-action

### Model risk (11)

- Model risk management (MRM) — https://compliance-glossary.roei-020.workers.dev/#model-risk-management
- SR 11-7 (US bank model risk) — https://compliance-glossary.roei-020.workers.dev/#sr-11-7
- SS 1/23 (UK bank model risk) — https://compliance-glossary.roei-020.workers.dev/#ss-1-23
- Model validation — https://compliance-glossary.roei-020.workers.dev/#model-validation
- Model inventory — https://compliance-glossary.roei-020.workers.dev/#model-inventory
- Model monitoring — https://compliance-glossary.roei-020.workers.dev/#model-monitoring
- Challenger model — https://compliance-glossary.roei-020.workers.dev/#challenger-model
- Model card — https://compliance-glossary.roei-020.workers.dev/#model-card
- Risk tier — https://compliance-glossary.roei-020.workers.dev/#risk-tier
- Drift (model) — https://compliance-glossary.roei-020.workers.dev/#drift
- Explainability (XAI) — https://compliance-glossary.roei-020.workers.dev/#explainability

### Agentic-system risk (16)

- Prompt injection — https://compliance-glossary.roei-020.workers.dev/#prompt-injection
- Tool poisoning — https://compliance-glossary.roei-020.workers.dev/#tool-poisoning
- Training-data poisoning — https://compliance-glossary.roei-020.workers.dev/#data-poisoning
- Excessive agency — https://compliance-glossary.roei-020.workers.dev/#excessive-agency
- LLM supply-chain risk — https://compliance-glossary.roei-020.workers.dev/#supply-chain-risk-llm
- OWASP LLM Top 10 — https://compliance-glossary.roei-020.workers.dev/#owasp-llm-top-10
- Hallucination — https://compliance-glossary.roei-020.workers.dev/#hallucination
- Sleeper agent (model) — https://compliance-glossary.roei-020.workers.dev/#sleeper-agent
- Jailbreak — https://compliance-glossary.roei-020.workers.dev/#jailbreak
- Constitutional AI — https://compliance-glossary.roei-020.workers.dev/#constitutional-ai
- Red-teaming — https://compliance-glossary.roei-020.workers.dev/#red-teaming
- Guardrail — https://compliance-glossary.roei-020.workers.dev/#guardrail
- Autonomy (agent) — https://compliance-glossary.roei-020.workers.dev/#autonomy
- Human-in-the-loop (HITL) — https://compliance-glossary.roei-020.workers.dev/#human-in-the-loop
- Agent authorization — https://compliance-glossary.roei-020.workers.dev/#agent-authorization
- Agent audit trail — https://compliance-glossary.roei-020.workers.dev/#agent-audit-trail

### AML / KYC (13)

- KYC (Know Your Customer) — https://compliance-glossary.roei-020.workers.dev/#kyc
- AML (Anti-Money Laundering) — https://compliance-glossary.roei-020.workers.dev/#aml
- CFT (Counter-Financing of Terrorism) — https://compliance-glossary.roei-020.workers.dev/#cft
- FATF (Financial Action Task Force) — https://compliance-glossary.roei-020.workers.dev/#fatf
- CDD (Customer Due Diligence) — https://compliance-glossary.roei-020.workers.dev/#cdd
- EDD (Enhanced Due Diligence) — https://compliance-glossary.roei-020.workers.dev/#edd
- UBO (Ultimate Beneficial Owner) — https://compliance-glossary.roei-020.workers.dev/#ubo
- PEP (Politically Exposed Person) — https://compliance-glossary.roei-020.workers.dev/#pep
- SAR (Suspicious Activity Report) — https://compliance-glossary.roei-020.workers.dev/#sar
- Transaction monitoring — https://compliance-glossary.roei-020.workers.dev/#transaction-monitoring
- Sanctions screening — https://compliance-glossary.roei-020.workers.dev/#sanctions-screening
- Wolfsberg Group AI/ML statement — https://compliance-glossary.roei-020.workers.dev/#wolfsberg
- KYC record retention — https://compliance-glossary.roei-020.workers.dev/#kyc-record-retention

### Governance (4)

- Three Lines Model — https://compliance-glossary.roei-020.workers.dev/#three-lines
- COSO ERM — https://compliance-glossary.roei-020.workers.dev/#coso-erm
- Risk appetite — https://compliance-glossary.roei-020.workers.dev/#risk-appetite
- Internal audit — https://compliance-glossary.roei-020.workers.dev/#internal-audit

### Regulators (5)

- FCA — https://compliance-glossary.roei-020.workers.dev/#fca
- Senior Managers Regime (SM&CR) — https://compliance-glossary.roei-020.workers.dev/#senior-managers-regime
- Consumer Duty (FCA) — https://compliance-glossary.roei-020.workers.dev/#consumer-duty
- OCC — https://compliance-glossary.roei-020.workers.dev/#occ
- MAS FEAT principles — https://compliance-glossary.roei-020.workers.dev/#mas-feat

## See also

- AgentsBooks pillar (Compliance for Agentic Systems): https://agentsbooks.com/blog/compliance-agentic-systems
- AgentsBooks Anatomy of a Firm: https://agentsbooks.com/anatomy
- Try AgentsBooks: https://agentsbooks.com/login?returnTo=/onboarding