KYE Learn™ · Glossary

AI governance glossary.

Canonical definitions. Each term is defined once here and referenced wherever it appears. Drift is impossible — articles resolve to these definitions at render-time.

AI governance: The discipline of bounding what an AI system may do, recording what it did, and proving the system stayed inside its bounds when audited. Covers policy, technical controls, evidence, attestation, and the regulatory frameworks that connect the four.
AI agent: An AI system that takes actions in the world — not just produces text. Agents read, decide, and execute against external systems. Governance of agents is harder than governance of models because agents have effects that cannot be unwound.
Delegated authority: The narrow, scoped permission an agent receives from a human principal to act on the principal's behalf. Authority always has a purpose, a scope, an actor, an expiry, and an evidence-emission requirement. Authority is delegated, not assumed.
Purpose Permission™: KYE Protocol™'s permission model where every privileged action must declare its purpose AND its scope before it executes. A purpose is admissible only when it maps to a recorded business reason; a scope is admissible only when it falls inside the actor's authority lattice.
Authority gap: When an agent takes an action that exceeds its delegated authority — the action happened, but the actor lacked the right. The AI-governance equivalent of unauthorised access in cybersecurity.
Evidence Pack™: A signed, hash-linked bundle that records the full chain — purpose, admissibility decision, actor, scope, the action itself, the outcome, the attesting controls. Cite-able in regulator response, board pack, or court. Evidence is constructed at decision-time, not reconstructed post-hoc.
Replay-Proof™: Cryptographic property where a third party can take the public signatures from an evidence pack and the public spec, and re-derive the same decision the original system reached — without the originator's secrets. The difference between "we logged it" and "a regulator can reproduce it".
Assurance Card: The tenant-facing artefact that names every control in scope, its last attestation, and the framework rows it satisfies. Updated continuously, not at audit-time. The agent-governance equivalent of a SOC 2 report — but live.
Attestation: A signed statement that a named control was operating effectively at a named time, by a named attestor. Attestations have a freshness window (≤90 days under KYE Protocol™); past that, the control reads as untrusted until re-attested.
Model risk: The risk of an adverse outcome from a model's errors, biases, or misuse. Originated in banking (Fed SR 11-7, 2011). For AI agents the four classic categories extend to a fifth: action error.
Shadow mode: Running an AI agent alongside a human (or non-AI baseline) where the agent's recommended actions are recorded but not executed. Used to measure agent quality against a known-good baseline before enforcement is turned on.
Operating Model (KYE™): The signed declaration of how an organisation runs an AI-agent workflow — the bindings, the guards, the approval modes, the kill-switches, the dual-channel sign-offs. Compiled into a Compiled Authority Bundle that the runtime enforces.
Four-eyes (dual-channel) approval: A high-stakes action requires sign-off from two independent humans through two independent channels (e.g. one dashboard click + one email confirmation). Removes the single-compromise attack surface.
EU AI Act: Regulation (EU) 2024/1689 on AI. Risk-tiered (prohibited / high-risk / limited-risk / minimal-risk) with horizontal obligations on transparency, human oversight, data governance, technical documentation, post-market monitoring. Phased application 2025-2027. See the full explainer.
ISO/IEC 42001: International standard for an AI management system (AIMS) — the first management-system standard specifically for AI. Modelled on ISO 27001 and ISO 9001. See the full explainer.