Glossary
Thirty-plus terms every practitioner should know — written plainly, without buzzword bingo. Reference it, share it, steal it.
BYOK
Bring Your Own Key. Customer-managed encryption keys — typically via KMS or HSM — used to encrypt your data at the vendor, so the vendor never has decryption capability on its own.
A classic security pattern where a privileged intermediary (the agent) is tricked into executing an attacker's action on their behalf, with privileges the attacker doesn't possess.
The naming scheme for specific publicly disclosed vulnerabilities. Each CVE maps to one or more CWEs and includes a CVSS severity score.
Quantitative score (0.0–10.0) for vulnerability severity. Modern buyers increasingly want reachability- and exploitability-aware scores instead of raw CVSS.
A community-developed list of software and hardware weakness types. MITRE maintains the 'Top 25 Most Dangerous Software Weaknesses' list, which is updated annually.
Analysis of a running application, typically by sending probes to its surface. Strong for runtime issues (auth flaws, injection) but blind to code that isn't exercised.
A single-tenant, purpose-built execution environment that exists only for the duration of a task and self-destructs afterward. Minimizes blast radius.
EU regulation categorizing AI systems by risk tier and imposing obligations accordingly. High-risk systems have documentation, transparency, and human-oversight requirements.
When an agent has tools, permissions, or autonomy beyond the minimum required for its purpose. Over-broad scopes magnify the impact of any injection or misuse.
The single strongest reliability signal for RAG apps. Measured per-response as the fraction of claims directly supported by retrieved context.
A government-wide program providing a standardized approach to security assessment for cloud services. Moderate and High are the common impact levels for SaaS.
Fabricated facts, fake API endpoints, nonexistent citations, invented package names. The hallucinated-package class is a supply-chain attack vector in itself.
Health Insurance Portability and Accountability Act. Governs protected health information (PHI). Vendors handling PHI sign a Business Associate Agreement (BAA).
Injection payloads planted in documents, webpages, emails, or PDFs that your RAG pipeline retrieves. Because the content looks 'authoritative' to the LLM, success rates are substantially higher than direct injection.
ISO/IEC 27001:2022 specifies requirements for an Information Security Management System. Broadly accepted globally and commonly paired with SOC 2 for enterprise buyers.
Adversarial prompts designed to extract disallowed content. Roleplay attacks ('pretend you are DAN'), token smuggling, and hypothetical framing are common families.
The foundational security principle. For agents: give every tool the minimum scope, every identity the minimum permission, every session the minimum memory.
An evaluation technique where a second LLM scores the first's responses on dimensions like faithfulness, safety, or correctness. Powerful but imperfect — requires periodic human-sample calibration.
Adversarial Threat Landscape for Artificial Intelligence Systems. The authoritative tactic/technique framework for adversary behavior targeting machine-learning systems.
TLS where both client and server present certificates. Used for zero-trust service-to-service authentication in sensitive deployments.
The 2024 category list covering the most critical risks specific to LLM apps. Every Guardra finding maps to a category; auditors expect to see it.
Writing policies as code (e.g., Rego / OPA) so they can be version-controlled, reviewed, and enforced automatically by machines instead of humans.
An attack where an adversary crafts input that overrides the agent's system prompt, causing it to follow attacker instructions instead. Direct injection arrives in user messages; indirect injection arrives via retrieved content the agent is told to trust.
An attacker seeds the documents, web pages, or wiki entries your RAG index ingests with payloads designed to trigger when retrieved.
Modern SCA goes beyond 'you have a vulnerable package' to 'and you call the vulnerable function from a path that user input can reach.' Dramatically reduces noise.
Analysis of source code without executing it. Detects pattern- and data-flow-based vulnerabilities. Best combined with SCA and DAST.
A formal inventory of components in your software. CycloneDX and SPDX are the two common formats. Increasingly required by enterprise procurement and federal agencies.
Scanning dependencies (and their transitive dependencies) for known vulnerabilities and license risks. Essential given modern apps are >80% third-party code.
Instead of security-as-a-gate at the end, security as a first-class input to design and implementation. Guardra's PR-level gating is a shift-left mechanism.
An open-source system for signing and verifying artifacts without managing long-lived keys. Uses OIDC identities and a transparency log.
A framework for build provenance and tamper-resistance. Level 3+ provides cryptographic proof that your artifact was built from the expected source.
AICPA-defined controls framework covering security, availability, processing integrity, confidentiality, and privacy. A Type II report covers controls as observed over a period of time.
Principle-of-least-privilege for agent function calls. Specifies who may invoke, what arguments are valid, and what side effects are permitted — enforced at runtime.