AI and security terms, in plain English

You shouldn't need a translator to buy AI governance. Here's what the words mean — the vocabulary you'll meet from AI vendors, auditors, insurers, and us.

AI basics

Generative AI
AI that creates new material — text, images, drafts, summaries — rather than just searching or sorting. ChatGPT, Copilot, and Claude are all generative AI; it's the kind of AI this site is mostly about.
AI model
The engine behind tools like ChatGPT or Copilot. When a vendor says your data 'trains the model,' it means the system learns from what you type — what you paste in can leave your control and resurface elsewhere.
Prompt / prompting
A prompt is what you type into an AI tool — the question or instruction. Prompting is the skill of writing those instructions so you get usable, consistent answers instead of generic ones.
AI agent
Software that completes multi-step tasks on its own — it can read, decide, draft, and send without a person driving each step, using accounts the way an employee would. Not a person, and not the same as a simple automation.
Automation
A workflow that runs the same fixed steps every time: something happens (an invoice arrives), the AI does its one defined step (drafts the entry), and a person checks the result. Predictable and inspectable — the opposite of an agent that improvises.
Human-in-the-loop
A person reviews and approves before the system does anything consequential — sending the email, filing the record, paying the invoice. The opposite of letting software act unchecked.
Token costs
How most AI is billed: you pay for every chunk of text the AI reads and writes, metered like a utility. Agents read a lot, so bills can climb fast and unpredictably.

Running AI at work

AI governance
The rules, training, and oversight that make AI safe to use at work — which tools are approved, what data can go into them, and who checks the output. It's the difference between staff quietly using AI and the business actually running it.
Operational AI
GuardXID's term for AI that runs inside your daily work — drafting documents, answering questions, moving files — with rules, training, and oversight behind it, instead of sitting in a pilot project or someone's personal account.
Shadow AI
Staff using AI through personal accounts the business can't see — like pasting client data into free ChatGPT because it helps them finish faster, with no one approving it. Usually well-intentioned, always invisible to management.
Tier
The plan level you buy a tool at — free, personal paid, business, or enterprise. Same product, very different data rules: lower tiers may use what you type to improve the AI, while business tiers come with admin controls and a written promise about your data.
Acceptable use policy (AUP)
The written rules for how employees may and may not use AI at work — which tools are approved, what data can go in, and what must be double-checked. Usually one or two pages, not a binder.
Risk register
A written list of your AI risks with a named owner and a planned fix for each one — who could paste what where, what happens if a tool gets it wrong, and what you'd do about it. An assessment produces it; you keep it current.
Data classification
Sorting your business information by sensitivity so everyone knows which kinds are safe to put into which AI tools — marketing copy, fine; client files or patient records, only in approved business-grade tools.
Tool inventory
A running list of every AI tool in use at your business — who uses it, for what, and on which account plan. The first governance document, because you can't set rules for tools you don't know about.
Approved-use registry
GuardXID's term for the living record of which AI uses are approved at your business — the task, the tool, the account, and who signed off. A registry rather than a list, because it gets maintained.
Runbook
The plain operating manual for an automation — how to run it, what to do when it misbehaves, and how to shut it off. Every build ships with one so you're not dependent on us to operate it.

Accounts and logins

Identity security
In security, 'identity' means accounts and logins — not people. Identity security is keeping every login, password, and permission locked down: knowing exactly who has access to what, and removing it the day they leave.
Multi-factor authentication (MFA)
The second proof at login beyond a password — usually a code on your phone or an approval tap. It stops most attacks that use a stolen password, but only if it's required for everyone, not just available.
Credential exposure
When employee usernames and passwords show up in a data breach and start circulating among criminals. We check known breach collections to see whether yours are already out there — most businesses find at least a few.
Attack surface
Everything an attacker could try as a way in — every account, exposed system, and connected tool your business has. Each new AI tool adds another door to watch.
Prompt injection
An attack that hides instructions inside content an AI reads — a web page, an email, a document — hijacking what the tool does with the data it can reach. The AI follows the hidden orders because it can't tell them apart from yours.
Identity provider
The system your team signs in with — for most small businesses, Microsoft 365 or Google Workspace. It's the front door to everything else, which is why so much security work starts there.
API / API key
An API is how one app talks to another; an API key is the password apps use to do it. Keys deserve the same protection as any password — a leaked key is a leaked login.

Audits and certifications

SOC 2
A security audit report that big customers ask vendors for before they'll sign. An outside auditor examines how you protect data and writes it up. Type 1 checks a single point in time; Type 2 proves your safeguards worked over several months — slower, but worth more.
HIPAA
The federal law governing how patient health information must be protected. If you run a medical or dental practice it already applies to you — including to any AI tool that touches patient data.
ISO 27001
The international security-management certification — roughly SOC 2's overseas cousin. It matters mostly if you sell to multinational or very large companies; most Nebraska businesses only meet it inside a client's vendor questionnaire.
HITRUST
A security certification used mainly in healthcare that bundles HIPAA and other requirements into one audited framework. Hospital systems sometimes require it of their vendors; most small practices don't need it.
Business associate agreement (BAA)
The HIPAA contract that makes a vendor legally responsible for protecting the patient data it handles. A medical practice needs a signed BAA before any AI tool touches patient information — no BAA, no patient data.
Data Processing Agreement (DPA)
The contract that spells out what a vendor may do with the personal data your business hands it: how it's stored, who sees it, whether it trains their AI, what happens when you leave. Some vendors call it a Data Protection Addendum. Think of it as the BAA's general-purpose cousin — if an AI vendor won't sign one, that's your answer.
Compliance framework
A published set of security requirements a business can be checked against — SOC 2, HIPAA, ISO 27001, NIST. When an auditor, insurer, or big customer asks what framework you follow, they mean one of these.
Controls
Audit-speak for the specific safeguards an auditor tests — MFA required on every account, access reviewed quarterly, backups verified. Not buttons or restrictions: documented practices you can prove you follow.
Attestation
The formal report an outside auditor issues saying your security practices check out — what most people call 'getting SOC 2' or 'passing the audit.' It's auditor vocabulary for a certification.
Penetration test
Paying a security specialist to actually try to break into your systems and report what they reached. Useful — but a different service. Our assessment reviews how AI and accounts are governed; nobody attempts a break-in.

Who does what

Fractional
Part-time and ongoing, like a fractional CFO: senior expertise for a few hours a month instead of a full-time salary. A Fractional AI Officer is your AI lead without the full-time hire.
Managed service provider (MSP)
The outsourced IT company many small businesses already use — the people who run your email, computers, and backups. If you'd call someone 'our IT guy,' you have an MSP.
Incident response (IR)
The emergency work during and after a breach — containing the attack, recovering systems, handling legal notification. An IR firm is who you call mid-attack. The Guardian Plan is early warning and monitoring, not incident response.
Dark web monitoring
Watching the hidden corners of the internet where stolen data is bought and sold — plus the criminal chat channels next to them — for any mention of your business: employee passwords, look-alike domains, exposed systems.
Vanta
A compliance automation platform — software that collects and organizes the evidence auditors ask for, so getting SOC 2 or HIPAA-ready doesn't eat your year. GuardXID is a verified Vanta partner.
NordStellar
The threat-monitoring platform behind our Guardian Plan. It scans the open internet and dark web for your leaked passwords, look-alike domains, and exposed systems — and we review every alert before it reaches you.
SMB
Industry shorthand for small and mid-size business — roughly a handful to a few hundred employees. If you're reading this site, it almost certainly means you.

Met a term here that's already showing up in your business? That's usually the moment a conversation helps.