Glossary

The AI Governance glossary

Plain-English definitions of the concepts behind enterprise AI governance — from AI agents and MCP servers to policies, risk and audit.

AI Agent

A software actor powered by an AI model that can reason over a goal and take actions on its own — calling tools, APIs and other agents — with limited human supervision. Unlike a chatbot, an agent does things: it reads data, invokes systems and can change state.

Also calledAutonomous agent, agentic AI, non-human worker
Why it mattersAgents act with real permissions, so they need an identity, policies and an audit trail — like any privileged workforce.

AI Identity

The governed identity of an AI actor — an agent, model or MCP tool — treated as a first-class principal you can name, own, authorize, and revoke. It is the AI equivalent of a user or service account, but built for actors that can be created and destroyed continuously.

Also calledNon-human identity (NHI), machine identity, agent identity
In AuthSpokeThe AI Identity Registry is the authoritative record of every AI identity, correlated across all integrations.

Machine Identity

Any non-human identity used by software to authenticate — service accounts, API keys, workload identities, certificates. AI identities are a fast-growing, higher-risk subset because they act autonomously rather than executing fixed code paths.

Also calledNon-human identity, workload identity

MCP Server (Model Context Protocol)

A server that exposes tools, data and prompts to AI models through the open Model Context Protocol. MCP is becoming the standard way agents connect to enterprise systems — which makes the MCP layer a critical control point for governance.

StandardModel Context Protocol (MCP) — an open protocol for connecting models to tools and context
Why it mattersEvery tool an MCP server exposes is a capability an agent can invoke; unregistered MCP servers are ungoverned access.

Tool Calling

The mechanism by which an AI model invokes an external function, API or MCP tool to get information or take action. Each tool call is a concrete capability being exercised — and therefore something that can be authorized, denied and logged.

Also calledFunction calling, tool use

AI Authorization

Deciding, at the moment of action, whether a given AI identity is allowed to perform a given operation on a given resource — and enforcing that decision. It extends classic authorization (RBAC/ABAC) to autonomous actors and individual tool calls.

Enforced byA policy engine evaluating policies against the request context

AI Policy

A rule that governs what AI identities may do — which tools they can call, which data they can touch, under which conditions, and with what limits. Policies turn governance intent (“support agents may not access billing”) into enforceable controls.

ModelsRole-based (RBAC), attribute-based (ABAC), and context-aware conditions

Policy Engine

The component that evaluates policies against a request and returns an allow/deny decision, usually in milliseconds. It is the enforcement heart of an AI control plane — every tool call and agent action can be routed through it.

AI Governance

The discipline of managing AI systems so they are secure, compliant, accountable and aligned with policy across their lifecycle. In practice it means knowing which AI actors exist, what they can do, what they did, and being able to prove it.

PillarsDiscovery, identity, authorization, risk, compliance and audit

AI Control Plane

A central system that discovers, governs, authorizes and audits every AI agent and MCP server in an enterprise. It sits alongside identity providers like Okta and Entra, extending identity and access governance to autonomous AI actors.

In AuthSpokeThis is what AuthSpoke is — the Enterprise AI Control Plane.

AI Trust Score

A calculated measure of how much an AI identity can be relied upon, based on signals such as ownership, provenance, behavior and policy adherence. It helps prioritize which actors to trust, watch or restrict.

AI Risk Score

A calculated measure of the potential harm an AI identity represents — from its privileges, exposure, and anomalous behavior. High-risk identities surface first in the Risk Center for review and remediation.

Prompt Injection

An attack in which malicious instructions are smuggled into the content an AI model reads — a web page, document or tool result — to hijack the agent into doing something it shouldn’t. It is the AI-era equivalent of injection attacks, and a top governance risk.

DefenseLeast-privilege tool access, policy enforcement on actions, and full audit of tool calls

Zero Trust

A security model that trusts no actor by default and verifies every request explicitly, regardless of network location. Applied to AI, it means every agent action is authenticated, authorized and logged — never assumed safe because it’s “internal.”

AI Discovery

The continuous process of finding AI agents, models and MCP servers across an environment — including shadow AI that no one registered — and bringing them into the registry so they can be governed.

Also calledShadow-AI discovery, agent discovery

AI Audit

The immutable record of what every AI identity did — which tools it called, which data it touched, which decisions were made and by whom they were authorized. It is what turns AI activity into evidence you can hand to auditors and regulators.

SupportsSOC 2, ISO 42001, the EU AI Act and internal accountability

AI Session

A bounded period of activity during which an AI identity is authenticated and acting — the unit against which tokens, permissions and behavior are tracked. Sessions make autonomous activity observable and revocable in real time.

No terms match your search.

Govern the concepts you just read about

AuthSpoke is the Enterprise AI Control Plane — discover, govern, authorize and audit every AI agent and MCP server.

Get a Demo