GLOSSARY
Plain-English definitions for the prompt layer — the controls, risks, and standards behind governing AI where work actually happens: the browser.
The policies, controls and evidence that decide who can use AI, how, and what data it touches.
Australia's prudential standard requiring information-security controls proportionate to the threat.
A tamper-evident record of who did what and when — used to prove compliance to a board or regulator.
Applying policy in the browser where AI tools are actually used — no proxy, no network change.
Exposure of secrets like API keys, passwords or tokens — often by pasting config or logs into a chatbot.
Labelling data by sensitivity so controls can be applied in proportion to the risk.
Controls that stop sensitive data leaving the org — including what people type into AI, not just files.
The point where data leaves a controlled environment. For AI, pressing “send” is the new egress.
The rules and constraints that keep an AI system's behaviour within its intended bounds.
The chance that a trusted user — by accident or intent — causes a security or compliance incident.
Reading what a prompt is trying to do, not just matching keywords, so enforcement reflects real risk.
The international management-system standard for governing AI risk, controls and accountability.
A model trained on vast text to generate language — the engine behind ChatGPT, Claude and Gemini.
Personally identifiable information: data that can identify a person, such as names, emails or IDs.
Enforcement rules written in machine-readable form so they can be versioned, tested and applied consistently.
Manipulating a model's instructions with hidden or malicious input so it ignores its guardrails.
Capturing prompts and the policy action taken — for an audit trail and board-ready evidence of exposure.
Inspecting a prompt at the moment of send and choosing to allow, redact or block it before it reaches the model.
Automatically masking sensitive tokens in a prompt while keeping the rest, so the request can continue safely.
Unauthorised movement of confidential data — credentials, PII, source code — out of the organisation.
Unsanctioned use of AI tools by staff, outside the visibility and policy controls of security and IT.
An audit framework attesting a provider's controls meet trust criteria for security and confidentiality.
Replacing sensitive values with non-sensitive placeholders that authorised systems can reverse.
A configuration where prompts and outputs aren't stored by the provider, reducing exposure.