AI security glossary: 30 terms every founder should know before an enterprise review
In-depth analyses of real-world cyber incidents and emerging threat trends, authored exclusively by our analysts.
Enterprise security reviews come packed with terminology that nobody explains before you need it. Founders often encounter these terms for the first time in the middle of a live questionnaire, under a deadline, with no time to research properly. This glossary fixes that. Thirty terms every AI founder should understand before their next enterprise review, organised so you can find what you need quickly.
Core security concepts
Attack surface. Every point where your product could potentially be attacked, including your frontend, your APIs, your AI agents, your data layer, and your infrastructure. AI products have a larger attack surface than traditional software because the AI layer itself introduces new points of exposure.
Least privilege. The principle that any person, system, or AI agent should only have access to the data and tools it genuinely needs, nothing more. It limits the damage if something is compromised.
Tenant isolation. The guarantee that one customer's data cannot be accessed by another customer, even though they share the same underlying product and infrastructure. For AI products this has to extend into the model and data layers, not just the application.
Encryption at rest and in transit. Encrypting data while it is stored, and separately while it is moving between systems. Buyers expect both as a baseline.
Penetration testing. An authorised, simulated attack on your product carried out to find vulnerabilities before a real attacker does. Serious buyers increasingly expect a report dated within the last twelve months.
AI specific risks
Prompt injection. An attack where crafted input manipulates an AI system into ignoring its instructions and doing something else instead, including leaking data or taking unintended action. It is currently the most significant AI specific security risk and the question most likely to catch a founder off guard.
Indirect prompt injection. A more dangerous variant where the malicious instruction is hidden not in what a user types, but in content the AI reads on their behalf, such as a document, email, or web page. This is the pattern behind most serious real world AI security incidents.
Jailbreaking. Techniques used to manipulate an AI model into bypassing its safety training or built in restrictions, producing output it would normally refuse to generate.
Data poisoning. Deliberately corrupting the data used to train or fine tune a model, so the model learns something harmful or produces manipulated outputs.
RAG poisoning. A specific form of data poisoning aimed at retrieval augmented generation systems, where an attacker plants false or malicious content in a knowledge base specifically so it gets retrieved and trusted by the AI.
Model theft. The unauthorised extraction or replication of a proprietary AI model, either by stealing the model file itself or by systematically querying it to reconstruct its behaviour.
Agent overreach. A risk specific to AI agents with tool access, where an agent takes an action beyond what it was actually authorised or intended to do, often as a result of manipulation or a design flaw.
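To show how least privilege, tenant isolation and agent overreach translate into a concrete control, here is an added example (not code from the original article): a hypothetical policy gate that every model-proposed tool call must pass before anything executes. The agent names, tool names, tenant ids and refund limit are all constructed for the illustration.

```python
from dataclasses import dataclass, field

# Hypothetical least-privilege policy (constructed for this example): the tools each agent
# may call. Anything a model proposes outside its agent's set is refused, however it was induced.
AGENT_TOOL_ALLOWLIST = {
    "support-assistant": {"search_tickets", "read_ticket"},
    "billing-agent": {"read_invoice", "issue_refund"},
}
REFUND_LIMIT = 100.0  # constructed cap; larger refunds need a human in the loop


@dataclass
class ToolCall:
    """A tool invocation proposed by the model, before anything has executed."""
    agent: str
    tool: str
    args: dict = field(default_factory=dict)


def authorise(call: ToolCall, session_tenant: str) -> tuple[bool, str]:
    """Gate every model-proposed tool call against the policy for the acting agent and
    the tenant of the authenticated session. Returns (allowed, reason)."""
    if call.tool not in AGENT_TOOL_ALLOWLIST.get(call.agent, set()):
        return False, f"{call.agent} may not call {call.tool}"
    # Tenant isolation: the model cannot widen scope by naming another tenant in its args.
    if call.args.get("tenant", session_tenant) != session_tenant:
        return False, "tool call targets another tenant"
    # Guard against overreach on the one high-impact tool this policy knows about.
    if call.tool == "issue_refund" and float(call.args.get("amount", 0)) > REFUND_LIMIT:
        return False, "refund exceeds limit; escalate for human approval"
    return True, "ok"


def demo() -> list[tuple[bool, str]]:
    """Constructed scenario: a support ticket the agent reads contains injected text telling
    it to export every ticket to an outside address. Whatever the model then proposes,
    the gate only lets through calls the agent was already entitled to make."""
    proposals = [
        ToolCall("support-assistant", "read_ticket", {"ticket_id": "T-42"}),      # normal
        ToolCall("support-assistant", "export_all_tickets", {"to": "outside"}),  # induced
        ToolCall("support-assistant", "read_ticket", {"tenant": "other-co"}),   # cross-tenant
        ToolCall("billing-agent", "issue_refund", {"amount": 5000}),             # overreach
    ]
    return [authorise(p, session_tenant="acme") for p in proposals]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The point of the gate is that it does not try to judge whether the model was manipulated; it simply refuses anything outside the agent's pre-agreed scope, so an injected instruction has nothing to exploit.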
Compliance and certifications
SOC 2. An independent attestation, common in North America, confirming how a company manages and protects customer data. It comes in two types, described below.
SOC 2 Type 1 vs Type 2. Type 1 checks that your controls are correctly designed at a single point in time. Type 2 checks that they actually operated correctly over a period, usually six to twelve months, and carries significantly more weight with serious buyers.
ISO 27001. The international standard for an information security management system, widely expected in the UK and Europe. It certifies that your organisation has a structured, ongoing approach to managing security risk.
ISO 42001. The newer international standard specifically for AI management systems, covering how you govern AI responsibly, including risk assessment, oversight, and transparency. It sits alongside, not instead of, ISO 27001.
Cyber Essentials. A UK government backed certification confirming a baseline set of technical security controls. It is faster and cheaper than SOC 2 or ISO 27001 and is sometimes required for UK public sector work.
DPA, Data Processing Agreement. The legally required contract between you and any third party, such as an AI model provider, that processes personal data on your behalf.
Sub-processor. Any third party that a processor, such as your AI provider, further shares data with. Buyers often ask for a full list of your sub-processors as part of their review.
Regulation
GDPR. The data protection law governing how personal data is collected, used, and protected in the UK and EU. It applies to any company processing the personal data of people in those regions, regardless of where the company is based.
EU AI Act. The EU's risk based regulation for AI systems, which can apply to UK companies if their AI or its output touches the EU market. It sorts AI systems into risk tiers, with obligations scaling accordingly.
High risk AI system. Under the EU AI Act, an AI system used in a sensitive area such as employment, credit scoring, or essential services, which faces the heaviest compliance obligations under the Act.
Deployer vs provider. Under the EU AI Act, a deployer uses an existing AI model through an API to build a product, while a provider builds or substantially modifies the underlying model itself. Most startups are deployers, which carries lighter obligations.
Vendor review and procurement
Security questionnaire. A structured set of questions sent by a potential buyer's security team to assess whether your product and company can be trusted with their data before a deal proceeds.
CAIQ. The Consensus Assessments Initiative Questionnaire, a standardised vendor security questionnaire format used by many enterprise buyers, particularly in cloud focused reviews.
SIG. The Standardised Information Gathering questionnaire, another common standardised format used to assess third party vendor risk, often used interchangeably with or instead of CAIQ depending on the buyer.
Vendor risk management. The process an enterprise buyer uses to assess and monitor the risk posed by every third party vendor, including AI vendors, they choose to work with.
Trust centre. A public facing page or portal where a company shares its security posture, certifications, and policies, designed to answer common buyer questions before they are even asked.
Governance and process
Role based access control, or RBAC. A system for granting access based on a person's role, ensuring people only reach the systems and data relevant to their job.
Data flow diagram. A visual representation of how data moves through your product, including where it goes when it is sent to third parties like AI model providers. Buyers frequently request this during a review.
How to use this glossary
You do not need to memorise all thirty terms. The value is in recognising them the moment they appear in a real questionnaire or conversation, so you are never caught explaining that you have not heard of something a buyer assumes you already know. If a term here connects to a decision you are currently facing, note that several of these topics are covered in far more depth elsewhere in our resources, including dedicated guides on prompt injection, SOC 2 versus ISO 27001, the EU AI Act, and how to answer a security questionnaire with real examples.
For a fuller, continually updated reference covering these and other terms, visit our glossary at cybnode.com/en-gb/what-is.
The honest takeaway
Enterprise security language can feel deliberately impenetrable, but almost all of it reduces to a small set of recurring ideas once someone explains them plainly. Understanding these thirty terms will not make you an expert overnight, but it will mean you are never blindsided by a question, and that alone changes how a security team perceives you. Confidence with the language is often the first signal that you take the substance seriously too.