Reference

Glossary

Short, technical definitions of terms used across our research on enterprise AI agents and AI security. Alphabetical order.

Terms

A2A Protocol

An open protocol for communication and capability discovery between AI agents, independent of framework. Complements MCP, which governs agent-to-tool communication.

Agent

A system built around an LLM that repeatedly reasons, calls tools, and acts on the results, rather than returning a single response. Unlike a chatbot, it acts on external systems across multiple steps.

Agent Framework

A library providing reusable primitives for building agents: orchestration, state management, tool integration, multi-agent coordination. Examples: LangGraph, CrewAI, OpenAI Agents SDK, Google ADK.

Agent Harness

The control layer between a raw model and the real world: tool registry, context and memory management, guardrails, permission enforcement, error handling. "Agent = Model + Harness."

Agent Loop

The repeated cycle inside an agent turn: assemble context, call the model to reason, act on a tool call, feed the result back, repeat until a stop condition is reached. Canonical form: the ReAct pattern.

Agent Memory

Persistent state an agent retains across sessions: procedural, semantic, or episodic. Enables long-running agents but introduces persistent memory poisoning as a risk.

Agent Registry

An inventory of all agents in an organization, including officially built, third-party, and shadow agents. A core component of a control plane.

AI Control Plane

The control-plane layer for agents: registration, identity, policy enforcement, and lifecycle management. Distinct from the gateway, which is the data plane.

AI Gateway

The data-plane layer for agent-to-tool, agent-to-LLM, and agent-to-agent traffic: rate limiting, inline guardrails, tool federation, cost control, tracing.

Agentic Supply Chain

The dependencies an agent relies on beyond the model itself: framework libraries, community tools, MCP servers, registries. A compromised link can change agent behavior after the fact.

Approval Fatigue

The tendency of human reviewers to approve most permission prompts reflexively once volume is high, undermining human-in-the-loop as a safety control.

Autonomous Security

Security controls that are themselves agentic: detecting and responding to threats at machine speed rather than through manual review. An emerging, still-immature capability.

Cost Explosion / Denial-of-Wallet

A risk where unbounded loops, retries, or unauthorized tool usage drive up compute or API cost without a corresponding rate or budget limit.

Excessive Agency

A risk where an agent is granted more autonomy, tool access, or permissions than the task requires, expanding the blast radius of any single error.

Human-in-the-Loop (HITL)

A design pattern requiring human approval before an agent executes an irreversible or high-impact action.

Indirect Prompt Injection

Prompt injection delivered through content an agent processes as part of its task, such as a tool result or web page, rather than through direct user input.

JIT Credentials

Short-lived, task-scoped credentials issued to an agent only for the duration and scope of a specific action, replacing long-lived static credentials.

Kill Switch

A control-plane capability to immediately revoke an agent's access or halt its execution, independent of the agent's own logic.

Least Agency

The principle that an agent's autonomy and tool access should be the minimum required for its task, granted deliberately rather than by default.

LLM Call

A single, stateless request-response interaction with an LLM: one prompt in, one completion out. No memory, no tools, no loop.

Long-Running Agent

An agent that works on a task across multiple sessions and context windows, with persistent memory and the ability to resume after interruption.

Longitudinal Safety Drift

The risk that an agent's behavior becomes unsafe over an accumulated series of sessions even though each individual session passes safety benchmarks.

MAESTRO

A seven-layer threat-modeling framework for agentic AI that treats security and compliance as a layer cutting across all other layers.

MCP (Model Context Protocol)

An open protocol standardizing how agents connect to external tools and data sources. A major source of real-world agentic risk when servers are misconfigured.

Non-Human Identity (NHI)

An identity assigned to a non-human actor, such as an agent or service, rather than a human user. Now substantially outnumbers human identities in most enterprises.

OWASP Top 10 for Agentic Applications

A risk taxonomy naming ten agent-specific risk categories, from Agent Goal Hijack to Rogue Agents (ASI01–ASI10).

Persistent Memory Poisoning

An injection attack that lands in an agent's persistent memory and is reloaded on every subsequent session, functioning as a persistence mechanism.

Policy-as-Code

Enforcing governance rules as machine-readable policy evaluated at the infrastructure layer, rather than as text-based instructions.

ReAct Pattern

The canonical agent loop pattern: observe, think, act, repeated until a stop condition. Short for "Reasoning and Acting."

Rogue Agent

An agent that acts outside its intended scope or authorization, and is not caught because no registry or control plane is tracking it.

Rule of Two

A design constraint: within a session, an agent should have at most two of three properties — untrustworthy input, access to sensitive systems, and the ability to change state externally.

Runtime

The operational hosting layer for an agent: compute, scaling, isolation, agent identity, networking, observability hooks.

Scaffold

The behavior-defining layer of an agent: system prompt, tool descriptions, output format instructions.

Session (as audit log)

An append-only log of every model call, tool call, and result within an agent's execution. The primary audit-evidence artifact for agentic systems.

Shadow AI Agent

An agent built, deployed, or connected without going through an organization's agent registry or governance process.

Tool Calling

The mechanism by which an agent invokes external functions, APIs, or tools based on the model’s decision, and receives the result back into its context.

Tool Poisoning / Rug Pull

Two MCP-specific attack techniques: hiding malicious instructions inside a tool's description, or changing a tool's behavior after a client has already approved it.