01 Core concepts
These terms define the problem space: governing what enterprise AI may see and do, and the runtime layer that enforces it. They recur across every other section in this glossary.
AI data governance
AI data governance is the discipline of controlling what enterprise AI systems are allowed to see, do, and retain. It defines who may access which data through a model, enforces those rules at runtime, and produces evidence that the rules were applied. Effective governance is operational, not just a set of policy documents. See AI data governance.
Runtime data-control plane
A runtime data-control plane sits between an enterprise's data and a language model and inspects every record and field as a request is processed. It decides, in real time and before the model sees anything, what data may pass, withholding the rest and recording each decision. Custosa is a runtime data-control plane for enterprise AI.
Prevention vs detection
Prevention vs detection contrasts two ways to handle data exposure in AI. Prevention withholds sensitive data before the model sees it, removing the leak at its source. Detection scans the output after generation and can only catch a leak that already occurred. Prevention is the stronger primary control; detection is a useful second layer.
02 RAG and retrieval
Retrieval-augmented generation is where most enterprise AI meets sensitive data, so it is where governance is enforced. These terms describe how retrieval works and how it is secured.
RAG (retrieval-augmented generation)
Retrieval-augmented generation, or RAG, is a technique that gives a language model relevant external data at query time. A retriever finds passages related to the question and adds them to the prompt so the model can answer using current, specific information it was not trained on. RAG grounds answers in real data.
RAG security
RAG security is the practice of protecting a retrieval-augmented generation system, especially the data it retrieves. Its central concern is ensuring the model is only ever given records and fields the requesting user is authorized to see, so retrieval does not become an access-control bypass. See RAG security.
Permission-aware RAG
Permission-aware RAG is retrieval-augmented generation that enforces each user's access rights during retrieval. Candidate records are filtered and sensitive fields are redacted per actor before the prompt is built, so the model only ever receives data that user is cleared to see. See permission-aware RAG.
ACL-aware retrieval
ACL-aware retrieval is retrieval that respects the access control list, or permission model, of the source data. Candidates are filtered and fields are redacted according to the requesting actor's identity and clearance before any content reaches the language model, so relevance never overrides permission. It is the mechanism behind permission-aware RAG.
"Relevance is not permission"
Relevance is not permission is the principle that a passage being the best answer to a query says nothing about whether the person asking is entitled to read it. Retrieval ranks by similarity; authorization is a separate decision that must be made explicitly, not inferred from how relevant a result happens to be.
Authorization before augmentation
Authorization before augmentation is the design rule that access decisions happen before any data is added to a prompt. The system resolves what the actor may see and redacts the rest first, then augments the prompt, so the model never receives data the user is not authorized to access. It is prevention by construction.
Prompt injection
Prompt injection is an attack in which crafted text in a prompt or in retrieved content manipulates a model into ignoring its instructions or taking unintended actions. In a RAG system, malicious instructions can ride in on retrieved documents, which is why retrieved content cannot be implicitly trusted and why access controls must not depend on the model behaving.
03 Evidence and policy
How an access decision is made, and how it is proven afterward, determines whether a control is trustworthy. These terms cover the decision and the evidence it produces.
Redaction
Redaction is the removal or masking of sensitive data so it cannot be read. In an AI data-control plane, redaction is applied per field and per actor before the prompt is assembled, so unauthorized fields are withheld from the model entirely rather than scrubbed from its output afterward. Withholding beats cleanup.
Tokenization
Tokenization replaces a sensitive value with a non-sensitive surrogate, or token, that stands in for it without revealing it. It lets a workflow reference or join on a value, such as an account number, while the real data stays withheld from systems and models that should not see it. Tokenization preserves utility without exposure.
Field-level verdict
A field-level verdict is a per-field access decision: for a given actor, each field is either PASS, meaning it may be shown, or REDACT, meaning it must be withheld. Deciding at the field level preserves useful context while protecting the specific values an actor is not cleared to see, rather than dropping whole records.
Clearance lattice
A clearance lattice is an ordered set of access levels that governs what each actor may see. Roles map to a level, and higher levels include the access of lower ones plus more. Custosa uses a five-level clearance lattice to make field-level verdicts predictable and easy to reason about across roles.
Fail-closed
Fail-closed is the behavior of denying access when a system cannot reach a confident decision. If a policy times out or a verdict cannot be established, a fail-closed control blocks the request rather than allowing it through, so uncertainty resolves toward protection rather than exposure. In Custosa it is a core, non-overridable invariant.
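An added example (not Custosa's code, and plain Python rather than Cedar) of how field-level verdicts, a clearance lattice and fail-closed behavior combine so that authorization happens before augmentation. The role names, the meaning of the five levels, the field classifications and the sample record are all constructed for illustration.

```python
from typing import Optional

# Constructed five-level lattice: 0 is lowest, 4 is highest (level meanings are assumed).
ROLE_LEVEL = {"contractor": 0, "support": 1, "analyst": 2, "clinician": 3, "compliance": 4}

# Constructed policy: minimum level required to read each field.
FIELD_MIN_LEVEL = {"ticket_id": 0, "summary": 1, "account_number": 3, "diagnosis": 3, "ssn": 4}

PASS, REDACT = "PASS", "REDACT"


def field_verdict(role: Optional[str], field: str) -> str:
    """Deterministic per-field decision; any unknown input resolves to REDACT."""
    level = ROLE_LEVEL.get(role)
    required = FIELD_MIN_LEVEL.get(field)
    if level is None or required is None:
        return REDACT  # fail-closed: unmapped role or unclassified field
    return PASS if level >= required else REDACT


def authorize_record(role, record):
    """Return (fields safe for the prompt, verdict per field)."""
    verdicts = {name: field_verdict(role, name) for name in record}
    visible = {name: value for name, value in record.items() if verdicts[name] == PASS}
    return visible, verdicts


def build_prompt(role, question, records):
    """Authorization before augmentation: only PASS fields are ever formatted."""
    lines = []
    for record in records:
        visible, _ = authorize_record(role, record)
        if visible:
            lines.append("; ".join(f"{k}={v}" for k, v in visible.items()))
    return "Context:\n" + "\n".join(lines) + "\n\nQuestion: " + question


# Constructed sample record, including a field the policy has never classified.
SAMPLE = {"ticket_id": "T-1001", "summary": "billing dispute", "account_number": "000123456",
          "ssn": "000-00-0000", "internal_note": "escalate"}

if __name__ == "__main__":
    print(build_prompt("support", "What is this ticket about?", [SAMPLE]))
    print(authorize_record("unknown-role", SAMPLE)[1])
```

The unclassified `internal_note` field is redacted for every role, including the highest level, because the policy has no basis for a confident verdict on it.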
Deterministic policy (Cedar)
A deterministic policy engine evaluates access rules so that the same inputs always produce the same verdict, with no randomness. Custosa uses Cedar, a formal policy language, so every access decision is explainable, reproducible, and auditable, rather than the probabilistic judgment of a model. Determinism is what makes a verdict defensible.
Content-free evidence
Content-free evidence is an audit record that captures what was decided without capturing the underlying data. It stores the actor, the fields passed or redacted, the policy applied, hashes, and signatures, but never the field values, so the audit trail never becomes a copy of the sensitive data it was meant to protect.
Hash-chained evidence
Hash-chained evidence links each audit entry to the previous one by including the prior entry's hash, forming a tamper-evident chain. Altering or removing any entry breaks the chain, so the log can be verified independently and offline. Custosa signs each entry with HMAC-SHA256 and appends them, never updating or deleting.
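An added example (not Custosa's code) of the content-free and hash-chained evidence entries described above: an append-only ledger whose entries record verdicts but no field values, are linked by SHA-256 and are signed with HMAC-SHA256. The entry layout, the all-zero genesis hash, the canonical JSON encoding, the key and the sample actors are assumptions made for this illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash of the first entry (convention assumed here)


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(ledger, key, actor, policy_id, verdicts):
    """Append a decision record; field names and verdicts only, never field values."""
    body = {"seq": len(ledger), "actor": actor, "policy": policy_id, "verdicts": verdicts,
            "prev_hash": ledger[-1]["hash"] if ledger else GENESIS}
    payload = _canonical(body)
    entry = dict(body, hash=hashlib.sha256(payload).hexdigest(),
                 sig=hmac.new(key, payload, hashlib.sha256).hexdigest())
    ledger.append(entry)
    return entry


def verify_chain(ledger, key):
    """Return the index of the first bad entry, or -1 if the chain verifies."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k not in ("hash", "sig")}
        payload = _canonical(body)
        expected_sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if (body.get("seq") != i or body.get("prev_hash") != prev
                or hashlib.sha256(payload).hexdigest() != entry.get("hash")
                or not hmac.compare_digest(expected_sig, entry.get("sig", ""))):
            return i
        prev = entry["hash"]
    return -1


def demo_ledger(key=b"constructed-demo-key"):
    """Constructed sample: three decisions for hypothetical actors."""
    ledger = []
    append_entry(ledger, key, "user:alice", "policy-v1", {"summary": "PASS", "ssn": "REDACT"})
    append_entry(ledger, key, "user:bob", "policy-v1", {"summary": "PASS", "ssn": "PASS"})
    append_entry(ledger, key, "user:carol", "policy-v1", {"summary": "REDACT"})
    return ledger
```

A chain on its own detects edits and removals in the middle but not truncation of the most recent entries, so a verifier also needs the latest hash (or entry count) recorded somewhere the ledger's writer cannot change.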
LLM data leakage
LLM data leakage is the unintended exposure of sensitive data through a large language model. It occurs when data a user is not authorized to see, or that should never have entered the system, reaches the model through training, context, retrieval, or logs and then surfaces in an output or trace. See LLM data leakage.
04 Healthcare
Healthcare AI handles some of the most regulated data there is. These terms map the relevant rules to how a data-control plane enforces them.
Minimum necessary standard
The minimum necessary standard is a HIPAA principle requiring that uses and disclosures of protected health information be limited to the least data needed for the task. In AI systems it maps directly to field-level redaction: give the model only the fields a task actually requires, and withhold the rest. See HIPAA-compliant AI.
PHI (protected health information)
PHI, or protected health information, is individually identifiable health information held or transmitted by a covered entity or business associate, protected under HIPAA. It includes data such as diagnoses, treatment, and identifiers tied to a person's health, and must be safeguarded whenever it is processed by an AI system, including in prompts and retrieval.
De-identification (Safe Harbor)
De-identification is the process of removing identifiers so health data no longer identifies a person. HIPAA's Safe Harbor method specifies removing eighteen categories of identifiers, such as names, dates, and record numbers, after which the data is no longer treated as PHI under the rule. It is one path to using health data more freely.
05 Financial
Regulated financial firms govern models under established supervisory frameworks. This term anchors how that guidance increasingly informs AI governance.
Model risk (SR 11-7)
Model risk is the risk of loss from decisions based on models that are wrong or misused. SR 11-7, U.S. supervisory guidance on model risk management, expects validation, governance, and controls over models, a framework that increasingly informs how regulated firms govern AI systems. See AI compliance in financial services.
From definitions to enforcement
Custosa turns these concepts into a runtime control: it inspects every record and field before the model sees it, decides per field by role, and signs every decision into a content-free ledger.
Frequently asked questions
What is the difference between RAG and permission-aware RAG?
RAG retrieves relevant data and adds it to the prompt, ranking only by relevance. Permission-aware RAG adds an authorization step: it resolves each user's identity and clearance and filters records and redacts fields before the prompt is built, so the model only receives data that user is allowed to see.
What does content-free mean in this glossary?
Content-free means a record captures decisions and metadata, such as which fields were passed or redacted, under which policy, with hashes and signatures, but never the underlying field values. A content-free evidence ledger proves what happened without ever copying the sensitive data into the audit trail.
Why use a deterministic policy instead of a model to decide access?
A deterministic policy returns the same verdict for the same inputs, so every access decision is explainable, reproducible, and auditable. A model gives a probabilistic guess that can vary between identical requests, which is unsuitable for access control where you must be able to prove why data was shown or withheld.
Is fail-closed the same as blocking everything?
No. Fail-closed means the system denies access only when it cannot reach a confident verdict, for example on a policy timeout or resolver error. Normal authorized requests pass as usual. Fail-closed simply ensures that uncertainty resolves toward withholding data rather than exposing it.