The Agentic Enterprise  ·  Reference

Glossary

Working definitions for the terms used throughout this report. Where vendors and analysts disagree on a meaning — most of them do, most of the time — we have picked the one that best survives contact with a real enterprise program.

Agent
A software system that pursues goals using a model to plan, tools to act, observations to learn from, and memory to persist context across steps.
Agentic AI
AI systems with non-trivial autonomy: they decide which step comes next, what tool to call, and when a goal is met. Distinct from classical assistants where a human chooses every step.
Agent2Agent (A2A)
An open protocol for one agent to discover, authenticate to, and delegate work to another agent across organizational boundaries. Sponsored by Google and a coalition of vendors in 2025.
AGNTCY
An open-source consortium and reference architecture for cross-agent interoperability launched in 2025 by Cisco, LangChain, and others.
AI Act (EU)
Regulation 2024/1689 — the European Union's risk-tiered law on AI systems. In force from August 2024 with phased obligations through 2027. The bans on prohibited practices took effect in February 2025; general-purpose AI obligations followed in August 2025.
AI Verify
Singapore's open-source toolkit for testing AI systems against governance principles, paired with the Model AI Governance Framework.
Bounded autonomy
A design pattern in which an agent has decision-making authority within explicit budgets — money, time, scope, sensitivity — and must escalate beyond them.
Center of Excellence (CoE)
A small central team that owns standards, tooling, and review for AI/agentic work across an enterprise. Common pattern at L3+ maturity.
Conformity assessment
Under the EU AI Act and ISO/IEC 42001, the formal process of demonstrating that an AI system meets specified requirements. May be self-assessed or third-party.
Copilot
A pattern in which AI drafts and the human accepts, edits, or rejects each suggestion. Distinct from agentic AI because the human picks every step.
Drift
Statistical change over time in a model's inputs, outputs, or environment that degrades performance. Also applies to prompt drift, tool drift, and policy drift.
Eval
An automated test of an agent's behavior on representative inputs — the unit test of LLM-era software. Suites should include accuracy, safety, cost, latency, and adversarial cases.
Excessive agency
OWASP-coined risk category — an agent given more capability, scope, or trust than the use case requires. Most common runtime risk in agentic systems.
Frontier model
A model at or near the state of the art in capability — currently large LLMs above tens of billions of parameters, multi-modal, with long context.
Govern, Map, Measure, Manage
The four functions of the NIST AI RMF, the closest thing to an industry-standard structure for AI risk management.
Guardrail
Any control that constrains an agent's input, output, or behavior — content filters, schema validators, runtime policy engines.
Hallucination
A confidently asserted output not grounded in input or retrieved evidence. The dominant failure mode of generative systems.
Human-in-the-loop (HITL)
Design pattern requiring human approval before or after specific agent actions, typically gated by risk tier.
Identity for agents
The set of practices for authenticating and authorizing non-human actors: per-agent service principals, scoped tokens, on-behalf-of flows, JIT credentials.
Indirect prompt injection
An attack in which malicious instructions are smuggled into an agent via the content it retrieves rather than the user's prompt. Top-1 risk in OWASP's LLM list.
ISO/IEC 42001
International standard for AI management systems, published 2023. The first certifiable AI standard with a structure modeled on ISO 27001.
LangChain / LlamaIndex / Semantic Kernel
Popular open-source orchestration frameworks. Choose deliberately; switching costs are real even when the application is 'just' prompts.
Lighthouse
A pilot use case chosen for high value × high feasibility, used to demonstrate viability and earn budget for the broader program.
MCP (Model Context Protocol)
Anthropic-led open protocol (2024) for exposing tools, data, and prompts to LLM agents in a standard way. Adoption is broad and growing.
MITRE ATLAS
Adversarial Threat Landscape for Artificial-Intelligence Systems — MITRE's catalog of real-world AI attack tactics, modeled on ATT&CK.
Multi-agent system
Two or more agents coordinating on a task: orchestrator + workers, peer-to-peer, or auction patterns. Failure modes compound.
NIST AI RMF
NIST AI Risk Management Framework 1.0, 2023, plus the Generative AI Profile (NIST AI 600-1, 2024). The most-referenced US framework for AI governance.
Observability
The ability to inspect what an agent did and why — traces, logs, costs, decisions — after the fact and during operation.
Operating model
The org-design choice for AI: centralized CoE, hub-and-spoke, federated, or product-embedded. Each has trade-offs; pick one and live with it.
Orchestration
The runtime that drives the agent loop — picking the next step, calling tools, managing memory, applying guardrails. Distinct from the LLM itself.
OWASP Agentic AI Threats
OWASP's 2025 v1.0 catalog of agent-specific threats — supersedes and extends the LLM Top 10 for agentic systems.
RAG
Retrieval-Augmented Generation — fetching relevant data at query time to ground the model's answer. The most common pattern for enterprise agents.
Red team
Adversarial testing — humans (or other agents) trying to make a system fail in informative ways. Should be continuous, not one-shot.
Responsible Scaling Policy
Anthropic's commitment framework defining capability thresholds and required safety measures. OpenAI and DeepMind have analogous frameworks.
RMF (NIST)
Risk Management Framework. NIST has two: SP 800-37 for cyber, and the AI RMF. Different scopes; both relevant to agentic AI.
Scorecard
A structured self-assessment producing a numeric profile across pillars and levels. The interactive scorecard in this report is a worked example.
Sidenote
Short definitional gloss surfaced inline by this report's reader. Hover or tap any underlined term.
SLO
Service-level objective. For agents: P50/P95 latency, success rate, cost ceiling, and human escalation rate.
Swarm
A multi-agent pattern with many small, often homogeneous agents and emergent coordination. Powerful and brittle in equal measure.
Token
The unit of LLM input/output. Tokens drive cost, latency, and context limits. Not interchangeable across providers.
Tool
Any external capability an agent can call — API, function, database query, sub-agent. Tool design is the single highest-leverage design choice in an agent.
TRiSM
Gartner's AI Trust, Risk, and Security Management framework. Useful as a checklist; less useful as an architecture.
Trustworthy AI
Umbrella term for the cluster of properties — fairness, robustness, transparency, accountability, privacy, safety. Every framework names them; few enforce them.
Use case portfolio
The deliberately balanced set of agentic projects an enterprise funds, scored on value × feasibility and aligned to OKRs.
Vector store
A database optimized for similarity search over embeddings. The retrieval substrate for most enterprise RAG implementations.
Workflow vs agent
A workflow has a fixed graph; an agent picks the next step at runtime. Most production 'agents' in 2026 are workflows with a model in the loop.