Reference

Glossary

35 terms used in the report — agent registry, NIST RMF, MCP, A2A, prompt injection, flywheel. Each entry links to the chapter where the idea lands hardest.

A

A2A (Ch 07)
Agent-to-Agent protocol — Google's open standard for letting one agent invoke another over the network with capability discovery and signed messages.
agent (Ch 01)
A model placed in a loop with tools, memory, and a goal — capable of multi-step action without per-step prompting. The unit of cognition that this report is about.
agent registry (Ch 12)
A governed catalogue of every agent in production: owner, scope, tools, data sources, evals, kill-switch, RMF tier. The single source of truth that turns shadow agents into governed ones.
agentic AI (Ch 01)
Systems built around agents (rather than around static prompts or workflows). Implies a non-deterministic execution path chosen by the model itself.
autonomy tier (Ch 14)
A classification (assist · suggest · act-with-approval · act) that determines how much oversight an agent's action requires before it touches a system of record.

B

BCG triad (Ch 18)
Build · Buy · Boost — Boston Consulting Group's framing for how enterprises mix custom-built agents, off-the-shelf agents, and capability-enhancing services.
blast radius (Ch 11)
The set of systems, records, customers, or money an agent's worst-case action can touch. The variable that decides whether HITL is required.

C

circuit breaker (Ch 11)
An automatic shutoff that pulls an agent offline when error rate, drift, or cost crosses a threshold. The off-switch you don't have to remember to flip.
CSA Agentic Profile (Ch 08)
The Cloud Security Alliance's mapping of agentic AI threats and controls onto the NIST AI RMF — the closest thing to a working enterprise reference.

E

eval (Ch 10)
A scored test of an agent's behaviour: accuracy, refusal rate, hallucination rate, latency, cost, drift. The thing that tells you whether the agent is still the agent you signed off.

F

flywheel (Ch 20)
The compounding loop in which deployment generates data and evals, which improves the model and the agent, which earns more deployment. The central organising idea of Part III.
function calling (Ch 07)
A model's ability to emit a structured tool invocation (tool name + JSON arguments) instead of free text. The minimum surface an agent needs to act.

G

gateway (Ch 05)
A managed proxy in front of model APIs that handles routing, retries, caching, budget caps, redaction, audit. The narrowest place to insert governance.

H

HITL (Ch 14)
Human-in-the-Loop — a human is required to approve or reject an action before it commits. Done honestly: blocking, reviewable, and budgeted into latency and cost.

K

kill-switch (Ch 11)
A documented, tested mechanism to stop an agent immediately. Not the same as turning off a tool — the agent's planner has to know it has been stopped.

L

LangGraph (Ch 05)
An open-source framework for building stateful agent workflows as graphs. Common in custom-built agentic systems.

M

MCP (Ch 07)
Model Context Protocol — Anthropic's open standard for letting models talk to external tools and data sources with a uniform interface.
MITRE ATLAS (Ch 13)
A public knowledge base of adversary tactics and techniques against AI systems — the AI-specific counterpart to MITRE ATT&CK.

N

NIST AI 600-1 (Ch 08)
The Generative AI Profile of the NIST AI RMF — extends Govern/Map/Measure/Manage with generative-specific controls.
NIST AI RMF (Ch 08)
The NIST AI Risk Management Framework (AI 100-1) — four functions (Govern, Map, Measure, Manage) used in this report as the spine for any agentic deployment.

O

orchestration (Ch 05)
The layer that decides which model, which tool, and which next step. May be code (LangGraph), platform (Agentforce), or model itself.
OWASP LLM Top 10 (Ch 13)
The OWASP Foundation's top-10 risks for LLM and agentic applications — prompt injection, insecure output handling, training-data poisoning, etc.

P

prompt injection (Ch 13)
An attack in which untrusted input (a webpage, an email, a document) contains instructions that the model treats as authoritative and acts on.

R

RAG (Ch 06)
Retrieval-Augmented Generation — pulling relevant chunks from a vector store into the prompt before the model answers. The cheapest way to give an agent your private knowledge.
redline (Ch 11)
A pre-approved boundary that an agent must not cross (e.g. "never quote a price below floor", "never email outside the company"). Encoded as a hard policy, not a soft prompt.
registry (Ch 12)
See agent registry.
router (Ch 18)
A small model or rule that decides which agent (or which model behind an agent) handles a given request. The new commoditization layer.

S

shadow agent (Ch 12)
An agent built and run by a team without going through the registry, evals, or governance. The single largest source of agentic risk in most enterprises today.
SIPOC (Ch 09)
A process-mapping notation (Suppliers, Inputs, Process, Outputs, Customers) used here to map an agent's actual scope before automating it.
steering committee (Ch 08)
The group that owns the agent registry, sees evals every cycle, and is the only body that can approve a tier-3 (act) agent. Real governance, not security theatre.

T

TCO (Ch 19)
Total cost of ownership for an agent: model spend, tool spend, data spend, ops, security, eval, change management. Honest ROI uses TCO, not just per-token cost.
tier (Ch 14)
See autonomy tier.
tool (Ch 07)
A callable function with a typed schema that an agent can invoke. The boundary between cognition and action.

V

vector database (Ch 06)
A datastore (pgvector, Pinecone, Weaviate, FAISS) optimized for nearest-neighbour search over embeddings — the substrate for RAG.

W

workflow (Ch 02)
A deterministic, pre-coded sequence of steps. An agent is not a workflow; a workflow is not an agent. Most useful enterprise systems will be both.