AI Agent Governance Glossary

This glossary keeps the CAISI vocabulary plain because governance work gets muddy fast when every team uses different words for the same mechanism. The goal is not new jargon. It is a small set of terms AppSec, platform, and engineering can reuse without losing the underlying control logic.

How to use this

Plain language first

Each term here is written in normal English first, with the technical meaning attached to it rather than hidden inside it.

Best fit

Use it in evaluations and internal memos

These are the terms that show up most often when teams are trying to compare tools, define controls, or explain incidents.

Decision and proof

Approval mediation

Whether approval actually changes execution state. If approval only leaves a record and the action can still execute anyway, the mediation is weak.

Proof packet

The artifact bundle a reviewer, auditor, or incident responder can inspect cold. It should explain scope, policy, execution, validation, and residual risk without side-channel narration.

Receipts vs proof

A receipt shows that something was approved or requested. Proof shows what actually happened. Mature workflows need both.

Residual risk

What remains uncertain, deferred, or dependent on human review after the run. Good proof makes residual risk explicit instead of implying certainty.

Execution and boundaries

Execution boundary

The moment before an agent can change something real. This is where meaningful policy has to run if the goal is prevention, not documentation after the fact.

Non-executable

A state where the requested action cannot run. This matters because "deny" or "approval required" is only credible if it actually makes the action non-executable.

Write path

Any route an agent can use to change code, systems, data, or other production reality. Repos, MCP tools, CI jobs, and local runners can all be write paths.

Stop semantics

The runtime contract that determines what happens after a stop request. A stop control is only strong if it prevents new side effects after the state transition.

Workflows and repos

Repo contract

The docs, commands, fixtures, tests, and boundaries that tell both humans and agents how work is supposed to happen in a repo.

Dark factory

A background delivery system that turns bounded work items into reviewable artifacts and pull requests with explicit states, retries, and handoff points.

Blueprint

The deterministic workflow around the model: planning, execution, validation, evidence packaging, and shipping. It is what makes the work reusable across teams and repos.

Warm sandbox

An isolated workspace that is already bootstrapped enough to run quickly, but still separate enough to keep retries, secrets, and side effects bounded.

Evaluation and trust

Hidden evaluation

Tests or scenarios the agent cannot overfit to during the build loop. These matter when visible tests alone are too easy to game.

Control efficacy

The measured ability of the control layer to change what can execute and leave behind proof that survives review.

Proof completeness

Whether the evidence packet is complete enough for a third party to reconstruct what happened without guessing.

Transferability

The question of whether a lesson from one stack or run applies to your own environment. Mechanisms often transfer farther than raw rates.