Reference

Glossary

Plain-language definitions for the agentic-AI and AI-security terms used across the Hub.

Agentic AI: AI systems that pursue goals by planning and taking actions through tools — calling APIs, running code, browsing — rather than only generating text. Their ability to act is exactly what expands the security blast radius.
EDR: Endpoint Detection and Response: tooling that monitors endpoints for malicious behaviour and enables investigation and containment. Relevant as agents and AI extensions increasingly run on developer and server endpoints.
MCP: Model Context Protocol: an open standard for connecting AI models to external tools, data sources, and services through a common interface. It makes agents far more capable — and makes every connected server a trust boundary.
MCP gateway: A proxy that sits between agents and MCP servers so all tool traffic flows through one enforcement point. It centralises allowlisting, access control, inspection, and logging instead of trusting each direct connection.
microVM isolation: Running each agent task inside a lightweight, fast-booting virtual machine that is destroyed after execution. It confines the blast radius of a compromised task far more strongly than a shared process or container.
NHI: Non-Human Identity: the service accounts, API keys, tokens, and machine credentials that agents and tools authenticate with. NHIs typically outnumber human identities and are easy to over-scope and forget.
OWASP Agentic Top 10: A reference taxonomy from the OWASP Agentic Security Initiative cataloguing the most significant threat classes for agentic AI systems — from memory poisoning and tool misuse to identity spoofing and untraceability.
Post-quantum: Cryptography designed to resist attacks from quantum computers. It matters now because of harvest-now, decrypt-later adversaries who capture encrypted traffic today to decrypt once quantum capability matures.
Prompt injection: An attack that smuggles adversarial instructions into the content a model processes so it follows the attacker instead of the operator. Indirect prompt injection hides those instructions in fetched data such as web pages, files, or tool output.
SBOM: Software Bill of Materials: a machine-readable inventory of the components and dependencies in a piece of software. For agents, it underpins supply-chain validation and rapid response when a dependency turns malicious.
Scope minimisation: Granting an identity only the permissions a task genuinely requires, and progressively narrowing them over time. Combined with just-in-time elevation, it limits what a hijacked agent can reach.
Shadow AI: AI agents, assistants, and IDE extensions used inside an organisation without approval, inventory, or oversight. Shadow AI is the agentic equivalent of shadow IT and a primary discovery problem.
SIEM: Security Information and Event Management: a platform that aggregates and correlates logs and events for detection, alerting, and audit. Logging every agent tool call into the SIEM is central to behavioural monitoring.
Tool poisoning / rug pull: Tool poisoning hides malicious instructions in a tool's description or output so the agent treats them as trusted. A rug pull is when a previously benign tool or server turns malicious in a later update.
Zero Trust: A security model that assumes no implicit trust and verifies every request on its own merits — identity, context, and least privilege — regardless of network location. Applied to agents, every tool call is authorised explicitly.