EU AI Act Glossary

Definitions for key terms in EU AI Act Regulation 2024/1689, the Guaranteed Safe AI (GSAI) framework (Bengio, Russell, Tegmark et al., 2024), Vigilens platform concepts, and AI governance industry standards. All EU AI Act article references are to Regulation (EU) 2024/1689 as published in the Official Journal of the EU, 12 July 2024.

EU AI Act Terms

AI System
A machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment. Defined in Article 3(1) of EU AI Act Regulation 2024/1689.
High-Risk AI System
An AI system listed in Annex III of the EU AI Act (such as AI used in medical devices, critical infrastructure, employment, education, essential services, law enforcement, migration, and administration of justice) or that falls under Annex I as a safety component of a product. Providers of high-risk AI systems must comply with Articles 8-15 of the regulation.
General-Purpose AI (GPAI)
An AI model trained on large amounts of data using self-supervision at scale, capable of performing a wide range of tasks. GPAI models with systemic risk are subject to additional obligations under Articles 51-55 of the EU AI Act.
Annex III
The annex to EU AI Act Regulation 2024/1689 that lists eight categories of high-risk AI applications: (1) biometric identification, (2) critical infrastructure, (3) education, (4) employment and worker management, (5) access to essential private and public services, (6) law enforcement, (7) migration and border control, and (8) administration of justice. Obligations apply from 2 August 2026.
Annex IV
The annex specifying the content of technical documentation that providers of high-risk AI systems must maintain. Includes a general description of the AI system, design specifications, information on training and testing data, monitoring and logging details, and post-market monitoring plans.
Prohibited AI Practice
AI applications banned outright under Article 5 of the EU AI Act, including: subliminal manipulation, exploitation of vulnerabilities, social scoring by public authorities, real-time remote biometric identification in public spaces (with narrow exceptions), and AI used to infer emotions in the workplace or educational institutions.
Provider
A natural or legal person that develops an AI system or a general-purpose AI model and places it on the market or puts it into service under their own name or trademark. Defined in Article 3(3). Providers of high-risk AI systems bear the primary compliance obligations under Articles 8-17.
Deployer
A natural or legal person that uses an AI system under its authority, except where it is used in the course of a personal non-professional activity. Defined in Article 3(4). Deployers have obligations under Articles 26-29 of the EU AI Act.
Conformity Assessment
The process to verify that a high-risk AI system complies with the requirements set out in Chapter III, Section 2 of the EU AI Act (Articles 8-15). For most Annex III systems, providers may conduct a self-assessment against a harmonised standard. For certain biometric and critical infrastructure systems, a third-party notified body assessment is required under Article 43.
Notified Body
A conformity assessment body designated by an EU Member State to perform third-party conformity assessments for certain high-risk AI systems. Notified bodies are accredited and publish their assessments under the EU's NANDO (New Approach Notified and Designated Organisations) system.
Post-Market Monitoring
The continuous process of collecting and reviewing experience gained from high-risk AI systems placed on the market, required under Article 72. Providers must have a post-market monitoring plan and report serious incidents to market surveillance authorities.
Fundamental Rights Impact Assessment (FRIA)
A mandatory assessment for deployers of certain high-risk AI systems (those listed in Annex III, points 1, 6, 7, and 8 and used by public bodies) to assess impacts on fundamental rights before deployment. Required under Article 27 of the EU AI Act.
Technical Documentation
The package of documentation that high-risk AI system providers must draw up and maintain before market placement, as specified in Annex IV. Includes general description, design specifications, training data information, accuracy metrics, cybersecurity measures, and post-market monitoring plans.
Risk Management System
A continuous, iterative process required under Article 9 throughout the entire lifecycle of a high-risk AI system. Must include identification and analysis of known and foreseeable risks, estimation and evaluation of risks, adoption of risk management measures, and testing to ensure measures are effective.
CE Marking
The conformity marking affixed to certain high-risk AI systems to indicate compliance with the EU AI Act and applicable harmonised standards, enabling free movement in the EU internal market. Required for AI systems covered by Annex I of the EU AI Act.
Logging
Automatic logging requirements for high-risk AI systems under Article 12. Systems must record events sufficient to ensure traceability throughout the system's lifetime, including the start and end of each use, input data reference where technically feasible, and results of verifications.
Transparency Obligations
Requirements under Article 13 that high-risk AI system providers ensure their systems are sufficiently transparent to enable deployers to interpret outputs and use them appropriately. Includes providing instructions for use with specific content requirements.

Vigilens / GSAI Terms

Rules-as-Code
The practice of encoding legal or regulatory obligations as machine-executable rules that can be run automatically in software systems, rather than as natural-language policy documents. In the context of EU AI Act compliance, Vigilens implements Rules-as-Code so that each Article obligation is a checkable condition that runs at every CI/CD release.
Guaranteed Safe AI (GSAI)
A formal AI safety framework proposed by Bengio, Russell, Tegmark et al. (arXiv:2405.06624, 2024) that defines provable AI safety as a three-component system: a World Model, a Safety Specification, and a Verifier. When the Verifier certifies that a system satisfies its Safety Specification under its World Model, the result is a Proof Certificate. Vigilens implements all four components.
World Model
In the Guaranteed Safe AI (GSAI) framework, a formal description of an AI system's operating environment, intended use, and risk boundary. In Vigilens, the World Model corresponds to the Classify layer, which produces a machine-readable profile of the AI system including its Annex III category, prohibited-practice exposure, and GPAI applicability.
Safety Specification
In the Guaranteed Safe AI (GSAI) framework, a set of machine-checkable rules that encode what an AI system must and must not do. In Vigilens, the Safety Specification corresponds to the Controls layer, where EU AI Act Articles 8-15 are encoded as machine-executable Rules-as-Code.
Verifier
In the Guaranteed Safe AI (GSAI) framework, the continuous process that checks whether a system's outputs and actions satisfy the Safety Specification under the World Model. In Vigilens, the Verifier corresponds to the Evidence layer, which automatically collects evidence from engineering tools at every CI/CD release and checks it against the Controls.
Proof Certificate
In the Guaranteed Safe AI (GSAI) framework, the formal record that a system met its Safety Specification under its World Model at a point in time. In Vigilens, the Proof Certificate corresponds to the Audit Pack, a one-click JSON + PDF governance pack containing all evidence, control mappings, and an Article 43 conformity statement.
BYO-LLM (Bring Your Own LLM)
A deployment model in which an enterprise uses its own large language model within the Vigilens platform, meaning that customer data and model outputs never leave the enterprise's own environment. Available on the Vigilens Enterprise tier. Relevant for organisations with data-residency requirements under GDPR or sector-specific regulation.
Continuous Compliance
An approach to regulatory compliance in which obligations are verified automatically and continuously throughout a system's lifecycle rather than at discrete audit points. Continuous compliance is enabled by Rules-as-Code running in CI/CD pipelines, and is required by Article 9 of the EU AI Act, which mandates a risk management system active throughout the entire lifecycle.
Evidence Collection
The automated process of gathering artefacts from engineering tools (version control, issue trackers, observability platforms, ML experiment trackers, data stores) that demonstrate compliance with specific regulatory obligations. In Vigilens, evidence is timestamped, cryptographically signed, and linked to the specific Control it satisfies.
Audit Pack
The Vigilens output layer that generates a one-click JSON + PDF governance pack containing all collected evidence, control mappings, risk assessment, and an Article 43 self-assessment conformity declaration. Corresponds to the Proof Certificate component in the Guaranteed Safe AI framework.
AI Governance
The set of policies, processes, technical controls, and organisational structures that ensure AI systems behave in accordance with applicable law, ethical principles, and organisational values throughout their lifecycle. AI governance includes risk management, transparency, accountability, and human oversight mechanisms.
Classify (Vigilens)
The first layer of the Vigilens platform. A six-question EU AI Act classifier that determines whether an AI system falls under Annex III (high-risk), Article 5 (prohibited), GPAI provisions, or minimal risk. Output is a machine-readable system profile that initialises all downstream Controls and Evidence collection.

Industry Standards

SOC 2
Service Organization Control 2. A US auditing framework developed by the American Institute of CPAs (AICPA) for service organisations to demonstrate controls over security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type II reports cover a period of time (typically 6-12 months). Often required by enterprise buyers as a procurement condition. Complementary to but distinct from EU AI Act compliance.
NIST AI RMF
The National Institute of Standards and Technology AI Risk Management Framework (NIST AI 100-1, 2023). A voluntary US framework for managing risks associated with AI systems across four functions: Govern, Map, Measure, and Manage. Widely referenced in AI governance programmes and increasingly used alongside EU AI Act compliance work.
ISO 42001
ISO/IEC 42001:2023. The first international standard for AI management systems, specifying requirements for establishing, implementing, maintaining, and continually improving an AI management system. Provides a structured approach to AI governance applicable to any organisation developing or using AI.
GDPR
General Data Protection Regulation (Regulation (EU) 2016/679). The EU regulation governing the processing of personal data by organisations operating in or targeting the EU. AI systems that process personal data must comply with both GDPR and the EU AI Act. Training data, model outputs, and logging records may all involve personal data subject to GDPR obligations.