Glossary

Definitions for the terminology used across enterprise AI governance, inline policy enforcement, agentic AI security, audit, and compliance.

A

AI control plane

The AI control plane is the set of services that decide what an AI request is allowed to do and produce the evidence of that decision. The control plane carries identity verification, payload classification, policy lookup, and per-decision audit writing. The data plane is the request path itself: the caller, the gateway, the LLM endpoint. The control plane gives the data plane its rules at request time and consumes the per-decision records the data plane emits.

AI gateway

An AI gateway is a network proxy that sits between authenticated callers (users, services, agents) and one or more LLM endpoints. The gateway terminates the caller TLS, extracts identity from the request, classifies the prompt payload, evaluates a per-route policy in the request path, and either forwards the request to the model or returns a block. Every decision produces an audit record that names the subject, the data class, the policy version, and the outcome. An AI gateway differs from a generic LLM proxy because identity context is a first-class input to the decision, not metadata appended after the fact.

AISPM (AI Security Posture Management)

AI Security Posture Management (AISPM) is the discipline of discovering AI usage across an enterprise, classifying that usage by data sensitivity and regulatory exposure, and remediating the gaps in policy, identity, and audit coverage. AISPM borrows the inventory-first pattern from CSPM (cloud) and DSPM (data) and applies it to AI traffic, models, agents, and the prompts they handle. AISPM is the discovery and reporting layer that sits above the AI gateway's per-request enforcement.

D

Data loss prevention (DLP)

Data loss prevention (DLP) is the control category that inspects data in motion or at rest, classifies it against a sensitivity taxonomy (PII, PHI, source code, financial records, regulated content), and applies an outcome (block, quarantine, redact, alert). Traditional DLP operates at the network gateway, the email gateway, the endpoint, and the cloud storage layer. DLP for AI operates at the prompt and completion layer, since LLM API traffic travels over TLS to vendor endpoints that network DLP cannot inspect.

Deterministic policy

A deterministic policy is a rule that returns the same decision for the same input every time. Given a verified subject, a route, a payload classification verdict, and a policy version, the decision point returns pass or block with a fixed reason code. Stochastic alternatives (model-based safety filters, sampled refusal behaviors, temperature-driven moderation) return different verdicts for the same input across calls. The Stanford Trustworthy AI / AIUC-1 Consortium briefing measured refusal behaviors of model-level guardrails degrading significantly under targeted fine-tuning and adversarial pressure; that variance is what makes them stochastic.

F

Fail-closed

Fail-closed is the architectural property that governs how a policy enforcement point behaves when it cannot reach a definitive decision. A fail-closed gateway blocks the request when the policy lookup errors, when the identity claim is missing, when the classification model times out, or when the audit writer cannot persist the record. A fail-open gateway forwards the request and records a soft warning. EU AI Act Article 12 traceability obligations, Fannie Mae LL-2026-04 disclosure-on-demand requirements, and NIST AI RMF action lineage all sit on the assumption that the enforcement point is fail-closed, since a missing decision record is the same evidentiary gap as a missing decision.
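The decision path described under "Deterministic policy" and "Fail-closed", as an added sketch rather than any product's code: every step that errors or returns nothing yields a block with a fixed reason code, and a failed audit write overrides even a pass. The function name, the four injected callables, the record fields, and the reason codes are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Decision:
    outcome: str  # "pass" or "block"
    reason: str   # fixed reason code (codes here are illustrative)

def decide(request, verify_identity, classify, lookup_policy, write_audit):
    """Evaluate one request; anything short of a definitive pass is a block."""
    record = {"subject": None, "data_class": None, "policy_version": None}
    try:
        subject = verify_identity(request)
        if not subject:
            outcome, reason = "block", "IDENTITY_MISSING"
        else:
            record["subject"] = subject
            record["data_class"] = classify(request["prompt"])
            policy = lookup_policy(request["route"])
            record["policy_version"] = policy["version"]
            if record["data_class"] in policy["blocked_classes"]:
                outcome, reason = "block", "DATA_CLASS_DENIED"
            else:
                outcome, reason = "pass", "POLICY_ALLOW"
    except Exception as exc:
        # Policy lookup error, classifier timeout, malformed request: block.
        outcome, reason = "block", "ERROR_" + type(exc).__name__.upper()
    record.update(outcome=outcome, reason=reason)
    try:
        write_audit(record)
    except Exception:
        # No persisted record means no usable decision: override even a pass.
        return Decision("block", "AUDIT_WRITE_FAILED")
    return Decision(outcome, reason)

if __name__ == "__main__":
    # Constructed stubs: a healthy path, then a classifier that times out.
    def slow_classifier(prompt):
        raise TimeoutError("classifier did not answer")
    req = {"route": "/v1/chat", "prompt": "summarise this ticket"}
    ident = lambda r: "svc-helpdesk"
    policy = lambda route: {"version": "v7", "blocked_classes": {"phi"}}
    print(decide(req, ident, lambda p: "none", policy, print))
    print(decide(req, ident, slow_classifier, policy, print))
```

A fail-open variant would differ only in the two `except` branches, which is why the property is easy to lose in a later refactor and worth a regression test per failure mode.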

L

LLM DLP

LLM DLP is data loss prevention applied at the prompt and completion layer of AI traffic. The control reads the decrypted prompt body, classifies the content (PII, PHI, source code, customer records, contract text, model-defined categories), and either blocks the request, redacts the sensitive fields, or routes the request to an approved destination. LLM DLP runs above the TLS termination point because network DLP cannot inspect prompt payloads that travel inside encrypted HTTPS to api.openai.com, api.anthropic.com, or any other LLM endpoint.

P

PHI redaction

PHI redaction is the runtime operation that identifies Protected Health Information inside an AI prompt or completion and removes, masks, or tokenizes the identified fields before the content reaches the LLM endpoint. PHI is the 18 HIPAA identifiers (names, dates, geographic subdivisions smaller than a state, phone, email, MRN, account numbers, full-face photos, and the other defined elements). Redaction sits at the AI gateway above the TLS termination point so the content can be read in cleartext, classified, and rewritten before it crosses the trust boundary into a vendor model.

PII detection

PII detection is the classification step that identifies personally identifiable information inside a text payload before the payload crosses a trust boundary. Detection runs as a combination of regex patterns (SSN, credit card, phone, email), named-entity recognition models (person names, addresses), and content classifiers tuned for context (a nine-digit number near "SSN" is a stronger signal than a nine-digit invoice number). In an AI gateway, PII detection runs against the decrypted prompt body and feeds the classification verdict into the policy decision.
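The regex and context part of that pipeline, as an added example that is not taken from any product: a nine-digit match is rated high only when an SSN keyword appears shortly before it, and card-shaped digit runs are kept only if they pass the Luhn checksum. The keyword list, the 30-character window, and the confidence labels are assumptions; the NER and classifier stages are not modelled.

```python
import re

SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SSN_CONTEXT = re.compile(r"\b(ssn|social security)\b", re.I)  # assumed keywords
WINDOW = 30  # characters of left context inspected (assumed value)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most order numbers and other long IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect(text: str) -> list:
    """Return (kind, matched_text, confidence) findings."""
    findings = [("email", m.group(), "high") for m in EMAIL_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("card", m.group(), "high"))
    for m in SSN_RE.finditer(text):
        left = text[max(0, m.start() - WINDOW):m.start()]
        conf = "high" if SSN_CONTEXT.search(left) else "low"
        findings.append(("ssn", m.group(), conf))
    return findings

def verdict(text: str) -> str:
    """Classification verdict handed to the policy decision."""
    return "pii" if any(c == "high" for _, _, c in detect(text)) else "none"

if __name__ == "__main__":
    # Constructed prompts, not real data.
    for prompt in ("Customer SSN: 123-45-6789",
                   "Please pay invoice 123456789 by Friday",
                   "Charge card 4111 1111 1111 1111 today"):
        print(verdict(prompt), detect(prompt))
```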

T

Tamper-evident log

A tamper-evident log is an append-only audit store whose entries are cryptographically chained so any later mutation, deletion, or reordering is detectable on read. Each entry includes a hash of the prior entry, a timestamp from a trusted source, and a signature from the writer's key. A reader who replays the chain can detect a single altered byte. Tamper-evident is the weaker, achievable cousin of tamper-proof; the log can still be modified by an attacker who controls the writer, but the modification leaves visible evidence the regulator and the forensic investigator can find.
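The chaining and replay described above, as an added example that is not part of the original glossary. It substitutes HMAC-SHA256 with a shared key for the writer's signature, so the verifier holds the same key as the writer, and it takes the timestamp as a caller-supplied value; the entry layout, function names, and sample records are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
KEY = b"constructed-demo-key"  # constructed; stands in for the writer's key

def digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def sign(key, entry_hash):
    # HMAC stands in for a real signature (assumption of this example).
    return hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()

def append(log, key, ts, event):
    """Chain a new entry to the previous entry's hash and sign it."""
    body = {"seq": len(log), "ts": ts, "event": event,
            "prev": log[-1]["hash"] if log else GENESIS}
    h = digest(body)
    log.append(dict(body, hash=h, sig=sign(key, h)))

def verify(log, key):
    """Replay the chain; return -1 if intact, else the first bad index."""
    prev = GENESIS
    for i, e in enumerate(log):
        h = digest({k: e[k] for k in ("seq", "ts", "event", "prev")})
        if (e["seq"] != i or e["prev"] != prev or e["hash"] != h
                or not hmac.compare_digest(e["sig"], sign(key, h))):
            return i
        prev = h
    return -1

def sample_log(key=KEY):
    """Three constructed decision records."""
    log = []
    append(log, key, 1700000000, {"subject": "alice", "outcome": "pass"})
    append(log, key, 1700000005, {"subject": "svc-etl", "outcome": "block"})
    append(log, key, 1700000009, {"subject": "bob", "outcome": "pass"})
    return log

if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify(log, KEY))
    log[1]["event"]["outcome"] = "pass"  # later mutation of one field
    print("first bad entry after edit:", verify(log, KEY))
```

Removing entries from the tail leaves a shorter chain that still verifies, so the most recent hash has to be anchored somewhere outside the log for truncation to be detectable.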