Agentic AI is an LLM-driven system that plans multi-step actions, calls tools, reads and writes to systems of record, and continues a loop until a goal condition is met or a budget is exhausted. The shift from generative AI is the action surface. A chatbot returns tokens to a user; an agent calls Stripe, modifies a Jira ticket, runs a deploy, or sends an email on the user's behalf. Each tool call hits a system that grants or denies authorization on the credential the agent is presenting, and the audit question collapses to who actually authorized the action.
An AI Bill of Materials is a machine-readable inventory of the components an AI system depends on at runtime: the foundation model and its version, the fine-tuning datasets, the prompt templates, the retrieval sources, the toolchain the agent can call, and the policy configuration the request layer applies. The AI-BOM extends the software-supply-chain practice CISA codified in the SBOM (Software Bill of Materials) into the AI context. NIST's AI RMF references the inventory practice under MAP 4.1 (third-party AI components are inventoried), and the EU AI Act's technical documentation requirement under Article 11 expects an equivalent artifact.
The AI control plane is the set of services that decide what an AI request is allowed to do and produce the evidence of that decision. The control plane carries identity verification, payload classification, policy lookup, and per-decision audit writing. The data plane is the request path itself: the caller, the gateway, the LLM endpoint. The control plane gives the data plane its rules at request time and consumes the per-decision records the data plane emits.
An AI gateway is a network proxy that sits between authenticated callers (users, services, agents) and one or more LLM endpoints. The gateway terminates the caller TLS, extracts identity from the request, classifies the prompt payload, evaluates a per-route policy in the request path, and either forwards the request to the model or returns a block. Every decision produces an audit record that names the subject, the data class, the policy version, and the outcome. An AI gateway differs from a generic LLM proxy because identity context is a first-class input to the decision, not metadata appended after the fact.
An AI red team is the function that attacks an organization's own AI systems under controlled conditions to produce evidence of exploitability before an outside attacker does. The team runs prompt injection payloads, jailbreak variants, data-exfiltration attempts through completions, and tool-abuse sequences against agent workflows, then documents which attempts landed, which controls fired, and what the blast radius would have been in production.
AI supply chain risk is the exposure an organization inherits from the external components its AI systems consume at runtime: the foundation model and its version, fine-tuning datasets, prompt templates, retrieval sources, agent tool definitions, MCP servers, and the vendors behind each one. A compromise in any of these components reaches production through normal operation, because the AI system ingests the component as trusted input.
AI Security Posture Management (AISPM) is the discipline of discovering AI usage across an enterprise, classifying that usage by data sensitivity and regulatory exposure, and remediating the gaps in policy, identity, and audit coverage. AISPM borrows the inventory-first pattern from CSPM (cloud) and DSPM (data) and applies it to AI traffic, models, agents, and the prompts they handle. AISPM is the discovery and reporting layer that sits above the AI gateway's per-request enforcement.
AISPM and MLSecOps divide AI security at the line between runtime usage and the model build pipeline. AI Security Posture Management (AISPM) discovers and scores how an enterprise uses AI in production: which models get called, by which identities, carrying which data classes, under which policies. MLSecOps applies DevSecOps discipline to the pipeline that produces and ships models, covering training data integrity, dependency scanning, model registry access, artifact signing, and deployment gates.
Audit log integrity is the property that an audit record, once written, can be replayed at audit time and verified to match its original state byte-for-byte. The property combines three primitives: an append-only store the writer cannot rewrite, a cryptographic chain that binds each entry to the prior entry, and a signing key the application that produced the event cannot access. EU AI Act Article 12, NIST AI RMF MANAGE 1.3, and HIPAA 164.312(b) all assume audit log integrity at the moment a regulator opens a review. A log without it answers the question "how do you know this record was not edited after the decision?" with silence.