AI Governance Standards Glossary

Plain-English definitions of key AI governance terms from NIST AI RMF, ISO 42001, UK DSIT five principles, AIME, and the EU AI Act. A quick reference for UK businesses navigating AI governance frameworks.

AI governance involves terminology from multiple overlapping frameworks, standards bodies, and regulations. This glossary defines the key terms UK businesses encounter when implementing AI governance — from NIST AI RMF functions (Govern, Map, Measure, Manage) to ISO 42001 concepts (AIMS, Annex SL, statement of applicability) to UK regulatory language (DSIT five principles, ICO automated decision-making, DPIA). Each term includes a plain-English definition, which framework or regulation it comes from, and why it matters for your business.

How to use this glossary

Terms are organised alphabetically. Each entry includes the source framework or regulation in parentheses. Where a term is used differently across frameworks, the entry notes the distinction. For broader AI governance terminology (not specific to standards and frameworks), see our main AI governance glossary.

A–D

AIMS — AI Management System (ISO 42001)

The set of interrelated policies, processes, procedures, and resources an organisation uses to manage its AI activities. AIMS is the core concept of ISO 42001 — the standard specifies what an AIMS must include and how it should operate. Think of it as the AI equivalent of an Information Security Management System (ISMS) under ISO 27001.

Annex SL (ISO)

A template published by ISO that defines the high-level structure all modern management system standards must follow. It specifies ten clauses; the seven that carry requirements are context of the organisation, leadership, planning, support, operation, performance evaluation, and improvement (the first three cover scope, normative references, and terms and definitions). ISO 42001, ISO 27001, and ISO 9001 all share this structure, which means businesses certified to one can extend to another more easily.

AI RMF — AI Risk Management Framework (NIST)

A voluntary framework published by the US National Institute of Standards and Technology for managing risks from AI systems (NIST, 2023). Organised into four functions: Govern, Map, Measure, and Manage. See our NIST AI RMF implementation guide.

AIME — AI Management Essentials (BSI)

A self-assessment framework developed by the BSI as a stepping stone to ISO 42001 (BSI, 2024). Covers five domains: leadership, risk management, data management, AI system deployment, and monitoring. See our AIME self-assessment guide.

Automated decision-making (UK GDPR)

A decision made solely by automated means (including AI) without meaningful human involvement. Under UK GDPR Article 22, individuals have the right not to be subject to solely automated decisions that produce legal or similarly significant effects (UK GDPR, 2016). This is one of the most directly relevant legal provisions for AI governance in the UK.

Conformity assessment (EU AI Act)

The process of verifying that a high-risk AI system meets the requirements of the EU AI Act before it can be placed on the market. Depending on the system type, this may involve self-assessment or third-party assessment by a notified body (EU AI Act, 2024).

DPIA — Data Protection Impact Assessment (UK GDPR)

A process for identifying and minimising the data protection risks of a project or system. Required under UK GDPR Article 35 when processing is likely to result in a high risk to individuals — which includes most AI systems processing personal data (ICO, 2024).

DSIT (UK Government)

The Department for Science, Innovation and Technology. The UK government department responsible for AI policy, including the 2023 white paper that established the five AI principles (DSIT, 2023).

E–I

EU AI Act (EU)

The European Union's comprehensive AI legislation, adopted in 2024. It classifies AI systems by risk level (unacceptable, high, limited, minimal) and imposes obligations proportionate to the risk. It applies to any business placing AI systems on the EU market or deploying AI affecting EU residents — including UK businesses with EU operations. See our EU AI Act vs UK regulation guide.

Explainability (DSIT / ICO)

The ability to explain AI decisions to affected people in a way they can understand. One of the DSIT five principles and a practical requirement under ICO guidance. Does not mean providing the technical details of the algorithm — it means being able to tell someone why a decision was made and what factors influenced it.

Govern function (NIST AI RMF)

The cross-cutting function that establishes organisational context for AI risk management. Covers: roles and responsibilities, risk tolerances, policies, culture, and legal compliance. This is where UK businesses integrate UK GDPR, ICO guidance, and the DSIT five principles into their AI governance.

High-risk AI system (EU AI Act)

An AI system classified as high-risk under the EU AI Act. Includes AI used in: critical infrastructure, education, employment, essential services, law enforcement, migration, and justice. High-risk systems face the most stringent requirements: conformity assessment, risk management, data governance, transparency, human oversight, accuracy, and robustness.

ISO 42001 (ISO)

The international standard for AI management systems (ISO/IEC 42001:2023). Published December 2023. Follows the Annex SL structure. Certifiable by accredited third-party auditors. See our ISO 42001 guide.

J–P

Legitimate interest (UK GDPR)

One of six lawful bases for processing personal data under UK GDPR. Often used to justify AI processing, but requires a three-part test: is there a legitimate interest, is processing necessary for that interest, and does the interest override the individual's rights? The ICO expects organisations to document this assessment for any AI processing relying on legitimate interest.

Management system (ISO)

A set of interrelated elements (policies, objectives, processes, resources) that an organisation uses to achieve its goals in a structured way. ISO management system standards (27001, 9001, 42001) all follow the same Annex SL structure, making integration across standards efficient.

Manage function (NIST AI RMF)

The fourth NIST AI RMF function. Covers: prioritising and acting on identified risks, implementing mitigations, planning for incidents, and establishing feedback loops. This is where governance connects to day-to-day operations.

Map function (NIST AI RMF)

The second NIST AI RMF function. Covers: cataloguing AI systems and use cases, identifying affected stakeholders, understanding data flows, and documenting potential harms. For UK businesses, this is where personal data flows to AI tools should be mapped (a UK GDPR requirement).

Measure function (NIST AI RMF)

The third NIST AI RMF function. Covers: defining metrics for AI performance, fairness, and reliability; testing for bias; and monitoring outputs over time. Even basic metrics (error rates, user complaints) create a valuable baseline.

NIST (US Government)

The National Institute of Standards and Technology, a US federal agency. Publisher of the AI Risk Management Framework (AI RMF 1.0) and the Cybersecurity Framework (CSF). NIST frameworks are voluntary but widely adopted internationally.

Proportionality (cross-framework)

The principle that governance measures should be proportionate to the risks involved. A micro-business using ChatGPT for marketing copy does not need the same governance as a financial services firm using AI for credit decisions. Every framework referenced here is designed to be applied proportionately.

Q–Z

Risk classification (EU AI Act)

The EU AI Act's four-tier system for categorising AI systems by risk: unacceptable (banned), high (stringent requirements), limited (transparency obligations), and minimal (no additional requirements). Most AI tools used by UK SMEs fall into the limited or minimal categories.

Safety (DSIT five principles)

The first of the UK's five AI principles: AI systems should function securely, safely, and robustly. Covers both technical safety (the system works as intended) and security (the system is protected against attack and misuse).

Statement of applicability (ISO 42001)

A document that lists all the controls in ISO 42001 Annex A and states which ones your organisation has implemented, which are not applicable, and the justification for each decision. Required as part of ISO 42001 certification. Similar in concept to the SOA in ISO 27001.

Transparency (DSIT / EU AI Act)

The requirement to be open about how AI is used and how AI decisions are made. Under the DSIT five principles, transparency means appropriate disclosure. Under the EU AI Act, transparency obligations are specific and legally binding for certain system categories — including requirements to disclose that content was AI-generated.

UK AI Safety Institute — AISI (UK Government)

Established in 2023, AISI conducts technical research and evaluation of advanced AI systems. Its work informs how the UK applies the DSIT five principles in practice, particularly around safety and robustness (AISI, 2024).

Frequently Asked Questions

What is the difference between a framework and a standard?

A framework is a set of guidelines, principles, or recommended practices that an organisation can adopt voluntarily — like the NIST AI RMF or the DSIT five principles. A standard is a formal specification published by a recognised standards body (like ISO or BSI) that defines requirements an organisation must meet, often with certification available. ISO 42001 is a standard; NIST AI RMF is a framework.

Do I need to learn all these terms to implement AI governance?

No. Most UK SMEs only need a working understanding of the terms relevant to their chosen framework. If you are starting with the DSIT five principles and AIME, focus on those terms first. The glossary is a reference to consult when you encounter unfamiliar terminology, not a prerequisite to getting started. See our framework selection guide to determine which framework suits your business.

What does "Annex SL" mean in the context of ISO 42001?

Annex SL is a template published by ISO that defines the high-level structure all modern management system standards must follow. It specifies ten clauses, of which the seven requirements clauses run from "Context of the organisation" through to "Improvement", ensuring that ISO 42001, ISO 27001, ISO 9001, and other management system standards share the same structural framework. This makes it easier to integrate multiple ISO standards within one management system.

Where can I find the official text of these standards?

The NIST AI RMF is freely available at nist.gov. The DSIT white paper is freely available at gov.uk. The EU AI Act text is at artificialintelligenceact.eu. ISO 42001 must be purchased from ISO or BSI. AIME details are available through BSI's website.

Governably helps UK businesses start their AI governance journey by scanning for AI tool exposure, credential leaks, and email security gaps. Run a free scan to see where your organisation stands.

Sources

  1. NIST. AI Risk Management Framework (AI RMF 1.0). nist.gov
  2. ISO. ISO/IEC 42001:2023 — Artificial intelligence management system. iso.org
  3. DSIT. AI regulation: a pro-innovation approach. gov.uk
  4. ICO. Explaining decisions made with AI. ico.org.uk
  5. BSI. AI Management Essentials (AIME). bsigroup.com
  6. European Commission. EU Artificial Intelligence Act. artificialintelligenceact.eu
  7. UK AI Safety Institute. AI Safety Institute. aisi.gov.uk
  8. UK Government. UK General Data Protection Regulation. legislation.gov.uk