AI security glossary
Plain-language definitions for buyers, CISOs and DPOs evaluating AI DLP and generative-AI security. Each term explains what it is, why it matters, and what to ask vendors about it.
AI DLP
AI DLP (AI Data Loss Prevention) is software that detects, blocks or anonymises sensitive data before it leaves an organisation to a generative-AI service like ChatGPT, Claude, Gemini or Copilot.
Prompt injection
Prompt injection is an attack in which untrusted text smuggled into an LLM's input (via a document, a webpage, a tool response or a user prompt) overrides the developer's original instructions and makes the model do something it was not authorised to do.
Shadow AI
Shadow AI is the use of generative-AI services (ChatGPT, Claude, DeepSeek, Perplexity, Mistral, Grok, etc.) by employees without the knowledge, approval or oversight of the IT or security team.
MCP (Model Context Protocol)
MCP (Model Context Protocol) is an open standard published by Anthropic in late 2024 that lets AI assistants connect to external data sources, tools and services in a uniform way — analogous to the Language Server Protocol (LSP) but for LLM context.
EU AI Act
The EU AI Act (Regulation 2024/1689) is the European Union's comprehensive law on artificial intelligence, in force since August 2024, with most provisions becoming enforceable in phased waves through August 2027.
NIS2
NIS2 (Directive 2022/2555) is the EU's revised network and information security directive, enforceable from October 2024 across all member states. It expands the scope of regulated entities and tightens incident-reporting timelines.
DORA
DORA (Digital Operational Resilience Act, Regulation 2022/2554) is the EU regulation requiring financial-sector entities to maintain digital operational resilience, in force since January 2025.
GDPR
The GDPR (General Data Protection Regulation, Regulation 2016/679) is the EU's comprehensive data-protection law, in force since May 2018.
CLOUD Act
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) is a US federal law that compels US-based service providers to disclose data they hold or process, regardless of where in the world the data is physically stored.
Jailbreak (LLM)
An LLM jailbreak is a crafted prompt that bypasses a model's safety training or operator-imposed guardrails, causing it to produce output the deploying organisation tried to forbid.
Anonymisation (in DLP)
In an AI DLP context, anonymisation is the act of substituting a detected sensitive substring (a credit-card number, an IBAN, an email address, an API key) with a structurally similar but non-sensitive placeholder before the prompt is sent to the LLM.
Sovereign Cloud
Sovereign Cloud refers to cloud infrastructure operated under the legal jurisdiction of a specific country or region, with data residency, operational control and ownership structures designed to be immune to extraterritorial legal demands (notably the US CLOUD Act).
Data Residency
Data residency is the geographic location where data is physically stored, processed and replicated — typically expressed as a specific country or sub-national region (e.g. "eu-west-3 / Paris" or "Germany only, no replication outside Frankfurt").
Browser-based DLP
Browser-based DLP enforces data-loss-prevention policies inside the web browser, via a managed extension on Chrome / Edge / Firefox, intercepting paste events, form submissions and outbound HTTP requests before they reach the destination service.
Format-preserving anonymisation
Format-preserving anonymisation is a substitution technique where the replacement value satisfies the same syntactic format as the original (valid IBAN checksum, valid Luhn card number, valid-looking email) — so downstream systems that validate format still accept the placeholder.
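The following is an added illustration for the two glossary entries above ("Anonymisation (in DLP)" and "Format-preserving anonymisation"); it is not code from any vendor or product on this page. It shows the substitution step a DLP proxy performs on a prompt before forwarding it: IBANs and payment-card numbers are located, validated (mod-97 and Luhn, so that random digit runs are not mangled), and replaced with placeholders that keep the country code, length, separator positions and letter/digit shape of the original and still pass the same checksum. The prompt text, the card number and the IBANs are constructed sample values (the card number and the German IBAN are the usual public test values); the pattern names, function names and the placeholder-to-original mapping are assumptions of this example.

```python
import random
import re
from typing import Optional

# Two of the formats the glossary entry names. The IBAN alternative is listed
# first so that the digit tail of an IBAN is never consumed as a card number.
_SENSITIVE = re.compile(
    r"(?P<iban>\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b)"
    r"|(?P<card>(?<![A-Za-z0-9])(?:\d[ -]?){12,18}\d(?![A-Za-z0-9]))"
)


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit Luhn-valid."""
    return next(c for c in "0123456789" if luhn_valid(body + c))


def _iban_int(s: str) -> int:
    # ISO 13616: letters become 10..35, then the whole string is read as an integer
    return int("".join(str(int(ch, 36)) for ch in s))


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check; spaces are accepted as visual separators."""
    s = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    return _iban_int(s[4:] + s[:4]) % 97 == 1


def _fake_card(original: str, rng: random.Random) -> str:
    # Random body of the same length, then a freshly computed Luhn check digit.
    digits = [c for c in original if c.isdigit()]
    body = "".join(rng.choice("0123456789") for _ in digits[:-1])
    fake = body + luhn_check_digit(body)
    it = iter(fake)  # re-insert the original separators at the same positions
    return "".join(next(it) if c.isdigit() else c for c in original)


def _fake_iban(original: str, rng: random.Random) -> str:
    # Keep the country code and the letter/digit shape of the BBAN, randomise
    # the values, then recompute the two check digits so mod-97 still holds.
    compact = original.replace(" ", "").upper()
    country, bban = compact[:2], compact[4:]
    fake_bban = "".join(
        rng.choice("ABCDEFGHIJKLMNOPQRSTUVWXYZ") if c.isalpha() else rng.choice("0123456789")
        for c in bban
    )
    check = 98 - _iban_int(fake_bban + country + "00") % 97
    fake = f"{country}{check:02d}{fake_bban}"
    it = iter(fake)
    return "".join(" " if c == " " else next(it) for c in original)


def anonymise(prompt: str, rng: Optional[random.Random] = None) -> tuple[str, dict[str, str]]:
    """Replace validated IBANs and card numbers with format-preserving placeholders.

    Returns the rewritten prompt plus a placeholder -> original map that the DLP
    proxy keeps on its own side, so the model's answer can be re-identified for
    the user while the real value never leaves the organisation.
    """
    rng = rng or random.SystemRandom()
    mapping: dict[str, str] = {}

    def swap(m: "re.Match[str]") -> str:
        if m.group("iban") is not None:
            if not iban_valid(m.group(0)):
                return m.group(0)  # looks like an IBAN but fails mod-97: leave it alone
            fake = _fake_iban(m.group(0), rng)
        else:
            if not luhn_valid(re.sub(r"\D", "", m.group(0))):
                return m.group(0)  # a digit run that fails Luhn is not a card number
            fake = _fake_card(m.group(0), rng)
        mapping[fake] = m.group(0)
        return fake

    return _SENSITIVE.sub(swap, prompt), mapping


# Constructed sample prompt: a public Visa test number, the standard example
# German IBAN, and a 16-digit ticket number that is not Luhn-valid.
SAMPLE_PROMPT = (
    "Please draft a refund email. Card 4111 1111 1111 1111 was charged twice; "
    "refund to IBAN DE89 3704 0044 0532 0130 00. Ticket 1234567890123456 for reference."
)

if __name__ == "__main__":
    rewritten, table = anonymise(SAMPLE_PROMPT)
    print(rewritten)
    for placeholder, original in table.items():
        print(f"{placeholder!r} stands in for {original!r}")
```

Because the placeholders keep the checksum, length and separator layout, a downstream system that validates an IBAN or card number will accept them, which is exactly what the glossary entry describes; the mapping kept by the proxy is what makes the substitution reversible for the user without the real values reaching the LLM.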