27 Glossary · every term, in one place

The vocabulary, in plain English.

Agent
An LLM running in a loop where it can use tools, remember things, and decide what to do next.
Agentic
A system where one or more LLMs handle multi-step tasks on their own.
Orchestrator
A coordinator agent that decides which other agent runs next and combines their results.
Specialist
An agent with one specific job, a tailored prompt, and access to only the tools it needs.
Router
The piece of logic that decides which agent gets the next task.
State store
The single source of truth for everything happening in one workflow.
Message bus
The pipe that carries messages from one agent to another.
Tool gateway
A safety wrapper around tool calls that handles auditing, rate limiting, and sandboxing.
Observer
The monitoring layer: traces, costs, drift, runaway loops.
Guardrail
A safety check that limits what an agent can see, decide, or do.
Defense in depth
Stacking multiple independent safety checks so a bypass of one is caught by another.
Fail closed
When a safety check itself errors out, reject the request rather than let it through.
Curated handoff
Passing only the relevant slice of context to the next agent, not the whole conversation.
Role isolation
Each agent only sees the data its job actually needs.
Context envelope
A typed wrapper around any piece of context passed between agents. Carries who produced it, how sensitive it is, when to discard it, and a chain back to its source.
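A minimal sketch of such a wrapper in Python. The field names here are illustrative, not the kit's actual API:

```python
from dataclasses import dataclass
import time

@dataclass(frozen=True)
class Envelope:
    """Typed wrapper for context passed between agents (illustrative fields)."""
    payload: dict            # the actual context slice
    producer: str            # who produced it
    classification: str      # how sensitive it is, e.g. "INTERNAL"
    expires_at: float        # when to discard it (unix seconds)
    provenance: tuple = ()   # chain back to the original source

    def expired(self, now=None):
        return (now if now is not None else time.time()) >= self.expires_at

    def derive(self, payload, producer):
        """New envelope for derived context; extends the chain to its source."""
        return Envelope(payload, producer, self.classification,
                        self.expires_at, self.provenance + (self.producer,))
```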
Handshake
A short negotiation that happens before two agents collaborate. Both sides declare what they will accept and produce; the result is a session contract that bounds what flows.
Session contract
The agreement returned by a successful handshake. Pins the input and output classifications, the keys allowed to flow, the tags required on the response, and the session length. Every envelope crossing the boundary is checked against it.
Compartment
A boundary across which envelopes must be filtered. Enforces the session contract on every crossing through minimization (drop unauthorized keys), redaction (scrub PII patterns), and tag validation. Replaces the discipline of "remember the rules" with one function call.
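The "one function call" could look like this: minimization, redaction, and tag validation applied at the boundary. The PII pattern and field names are placeholders, not the kit's real ones:

```python
import re

PII = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US-SSN-shaped pattern (illustrative)

def cross_compartment(envelope: dict, allowed_keys: set, required_tags: set) -> dict:
    """Enforce a session contract on one boundary crossing (sketch)."""
    # Tag validation: refuse envelopes missing required tags (fail closed).
    if not required_tags <= set(envelope.get("tags", [])):
        raise PermissionError("missing required tags")
    # Minimization: drop every key the contract does not authorize.
    payload = {k: v for k, v in envelope["payload"].items() if k in allowed_keys}
    # Redaction: scrub PII-looking patterns from string values.
    payload = {k: PII.sub("[REDACTED]", v) if isinstance(v, str) else v
               for k, v in payload.items()}
    return {**envelope, "payload": payload}
```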
Need-to-know
The set of fields the caller is willing to share with the callee. Anything outside the set must be dropped before the envelope crosses the boundary. The opposite of dumping the full context into every sub-call.
Classification lattice
A small ordered set of sensitivity labels (PUBLIC, INTERNAL, CONFIDENTIAL, SECRET in the kit's version). Combining envelopes inherits the highest label among the parts. Prevents low-classification consumers from accidentally receiving high-classification data.
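The two lattice rules fit in a few lines. This is a sketch, not the kit's implementation:

```python
LATTICE = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "SECRET"]  # ordered low -> high

def combine(*labels: str) -> str:
    """Combining envelopes inherits the highest label among the parts."""
    return max(labels, key=LATTICE.index)

def may_receive(consumer_clearance: str, data_label: str) -> bool:
    """A consumer may only receive data at or below its clearance."""
    return LATTICE.index(data_label) <= LATTICE.index(consumer_clearance)
```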
Agent profile
The structural description of an agent: its scope (generalist, specialist, or generalist plus RAG), its domain, where each piece of its knowledge lives, and the version of each. Two agents with the same profile fingerprint are functionally equivalent.
Knowledge anchor
One concrete location an agent's knowledge lives in. Five legitimate places: model weights, fine-tune deltas, system prompt, tool catalog, retrieved context. Each anchor has an owner, a version, and a last-refresh time.
Generalist (agent shape)
An agent that uses a broad model with no domain narrowing. Knowledge lives in the base model's weights. Cheap in code, expensive in tokens, brittle on narrow domains.
Specialist (agent shape)
An agent narrowed by fine-tune or strong system prompt for one domain. Knowledge lives partly in weights and partly in the prompt. Predictable output shape, narrower attack surface, harder to maintain across many domains.
Generalist plus RAG
A broad model paired with retrieved domain documents at request time. Knowledge lives in an external index that is mixed into context per request. Easiest to update; hardest to defend, because retrieved text is attacker-influenceable.
Capability registry
An external authority that publishes each agent's true capabilities. The handshake reads the registry instead of trusting whatever the agent claims. Defends against agents that hallucinate capabilities they do not have.
Pinned ask
The original goal of a session, hashed and stored at session start. Every later turn that claims to know the goal must hash to the same value. Detects ask drift.
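A pinned ask is a hash comparison at heart. The whitespace-and-case normalization here is one reasonable choice, not necessarily the kit's:

```python
import hashlib

def pin(goal: str) -> str:
    """Hash the goal at session start. Light normalization so incidental
    whitespace or casing does not trip the check (illustrative choice)."""
    return hashlib.sha256(" ".join(goal.split()).lower().encode()).hexdigest()

def matches_pin(claimed_goal: str, pinned: str) -> bool:
    """Every later restatement of the goal must hash to the same value."""
    return pin(claimed_goal) == pinned
```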
Tool gate
A chokepoint that intercepts every tool call and checks it against the contract's disclosed-tools set. Hallucinated tool calls fail closed before the tool implementation is touched. Rejected calls are still recorded for audit.
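A minimal gate, assuming tools are plain callables; real gates would also check arguments against the contract:

```python
def make_tool_gate(disclosed_tools: set, audit_log: list):
    """Chokepoint wrapping every tool call (sketch). Rejected calls fail
    closed before the tool runs, but are still recorded for audit."""
    def gate(tool_name: str, call, *args, **kwargs):
        allowed = tool_name in disclosed_tools
        audit_log.append({"tool": tool_name, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"tool {tool_name!r} not in contract")
        return call(*args, **kwargs)
    return gate
```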
Ask drift
The agent's restated goal mid-session no longer matches the originally pinned goal. Sometimes useful (the agent realized it needs an extra step), often catastrophic (the agent decided to do more than was asked). Caught by the pinned ask.
Task source
Where a task originated. Five legitimate sources in production: direct user request, scheduled trigger, event from another system, output of another agent (delegation), or self-generated subtask. Each carries a different trust level and audit story.
Task object
A structured handoff between principal and agent. Five fields: goal, principal, constraints, context, provenance. The constraints field is operator-controlled and overrides anything in the goal text.
Confirmation step
Before any state-changing action, the agent restates the goal and the orchestrator verifies the restatement matches the original task. Different from the pinned ask: confirmation is the moment the contract is sealed; the pin is the enforcement mechanism after that moment.
Bootstrap layers
The five layers an agent learns about its deployment, in the order it needs them: identity, capabilities, state, history, constraints. Reading them in this order in the early prompt and tool calls of every session is the safe default.
Distributed agency
The principle that no single component is "the agent." Agent-like behavior is composed across the model invocation, the loop, the orchestrator, the registry, the trust engine, the memory store, and the audit log. The illusion of a single agent comes from the consistent identifier and profile, not from a single conscious entity.
Pipeline
A line of agents in order: each one's output is the next one's input.
Hierarchical
An orchestrator of orchestrators, like a company org chart applied to agents.
Peer swarm
Equal agents talking freely; no one is in charge, structure emerges as they go.
Blackboard
A shared workspace agents read from and write to, often at different times.
Debate
A pattern where agents argue different sides and a judge decides.
Parallel fan-out
Sending the same input to several agents at once, then merging their answers.
Showing the conflicts
A merge step that explicitly lists where parallel agents disagreed, instead of hiding it.
Risk score
A number that combines how likely a failure is, how bad it would be, how far it would spread, and how likely you'd notice it.
Blast radius
How many users or records a single failure affects.
Alert tier
How severe an alert is: INFO, WARN, HIGH, CRITICAL.
Dedup window
A time window during which duplicate alerts get suppressed so you don't get spammed.
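The suppression logic is small enough to show whole. A sketch; production deduplication usually also keys on alert tier:

```python
class Deduper:
    """Suppress duplicate alerts inside a sliding time window (sketch)."""
    def __init__(self, window_seconds: float):
        self.window = window_seconds
        self.last_seen = {}  # alert key -> timestamp of last emitted copy

    def should_emit(self, key: str, now: float) -> bool:
        last = self.last_seen.get(key)
        if last is not None and now - last < self.window:
            return False           # duplicate inside the window: suppress
        self.last_seen[key] = now  # outside the window: emit, restart window
        return True
```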
Auto-action
An automatic response (like pausing the workflow) that fires alongside a CRITICAL alert.
Prompt injection
Malicious content in input that tries to override the agent's instructions.
Hallucination
When the agent confidently says something that isn't true.
Sandbox
An isolated environment with no network access and limited credentials, where it's safe to run untrusted code.
Tool grounding
Verifying claims against the real world: actually running the code, querying the database, fetching the page.
Raft
A way to keep multiple servers in sync as long as they fail only by crashing, never by lying. One is leader; the rest follow.
Byzantine fault
A server (or agent) behaving arbitrarily badly, possibly lying or contradicting itself.
BFT consensus
A way to agree on an answer even when some participants might be lying.
Quorum
The minimum number of agreeing votes needed to commit to a decision.
Semantic consensus
Grouping answers by meaning (using embeddings), then picking the biggest group instead of looking for exact matches.
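Greedy grouping over embedding vectors is one simple way to do this. The toy vectors below stand in for a real embedding model:

```python
import math

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))

def semantic_consensus(answers, vectors, threshold=0.9):
    """Group answers whose embeddings are close, then return the biggest
    group (sketch; real systems would call an embedding model)."""
    groups = []  # each group: list of answer indices
    for i, v in enumerate(vectors):
        for g in groups:
            # Compare against the group's first member as its representative.
            if cosine(v, vectors[g[0]]) >= threshold:
                g.append(i)
                break
        else:
            groups.append([i])
    biggest = max(groups, key=len)
    return [answers[i] for i in biggest]
```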
Verifier-prover
One agent answers, others check the answer. Checking is usually easier than producing.
Kill switch
A way to shut down all agent activity instantly from outside the system.
Circuit breaker
A pattern that automatically disables an agent after several failures in a row.
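The classic pattern in miniature; real breakers also add a cool-down before retrying:

```python
class CircuitBreaker:
    """Disable an agent after N consecutive failures (sketch)."""
    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        self.failures = 0

    @property
    def open(self) -> bool:          # open circuit = agent disabled
        return self.failures >= self.max_failures

    def call(self, fn, *args):
        if self.open:
            raise RuntimeError("circuit open: agent disabled")
        try:
            result = fn(*args)
        except Exception:
            self.failures += 1       # extend the failure streak
            raise
        self.failures = 0            # any success resets the streak
        return result
```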
Bulkhead
Isolating resources between agents so one agent's problems don't take down the others.
MCP
Model Context Protocol. An open standard for connecting agents to tools so any LLM can use any tool. Now maintained by the Linux Foundation's Agentic AI Foundation.
A2A
Agent-to-Agent Protocol. A standard for agents to find and call each other across teams or companies, using "Agent Cards".
ACP
Agent Communication Protocol. An open standard for inter-agent messaging, focused on cross-vendor interoperability.
ANP
Agent Network Protocol. A web-style standard for agent discovery, identity, and capability advertising across an open network.
Agent Card
A small profile that an A2A agent publishes describing what it can do and how to call it.
Tool poisoning
An attack where a malicious MCP server publishes a tool whose description contains hidden instructions the agent reads.
IPI (indirect prompt injection)
Hidden instructions inside content the agent reads as part of normal work (a webpage, an email, a PDF). Named the #1 LLM threat by OWASP in 2025.
Prompt infection
When one compromised agent passes its bad output to other agents, spreading the compromise through a multi-agent system.
Context rot
When models do worse at finding things in their input as the input gets longer, even if the answer is right there. Documented by Hong et al. 2025.
Memory agent
An agent that summarizes new information into structured notes, instead of re-reading the whole conversation history every turn.
Reasoning model
An LLM trained to "think out loud" before answering. Examples: DeepSeek-R1, OpenAI o3, Claude with extended thinking, Qwen QwQ.
Reflection
An agent reviewing its own output and trying to improve it. Works when there's something concrete to check against (tests, types, tool errors); usually doesn't work without that grounding.
LLM-as-judge
Using one model to grade another's output. Cheap and easy, but biased: it tends to prefer longer answers, the first one shown, and answers from its own model family.
SWE-bench
A benchmark that asks agents to fix real GitHub issues. As of 2026 the scores can be cheated, so don't trust single numbers without seeing the agent's traces.
OSWorld
A benchmark where agents operate a real Linux desktop. Scores went from 23% to 51% during 2025 thanks to better screen-grounding.
TAU-bench
A benchmark for customer-service style tasks. Harder to game than other benchmarks because the simulated user is unpredictable.
Heuristic
A hand-written rule (in code, not in the prompt) that the agent system applies to guide or limit behavior. Cheap, predictable, easy to audit.
Reward
A score the agent tries to maximize. Used during training to shape behavior, or at runtime to pick between candidate actions.
Reward hacking
When an agent finds a way to maximize the reward without doing what you actually wanted. Hard to spot and harder to fix.
RLHF
Reinforcement Learning from Human Feedback. The training method behind most modern chat models: humans rate which response is better, the model is updated to produce more of the preferred kind.
Best-of-N sampling
Generate several candidate answers, score each one, return the highest-scoring. Trades cost for quality.
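The whole pattern is three lines; the `generate` and `score` callables below are placeholders for a model call and a reward model:

```python
def best_of_n(generate, score, n: int):
    """Generate n candidates, score each, return the highest-scoring one."""
    candidates = [generate(i) for i in range(n)]
    return max(candidates, key=score)
```

In practice `generate` samples from the model with nonzero temperature (so the candidates differ) and `score` is a verifier or reward model.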
Preference learning
Adapting an agent's behavior based on how users react to past outputs (edits, ratings, accepts). Quieter than rewards but slower to take effect.
Skill library
A growing collection of reusable strategies an agent has discovered. Future tasks check the library before re-solving from scratch.
World model
An agent's internal predictor for how the environment will respond to its actions. Lets the agent imagine consequences before acting.
Embodied agent
An agent connected to a physical or simulated 3D environment (a robot, a game character, a virtual avatar) rather than just text and APIs.
Multi-agent economy
A system where independent agents (often owned by different parties) discover, hire, and pay each other for work.
Pre-config privilege
A permission set when the agent is created and rarely changed. The floor of what the agent can do.
Post-config privilege
A permission granted at runtime, often time-bounded and action-bounded. How an agent stretches beyond its baseline for a specific task.
RAG
Retrieval-Augmented Generation. The agent searches a knowledge base for relevant chunks and uses them to answer. Which corpora the agent can search is itself a privilege decision.
Capability token
An unforgeable proof that the bearer is allowed to do a specific thing. Easier to audit and revoke than role-based access.
Agent reputation
A score (or set of scores) tracking how an agent has behaved historically. Used to gate access to riskier privileges.
Slashing
Automatically taking away an agent's stake (money, tokens, reputation) when it breaks rules. Makes misbehavior costly.
Sybil attack
An attacker creates many fake "good" agents to vouch for a bad one, inflating its reputation. Defense: weight votes by the voter's own reputation.
Beta distribution
The probability distribution used to model agent reputation. Track (α, β) where α counts good outcomes and β counts bad. Mean = α/(α+β), with variance shrinking as the sample grows.
Credible lower bound
The pessimistic edge of the credible interval: what the agent is at least worth, with high confidence. Use this for privilege checks, not the mean.
Exponential decay
Multiplying old observations by e^(−λΔt) so recent behavior dominates. The decay rate λ controls how fast old evidence fades; the half-life is ln 2/λ.
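The three entries above compose into one small reputation tracker. A sketch: the lower bound here uses a normal approximation to the Beta credible interval rather than an exact quantile:

```python
import math

class Reputation:
    """Beta-distribution reputation with exponential decay (sketch)."""
    def __init__(self, decay_rate: float = 0.01):
        self.alpha, self.beta = 1.0, 1.0   # uniform prior
        self.decay_rate = decay_rate
        self.last_t = 0.0

    def observe(self, good: bool, t: float):
        # Fade old evidence by e^(-lambda * dt), then count the new outcome.
        w = math.exp(-self.decay_rate * (t - self.last_t))
        self.alpha, self.beta = self.alpha * w, self.beta * w
        self.last_t = t
        if good:
            self.alpha += 1
        else:
            self.beta += 1

    def mean(self):
        return self.alpha / (self.alpha + self.beta)

    def lower_bound(self, z: float = 1.64):  # ~95% one-sided, normal approx
        n = self.alpha + self.beta
        var = (self.alpha * self.beta) / (n * n * (n + 1))
        return max(0.0, self.mean() - z * math.sqrt(var))
```

Privilege checks compare against `lower_bound()`, not `mean()`, so a new agent with two lucky outcomes does not outrank a veteran with two hundred.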
Ed25519
A modern elliptic-curve digital signature scheme. Fast, small signatures (64 bytes), widely supported. Standard choice for capability token signing.
Replay attack
An attacker reuses a captured valid token after the legitimate action already happened. Defense: one-time jti (token ID) tracked in a shared set, marked consumed on first use.
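The defense in miniature. A sketch: production systems keep the consumed set in shared storage with expiry, not in process memory:

```python
class JtiStore:
    """One-time token IDs, marked consumed on first use (sketch)."""
    def __init__(self):
        self._consumed = set()

    def consume(self, jti: str) -> bool:
        """True the first time a jti is seen; False on any replay."""
        if jti in self._consumed:
            return False
        self._consumed.add(jti)
        return True
```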
HSM
Hardware Security Module. A physical device that stores private signing keys and performs signatures without ever exposing the key material. Where capability-token signing keys belong.
Append-only log
A log where rows can be added but never deleted or modified. Tamper-evident when each row is hashed with the previous row's hash (Merkle chain).
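The hash chain that makes tampering evident, sketched with SHA-256 over JSON rows:

```python
import hashlib
import json

def append(log: list, entry: dict) -> None:
    """Each row carries the hash of the previous row, so editing any
    historical row breaks every hash after it."""
    prev = log[-1]["hash"] if log else "0" * 64
    body = json.dumps(entry, sort_keys=True)
    h = hashlib.sha256((prev + body).encode()).hexdigest()
    log.append({"entry": entry, "prev": prev, "hash": h})

def verify(log: list) -> bool:
    """Recompute the chain from the start; any break means tampering."""
    prev = "0" * 64
    for row in log:
        body = json.dumps(row["entry"], sort_keys=True)
        if row["prev"] != prev or \
           row["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
            return False
        prev = row["hash"]
    return True
```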
Control plane
The runtime layer that decides whether each data touch is lawful, applies obligations like redaction, records lineage, and writes the audit trail. Sits in front of every data access; runs in microseconds.
Data plane
The layer that actually moves bytes between agents, tools, and stores. The control plane decides; the data plane executes the decision.
Policy Decision Point (PDP)
The function that, given (subject, action, resource, context), returns allow or deny in microseconds. Pure function; no I/O on the hot path.
Obligation
A condition attached to an allow-decision: "redact PII before showing", "log this access", "limit to 100 rows". The gate is responsible for enforcing; the policy declares.
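How a PDP and obligations fit together, as a pure function with no I/O. The rules are made up for illustration:

```python
def decide(subject: str, action: str, resource: str, context: dict):
    """Policy decision point (sketch): returns ('allow'|'deny', obligations).
    The gate enforces the obligations; this function only declares them."""
    # Hypothetical residency rule: EU requests never touch US resources.
    if context.get("residency") == "EU" and resource.startswith("us:"):
        return ("deny", [])
    obligations = []
    if resource.startswith("pii:"):
        obligations.append("redact_pii")
    if action == "read" and context.get("bulk"):
        obligations.append("limit_rows:100")
    return ("allow", obligations)
```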
Lineage
The chain of data sources that contributed to an agent's output. Per-request tracking, threaded via contextvars. Lets you answer "where did this answer come from?" in audit.
Right to erasure
A user's legal right to demand their data be deleted (GDPR Article 17, CCPA 1798.105, LGPD, PIPL). For agent systems, must reach SQL, doc store, vector index, caches, and backups.
Linkage attack
Two queries that are individually compliant join into a re-identification of a person. "Anonymous" + public records = identified. Defense: track joins in lineage; require explicit allow on cross-source aggregation.
Data residency
The legal requirement that data stay within a specific jurisdiction (EU data in EU, etc.). Drives how queries are routed to LLM and tool backends.
Legal basis
The lawful reason for processing personal data under GDPR: consent, contract, legal obligation, vital interest, public task, or legitimate interest. Required field on every audit entry.
Markov decision process (MDP)
A formal model of an agent acting in an environment: states, actions, transition probabilities, and rewards. The foundation of reinforcement learning. Useful for specifying what an agent should do; less useful when state is partial or continuous.
POMDP
A Markov decision process where the agent only sees observations, not the full state. Closer to reality than a plain MDP. Solving exactly is intractable, so production systems use belief tracking or treat recent observations as state.
Hidden Markov model (HMM)
A model where observed actions are produced by hidden states that follow a Markov chain. Used to audit agents from outside: fit on normal traces, then detect when new behavior is poorly explained by the model.
Conformal prediction
A distribution-free way to wrap any classifier with a calibrated prediction set guaranteed to contain the true answer with target probability. Set size is the runtime confidence signal: small means confident, large means hand off to a human.
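A split-conformal sketch for classification: calibrate a threshold on held-out data, then include every label that clears it. The probabilities below stand in for any classifier's output:

```python
import math

def calibrate(cal_probs, cal_labels, alpha=0.1):
    """Split conformal: nonconformity = 1 - model probability of the true
    label; return the calibrated threshold for coverage ~ 1 - alpha."""
    scores = sorted(1 - p[y] for p, y in zip(cal_probs, cal_labels))
    n = len(scores)
    k = min(n - 1, math.ceil((n + 1) * (1 - alpha)) - 1)
    return scores[k]

def prediction_set(probs, qhat):
    """All labels whose nonconformity stays under the threshold.
    A large set is the runtime signal to hand off to a human."""
    return {label for label, p in probs.items() if 1 - p <= qhat}
```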
World model
A learned model of the environment that predicts the next state given the current state and action. The agent plans against the model rather than the real world. Practical signal: when prediction diverges from actual, the model has gone stale.
Out-of-distribution (OOD)
A state or input the model has not seen during training. Detection is the first line of defense against silent failure: when an agent enters OOD territory, hand off to a human or refuse to act.
Calibration
The property that a model's stated confidence matches its empirical accuracy: when it says "90% sure" it is right 90% of the time. Most LLMs are not calibrated by default; conformal prediction is one fix.