AI Governance Glossary

The principle that there must be clear attribution of responsibility — civil, administrative, and potentially criminal — when an AI system causes harm. One of the main regulatory challenges, especially in complex development chains (model creator, integrator, operator, user).

An interdisciplinary field that examines the moral implications of AI system development and use. It covers issues such as justice, autonomy, privacy, human dignity, and equitable distribution of benefits and risks. It underpins the principles adopted by regulations such as the EU AI Act and guidelines from the OECD and UNESCO.

The set of institutional arrangements, policies, processes, standards, and mechanisms that guide the responsible development, deployment, and use of AI systems. It encompasses technical, legal, ethical, and organizational dimensions. It is not limited to state regulation — it includes self-regulation, certifications, best practice frameworks, and accountability mechanisms.

The level of sophistication and comprehensiveness of an organization's AI governance practices. IBGIA developed a maturity assessment framework with five levels: Initial, Basic, Intermediate, Advanced, and Reference, across eight dimensions: Strategy, People, Processes, Data, Technology, Ethics, Compliance, and Monitoring.

A phenomenon in which a generative AI model produces factually incorrect, fabricated, or baseless information, presenting it with an appearance of truthfulness. It represents a significant risk when AI systems are used in contexts that require accuracy, such as healthcare, law, and journalism.

Informal denomination for the set of regulations that will govern the development and use of Artificial Intelligence in Brazil. The main legislative instrument under consideration is PL 2338/2023.

The set of phases in the development and operation of an AI system: planning, data collection, training, validation, deployment, monitoring, and decommissioning. AI governance must cover all phases, as risks can arise at any stage — from biases in data collection to performance degradation in production.

A security practice in which a team simulates adversarial attacks against an AI system to identify vulnerabilities, undesirable behaviors, and security risks before deployment. It includes jailbreaking tests, training data extraction, and harmful content generation. Recommended by the NIST AI RMF and the EU AI Act for systemic risk models.

A public authority responsible for supervising, overseeing, and enforcing AI system regulation. In Brazil, PL 2338/2023 provides for the creation or designation of a competent body — ANPD is the leading candidate. The EU AI Act designates national market surveillance authorities in each Member State.

A set of practices an organization adopts to ensure its AI systems meet applicable legal and regulatory requirements. It includes technical documentation, impact assessments, high-risk system registration, and compliance reports. It is expected to become a formal obligation with the approval of the AI Legal Framework.

As defined by PL 2338/2023: a system based on computational processes that can, for a set of human-defined objectives, make predictions, recommendations, or decisions that influence real or virtual environments. The EU AI Act adds the elements of autonomy and adaptability.

A public or organizational database that catalogs AI systems in use, including purpose, risk category, responsible parties, and assessments conducted. The EU AI Act requires registration in the EU database for high-risk systems. In Brazil, a similar mechanism is discussed within the scope of PL 2338/2023.

The property of an AI system that demonstrates being safe, fair, explainable, robust, and privacy-respecting. A central concept in the EU's HLEG (High-Level Expert Group on AI) framework and the NIST AI Risk Management Framework. It is not binary — it is assessed in degrees and depends on the context of use.

The use of generative AI systems to create or amplify false or misleading content at scale — including text, images, audio, and video (deepfakes). It represents a threat to election integrity, public health, and social cohesion. The EU AI Act and PL 2338/2023 require labeling of AI-generated content.

A finite sequence of instructions or rules that, when executed, produce a result. In AI governance, the term is frequently used to refer to automated decision-making systems, even when they involve machine learning and not just fixed rules.

An independent and systematic evaluation of an AI system to verify compliance with technical, legal, and ethical standards. It can cover analysis of training data, performance metrics, biases, security, and documentation. The EU AI Act requires audits for high-risk systems. In Brazil, similar mechanisms are being discussed.

A systematic tendency of an AI system to produce unfair or discriminatory results toward certain groups, usually arising from biases in training data, problem definition, or model design choices. It can result in discrimination by race, gender, income, geographic origin, or other characteristics.

When an AI system treats people or groups unequally and unjustifiably based on protected characteristics (race, gender, age, origin, religion, etc.), directly or through proxies. It can be intentional or emerge involuntarily from the data and system design.

A set of technical and ethical criteria used to assess whether an AI system treats different groups fairly. It includes metrics such as demographic parity, equality of opportunity, and error equalization. Different definitions of fairness can be mathematically incompatible with each other.

A structured process to identify, analyze, and mitigate risks associated with the development or deployment of high-risk AI systems. Analogous to the DPIA (Data Protection Impact Assessment) of LGPD/GDPR, but focused on broader social impacts: discrimination, access to rights, biases, opacity. Mandatory for high-risk systems under PL 2338/2023.

The practice of making publicly accessible the information about how an AI system operates, what data it uses, what criteria influence its decisions, and what its known limitations are. It goes beyond individual explainability and encompasses proactive disclosure of usage policies, model cards, and impact reports.

National Data Protection Authority. Regulatory body responsible for overseeing and enforcing the LGPD in Brazil. A natural candidate to assume regulatory functions under the AI Legal Framework.

Synthetic content — image, video, or audio — generated by AI to realistically mimic the appearance or voice of a real person. It represents a significant risk for disinformation, fraud, and privacy violation. PL 2338/2023 and the EU AI Act establish identification obligations for synthetic content.

Regulation (EU) 2024/1689 of the European Parliament and of the Council, the first comprehensive AI regulatory framework in the world. It entered into force in August 2024, with gradual implementation until 2027. It adopts a risk-based approach with four levels: unacceptable, high, limited, and minimal.

The ability of an AI system to provide, in understandable language, the reasons why a particular output (decision, recommendation, classification) was produced. Considered a fundamental component of trustworthy AI systems. PL 2338/2023 establishes the right to explanation for high-risk decisions.

An AI model trained at large scale on broad data that can be adapted for a variety of tasks. Also called a Large Language Model (LLM) when focused on language. The EU AI Act regulates General Purpose AI (GPAI) models with specific obligations for systemic risk models.

AI systems capable of generating new content (text, images, audio, video, code) from patterns learned during training. Examples: GPT-4, Claude, Gemini, DALL-E, Midjourney. They present specific regulatory challenges, especially regarding copyright, disinformation, and deepfakes.

An organized structure of principles, policies, processes, and tools that an organization or jurisdiction adopts to govern the lifecycle of AI systems. Examples include the NIST AI RMF, the ISO/IEC 42001 framework, and IBGIA's maturity frameworks. It differs from regulation by being voluntary or organizational.

General Purpose AI. A category created by the EU AI Act for large-scale trained AI models that can be used for multiple purposes. Subject to transparency obligations, technical documentation, and, for systemic risk models (above 10^25 FLOPs), additional evaluation obligations.

A category of AI systems that pose significant risk to fundamental rights and safety. The EU AI Act lists 8 categories (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice). PL 2338/2023 adopts a more principle-based definition, delegating details to the regulator.

The principle that high-risk AI systems must be designed and operated so that humans can understand, monitor, intervene, and, if necessary, override the system's decisions. The EU AI Act requires specific human oversight measures for high-risk systems.

An approach that places well-being, fundamental rights, and human dignity as central criteria in the design, regulation, and operation of AI systems. A pillar of the EU HLEG guidelines and the OECD AI Principles. It stands in contrast to approaches purely oriented toward efficiency or the market.

An international standard published in 2023 that establishes requirements for an Artificial Intelligence Management System (AIMS). It is the world's first certifiable AI management standard, enabling organizations to demonstrate compliance with AI governance best practices through independent auditing.

A type of AI model trained on vast volumes of text to understand and generate natural language. Examples include GPT-4, Claude, and LLaMA. LLMs are the foundation of most generative text AI systems and present specific governance challenges, such as hallucinations, biases, and difficulty of auditing.

General Personal Data Protection Law (Law No. 13,709/2018). Regulates the processing of personal data in Brazil. It applies to AI systems that process personal data, complementing (and in some points overlapping with) the AI Legal Framework.

A subfield of AI that develops algorithms capable of learning patterns from data without being explicitly programmed. It includes techniques such as neural networks, decision trees, and regression. Most modern high-impact AI systems use machine learning.

AI Principles of the Organisation for Economic Co-operation and Development, adopted in May 2019 and updated in 2024. They establish a governance framework adopted by more than 40 countries, including principles of inclusiveness, well-being, transparency, robustness, and accountability.

Information related to an identified or identifiable natural person, as defined by the LGPD (art. 5, I). AI systems that process personal data are subject to LGPD obligations, including legal basis for processing, minimization, and data subject rights. Sensitive data (race, health, biometrics) receives enhanced protection.

Bill No. 2,338/2023, authored by Senator Rodrigo Pacheco, which establishes the Legal Framework for Artificial Intelligence in Brazil. Drafted based on the work of the Senate's Commission of Jurists for AI (CJIA). Currently under consideration in the Chamber of Deputies.

A principle that guides the adoption of preventive measures in the face of serious or irreversible risks, even in the absence of complete scientific certainty. Applied to AI, it justifies restrictions or moratoriums on technologies whose impacts are not fully understood — such as lethal autonomous systems or superintelligent AI.

A principle that requires incorporating privacy protections from the design stage of a system, rather than as a retroactive measure. Applied to AI, it implies data minimization, anonymization, access control, and privacy impact assessment at all stages of the model lifecycle. Provided for in the LGPD and GDPR.

The technique of formulating textual instructions (prompts) to obtain desired responses from language models. Although it may seem trivial, it is an evolving field with direct impact on the quality, safety, and reliability of generative AI outputs. It raises governance questions about standardization and system behavior control.

A controlled environment created by a regulatory body for companies and developers to test innovative technologies — including AI systems — under supervision, with relaxed regulatory requirements for a limited period. It enables mutual learning between regulator and innovator. Provided for in the EU AI Act and discussed in the context of Brazil's AI Legal Framework.

The right of an individual affected by an automated decision to receive clear and accessible information about the logic used by the AI system. Provided for in the LGPD (art. 20) and reinforced in PL 2338/2023. Closely related to the principles of explainability and transparency.

A regulatory principle whereby obligations imposed on AI developers and operators are proportional to the risk the system poses to fundamental rights, safety, and well-being. Higher-risk systems face more stringent requirements. Adopted by the EU AI Act and PL 2338/2023.

The ability of an AI system to maintain reliable and predictable performance in the face of variations in input data, adversarial conditions, or perturbations. It includes resistance to adversarial attacks, data noise, and changes in data distribution over time (drift). A fundamental requirement in trustworthy AI frameworks.

Data artificially generated by algorithms — rather than collected from the real world — that preserves the statistical properties of original data. Used to train AI models when real data is scarce, sensitive, or protected by privacy. They raise questions about quality, representativeness, and potential perpetuation of biases.

The principle that AI developers and operators must make sufficient information available about how systems work, what data they use, and how they make decisions. It includes both technical transparency (for regulators and auditors) and transparency for affected users.

A category of AI systems whose risks are so severe they justify prohibition. Under the EU AI Act: social scoring systems by public authorities, subliminal manipulation, exploitation of vulnerabilities, mass biometric surveillance in public spaces. PL 2338/2023 prohibits discriminatory and manipulative systems without an equivalent exhaustive list.

A principle that ensures an individual's ability to understand that they are interacting with an AI system, to contest automated decisions, and to opt for human alternatives when available. Protected by the right to human review in PL 2338/2023 and the right not to be subject to exclusively automated decisions in the LGPD.