Docs & Knowledge Hub

Everything you need, in one place.

A lightweight hub at launch. Enough to answer the most common questions and point people to the right place.

Getting started

Feature guides

Glossary

Plain-language definitions for every term used in the platform.

AI System

Any AI tool, model, or service the organisation uses. Includes tools that have been formally registered and those still in the shadow AI detection queue.

AI Passport

A signed record of an AI system's full governance status: risk assessment, policies applied, controls in place, evidence, and approval chain. Issued when a system completes the full governance cycle. Premium feature.

Audit Trail

An immutable, time-ordered record of every action taken in the platform — who did what, when, on which record, and why. Tamper-evident and exportable for regulators.

Compliance Gap

A specific policy clause that has not been satisfied for a given AI system. Created automatically when a policy is applied and an obligation is unmet. Has an owner, a deadline, and a resolution path.

Content Bundle

A signed, versioned package of platform content. Contains updated regulation text, policy templates, controls, and shadow AI catalogue entries. Applied automatically to cloud customers, pulled inward by agent for on-premise customers, and imported manually by air-gapped customers.

Control

A safeguard put in place to reduce a specific risk. May be technical, procedural, or contractual. Each control has an effectiveness rating and the evidence that shows it is in place.

Data Processing Agreement

A contract between a data controller and a processor (including AI vendors) that sets out how personal data may be processed, security expectations, sub-processor rules, and breach notification timelines. Required under GDPR Article 28 and equivalent laws.

Deployer

An organisation that puts an AI system into use under its own authority — for example a bank using a third-party fraud-scoring model. Deployers carry obligations under the EU AI Act distinct from providers.

DPIA

Data Protection Impact Assessment. A structured analysis required when processing is likely to result in high risk to individuals' rights. Mandatory under GDPR for many AI deployments involving personal data.

Evidence

Any artefact that demonstrates a control is in place and working — screenshots, signed approvals, policy versions, log extracts, vendor attestations. Stored content-hashed in the evidence repository and linked to the relevant control.

Exception

A time-limited waiver for a compliance gap. Requires a named approver, a documented reason, and a hard expiry date. The gap reopens automatically when it expires.

Governance Health Score

A 0 to 100 score showing the ratio of met obligations to total obligations across all live policies and all registered systems at the current moment.

High-Risk AI System

Under the EU AI Act, an AI system that falls within Annex III categories (e.g. employment, credit, critical infrastructure) or is a safety component of a regulated product. Subject to the strictest obligations: risk management, data governance, human oversight, technical documentation, and post-market monitoring.

Policy Owner

The named individual accountable for a policy's content and lifecycle — drafting, review cadence, exceptions, and retirement. Visible on every policy version and in the audit trail.

Provider

An organisation that develops an AI system or has one developed and places it on the market under its own name. Carries the heaviest obligations under the EU AI Act, including conformity assessment for high-risk systems.

Regulation Tracker

The component that monitors changes to the regulations you've mapped to. When a Content Bundle introduces a change, the tracker flags affected systems, controls, and policy clauses for review.

Review Cadence

The defined frequency at which a policy, risk assessment, or control is re-evaluated — for example quarterly for high-risk systems, annually for low-risk. Overdue reviews surface automatically on the dashboard.

Risk Tier

The classification assigned to an AI system based on potential impact — typically Prohibited, High, Limited, or Minimal under the EU AI Act, with parallel tiers for NIST and ISO 42001. Drives the depth of controls, evidence, and review cadence required.

Shadow AI

AI tools or models in use within an organisation that have not been registered, assessed, or approved. May be accessed through personal accounts, embedded in approved SaaS tools, or running locally on company devices.

Two-Person Rule

The requirement that the person who submits a record for approval cannot also be the person who approves it. Any attempt to bypass it is recorded in the audit trail.

Versioned Policy

A policy for which every version is kept. Every edit creates a new version. Activation logs the event with a timestamp and the approver. Prior versions are permanently retrievable.