Glossary

Plain-language definitions.

Every term used in the Vigil24 platform, defined in one place — no legalese, no jargon.

AI System

Any AI tool, model, or service the organisation uses. Includes tools that have been formally registered and those still in the shadow AI detection queue.

AI Passport

A signed record of an AI system's full governance status: risk assessment, policies applied, controls in place, evidence, and approval chain. Issued when a system completes the full governance cycle. Premium feature.

Audit Trail

An immutable, time-ordered record of every action taken in the platform — who did what, when, on which record, and why. Tamper-evident and exportable for regulators.

Compliance Gap

A specific policy clause that has not been satisfied for a given AI system. Created automatically when a policy is applied and an obligation is unmet. Has an owner, a deadline, and a resolution path.

Content Bundle

A signed, versioned package of platform content. Contains updated regulation text, policy templates, controls, and shadow AI catalogue entries.

Control

A safeguard put in place to reduce a specific risk. May be technical, procedural, or contractual. Each control has an effectiveness rating and the evidence that shows it is in place.

Data Processing Agreement

A contract between a data controller and a processor (including AI vendors) that sets out how personal data may be processed, security expectations, sub-processor rules, and breach notification timelines. Required under GDPR Article 28.

Deployer

An organisation that puts an AI system into use under its own authority — for example a bank using a third-party fraud-scoring model. Deployers carry obligations under the EU AI Act distinct from providers.

DPIA

Data Protection Impact Assessment. A structured analysis required when processing is likely to result in high risk to individuals' rights. Mandatory under GDPR for many AI deployments involving personal data.

Evidence

Any artefact that demonstrates a control is in place and working — screenshots, signed approvals, policy versions, log extracts, vendor attestations.

Exception

A time-limited waiver for a compliance gap. Requires a named approver, a documented reason, and a hard expiry date. The gap reopens automatically when it expires.

Governance Health Score

A 0 to 100 score showing the ratio of met obligations to total obligations across all live policies and all registered systems.

High-Risk AI System

Under the EU AI Act, an AI system that falls within Annex III categories (e.g. employment, credit, critical infrastructure) or is a safety component of a regulated product.

Policy Owner

The named individual accountable for a policy's content and lifecycle — drafting, review cadence, exceptions, and retirement.

Provider

An organisation that develops an AI system or has one developed and places it on the market under its own name. Carries the heaviest obligations under the EU AI Act.

Regulation Tracker

The component that monitors changes to the regulations you've mapped to. When a Content Bundle introduces a change, the tracker flags affected systems, controls, and policy clauses for review.

Review Cadence

The defined frequency at which a policy, risk assessment, or control is re-evaluated — for example quarterly for high-risk systems, annually for low-risk.

Risk Tier

The classification assigned to an AI system based on potential impact — typically Prohibited, High, Limited, or Minimal under the EU AI Act.

Shadow AI

AI tools or models in use within an organisation that have not been registered, assessed, or approved.

Two-Person Rule

The requirement that the person who submits a record for approval cannot also be the person who approves it. Any attempt to bypass it is recorded in the audit trail.

Versioned Policy

A policy for which every version is kept. Every edit creates a new version. Activation logs the event with a timestamp and the approver.