Glossary
AI governance, software due diligence, compliance, data strategy, and valuation terms -- defined by practitioners who use them every day.
A
Agentic AI
AI & Governance: AI systems that can autonomously plan, execute multi-step tasks, use tools, and make decisions with minimal human oversight. Unlike chatbots that...
AGPL
Software Licensing: A strong copyleft license that extends GPL's requirements to software accessed over a network. If you modify AGPL software and let users interact...
AI Auditing
AI & Governance: An independent, structured evaluation of an AI system's design, data, outputs, and governance controls. A good audit goes beyond checking boxes -- it...
AI Governance
AI & Governance: The policies, procedures, and oversight structures an organization uses to manage AI risk and ensure responsible AI deployment. Effective AI...
AI Literacy
AI & Governance: The ability of an organization's personnel to understand, evaluate, and appropriately use AI systems. The EU AI Act made this a legal obligation as...
AI Model Escrow
AI & Governance: A contractual arrangement where AI model weights, training data references, and associated documentation are deposited with a neutral third party. If...
AI Washing
AI & Governance: Making misleading claims about a product's use of artificial intelligence -- overstating capabilities, fabricating AI features, or calling basic...
Algorithmic Bias
AI & Governance: Systematic and repeatable errors in an AI system that produce unfair outcomes for particular groups. Bias can enter through training data (historical...
ASC 350
Finance & Valuation: The FASB accounting standard governing intangible assets, including internally developed software. ASC 350-40 specifically covers internal-use...
ASC 805
Finance & Valuation: The FASB accounting standard governing how acquirers account for business combinations (M&A transactions). ASC 805 requires purchase price allocation...
B
Backdoor
Due Diligence & Software: A hidden method for bypassing normal authentication or access controls in software. Backdoors can be intentional (a developer leaving a debug entry...
BSL
Software Licensing: A license model (popularized by MariaDB and adopted by HashiCorp, Sentry, and others) where source code is publicly available but commercial use is...
C
Cap Table
Finance & Valuation: A spreadsheet or database showing a company's ownership structure -- who holds what type of equity, at what price, with what preferences and...
CCPA/CPRA
Compliance & Privacy: California's comprehensive privacy laws giving consumers rights over their personal data -- access, deletion, opt-out of sale, and (under CPRA)...
CI/CD
Due Diligence & Software: Automation practices where code changes are automatically built, tested, and deployed. CI ensures every commit is validated against the test suite....
CISA
Compliance & Privacy: The US federal agency responsible for cybersecurity guidance, vulnerability coordination, and critical infrastructure protection. CISA publishes the...
CISO
Compliance & Privacy: The executive responsible for an organization's information security strategy, risk management, and incident response. A full-time CISO at a...
CMMC
Compliance & Privacy: A US Department of Defense framework requiring defense contractors to meet specific cybersecurity standards to handle Controlled Unclassified...
COCOMO
Finance & Valuation: A software cost estimation model used to approximate the effort, time, and cost required to develop or reproduce a software system. COCOMO II is...
Compliance-by-Design
Compliance & Privacy: Building regulatory compliance into systems and processes from the start rather than bolting it on afterward. The concept parallels privacy-by-design...
Conformity Assessment
AI & Governance: A formal evaluation process to determine whether an AI system meets the requirements of a regulation or standard. Under the EU AI Act, providers of...
Convertible Note
Finance & Valuation: A short-term debt instrument that converts into equity at a future priced round, typically with a discount (10-20%) and/or a valuation cap....
COPPA
Compliance & Privacy: A US federal law that imposes requirements on websites and online services directed at children under 13, or that knowingly collect personal...
Copyleft
Software Licensing: A licensing approach that requires derivative works to be distributed under the same license terms as the original. GPL and AGPL are copyleft...
CRA
Compliance & Privacy: An EU regulation requiring manufacturers and distributors of products with digital elements to meet cybersecurity requirements throughout the product...
CVE
Due Diligence & Software: A standardized identifier for publicly known cybersecurity vulnerabilities (e.g., CVE-2024-3094 for the xz-utils backdoor). CVEs are assigned by...
CycloneDX
Due Diligence & Software: An OWASP-maintained standard for creating software bills of materials, with support for SBOMs, VEX documents, and hardware BOMs. CycloneDX supports...
D
Data Bill of Materials (DBOM)
Data Strategy: A structured inventory of the datasets used to train, validate, and test an AI model -- the data equivalent of an SBOM. A DBOM documents data...
Data Contract
Data Strategy: A formal agreement between a data producer and consumer that specifies the schema, format, quality standards, SLAs, and semantics of a dataset or...
Data Governance
Data Strategy: The organizational framework for managing data as a strategic asset -- covering data quality, access controls, lifecycle management, and compliance....
Data Lineage
Data Strategy: The record of where data came from, how it was transformed, and where it went -- the data equivalent of a chain of custody. Data lineage answers "why...
Data Mesh
Data Strategy: A decentralized data architecture where domain teams own and publish their data as products, rather than centralizing everything in a data warehouse...
Data Product
Data Strategy: A curated, documented, and governed dataset, API, or data service designed for repeated use by specific consumers. Data products apply product...
Data Protection Impact Assessment (DPIA)
Compliance & Privacy: A structured assessment required under GDPR Article 35 when data processing is likely to result in high risk to individuals' rights and freedoms. A...
Data Provenance
Data Strategy: Documentation of a dataset's origin, collection method, permissions, and chain of custody. Provenance answers "where did this data come from and did...
Data Quality
Data Strategy: The degree to which data meets the requirements of its intended use -- measured across dimensions like accuracy, completeness, consistency,...
Data Strategy
Data Strategy: An organization's plan for collecting, managing, and using data to achieve business objectives. A data strategy covers infrastructure, governance,...
DCF
Finance & Valuation: A valuation method that estimates the present value of an asset based on projected future cash flows, discounted back at a rate reflecting the...
Dependency Analysis
Due Diligence & Software: The process of identifying and evaluating all third-party software components a codebase relies on -- direct dependencies you chose to include, plus...
DevSecOps
Due Diligence & Software: Integration of security practices into every phase of the software development lifecycle, rather than treating security as a final gate before...
E
EBITDA
Finance & Valuation: A measure of operating profitability that strips out financing decisions and accounting conventions. EBITDA multiples are the most common valuation...
ESG
Finance & Valuation: A framework for evaluating a company's performance on non-financial factors: environmental impact, social responsibility, and governance practices....
EU AI Act
AI & Governance: The European Union's comprehensive regulation on artificial intelligence, establishing a risk-based framework for AI systems sold or used in the EU....
F
Fair Use
Software Licensing: A US legal doctrine allowing limited use of copyrighted material without permission for purposes like criticism, commentary, research, and education....
Fairly Trained
AI & Governance: An independent certification confirming that an AI model's training data was obtained under proper licensing agreements, is public domain, or is...
FASB
Finance & Valuation: The private-sector body that establishes US Generally Accepted Accounting Principles (GAAP). FASB standards govern how software development costs are...
FedRAMP
Compliance & Privacy: A US government program that standardizes the security assessment and authorization of cloud services used by federal agencies. FedRAMP authorization...
Fine-Tuning
AI & Governance: Adapting a pre-trained AI model to a specific domain or task by training it further on a smaller, targeted dataset. Fine-tuning is how organizations...
Foundation Model
AI & Governance: A large AI model trained on broad data that can be adapted to a wide range of downstream tasks. GPT-4, Claude, and Llama are foundation models....
FTC
Compliance & Privacy: The US federal agency responsible for consumer protection and antitrust enforcement. The FTC has been actively pursuing AI-related enforcement,...
G
GDPR
Compliance & Privacy: The EU's data protection regulation, effective since May 2018, that governs how organizations collect, process, and store personal data of EU...
General-Purpose AI (GPAI)
AI & Governance: The EU AI Act's term for AI models that can perform a wide variety of tasks, including tasks they weren't specifically designed for. GPAI providers...
Generative AI
AI & Governance: AI systems that create new content -- text, images, code, audio, video -- rather than classifying or predicting from existing data. Large language...
GPL
Software Licensing: The most widely used copyleft license, requiring that anyone distributing GPL-licensed software (or software derived from it) must make the source...
GUAC
Due Diligence & Software: An open-source tool from Google that aggregates software supply chain metadata (SBOMs, attestations, vulnerability data, scorecard results) into a...
H
High-Risk AI
AI & Governance: AI systems that the EU AI Act classifies as posing significant risk to health, safety, or fundamental rights. This includes AI used in employment...
HIPAA
Compliance & Privacy: US federal law establishing standards for protecting sensitive patient health information (PHI). HIPAA's Privacy Rule governs who can access PHI; the...
I
Intangible Asset
Finance & Valuation: A non-physical asset with economic value -- software, patents, trademarks, customer relationships, proprietary data. In technology M&A, intangible...
IRC Section 409A
Finance & Valuation: The section of the Internal Revenue Code that governs deferred compensation, including stock options. Section 409A requires that stock options be...
ISO 27001
Compliance & Privacy: The international standard for information security management systems (ISMS). ISO 27001 certification tells customers and partners that an...
ISO 42001
AI & Governance: The international standard for AI management systems, published in December 2023. ISO 42001 provides a framework for establishing, implementing, and...
L
License Compliance
Software Licensing: The practice of ensuring that an organization's use of software -- both open source and commercial -- complies with the applicable license terms....
Liquidation Preference
Finance & Valuation: The contractual right of preferred shareholders to receive their investment back before common shareholders get anything in a sale or liquidation. A...
M
Machine Learning
AI & Governance: A subset of AI where systems learn patterns from data rather than being explicitly programmed. In a business context, ML drives everything from fraud...
MLOps
Data Strategy: Practices and tools for deploying, monitoring, and maintaining machine learning models in production. MLOps extends DevOps principles to ML -- version...
Model Card
AI & Governance: A structured document describing an AI model's intended use, training data, performance metrics, limitations, and ethical considerations. Originally...
Model Drift
AI & Governance: The degradation of an AI model's performance over time as the real world diverges from the data the model was trained on. Data drift means input...
Model Governance
AI & Governance: The subset of AI governance focused specifically on managing individual AI models through their lifecycle -- from development and validation through...
N
NIST AI RMF
AI & Governance: A voluntary framework from the National Institute of Standards and Technology for managing AI risk. Organized around four functions -- Govern, Map,...
NIST CSF
Compliance & Privacy: A voluntary framework from NIST organized around five functions -- Identify, Protect, Detect, Respond, Recover -- that provides a common language for...
O
Open Source
Software Licensing: Software distributed under a license that permits use, modification, and redistribution. The Open Source Initiative (OSI) maintains the formal...
OWASP
Compliance & Privacy: A nonprofit that produces freely available security standards, tools, and educational resources. Best known for the OWASP Top 10 (a regularly updated...
P
PCI DSS
Compliance & Privacy: A set of security standards that any organization handling credit card data must follow. PCI DSS covers network security, access controls,...
Penetration Testing
Compliance & Privacy: Authorized simulated attacks against systems, networks, or applications to identify exploitable vulnerabilities before real attackers do. Pen tests...
PII
Compliance & Privacy: Any data that can identify a specific individual, either on its own (name, SSN, biometric data) or in combination with other information (zip code +...
Preferred Shares
Finance & Valuation: A class of equity with rights that take priority over common stock -- typically liquidation preferences, anti-dilution protections, and board seats....
Privacy by Design
Compliance & Privacy: An approach to system design that embeds privacy protections into the architecture from the beginning rather than adding them later. The seven...
Prompt Injection
AI & Governance: An attack where malicious input causes an AI system to ignore its instructions and perform unintended actions. Direct prompt injection embeds...
R
RAIL Licenses
Software Licensing: A family of licenses designed specifically for AI models and datasets that include behavioral use restrictions -- prohibiting uses like surveillance,...
Red Teaming
Compliance & Privacy: Adversarial testing where a team simulates attacks against a system to find vulnerabilities before real attackers do. In cybersecurity, this means...
Responsible AI
AI & Governance: The practice of developing and deploying AI systems in ways that are fair, transparent, accountable, and aligned with human values. Responsible AI...
S
SAFE
Finance & Valuation: An investment instrument created by Y Combinator where the investor provides capital in exchange for the right to convert into equity at a future...
SBOM
Due Diligence & Software: A structured inventory of all components, libraries, and dependencies in a software product -- the ingredient list for software. Executive Order...
SCA
Due Diligence & Software: Tooling that automatically scans a codebase to identify open-source and third-party components, map their licenses, and flag known vulnerabilities....
SEC
Finance & Valuation: The US federal agency that regulates securities markets, protects investors, and enforces securities laws. For technology companies, SEC reporting...
Shift Left
Data Strategy: Moving testing, security, and compliance activities earlier in the software development lifecycle rather than treating them as a final gate before...
SOC 2
Compliance & Privacy: An audit framework developed by the AICPA that evaluates an organization's controls related to security, availability, processing integrity,...
Software Escrow
Due Diligence & Software: A legal arrangement where source code is deposited with a neutral third party and released to a licensee if specified trigger events occur (vendor...
Software Valuation
Due Diligence & Software: Determining the fair market value of software assets, typically for M&A, tax, financial reporting, or litigation purposes. Software valuation...
Source-Available
Software Licensing: Software whose source code is publicly viewable but whose license restricts certain uses (typically commercial or competitive use). Source-available...
SPDX
Due Diligence & Software: An ISO/IEC standard (ISO/IEC 5962:2021) for communicating software bill of materials information, including component identities, licenses, and...
Static Code Analysis
Due Diligence & Software: Automated examination of source code without executing it, used to identify bugs, security vulnerabilities, code quality issues, and style...
Supply Chain Attack
Due Diligence & Software: An attack that targets the software supply chain -- compromising a dependency, build tool, or distribution channel rather than the target application...
Synthetic Data
Data Strategy: Artificially generated data that mimics the statistical properties of real data without containing actual personal or sensitive information....
T
Technical Debt
Due Diligence & Software: The accumulated cost of shortcuts, deferred maintenance, and expedient decisions in a codebase. Technical debt isn't inherently bad -- sometimes...
Training Data
AI & Governance: The dataset used to train an AI model, which directly shapes the model's capabilities, biases, and limitations. Training data quality and provenance...
Transitive Dependency
Due Diligence & Software: A dependency your software inherits indirectly -- you depend on library A, which depends on library B, which depends on library C. You never chose to...