AI Security Glossary

Security controls specifically designed to prevent sensitive data from being exposed through AI tools and large language models. Unlike traditional DLP, AI DLP must handle conversational data flows and understand context.

A legally binding contract under HIPAA that requires business associates to appropriately safeguard protected health information (PHI). Required when AI vendors process healthcare data.

A data protection technique that replaces sensitive information with tokens while maintaining enough semantic meaning for AI models to provide useful responses. Unlike simple redaction, it preserves relationships and context.

Under HIPAA, a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically. Covered entities must comply with HIPAA rules for protecting PHI.

Technology and processes designed to detect and prevent unauthorized transmission of sensitive data. Traditional DLP focuses on email and file transfers; modern DLP must include AI channels.

The process of hiding original data with modified content to protect sensitive information. In AI contexts, masking must balance data protection with preserving enough context for useful AI interactions.

The process of removing or obscuring personal identifiers from data. Under HIPAA, properly de-identified data is no longer considered PHI and has fewer restrictions.

European Union regulation governing data protection and privacy. Requires organizations to protect personal data and provides rights to individuals over their data.

U.S. federal law that sets standards for protecting sensitive patient health information. Includes Privacy Rule, Security Rule, and Breach Notification Rule.

AI models trained on massive text datasets that can understand and generate human-like text. Examples include GPT-4, Claude, and Gemini. Security considerations include data retention and training data exposure.

HIPAA principle requiring covered entities to limit PHI disclosure to the minimum amount needed to accomplish the intended purpose. Applies to AI workflows processing healthcare data.

Machine learning technique used to identify and classify named entities (people, organizations, locations) in text. Core technology for detecting PII in unstructured data.

Security standard for organizations handling credit card data. Requires protection of cardholder data including primary account numbers (PANs).

Information that can identify an individual directly or indirectly. Includes names, SSN, email addresses, and other identifiers. Different regulations define PII differently.

Attack technique where malicious instructions are embedded in prompts to manipulate AI model behavior. Can be used to extract sensitive data or bypass controls.

Under HIPAA, individually identifiable health information held by covered entities. Includes 18 specific identifiers when combined with health data.

Complete removal or blacking out of sensitive information from documents or text. Unlike masking, redacted content cannot be recovered.

Secured AI's proprietary capability to restore masked AI responses back to readable format for authorized users. Enables full AI utility while maintaining data protection.

Unauthorized or unmonitored use of AI tools within an organization. Similar to Shadow IT, creates security blind spots where sensitive data may be exposed without oversight.

Auditing framework for service providers storing customer data. Evaluates controls for security, availability, processing integrity, confidentiality, and privacy.

Security technique replacing sensitive data with non-sensitive placeholder tokens. Original data is stored securely and can be retrieved using the token as a reference.

Security model that requires strict verification for every person and device accessing resources, regardless of location. "Never trust, always verify" approach applied to AI access.