AIgentic Identity Glossary

A

Actor Attribit-ID Category: The superset of all entities operating within an enterprise system: human, application, or AIgentic. Identity defines the subcategories. Traditional IAM operated on a two-category model (humans and applications); the emergence of autonomous AI agents requires a third: the AIgentic actor.
Actor Identity Lifecycle Attribit-ID Concept: The full lifecycle of an actor's identity: provisioning, scoping, delegation, audit, and revocation. Governing this lifecycle explicitly, rather than allowing identity to be inherited from a human principal by default, is the foundational discipline of AIgentic identity governance.
Agentlet Attribit-ID Noun: A spawned AIgentic actor: subordinate, purpose-specific, and analogous to a thread or daemon in traditional computing. An orchestrator agent that spawns three Agentlets to complete a task creates four distinct principals, each requiring their own identity and explicit scope. Without governance, all four run on inherited permissions from the original human principal.
AIgentic Attribit-ID Adjective: Describes systems, actors, or architectures that operate autonomously using AI agents. Replaces "agentic AI" as the correct adjective across all Attribit-ID writing and usage. An AIgentic actor is an autonomous agent; an AIgentic system is one in which such actors operate; AIgentic governance is the discipline of controlling them.
ABAC NIST Model: Attribute-Based Access Control. An access control model in which authorization decisions are made by evaluating attributes of the subject, the resource, the requested action, and the environment against policy rules. More expressive than RBAC and better suited to the dynamic, context-sensitive access decisions that AIgentic systems require. More complex to administer at scale.
Authentication NIST Concept: The process of verifying that a subject controls the credentials it claims. Authentication answers one question: is this entity who it says it is? It does not determine what the entity is permitted to do; that is authorization.
Authorization NIST Concept: The determination of what an authenticated principal is permitted to do. Authorization policy is where least privilege is enforced and where most AIgentic identity failures occur: agents inherit human authorization rather than operating under explicitly scoped permissions of their own.
Access Control List (ACL) IETF Concept: A policy construct that defines which principals can perform which operations — read, write, delete, modify — on which entries and attributes in a directory. Directory ACLs are the primary enforcement boundary for identity data access: who can query employee records, who can update group memberships, which service accounts can read authentication credentials. Misconfigured directory ACLs are one of the most common sources of excessive access in enterprise identity environments.
Attribute IETF Noun: A named piece of information within a directory entry, consisting of an attribute type and one or more values. Standard attributes include cn (common name), mail (email address), memberOf (group membership), and uid (user identifier). An entry's attributes collectively define everything the directory knows about a user, device, or service. They are the data model for enterprise identity at rest, and the unit at which directory ACLs enforce access.
Agent Industry Noun: An autonomous software system that perceives inputs, reasons about a goal, and takes actions (calling APIs, reading files, sending messages, spawning subagents) to complete a task without step-by-step human direction. Agents differ from conventional software by operating with goal-directed autonomy rather than executing a fixed script. In the Attribit-ID ontology, an agent is an AIgentic actor: a principal that requires an explicit identity, scoped permissions, and a governed lifecycle rather than inherited credentials from the human who deployed it.

B

Base DN IETF Concept: The top of a directory subtree that a server is authoritative for, typically mapped to a DNS-style domain name such as dc=example,dc=com. Also called a naming context or suffix. Every directory search specifies a base DN as its starting point, and every entry's distinguished name traces back to one. Organizations with multiple domains typically maintain separate directory partitions under distinct base DNs.
Bind IETF Concept: The LDAP operation by which a client authenticates to the directory server before performing any other operations. A bind establishes the identity the server uses to evaluate access controls for that session. Bind mechanisms range from simple (username and password) to strong (certificate-based or Kerberos). Anonymous binds — connections made without credentials — are a common misconfiguration risk that allows unauthenticated clients to query identity data.

C

Continuous Authentication NIST Concept: The practice of verifying identity throughout a session, not only at initial login. Continuous authentication evaluates ongoing signals (device posture, behavioral patterns, access context, risk score) and triggers step-up verification or session termination when anomalies indicate credential theft or session takeover. It is the operational expression of zero trust's "never trust, always verify" principle: authentication is not a gate crossed once, but an assessment maintained throughout. In AIgentic deployments, the same principle applies to agent sessions: authorization is re-evaluated as conditions change rather than assumed valid for the duration of a task.
Credential NIST Noun: The binding between an identity and an authenticator: the object or data a subject presents to prove it holds a claimed identity. A password is a credential. A certificate is a credential. A short-lived workload token is a credential. The security posture of an identity program is only as strong as the credentials it issues and the process by which it issues them.
CAG Industry Concept: Cache-Augmented Generation. An alternative to RAG in which the full knowledge base is pre-loaded into the model's context window and cached, rather than retrieved at query time. Where RAG selects and injects relevant chunks on demand, CAG relies on the model's attention mechanism to locate relevant information within a large, persistent context. Practical for bounded knowledge bases that fit within an extended context window; less suited to dynamic or very large corpora.
Context Window Industry Noun: The maximum amount of text, measured in tokens, that a language model can process in a single interaction. The context window is the model's working memory: everything relevant to a task must fit within it, or be retrieved and injected. Context window size determines how much prior conversation, tool output, and instruction an agent can hold at once.

D

Decentralized Identifier (DID) W3C Standard: A cryptographic identifier that is globally unique, verifiable, and controlled by its subject rather than by a central issuing authority. DIDs are anchored to a distributed ledger or other decentralized system, enabling entities (including AI agents) to prove identity without depending on a central registry. The resolution mechanism varies by DID method; the W3C DID Core specification defines the data model. DIDs are a foundational primitive for cross-organizational agent identity assertion and are referenced in the Attribit-ID four-layer AIgentic architecture framework.
Delegated Trust Chain Attribit-ID Concept: The lineage of identity and authority from a primary actor through delegated relationships to subordinate actors, including Agentlets. A well-governed delegated trust chain is cryptographically signed, explicitly scoped at each link, and auditable end-to-end. An ungoverned trust chain (the default) allows rights to flow down unrestricted from the originating human principal.
Delegation IETF Concept: The process by which a principal grants a defined subset of its access rights to another principal, enabling it to act on the delegating principal's behalf within an explicit scope. Delegation is the mechanism by which AIgentic trust chains form: a human delegates to an agent, which may delegate to Agentlets. Without scope constraints at each link, rights flow down without limit.
Deprovisioning NIST Concept: The removal or restriction of an identity's access rights when they are no longer required: when an employee leaves, a service is retired, or an AIgentic actor completes its task. Failure to deprovision is one of the most persistent sources of unauthorized access in enterprise environments and an unresolved problem in most current AIgentic deployments.
Directory Entry IETF Noun: A single record in the directory, representing one object — a user, device, group, application, or organizational unit. An entry consists of a distinguished name (its unique address in the tree) and a set of attributes (the data it holds). Every principal in an LDAP-based identity system is a directory entry: the entry is the atomic unit of identity governance in the directory.
Directory Information Tree (DIT) IETF Concept: The hierarchical tree of all entries in a directory service, organized from the root downward by domain, organization, and organizational unit. The DIT is the structural model for enterprise identity: every user, group, device, and service account has a fixed position in the tree that determines its distinguished name, the ACLs that apply to it, and which administrators hold authority over it.
Directory Partition Industry Concept: A subtree of the directory that is stored, replicated, and administered as a unit. Large organizations partition their directory by domain, geography, or function so that replicas can be distributed across sites without copying the entire dataset to every server. In Active Directory, the forest, domain, schema, and application naming contexts are distinct partitions with separate replication scopes.
Directory Schema IETF Concept: The formal definition of what can exist in a directory: which object classes are recognized, which attributes each class requires or permits, and what format and constraints apply to attribute values. The schema governs the data model for all identity records. Schema extensions are how organizations add custom attributes — employee number, security clearance, cost center — to standard LDAP object classes.
Directory Server Industry Noun: The software service that implements the LDAP protocol, stores the directory information tree, and responds to client operations including search, bind, add, modify, and delete. Common enterprise directory servers include Microsoft Active Directory Domain Services, OpenLDAP, and 389 Directory Server. The directory server is the central enforcement point for identity data access in most enterprise environments and the primary target of directory-based attacks.
Directory Service Industry Concept: A specialized database optimized for storing and retrieving identity information — users, devices, groups, credentials, and policies — rather than for transactional updates. Directory services are designed for high read volume, hierarchical organization, and distributed replication across sites. LDAP is the protocol most commonly used to access them. In most enterprises, the directory service is the authoritative source for human identity and the starting point for any identity governance program.
Distinguished Name (DN) IETF Concept: The globally unique, hierarchical identifier for an entry in the directory, constructed by concatenating the relative distinguished names of all nodes from the entry to the root — for example, cn=Alice,ou=People,dc=example,dc=com. The DN is the primary address for an identity record: access control rules, group memberships, and audit logs all reference principals by DN. Reading LDAP-based audit trails requires understanding DN structure.
Domain Industry Concept: In directory contexts, a named administrative boundary for identity, policy, and trust — typically corresponding to a DNS-style name such as example.com. Active Directory organizes identity into domains; users, groups, and computers within a domain share a common directory partition and are subject to common group policies. Trust relationships between domains extend the recognized boundary of identity to external organizations.
Deterministic Workflow Industry Concept: A workflow in which every execution step is explicitly defined and the sequence of operations is fixed at design time. Given the same inputs, a deterministic workflow always follows the same path and produces the same output. Traditional software, rules engines, and scripted automation are deterministic. From a governance perspective, deterministic workflows are auditable and bounded: the full set of actions a system can take is enumerable in advance, making access control and audit straightforward.

F

Federation NIST Concept: The process by which an identity provider asserts a subject's identity to a relying party without the relying party directly verifying the subject's credentials. Federation decouples authentication from the services that consume it. Common standards include SAML 2.0, OAuth 2.0, and OpenID Connect.
Frontmatter Industry Concept: A structured metadata block at the top of a text file (typically Markdown), delimited by triple dashes (---) and written in YAML. Frontmatter separates machine-readable properties (title, author, date, status, audience) from the document body, allowing content management systems and publishing pipelines to index, filter, and route documents without parsing the prose. In agentic content workflows, frontmatter is the contract between a document and the systems that process it.

G

Grounding NIST AI RMF Concept: The practice of anchoring a model's outputs to verifiable, external information. Grounding reduces hallucination by constraining what the model can assert: instead of generating from training memory alone, it generates from retrieved or injected facts. Retrieval-Augmented Generation (RAG) is the most common grounding technique.

I

Identity Inheritance Model Attribit-ID Concept: The default pattern in most current AIgentic deployments: AI agents inherit permissions and identity from their human principal rather than holding explicitly provisioned identities of their own. Requires no work to implement, which is why it is universal; carries disproportionate risk because rights flow down the delegation chain (human, agent, Agentlet) without natural limits. The alternative is explicit actor identity.
Identity Lifecycle NIST Concept: The complete arc of a digital identity: enrollment (creating and binding an identity to credentials), maintenance (updating attributes and managing authenticators), recovery (restoring access after credential loss or compromise), and termination (removing the identity when no longer required). Governing the full lifecycle of AIgentic actors, not just human users, is the foundational requirement this practice addresses.

L

LDAP IETF Standard: Lightweight Directory Access Protocol. A client-server protocol for reading and modifying directory services over a network. LDAP is the primary protocol for accessing X.500-compatible directories and remains the foundational standard for enterprise identity stores, including Microsoft Active Directory and OpenLDAP. In most enterprise environments, LDAP directories are the authoritative source of human actor identity records and the starting point for any identity governance program.
Least Privilege NIST Concept: The principle that every subject should operate with the minimum access rights necessary to perform its defined function. Least privilege is not a configuration setting. It is a governance posture that must be actively maintained as roles, agents, and systems change. Applying it to AIgentic actors requires explicit provisioning: agents that inherit human permissions cannot be scoped to least privilege by definition.
LDAP Filter IETF Concept: A boolean expression used in an LDAP search to select which entries to return, evaluated against attribute values. For example, (&(objectClass=person)(department=Finance)(!(accountStatus=disabled))) returns all active Finance users. LDAP filters are the query language for identity data. Security teams use them in access review tools, identity governance platforms, and audit queries to enumerate which principals hold which attributes or group memberships.
LDAP Referral IETF Concept: A response from a directory server indicating that the requested data is not held locally, along with the address of another server or naming context that holds it. Referrals are the mechanism by which a distributed directory infrastructure routes queries across organizational boundaries or partitions. In federated identity environments, referral handling determines whether cross-domain identity lookups succeed or fail silently.
LDAP Search IETF Concept: The primary LDAP operation: a client specifies a base DN (the starting point in the tree), a scope (base entry, one level, or full subtree), a filter (which entries to match), and a list of attributes to return. The directory evaluates the filter against all entries in scope and returns matching results, subject to ACLs. Every identity governance tool that queries an LDAP directory — for user lookup, group enumeration, or access review — issues an LDAP search.

M

Mal-Agent Attribit-ID Noun: An AIgentic Actor executing malicious instructions — either through deliberate design by an adversarial operator, or through compromise by a third party, most commonly via prompt injection. Distinct from a Rogue-Agent, which exceeds its authorized scope through governance failure rather than malicious operation. A Mal-Agent may present valid credentials while executing instructions from an attacker rather than its provisioned principal: the credential is authentic; the behavior is not. The Identity Inheritance Model compounds Mal-Agent risk — when an AIgentic Actor inherits its principal's credentials, a successful prompt injection that converts it to a Mal-Agent operates under full principal permissions with a legitimate audit trail. The Semantic Proxy Pattern addresses Mal-Agent behavior at the architectural layer: an out-of-band proxy that the primary AIgentic Actor cannot perceive cannot be disabled by a compromised actor, bounding what even a fully hijacked Mal-Agent can reach.
MCP Server AAIF Concept: A process or service that implements the Model Context Protocol, exposing a defined set of tools, resources, or prompt templates to AI agents and orchestration frameworks. An MCP server is the supplier side of the MCP interface: it registers available capabilities, handles invocation requests from agents, and returns results in the MCP wire format. From an identity governance perspective, each MCP server is an access boundary: connecting to it grants an agent the ability to invoke its capabilities, which must be governed like any other privileged access path.
MCP AAIF Standard: Model Context Protocol. An open wire protocol for structured communication between AI agents and the tools, data sources, and services they invoke. MCP standardizes how agents discover available tools, request their execution, and receive results, enabling interoperable agent-to-tool communication across vendors and platforms. Authentication and identity extensions for MCP are under active development; the identity governance implications of MCP at enterprise scale remain an open problem.
Multi-Agent System Industry Concept: A system in which multiple autonomous agents interact to complete tasks, collaborating, coordinating, or competing as the design requires. In enterprise deployments, multi-agent systems introduce layered principal hierarchies: orchestrators delegate to subagents, each requiring its own identity and scope. Governing the full hierarchy is an open problem in most current AIgentic deployments.
Markdown Industry Standard: A lightweight plain-text formatting syntax that converts to structured HTML. Markdown uses simple conventions (pound signs for headings, asterisks for emphasis, hyphens for lists) that remain readable as plain text and render as formatted documents in any compliant processor. It has become the de facto format for technical documentation, content management systems, AI agent instructions, and system prompt authoring. Files carry the .md extension.

N

Non-human identity control and governance Industry Concept: The discipline of managing identity, access, and audit controls for actors that are not human: service accounts, bots, API keys, and increasingly autonomous AI agents. Non-human identities already outnumber human identities by 45 to 100 to one in many enterprise environments. Governing them requires the same lifecycle rigor applied to human identities, with added complexity from delegation chains and runtime autonomy.
Non-human Identity Industry Noun: A digital identity that represents an automated system, service, or device rather than a human. Service accounts, API keys, certificates, and AI agents are all non-human identities. Non-human identities already significantly outnumber human identities in most enterprise environments and are the fastest-growing identity category.
Non-Deterministic Workflow Industry Concept: A workflow in which an LLM makes control flow decisions: which tool to invoke, whether to escalate or terminate, which subagent to delegate to, and how to interpret intermediate results. Because LLMs generate outputs stochastically, the same prompt may produce different routing decisions on different runs, and the full space of possible execution paths cannot be enumerated at design time. Non-deterministic workflows unlock flexible, context-sensitive reasoning at the cost of predictability: an agent may take actions that were not anticipated when the workflow was designed. This is the central governance challenge for AIgentic systems: access control and audit must account for a principal whose behavior cannot be fully specified in advance.

O

Object Class IETF Concept: A schema definition that specifies what kind of entity a directory entry represents — person, group, computer, application — and which attributes the entry must or may contain. Every entry must belong to at least one object class. The inetOrgPerson class defines the standard attribute set for a user entry; groupOfNames defines a group. Object classes are the type system for directory identity, enforcing schema consistency and driving what data can be stored for each category of actor.
Organizational Unit (OU) IETF Concept: A named container within the Directory Information Tree used to group related entries (users, computers, groups, or applications) for administrative and policy purposes. OUs are the primary mechanism for scoping Group Policy in Active Directory and for delegating directory administration to specific teams: a helpdesk team can hold write access to the Finance OU without any rights elsewhere in the tree. An OU is the practical equivalent of a department or location folder in the directory, and the boundary at which most policy enforcement and administrative delegation is applied.
Orchestrator OWASP Noun: The coordinating agent in a multi-agent system. An orchestrator receives a high-level goal, breaks it into subtasks, delegates them to specialized agents or Agentlets, manages data flow between them, and assembles the result. In Attribit-ID's ontology, an orchestrator is a primary AIgentic actor whose delegated trust chain must be explicitly governed.

P

PKI NIST Framework: Public Key Infrastructure. The combination of policies, procedures, hardware, software, and people required to create, manage, distribute, use, store, and revoke digital certificates. PKI provides the cryptographic foundation for workload identity in distributed and AIgentic systems, enabling agents to authenticate to each other and to services using short-lived, cryptographically verifiable credentials rather than shared secrets. SPIFFE and SPIRE implement a PKI model specifically designed for dynamic workload environments.
Principal IETF Noun: The entity whose identity is asserted in a security transaction. A principal may be a human user, a service account, an application, or an AIgentic actor. Every access control decision begins with establishing who or what the principal is, which is why ungoverned AIgentic actors (which hold no defined principal identity of their own) represent a structural gap in enterprise security.
Privileged Access NIST Concept: Access rights granted to accounts with elevated permissions: administrative, root-level, or system-critical. Privileged accounts are the highest-value target in any identity attack. Governing privileged access for AIgentic actors is an unsolved problem in most current deployments, where agents may inherit privileged rights from their human principals without any explicit scoping.
Provisioning NIST Concept: The creation of an identity and assignment of appropriate access rights. Provisioning establishes the identity record, binds it to credentials, and sets permissions. Without explicit provisioning for AIgentic actors, agents inherit access from their human principals by default: the Identity Inheritance Model.
Probabilistic Workflow Industry Concept: A workflow in which routing or decision points are resolved by statistical models or scoring functions rather than fixed rules. The path taken may vary across runs, but the variance follows a quantifiable probability distribution and the decision logic is explicit. A classifier that routes support tickets by confidence score is probabilistic. Governance requires validating the model's decision boundaries and output distributions rather than auditing a fixed code path, but the scope of possible outcomes remains bounded and testable.
Prompt Injection OWASP Concept: A class of attack in which malicious content in a user prompt or an external data source overrides an AI agent's instructions, causing it to take unintended actions. Prompt injection is the AI analog of command injection. In AIgentic systems with tool access, a successful prompt injection can cause an agent to exfiltrate data, escalate privileges, or take destructive actions on behalf of an attacker.
Proxy Server IETF Concept: A network intermediary that sits between clients and servers, forwarding requests and responses on the client's behalf. Proxy servers are used for access control, content filtering, traffic logging, caching, and network address concealment. In zero trust and AIgentic architectures, a forward proxy is a natural enforcement point: all outbound traffic from users or agents passes through a controlled chokepoint where identity can be verified, policy evaluated, and actions logged before the request reaches its destination.

R

Risk Budget Attribit-ID Concept: A formal allocation of authorized harm potential to an AIgentic Actor: the maximum damage the Actor is permitted to cause if it operates incorrectly, is compromised, or interprets its instructions in an unintended way. The term is borrowed from two established financial services disciplines. In portfolio management, a risk budget allocates a defined tolerance for loss across positions rather than targeting a single return figure — each position is sized not only by expected gain but by the loss it is authorized to inflict on the portfolio. In banking, a fraud budget pre-authorizes a level of expected loss as the cost of operating a consumer lending or payments product — the question is not whether fraud will occur but how much the business is prepared to absorb before the product ceases to be viable. Applied to AIgentic governance, a risk budget answers the question that financial budgets cannot: not "how much does this agent cost to run?" but "how much can this agent damage if it acts outside its intended scope?" An agent operating within its dollar budget can still delete a production database, exfiltrate customer data, or cascade a privilege escalation across infrastructure. Risk budgets are operationalized through four architectural decisions: authority scope (what the Actor can reach), credential type (ambient inherited credentials versus scoped short-lived tokens), reversibility gates (human approval required before irreversible actions), and blast radius containment (subnet isolation or semantic proxy enforcement). An Actor whose permissions are unbounded has an undefined risk budget — the most common and most dangerous posture in current AIgentic deployments. A financial budget is an operational cost control. A risk budget is the security control.
Rogue-Agent Attribit-ID Noun: An AIgentic Actor that operates outside its authorized scope — exceeding provisioned permissions, violating allowlist policy, or taking actions its governance record did not authorize. Distinct from a Mal-Agent, which involves malicious intent or external compromise. A Rogue-Agent may act in good faith from its own reasoning perspective while producing outcomes its principals never authorized. The PocketOS incident (April 2026) is the canonical documented example: a Cursor AIgentic Actor that, while attempting to resolve a credential mismatch, acquired ambient credentials, bypassed system prompt constraints, and executed a destructive database deletion it was never authorized to perform. Rogue-Agent behavior is an architectural failure — the predictable output of an AIgentic Actor operating without topology-first safety, semantic proxy enforcement, or per-Actor scoped credentials. The term is not pejorative: Rogue-Agent behavior does not imply intent. It implies the absence of governance architecture.
RBAC NIST Model: Role-Based Access Control. An access control model in which permissions are associated with roles and subjects acquire permissions by being assigned to roles. RBAC is the dominant model in enterprise IAM. It simplifies administration but struggles with the fine-grained, context-sensitive permissions that AIgentic actors require: an agent executing a specific task needs narrower permissions than any predefined role is likely to provide.
Relative Distinguished Name (RDN) IETF Concept: The local identifier that distinguishes an entry from its siblings within the same parent container, forming one component of the full distinguished name. In cn=Alice,ou=People,dc=example,dc=com, the RDN is cn=Alice. RDNs must be unique within their parent container but not globally — two users in different organizational units may share the same common name as long as their full DNs differ.
Replication IETF Concept: The process by which identity data is automatically copied from one directory server to others, keeping replicas consistent across sites. Replication makes the directory service resilient: if a primary server fails, replicas continue answering queries. Most implementations are asynchronous — a change written to one replica may not be visible on others immediately. Identity governance tools that read from replicas must account for this consistency lag.
RAG Industry Concept: Retrieval-Augmented Generation. A technique that improves model accuracy by retrieving relevant information from an external knowledge base and injecting it into the model's context before generation. RAG grounds outputs in specific, current, or proprietary data that was not part of the model's training. It is the primary method for giving agents access to enterprise knowledge without retraining the model.
Reverse Proxy Server IETF Concept: A network intermediary that sits in front of one or more backend servers, receiving incoming requests on their behalf and routing them to the appropriate backend. Unlike a forward proxy, which serves the client, a reverse proxy serves the backend infrastructure. Reverse proxies handle load balancing, SSL termination, authentication, and request filtering. In API and AIgentic architectures, a reverse proxy is the perimeter enforcement point for inbound agent traffic: it validates identity and policy before any request reaches a backend service.

S

Service Account Industry Noun: A non-human identity used by an application, service, or automated process to authenticate to systems and access resources. Service accounts often carry elevated privileges, are shared across teams, rarely rotated, and infrequently reviewed. They are the closest existing antecedent to AIgentic actor identities in traditional IAM and carry many of the same governance risks.
SPIFFE CNCF Standard: Secure Production Identity Framework for Everyone. A CNCF-hosted open standard for workload identity in cloud-native and distributed systems. SPIFFE defines the SPIFFE Verifiable Identity Document (SVID), a short-lived, cryptographically verifiable credential issued to workloads at runtime. SPIFFE addresses the machine identity problem for microservices and AI agents: instead of static API keys or shared secrets, each workload receives a unique, attestable identity tied to its execution context, not to a human operator.
SPIRE CNCF Framework: SPIFFE Runtime Environment. The CNCF reference implementation of the SPIFFE standard. SPIRE manages the full lifecycle of SVIDs: attesting workload identity at startup, issuing short-lived X.509 or JWT certificates, and rotating them automatically without operator intervention. In AIgentic deployments, SPIRE provides the runtime infrastructure for issuing each agent a cryptographically verifiable identity, replacing static credentials with continuously attested, ephemeral ones.
SVID CNCF Standard: SPIFFE Verifiable Identity Document. The credential format defined by the SPIFFE standard: a short-lived, cryptographically signed document that asserts the identity of a workload at runtime. SVIDs are issued automatically by SPIRE, typically with a one-hour TTL, and rotated without operator intervention. An SVID may be expressed as an X.509 certificate or a JWT token. In AIgentic deployments, each agent instance receives its own SVID, providing a unique, attestable, time-bounded identity without static API keys or shared secrets.
System Prompt Industry Noun: The persistent instruction set that defines an AI agent's role, behavior, constraints, and capabilities for a given deployment. Unlike a user prompt, which varies per interaction, the system prompt is set at deployment time and governs all subsequent behavior. Preventing system prompt override through prompt injection is a primary AIgentic security control.
Skill Industry Concept: A discrete, reusable capability that an AI agent can invoke to perform a specific task, analogous to a function or plugin in traditional software. Skills abstract complex operations into callable units: a research skill might retrieve and summarize documents; a writing skill might draft structured content from a brief. The term is used across several agent frameworks, though Model Context Protocol uses "tool" for the equivalent concept. From a governance perspective, the set of skills an agent holds defines its capability surface: governing what an agent can do requires governing which skills it is authorized to invoke.
Squid Industry Framework: An open-source proxy caching server widely deployed in enterprise environments as a forward proxy for HTTP, HTTPS, and FTP traffic. Squid supports access control lists, SSL inspection, authentication integration, and traffic logging, making it one of the most common mechanisms for applying identity-aware access policy to outbound web traffic. Squid can authenticate requests against LDAP directories directly, making it a practical integration point between network access control and enterprise identity stores.

T

Token Industry Noun: The basic unit of text that a language model reads and generates: approximately three-quarters of a word in English, though exact boundaries depend on the model's tokenizer. Token count is the foundational metric in LLM economics, functioning more as a currency than as a performance measure. Traditional compute metrics such as MIPS (millions of instructions per second) or clock cycles measure raw computational throughput with no inherent cost unit. Tokens measure a unit of meaningful work with a direct price attached: API billing is per token consumed, context windows impose hard ceilings measured in tokens, and AI system design centers on token budgets. Tokens per second indicates delivery speed; total tokens consumed determines what a task costs to run.
Tool Use OWASP Concept: The capability for an AI agent to invoke external functions, APIs, or services, taking actions beyond text generation. Tool use extends agent agency into the real world: reading files, querying databases, sending messages, calling APIs. An agent with tool access is an actor with real-world consequences; its identity and the scope of its tool permissions must be governed accordingly.

W

Workload Identity CNCF Concept: A cryptographic identity assigned to a software workload (a process, container, microservice, or AI agent) rather than to a human user or a static credential. Workload identity is attested at runtime based on observable characteristics of the execution environment (Kubernetes namespace, container image, service account) and expressed as a short-lived, automatically-rotated credential. SPIFFE is the leading open standard for workload identity; SPIRE is its reference implementation. Workload identity is the technically correct replacement for service accounts and API keys in dynamic, cloud-native environments hosting AIgentic actors.

X

X.500 ITU-T Standard: A series of ITU-T standards defining a distributed directory service model. X.500 established the foundational concepts that underpin all modern enterprise directories: the Directory Information Tree (DIT), distinguished names (DN), and the schema model for representing identity attributes. LDAP was originally developed as a lightweight access protocol for X.500 directories and inherits its data model. Active Directory, OpenLDAP, and most enterprise directory services implement subsets of the X.500 model.

Y

YAML Industry Standard: A human-readable data serialization format that uses indentation to represent hierarchy rather than brackets or tags. YAML is the dominant format for cloud infrastructure configuration (Kubernetes, CI/CD pipelines, infrastructure-as-code), content management frontmatter, and AI agent policy definition. The name is a recursive acronym: YAML Ain't Markup Language.

Z

Zero Trust NIST Concept: A security model that eliminates implicit trust based on network location or asset ownership. Under zero trust, every access request is authenticated, authorized, and continuously validated regardless of where it originates. Zero trust is the architectural prerequisite for governing AIgentic actors: agents that call APIs directly from anywhere cannot be trusted on the basis of network position alone.

This glossary is a living document. New terms are added as Attribit-ID's ontology develops and as the broader market converges on vocabulary for AIgentic identity governance. Original coinages are terms introduced by Attribit-ID where no adequate prior term existed. Standard terms are attributed to their originating publication or body.