UACC v0.2 Glossary¶
Version: 0.2 Public Draft
Status: Public draft / working reference
Definitions are either adapted from cited public frameworks/law or defined for purposes of this catalog. This glossary is not legal advice.
Use this glossary alongside the uacc_v02_control_catalog.md, uacc_v02_control_index.md, and uacc_v02_methodology.md documents. Evidence-related terms are supported by uacc_v02_evidence_templates.md, and overlay terminology is supported by uacc_v02_genai_overlay.md.
| Term | Working definition |
|---|---|
| AI system | A machine-based system that, for a given set of objectives, infers from inputs how to generate outputs such as predictions, recommendations, classifications, content, or decisions that can influence real or virtual environments. |
| Provider | An actor that develops an AI system or places it on the market or puts it into service under its own name or trademark, or that substantially modifies an AI system such that it assumes provider obligations under applicable law. |
| Deployer | An actor that uses an AI system under its authority in an operational context. |
| Importer | An actor that places an AI system from outside a jurisdiction into that jurisdiction's market where importer obligations apply. |
| Distributor | An actor in the AI system supply chain that makes an AI system available without being the provider or importer. |
| Authorized representative | A person or entity designated to perform specified obligations on behalf of a provider where applicable. |
| High-risk AI system | For UACC, a system classified as Tier 1 because it is high-risk or high-impact under UACC methodology, organizational policy, or applicable law. UACC Tier 1 does not automatically mean the system is legally high-risk unless applicable law or the organization's legal classification determines that status. |
| General-purpose AI model | A model capable of serving a wide range of tasks and downstream systems. GPAI provider obligations are out of scope for v0.2. |
| Human overseer | A person assigned authority and competence to interpret, monitor, override, interrupt, or escalate AI-assisted decisions where required. |
| Meaningful human review | Human review in which the reviewer has sufficient authority, time, competence, context, and tooling to understand the AI output, reject or override it where appropriate, escalate concerns, and create review records. Review is not meaningful where the human role is merely nominal, lacks practical authority, or cannot reasonably affect the decision. |
| Model owner | The individual or role accountable for a specific AI system or model's lifecycle decisions, including validation, deployment authorization, monitoring, significant change review, and retirement. Defined for purposes of this catalog. |
| Serious incident | An AI-related event that meets legal, regulatory, contractual, or organizational thresholds for serious harm, rights impact, systemic malfunction, or mandatory reporting, including events that meet the criteria of EU AI Act Article 3(49) where applicable. |
| FRIA | Fundamental Rights Impact Assessment; an assessment of AI system impacts on affected individuals and groups, especially in high-risk deployments. |
| Conformity assessment | A formal process for demonstrating that a system meets applicable regulatory requirements. UACC does not replace it. |
| Post-market monitoring | Ongoing monitoring of an AI system after deployment or market placement to detect performance, safety, rights, security, or compliance issues. |
| Drift | Material change over time — relative to a documented baseline — in input data distributions, model behavior, output distributions, performance metrics, fairness metrics, or operating context. |
| Evidence artifact | A document, record, log, export, report, approval, attestation, or machine-generated event used to assess a control. |
| Sector parameter pack | An organization-defined, sector-defined, or use-case-specific bundle of metrics, thresholds, sample-size rules, evidence expectations, approval roles, and exception parameters used to tailor controls for a class of AI systems. |
| Significant or material change | A change to intended purpose, affected population, model/data version, decision workflow, geography, legal role, risk tier, performance, or control design that could affect risk, obligations, or evidence validity. |
| Overlay | A set of controls that supplements or tailors the base catalog for a specific AI use case, technology, or deployment context. |
| Risk tier | UACC's classification level for AI governance applicability and assurance depth, aligned where useful to EU AI Act categories: T0 prohibited, T1 high risk, T2 limited risk, T3 minimal risk. UACC risk tiers are not one-for-one mappings to NIST Low, Moderate, or High information-system impact baselines. |
| Tier 0 / T0 | Prohibited AI use under applicable law, policy, or organizational risk appetite. T0 is a stop condition: the use should not be deployed or continued unless the classification is resolved. |
| Tier 1 / T1 | High-risk or high-impact AI use requiring full assessor-grade evidence and stronger governance, monitoring, oversight, and incident expectations. |
| Tier 2 / T2 | Limited-risk AI use requiring proportionate governance, inventory, classification, transparency, and evidence expectations. |
| Tier 3 / T3 | Minimal-risk AI use requiring lightweight inventory, policy coverage, and risk classification unless additional controls are triggered. |
| NIST Low / Moderate / High impact baseline | Information-system impact classification based on potential impact to confidentiality, integrity, and availability. Use with UACC tiering, but do not treat it as equivalent to UACC AI-risk tiering. |
| Control | A requirement or safeguard with assessment procedures and evidence expectations. |
| Direct mapping | A narrow requirement match where UACC evidence directly supports the mapped requirement. |
| Partial mapping | A mapping where UACC evidence supports part of a broader obligation or outcome. |
| Analogical mapping | A mapping based on a similar control concept not written for this exact AI-specific requirement. |
| Informative mapping | Contextual alignment only; not a requirement mapping. |