Core concepts & glossary
This page defines the core objects and terms used across Gamut and throughout this documentation. They are deliberately consistent: the same words mean the same thing in the product, the API and these docs.
Core objects
AI system : A registered unit of AI use: an internal application, an embedded model, a vendor AI tool or an agentic workflow. The AI system is the anchor that every other record connects back to. See Registry & Discovery.
Use case : The business purpose an AI system serves. One AI system can support multiple use cases, each with its own context and impact.
Intake : The structured capture of context for an AI system or use case (purpose, users, data, oversight, suppliers and geography), used to determine the level of governance required. See Intake & risk tiering.
Risk tier : The classification of an AI system’s risk, derived from intake. Risk tiers drive which controls and frameworks apply.
Framework : A structured set of controls or requirements, for example GTSAF, the EU AI Act, NIST AI RMF or ISO/IEC 42001. See Frameworks overview.
Domain : A grouping of related controls within a framework. GTSAF, for example, organises its controls across 17 domains.
Control : A specific governance expectation that can be assessed and evidenced. Controls belong to domains within a framework.
Assessment : The act of scoring an AI system against a framework’s controls, recording the rationale and current state. See Assessments & control testing.
Control test : Evidence that a control is operating effectively, beyond simply being designed. Control testing produces the proof that backs an assessment.
Evidence : An artefact that supports a governance claim: a document, export, screenshot, log or record. Evidence is requested, captured, quality-checked and linked to controls and findings. See Evidence & findings.
Finding : A recorded deficiency, gap or exception identified during assessment or audit, tracked through to remediation and closure.
Remediation : The work that closes a finding, with its progress visible to the right stakeholders.
Model card : A document describing a model’s technical and ethical characteristics: intended use, data, limitations, performance and oversight. See Model cards.
Policy : An AI governance policy, which Gamut can help draft with AI assistance. See Policy generation.
The agentic stack
Agentic AI : AI that takes action, calling tools, invoking APIs and running workflows, rather than only producing text. Agentic AI needs runtime governance, not just design-time assessment.
Agentic CISO : Gamut’s capability for governing agentic AI: the agent register, ATF assessment, tool and data governance, approvals and runtime evidence. See Agentic CISO.
Gamut Gateway : The policy decision and enforcement layer that applies governance policy to agent actions at runtime. See Gamut Gateway.
Gamut Claw : The secure agent execution layer that requests and runs work only through Gateway-controlled paths. See Gamut Claw.
ATF (Agentic Trust Framework) : The framework that defines trust, control and evidence expectations for agentic AI, which Gateway and Claw implement at runtime. See ATF.
ATF level : An agent’s autonomy ceiling: L1 Intern, L2 Junior, L3 Senior or L4 Principal. Gateway enforces a different action boundary at each level, from read-only at L1 to strategic autonomy at L4.
ACRS (Agentic Capability Risk Score) : A score of an agent’s capability risk across dependency, action, access and harm dimensions, producing a band that sets how tightly to govern. See ACRS.
Connector : A governed adapter through which Gateway performs a tool, model or data call. The connector holds the credential and endpoint policy; the agent never does. See Connector catalog.
Tool permission : The business authorisation in Agentic CISO that an agent may use a given tool. It must align with a registered connector before Gateway allows the call.
Approval gate : A configured requirement that a named human approves a sensitive or mutating action before Gateway will allow it.
Gateway decision : The verdict Gateway returns for a requested action (allow, require approval, degrade or block), with a full decision path and a signed, short-lived authorisation token on allow.
Claw task : A governed unit of agent work of a defined type (for example governed reasoning, evidence gap analysis, incident triage), run under a lease with bounded steps and redacted output. See Gamut Claw.
Trajectory event : A journaled record of what an agent did at runtime, hash-chained and fed back to Agentic CISO as runtime evidence.
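To make the relationships between ATF level, tool permission, connector, approval gate, Gateway decision and trajectory event concrete, here is an added illustrative model in Python. It is not Gamut’s code and reflects none of Gateway’s internals: the `Gateway` class, the per-level action boundary for L2 to L4, the one-connector-per-tool mapping, the HMAC token format and the agent and tool names are all assumptions for this example, and the page’s “degrade” verdict is left out because its semantics are not defined here. What the example does show is the ordering of checks a policy decision point of this kind performs (permission, registered connector, autonomy boundary, approval gate), why the token carries a connector reference and an expiry rather than a credential, and how a hash-chained journal makes any later edit to the runtime record detectable.

```python
import hashlib
import hmac
import json
import time

# Verdicts named on the page. "degrade" is omitted: its semantics are not
# defined on this page, so it is not modelled here.
ALLOW, REQUIRE_APPROVAL, BLOCK = "allow", "require_approval", "block"

# ASSUMED action boundary per ATF level. The page states only that L1 is
# read-only and L4 has strategic autonomy; letting L2-L4 mutate is illustrative.
LEVEL_MAY_MUTATE = {1: False, 2: True, 3: True, 4: True}

GENESIS = "0" * 64  # chain anchor for the first trajectory event


def _canonical(obj) -> bytes:
    """Deterministic JSON so signatures and hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class Gateway:
    """Hypothetical policy decision point modelled on the page's glossary."""

    def __init__(self, signing_key, connectors, permissions, approval_gates, ttl_seconds=60):
        self._key = signing_key                # HMAC key held by the Gateway only
        self._connectors = connectors          # registered connector ids (assumed: one per tool)
        self._permissions = permissions        # agent -> set of tool permissions
        self._approval_gates = approval_gates  # tools whose mutating calls need a human
        self._ttl = ttl_seconds
        self.trajectory = []                   # hash-chained journal of decisions
        self._prev_hash = GENESIS

    def decide(self, agent, level, tool, action, now=None):
        """Return the verdict, the decision path and a token only on allow."""
        now = time.time() if now is None else now
        path, verdict, token = [], BLOCK, None
        if tool not in self._permissions.get(agent, set()):
            path.append("no tool permission for this agent")
        elif tool not in self._connectors:
            path.append("tool permission has no registered connector")
        elif action == "mutate" and not LEVEL_MAY_MUTATE[level]:
            path.append(f"ATF L{level} boundary forbids mutating actions")
        elif action == "mutate" and tool in self._approval_gates:
            path.append("approval gate configured for this tool")
            verdict = REQUIRE_APPROVAL
        else:
            path.append("permission, connector and ATF boundary satisfied")
            verdict = ALLOW
            token = self._issue_token(agent, tool, action, now)
        self._journal({"ts": now, "agent": agent, "level": level, "tool": tool,
                       "action": action, "verdict": verdict, "path": path})
        return {"verdict": verdict, "path": path, "token": token}

    def _issue_token(self, agent, tool, action, now):
        # The token names the connector; the credential stays with the connector.
        claims = {"agent": agent, "tool": tool, "action": action,
                  "connector": tool, "exp": now + self._ttl}
        sig = hmac.new(self._key, _canonical(claims), hashlib.sha256).hexdigest()
        return {"claims": claims, "sig": sig}

    def verify_token(self, token, now=None):
        """A token is good only if its signature matches and it has not expired."""
        now = time.time() if now is None else now
        expected = hmac.new(self._key, _canonical(token["claims"]), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, token["sig"]) and token["claims"]["exp"] > now

    def _journal(self, event):
        # Each event embeds the previous hash, so the chain covers order as well as content.
        event = dict(event, prev=self._prev_hash)
        digest = hashlib.sha256(_canonical(event)).hexdigest()
        self.trajectory.append({"event": event, "hash": digest})
        self._prev_hash = digest

    def verify_trajectory(self):
        """Recompute the chain; any edited, dropped or reordered event breaks it."""
        prev = GENESIS
        for entry in self.trajectory:
            if entry["event"]["prev"] != prev:
                return False
            if hashlib.sha256(_canonical(entry["event"])).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo():
    """Constructed sample configuration; agent and tool names are illustrative."""
    gw = Gateway(signing_key=b"demo-key-not-for-production",
                 connectors={"ticketing", "customer-db"},
                 permissions={"reader": {"ticketing"},
                              "triage-bot": {"ticketing", "customer-db", "chat"}},
                 approval_gates={"customer-db"})
    now = 1_700_000_000  # fixed clock so results are reproducible
    results = {
        "l1_read": gw.decide("reader", 1, "ticketing", "read", now),
        "l1_mutate": gw.decide("reader", 1, "ticketing", "mutate", now),
        "l2_mutate": gw.decide("triage-bot", 2, "ticketing", "mutate", now),
        "l2_gated": gw.decide("triage-bot", 2, "customer-db", "mutate", now),
        "no_connector": gw.decide("triage-bot", 2, "chat", "read", now),
        "no_permission": gw.decide("reader", 4, "customer-db", "read", now),
    }
    return gw, now, results


if __name__ == "__main__":
    gw, now, results = demo()
    for name, r in results.items():
        print(f"{name:14} {r['verdict']:17} {r['path'][0]}")
    print("trajectory intact:", gw.verify_trajectory())
```

Running the module prints one line per decision with its verdict and path. Note the check order: a tool permission that has no registered connector is blocked before the ATF boundary is even consulted, which is the alignment rule the “Tool permission” entry describes, and a token is only ever minted on the allow branch.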
Platform terms
Workspace / tenant : An isolated environment for one organisation. Each workspace keeps its own users, systems, assessments and evidence separate from every other. See Workspaces & tenancy.
Role : The set of permissions a user holds within a workspace, controlling what they can see and do. See Users & roles.
Entitlement / plan : The feature tier available to a workspace, which gates frameworks and capabilities. See Plans & entitlements.
Audit log : The immutable record of state-changing actions in a workspace, used for accountability and review. See Audit log.