Terms and website usage
This glossary collects core terms from the AI compliance pages. The third column shows where each term is most relevant.
| Term | Definition | Where used |
|---|---|---|
| AI Management System (AIMS) | A systematic management framework for responsible development, implementation, and use of AI in an organisation. It follows the High-Level Structure known from standards such as ISO 9001 and ISO 27001. | |
| Annex A Controls (ISO/IEC 42001) | 38 control objectives across 9 control areas that specify operational AI governance requirements. Their application is justified in the Statement of Applicability on a risk basis. | |
| Annex III (EU AI Act) | The list of standalone high-risk AI categories under the EU AI Act. For financial institutions, creditworthiness assessment, life and health underwriting, and HR decisions are particularly relevant. | |
| Automation bias | A cognitive bias: the tendency to accept automated system outputs without sufficient challenge. It can weaken human oversight and should be addressed through training, sampling, and clear override rights. | |
| Deployer | The organisation that uses an AI system under its own responsibility. Deployers are distinct from providers and have separate compliance duties under Art. 26 EU AI Act. | |
| CEN/CENELEC | European standardisation organisations that develop harmonised standards under EU mandates. In the AI context, they are relevant for European standards under the EU AI Act. | |
| Conformity assessment | The procedure used to demonstrate that a high-risk AI system meets the EU AI Act requirements. Depending on the system, this may be a self-assessment or involve a notified body. | |
| Digital Omnibus (May 2026) | Political agreement of 7 May 2026 to simplify the AI Act. Some high-risk deadlines may move; Art. 5 and Art. 4 are not affected. Formal legal adoption still needs to be checked. | |
| CSRD / ESRS bias relevance | AI-related discrimination or human-rights risks can also matter for sustainability reporting when they affect social impacts, governance, due diligence, risk management, or auditable metrics. | |
| FRIA (Art. 27 EU AI Act) | Fundamental Rights Impact Assessment: an impact assessment for certain deployers of high-risk AI, especially creditworthiness assessment and life or health insurance risk assessment, before use. | |
| Gap analysis | A structured comparison between the current state and the requirements of a standard or regulation. The result is a prioritised list of gaps and actions. | |
| Harmonised standard | A standard developed by CEN/CENELEC and published in the Official Journal of the EU. For specified requirements, it can create a presumption of conformity. | |
| High-Level Structure (HLS) | The common chapter structure of modern ISO management system standards. It helps integrate ISO 9001, ISO 27001, and ISO/IEC 42001 into one management system. | |
| Presumption of conformity | A legal presumption that requirements are met when a harmonised standard is applied. The concrete effect depends on the relevant standard and its publication. | |
| New Legislative Framework (NLF) | EU regulatory model: legislation defines essential requirements, while harmonised standards specify practical implementation. It is the basis for CE marking and conformity assessment. | |
| prEN 18286 | European standard under development for AI Quality Management Systems in the context of the EU AI Act. It is relevant as a possible future harmonised standard. | |
| Statement of Applicability (SoA) | A document listing all ISO/IEC 42001 Annex A controls and explaining for each control whether and how it is applied or excluded. | |
| Vendor AI / Shadow AI | AI components in purchased software or unapproved tools that have not been explicitly identified, classified, or approved. They are a central source of shadow AI risk. | |
| WEIRD bias | Systematic bias in machine-learning models caused by training data from Western, Educated, Industrialized, Rich, Democratic contexts. It can lead to structural disadvantage. | |
How to use this glossary
For practical classification, the system purpose, actual use, vendor documentation, role allocation, and business process always remain decisive.