# Glossary
Technical, regulatory, and domain terms used in licit and its documentation.
## Regulatory terms

| Term | Definition | Context in licit |
|---|---|---|
| EU AI Act | Regulation (EU) 2024/1689. The first comprehensive AI regulation worldwide. In force since August 2024, with phased enforcement through 2027. | Regulatory framework evaluated by licit verify --framework eu-ai-act |
| FRIA | Fundamental Rights Impact Assessment. An impact assessment on fundamental rights required by Art. 27 of the EU AI Act for high-risk systems. | Generated with licit fria |
| Annex IV | Annex IV of the EU AI Act. Defines the technical documentation required for AI systems: purpose, design, development, testing, performance. | Generated with licit annex-iv |
| Deployer | Person or organization that deploys an AI system for use. Distinct from the provider who develops it. | licit evaluates deployer obligations (Art. 26) |
| High-risk system | AI system classified as high risk under Annex III of the EU AI Act. Subject to additional compliance requirements. | The FRIA is mandatory for these systems |
| OWASP Agentic Top 10 | List of the top 10 security risks for applications using AI agents (2025). Published by the OWASP Foundation. | Framework evaluated by licit verify --framework owasp |
| NIST AI RMF | NIST's AI Risk Management Framework (AI 100-1). | Planned for V1 |
| ISO/IEC 42001 | International standard for AI management systems. Defines requirements for establishing, implementing, and improving AI management systems. | Planned for V1 |
| Compliance rate | Percentage of evaluable requirements that are met. Formula: `compliant / (total - n/a - not_evaluated) * 100` | Shown in reports and licit status |
## Technical terms

| Term | Definition | Context in licit |
|---|---|---|
| Provenance | Origin and authorship of code. Tracking of which code was written by humans, generated by AI, or a combination. | licit trace analyzes provenance |
| Heuristic | Rule based on observable signals (not certainties) to infer a classification. licit uses 6 weighted heuristics to classify commits as AI/human/mixed. | Heuristics engine in provenance/heuristics.py |
| Attestation | Cryptographic integrity verification. In licit: HMAC-SHA256 for individual records, Merkle tree for batches. | provenance.sign: true in config |
| Merkle tree | Binary tree data structure where each node is the hash of its children. Allows verifying the integrity of data sets. | Used to sign provenance batches |
| HMAC-SHA256 | Hash-based Message Authentication Code with SHA-256. Cryptographic signature that proves data has not been altered. | Signing of individual provenance records |
| SARIF | Static Analysis Results Interchange Format. OASIS standard format for static code analysis results. Version 2.1.0. | Read by VigilConnector |
| SBOM | Software Bill of Materials. Formal inventory of software components. CycloneDX format used by vigil. | Read by VigilConnector (sbom_path) |
| CycloneDX | OWASP standard for SBOM. JSON/XML format for describing software components, their versions, and vulnerabilities. | Supported SBOM format |
| JSONL | JSON Lines. Format where each line is an independent JSON object. Ideal for append-only stores. | Provenance store (.licit/provenance.jsonl) |
| Append-only | Store that only allows adding records, never modifying or deleting them. Guarantees history immutability. | ProvenanceStore |
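The Attestation, Merkle tree, HMAC-SHA256, JSONL and Append-only rows above describe one integrity scheme: each provenance record is signed individually with HMAC-SHA256, and a batch of JSONL lines is summarized by a Merkle root. The following is an added illustration of that scheme, not licit's own implementation: the key source, the canonical JSON serialization, the leaf/node domain-separation prefixes and the duplicate-last-node rule for odd levels are all assumptions made for the example, and the sample records are constructed.

```python
import hashlib
import hmac
import json

# Constructed example key. A real deployment loads the key from a secret store,
# never from the repository that holds the provenance file.
KEY = b"example-signing-key-do-not-use"

# Constructed sample provenance records (fields are illustrative, not licit's schema).
SAMPLE_RECORDS = [
    {"commit": "a1b2c3", "classification": "ai", "agent": "claude-code", "ts": "2025-01-10T09:00:00Z"},
    {"commit": "d4e5f6", "classification": "mixed", "agent": "cursor", "ts": "2025-01-10T09:05:00Z"},
    {"commit": "0a9b8c", "classification": "human", "agent": None, "ts": "2025-01-10T09:12:00Z"},
]


def canonical(record: dict) -> bytes:
    """Deterministic serialization: same content always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes = KEY) -> dict:
    """Return a copy of the record with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "hmac": tag}


def verify_record(signed: dict, key: bytes = KEY) -> bool:
    """Recompute the tag over the record minus 'hmac' and compare in constant time."""
    tag = signed.get("hmac")
    if not isinstance(tag, str):
        return False
    body = {k: v for k, v in signed.items() if k != "hmac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def leaf_hash(line: bytes) -> str:
    # 0x00 prefix separates leaves from inner nodes (assumed convention).
    return hashlib.sha256(b"\x00" + line).hexdigest()


def node_hash(left: str, right: str) -> str:
    # 0x01 prefix marks an inner node; children are hashed as raw bytes.
    return hashlib.sha256(b"\x01" + bytes.fromhex(left) + bytes.fromhex(right)).hexdigest()


def merkle_root(lines: list) -> str:
    """Merkle root over JSONL lines; an odd level duplicates its last node (assumption)."""
    if not lines:
        return hashlib.sha256(b"").hexdigest()
    level = [leaf_hash(line) for line in lines]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def append_record(store: list, record: dict, key: bytes = KEY) -> list:
    """Append-only: a new store is returned with the signed record as one JSONL line."""
    return store + [canonical(sign_record(record, key))]


def verify_store(store: list, expected_root: str, key: bytes = KEY) -> tuple:
    """Check every record's HMAC and the batch root; return (ok, indices of bad lines)."""
    bad = []
    for i, line in enumerate(store):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad.append(i)
            continue
        if not verify_record(rec, key):
            bad.append(i)
    return (not bad and merkle_root(store) == expected_root, bad)


def tamper(store: list, index: int, field: str, value) -> list:
    """Simulate an edit that keeps the old HMAC; used to show detection, not to bypass it."""
    rec = json.loads(store[index])
    rec[field] = value
    edited = list(store)
    edited[index] = canonical(rec)
    return edited


if __name__ == "__main__":
    store = []
    for r in SAMPLE_RECORDS:
        store = append_record(store, r)
    root = merkle_root(store)
    print("intact:", verify_store(store, root))
    print("tampered:", verify_store(tamper(store, 1, "classification", "human"), root))
```

The per-record HMAC pins each line to the key holder, so a single edited line fails on its own; the Merkle root pins the batch as a whole, so a deleted or reordered line changes the root even when every surviving line still verifies. Both checks together are what make an append-only JSONL store auditable rather than merely append-only by convention.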
## AI agent terms

| Term | Definition | Context in licit |
|---|---|---|
| AI agent | AI system that operates semi-autonomously or autonomously to perform tasks. In software development: Claude Code, Cursor, Copilot, Codex, architect. | licit tracks code generated by agents |
| Guardrail | Control that limits the behavior of an AI agent. Examples: protected files, blocked commands, code rules. | Extracted from architect config, counts toward compliance |
| Quality gate | Automated check that must pass before accepting an agent’s output. Examples: lint, typecheck, test. | Extracted from architect config |
| Human review gate | Checkpoint that requires human approval. Example: branch protection with required reviews on GitHub. | Detected from CI/CD config |
| Dry-run | Execution mode that simulates actions without applying changes. Allows previewing the agent’s behavior. | Detected from architect config |
| Rollback | Ability to revert changes made by an agent. Typically via git revert or similar mechanisms. | Detected from architect config |
| Session log | Record of an AI agent’s work session. Contains tools used, files modified, timestamps. | Claude Code session reader |
| Budget limit | Spending limit on tokens/API calls to control an agent’s resource consumption. | Extracted from costs.budget_usd |

| Term | Definition |
|---|---|
| licit | Regulatory compliance CLI tool for teams using AI in software development |
| EvidenceBundle | Dataclass with 18 fields that groups all evidence collected from the project |
| ProjectContext | Dataclass describing the auto-detected project context (languages, frameworks, CI/CD, etc.) |
| ControlRequirement | An individual requirement from a regulatory framework (e.g., Art. 9(1) of the EU AI Act) |
| ControlResult | Result of evaluating a requirement against the project (status, evidence, recommendations) |
| GapItem | Identified compliance gap with actionable recommendation, estimated effort, and suggested tools |
| Connector | Read-only integration with external tools (architect, vigil) that enriches evidence |
| ConnectorResult | Result of a connector execution (files read, errors) |
| ComplianceFramework | Protocol that defines the interface for regulatory framework evaluators |
| ConfigChange | Detected change in an AI agent configuration file, with MAJOR/MINOR/PATCH severity |