Skip to content

Glossary

The vocabulary of identity and security, 35 terms deep. Each entry is a self-contained, citable definition cross-linked to the related terms and the guide that explains it in depth, with a stable canonical URL so answer engines can quote it.

Identity

  • ABAC

    Attribute-Based Access Control

    ABAC (Attribute-Based Access Control) decides access by evaluating policies over attributes of the user, resource, action, and environment, expressing fine-grained contextual rules that roles alone cannot.

  • FIDO2

    FIDO2 / WebAuthn

    FIDO2 is the FIDO Alliance's open-standard set for phishing-resistant, passwordless authentication with public-key cryptography, comprising the WebAuthn browser API and the CTAP authenticator protocol.

  • JWT

    JSON Web Token

    A JWT (JSON Web Token, RFC 7519) is a compact, URL-safe token of signed JSON claims that a recipient can verify without a database lookup; OIDC ID tokens are JWTs.

  • MFA

    Multi-Factor Authentication · 2FA · Two-Factor Authentication

    MFA (Multi-Factor Authentication) requires two or more independent factors (something you know, have, or are) to prove identity, so a stolen password alone cannot log an attacker in.

  • OAuth 2.0

    OAuth · OAuth2

    OAuth 2.0 is a delegated authorization framework (RFC 6749) that lets a user grant an app scoped, time-limited access to their data on another service without sharing a password; it is authorization, not authentication.

  • OIDC

    OpenID Connect

    OIDC (OpenID Connect) is a thin authentication layer built on OAuth 2.0 that adds an ID token, a signed JWT the client reads to verify who the user is; it powers most modern consumer login.

  • Passkey

    Passkeys

    A passkey is a discoverable WebAuthn credential, usually synced across a user's devices, that replaces a password with a phishing-resistant key pair held by the platform.

  • PBAC

    Policy-Based Access Control · Policy-as-code

    PBAC (Policy-Based Access Control) moves the authorization decision into an external policy engine expressed as code (such as OPA/Rego or AWS Cedar), and in practice can express RBAC, ABAC, and ReBAC rules.

  • RBAC

    Role-Based Access Control

    RBAC (Role-Based Access Control) grants permissions to roles and assigns roles to users, so access is decided by the role a user holds; it is the most widely deployed authorization model.

  • ReBAC

    Relationship-Based Access Control · Zanzibar

    ReBAC (Relationship-Based Access Control) decides access by traversing relationships in a graph, the model popularized by Google Zanzibar and used for sharing, hierarchy, and nested ownership.

  • SAML

    Security Assertion Markup Language · SAML 2.0

    SAML (Security Assertion Markup Language) is an XML-based standard for exchanging signed authentication and authorization data between an identity provider and a service provider, and it is the incumbent protocol for enterprise single sign-on.

  • SCIM

    System for Cross-domain Identity Management

    SCIM (System for Cross-domain Identity Management) is a REST API standard for automating user provisioning and deprovisioning between an identity provider and an application, keeping the account lifecycle in sync.

  • WebAuthn

    Web Authentication API

    WebAuthn (Web Authentication) is the W3C browser API for registering and authenticating users with public-key credentials, binding every signature to the page origin to make login phishing-resistant.

AI

  • Agentic AI

    AI agents

    Agentic AI describes systems where a language model plans and acts, calling tools and looping until a task is done; its autonomy multiplies both value and security risk.

  • Context window

    Token limit

    The context window is the maximum amount of text, in tokens, a language model can consider at once, spanning the prompt, history, retrieved documents, and the response.

  • Embeddings

    Vector embeddings

    An embedding is a numeric vector that represents the meaning of text (or an image or audio) so that similar meanings sit close together, enabling search by meaning rather than exact keywords.

  • Fine-tuning

    LoRA · Model fine-tuning

    Fine-tuning adapts a pretrained model to a specific task or style by continuing training on a smaller curated dataset, updating the model's weights; it teaches behavior, not fresh facts.

  • Guardrails (LLM)

    LLM guardrails

    Guardrails are the input, output, and system-prompt controls placed around a language model to constrain what it can receive, say, or do; each layer is porous, so they are defense-in-depth, not a fix.

  • Inference

    Model inference

    Inference is running a trained model to produce an output; it is the recurring, per-request cost of an AI product and the runtime surface attackers hit.

  • Jailbreak (LLM)

    LLM jailbreak

    A jailbreak is a prompt crafted to make a language model ignore its safety training and produce content it was tuned to refuse; it targets model alignment rather than the application's instructions.

  • MCP

    Model Context Protocol

    MCP (Model Context Protocol) is an open standard for how a language model or agent discovers and calls external tools, data, and prompts; each MCP server it connects to is a security boundary.

  • MLSecOps

    AI SecOps · ML security operations

    MLSecOps is the practice of building security into the whole machine-learning lifecycle (data, model, deployment, and inference) as a continuous discipline, the way DevSecOps does for software.

  • Prompt injection

    Direct injection · Indirect injection

    Prompt injection is an attack where untrusted text hijacks the instructions a language model follows; indirect injection, where hostile instructions live inside data the model reads, is the most dangerous form.

  • Quantization

    Model quantization

    Quantization shrinks a model by storing its weights at lower numeric precision (for example 4-bit or 8-bit), cutting memory and inference cost at some accuracy tradeoff.

  • RAG

    Retrieval-Augmented Generation

    RAG (Retrieval-Augmented Generation) grounds a model's answer in documents retrieved at query time rather than only its training data, reducing hallucination and enabling answers over private or fresh data.

  • Tool use (function calling)

    Function calling

    Tool use (function calling) is the mechanism by which a language model invokes external functions instead of only generating text; it is where a language problem becomes a real-world action.

  • Vector database

    Vector store

    A vector database indexes and searches embeddings by similarity rather than exact match, using approximate nearest-neighbor algorithms; it is the retrieval layer behind semantic search and RAG.

Security

  • DAST

    Dynamic Application Security Testing

    DAST tests a running application from the outside by sending crafted requests (black-box), catching runtime and configuration flaws that static analysis cannot see; pair it with SAST.

  • EDR

    Endpoint Detection and Response

    EDR is security software on endpoints that records activity, detects malicious behavior, and lets responders investigate and contain threats, going beyond signature-based antivirus.

  • SAST

    Static Application Security Testing

    SAST analyzes an application's source code without running it to find security flaws early (white-box); its counterpart DAST tests the running app from the outside.

  • SIEM

    Security Information and Event Management

    A SIEM collects, normalizes, and correlates logs and events across an environment to detect and alert on security activity; it presumes a team to run it, so it is usually premature for early startups.

  • SOAR

    Security Orchestration, Automation, and Response

    SOAR automates and orchestrates the response to security alerts with playbooks, sitting downstream of detection (often a SIEM) to cut response time.

  • XDR

    Extended Detection and Response

    XDR extends EDR beyond the endpoint, correlating telemetry across endpoints, identity, network, email, and cloud into one detection and response platform.

  • Zero trust

    Zero Trust Architecture · ZTA

    Zero trust is a security model that trusts no user, device, or network location implicitly and verifies every request; it replaces the perimeter with per-request authentication and least privilege.

  • ZTNA

    Zero Trust Network Access

    ZTNA grants a user access to a specific application rather than a whole network, after verifying identity, device, and context on each connection; it is the standard replacement for the VPN.