Glossary

AI systems that autonomously plan, execute, and make decisions. Unlike traditional chatbots, agents act proactively and can independently carry out multi-step tasks.

Graduated levels of AI agent independence: assistive (human decides), semi-autonomous (agent acts within defined boundaries), or autonomous (agent acts independently within a regulatory framework).

Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik). The German federal authority responsible for cybersecurity, NIS2 implementation, C5 attestations, and critical infrastructure regulation.

An approach where regulatory requirements (EU AI Act, NIS2, GDPR) are embedded into the design of an AI system from the outset – rather than being checked retroactively.

General Data Protection Regulation (EU) 2016/679. Governs the protection of personal data in the EU. Particularly relevant for AI systems processing personal data – e.g., in customer inquiries or HR processes.

Regulation (EU) 2024/1689 on the regulation of AI systems. Defines 4 risk classes (prohibited, high-risk, limited, minimal) and becomes fully applicable on 2 August 2026.

Additional training of a pre-trained AI model (e.g., LLM) on company-specific data to improve quality for domain-specific tasks. An alternative to RAG, but more complex and costly.

An external C-level AI executive who manages a company's AI strategy, governance, and compliance 3–4 days per month – without a full-time position.

A phenomenon where an AI model generates plausible-sounding but factually incorrect information. Particularly critical in regulated environments – making human-in-the-loop oversight and fact-checking essential.

A design principle where a human is involved in the AI agent's decision-making process – e.g., for approvals, quality control, or critical decisions. Mandatory for high-risk AI systems under the EU AI Act.

Information Security Management System. A structured framework for information security based on ISO 27001/BSI IT-Grundschutz. Core of NIS2 implementation: policies, risk management, incident response, and continuous improvement.

The organizational framework for AI deployment: roles, responsibilities, decision-making processes, documentation, and monitoring of AI systems.

Assessment of a company's maturity for AI adoption across 5 dimensions: strategy, data, compliance, organization, and technology.

Documentation of all AI systems deployed in an organization, including risk classification under the EU AI Act. Mandatory for high-risk AI and part of conformity documentation.

The separation of a company's (or business unit's) IT landscape as part of an M&A transaction. Covers infrastructure, applications, licenses, contracts, and identity – under signing/closing time pressure.

Critical infrastructure as defined by German BSI legislation. Companies in sectors such as energy, healthcare, transport, and finance with special cybersecurity obligations.

Large language models such as GPT-4, Claude, or Llama. The foundation for AI agents that can understand and generate natural language and be deployed in business processes.

Legal obligation to report security incidents: 24-hour early warning to the BSI, 72-hour incident report with initial assessment, and 1-month final report with root cause analysis.

EU Directive 2022/2555 on network and information security. In force in Germany since December 2025. Affects approximately 29,500 companies with reporting obligations (24h/72h) and personal liability for management.

A prototype implementation of an AI agent in a real business process to validate feasibility and business value before investing in a production rollout.

A consulting approach where senior experts personally work on client projects – as opposed to the pyramid model of large consultancies, where junior consultants handle the operational work.

An architecture pattern where an LLM accesses an external knowledge base (e.g., company documents) to answer queries. Reduces hallucinations and enables domain-specific AI without fine-tuning.

Classification of an AI system under Art. 6 EU AI Act into one of 4 classes: Prohibited (e.g., social scoring), High-Risk (e.g., AI in HR, credit decisions), Limited (e.g., chatbots with transparency requirements), or Minimal (e.g., spam filters).

Software robots that automate rule-based, repetitive tasks. Platforms like UiPath increasingly combine RPA with AI agents (Agentic AI) for smarter, context-aware automation.

An external Chief Information Security Officer who manages a company's cybersecurity strategy on demand. Typically 3–4 days per month.