Glossary
Key terms and concepts in the FuseGov Operational Authenticity architecture.
Core Concept
Operational Authenticity
The ability to enforce, verify, and evidence intent-aligned AI behavior at runtime. The third layer of security architecture beyond authentication and authorization.
Policy Lifecycle
Policy Bundle
A versioned, signed package of machine-executable controls that runtime enforcement points (gateway/sidecar) can evaluate in real time. Includes control definitions, risk tier logic, tool constraints, and evidence requirements.
Risk Tier
Classification of tools or actions by severity: LOW, MEDIUM, HIGH, CRITICAL. Determines enforcement intensity, approval requirements, and degraded mode behavior.
Registries
Tool Registry
A machine-readable inventory of all tools agents can invoke. Each entry includes owner, risk tier, allowed operations, scope constraints, data class constraints, rate limits, and approval rules.
Agent Registry
A registry of autonomous agents with their permitted intents, allowed tool groups, max data classification, runtime identity requirements, and approval thresholds.
Evidence Pipeline
Evidence Pack
A normalized, integrity-protected bundle of decision events, action telemetry, and outcome verification for a session, workflow, or case. Exportable to SIEM/GRC systems.
CTR (Cognitive Telemetry Record)
FuseGov's immutable audit record for each enforcement decision. Includes request details, policy evaluation, decision rationale, timestamps, and cryptographic signatures.
Enforcement
PEP (Policy Enforcement Point)
The component that intercepts and evaluates tool calls against policies. Can be deployed as a central gateway (for shared tools) or as sidecars (per-agent, low latency).
Gateway
A centralized PEP that governs shared or high-risk tools. Provides consistent visibility across all agents and centralized policy enforcement.
Sidecar
A per-agent PEP deployed close to the workload. Provides low-latency enforcement, resilience, and team-autonomous policy customization.
Two-Stage Enforcement
FuseGov's patented enforcement architecture: Stage 1 (deterministic) handles fast, reliable checks like allowlists and rate limits. Stage 2 (semantic) provides AI-powered context analysis for ambiguous requests.
Resilience
Degraded Mode
Safe failure behavior when semantic verification or other components are unavailable. Stage 1 continues protecting while Stage 2 recovers. Configurable per risk tier (fail-closed for CRITICAL, queue for HIGH, etc.).
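To make the Two-Stage Enforcement and Degraded Mode entries concrete, here is an added illustration (not FuseGov code) of a minimal PEP: Stage 1 applies deterministic registry, operation and rate-limit checks, Stage 2 calls a pluggable semantic check, and when Stage 2 is unavailable the decision falls back to a per-tier degraded-mode table, with every decision written to a CTR-style record. The tool registry entries, the semantic check, and the LOW/MEDIUM allow behaviour in degraded mode are assumptions made for this example.

```python
# Added illustration of a two-stage PEP with per-tier degraded mode.
# Not FuseGov code; registry entries and the LOW/MEDIUM degraded-mode
# behaviour below are constructed assumptions for the example.
from collections import defaultdict

# Constructed Tool Registry entries: risk tier, allowed operations, rate limit.
TOOL_REGISTRY = {
    "search_docs": {"tier": "LOW", "ops": {"read"}, "rate_limit": 5},
    "send_email": {"tier": "HIGH", "ops": {"send"}, "rate_limit": 3},
    "update_ledger": {"tier": "CRITICAL", "ops": {"write"}, "rate_limit": 2},
}

# Degraded-mode behaviour when Stage 2 is unavailable. CRITICAL fail-closed
# and HIGH queue follow the glossary; LOW/MEDIUM allow is an assumption.
DEGRADED = {"CRITICAL": "deny", "HIGH": "queue", "MEDIUM": "allow", "LOW": "allow"}


class PEP:
    def __init__(self, semantic_check=None):
        self.semantic_check = semantic_check  # Stage 2 callable; None = unavailable
        self.calls = defaultdict(int)         # (agent, tool) -> call count
        self.ctr_log = []                     # CTR-style decision records

    def evaluate(self, agent, tool, op, prompt):
        record = {"agent": agent, "tool": tool, "op": op, "stage": 1}
        entry = TOOL_REGISTRY.get(tool)
        # Stage 1 (deterministic): inventory, allowed operation, rate limit.
        if entry is None:
            return self._decide(record, "deny", "tool not in registry")
        if op not in entry["ops"]:
            return self._decide(record, "deny", "operation not allowed")
        self.calls[(agent, tool)] += 1
        if self.calls[(agent, tool)] > entry["rate_limit"]:
            return self._decide(record, "deny", "rate limit exceeded")
        # Stage 2 (semantic): degrade per risk tier if the checker is down.
        record["stage"] = 2
        tier = entry["tier"]
        if self.semantic_check is None:
            return self._decide(record, DEGRADED[tier], f"degraded mode ({tier})")
        ok = self.semantic_check(prompt, tool)
        return self._decide(record, "allow" if ok else "deny", "semantic check")

    def _decide(self, record, decision, rationale):
        # Every decision, allow or deny, is evidenced in the CTR log.
        record.update(decision=decision, rationale=rationale)
        self.ctr_log.append(record)
        return decision
```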
Operations
Drift Detection
Monitoring for governance failures: config drift (deployed ≠ approved bundle), coverage drift (calls bypassing PEPs), inventory drift (unregistered tools), and control drift (missing evidence).
Approvals
Step-up Authentication
Additional identity verification required for high-risk approvals. Triggered when actions exceed autonomous thresholds.
Time-boxed Waiver
A governed exception with mandatory expiry. Requires compensating controls and is evidenced in audit trails.