Terminology

A short, alphabetical glossary of the words Secruna uses in product, documentation, and conversation. The same terms appear in the API schema and the audit log, so a shared vocabulary matters.

AI system

A discrete piece of software whose behaviour depends on a model — a classifier, a generative LLM endpoint, a recommender, an automated decision pipeline, or anything that an EU AI Act, RICS, or UK Defence AI Playbook reviewer would call AI. AI systems live inside a tenant and accumulate artifacts as we discover and analyse them.

Artifact

A single piece of evidence about an AI system — the IAM role on a Lambda, a fragment of source code from a repository, a configuration value, an extracted purpose statement, or a model card snippet. Artifacts are what rule entries evaluate against.

Audit log entry

An immutable row recording an action taken in the platform — who did it, what changed, when, and a hash chain so the row can't be edited silently. Every customer-visible mutation produces at least one entry.

Connector

The component that pulls data from a customer system into Secruna — AWS, Azure, GCP, GitHub, internal HR tools, surveying-specific tools under the RICS pack. Connectors run inside the discovery worker and emit artifacts.

Discovery run

One execution of the discovery worker for a tenant. A run scans the configured connectors, writes new artifacts, re-evaluates rules, and emits webhooks. Runs are cron-triggered (every two minutes) and event-triggered (Plan 61 Phase 2).

Evidence pack

A bundle of artifacts plus the verdict copy for a regulator or auditor — the EU AI Act Annex IV technical documentation, a RICS AI Use Disclosure Statement, a Firm AI Register CSV. Evidence packs are the tangible output of a compliance review.

Framework

A regulatory regime Secruna supports as a product. Today: EU AI Act, RICS, UK Defence AI Playbook, Defence Standard 05-138, Secure by Design. Each framework owns its own rule book, taxonomy, and customer-facing surfaces.

Org admin / reviewer / viewer

The three role tiers on a tenant. Org admin can change settings, invite members, and edit verdicts. Reviewer can edit verdicts but not change tenant settings. Viewer is read-only — useful for counsel or external auditors.

Rule book / rule entry / matcher

The rule book is the YAML corpus loaded at start-up by the multi-framework loader. A rule entry is a single row — title, framework, category, matcher, customer-facing description. A matcher is the structured query (typically over artifact_metadata) that decides whether an artifact triggers the rule.

Subscription

The Plan 103 record on a tenant that says which frameworks they have purchased. The framework picker in onboarding reads from this; the rule loader filters by it; the dashboard hides surfaces the tenant hasn't subscribed to.

Tenant

One customer organisation. Tenants are isolated from each other at the database row level via PostgreSQL row-level security and an app.current_tenant_path ltree session variable. There is no shared storage between tenants.
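
One way the isolation described in this entry can be expressed in PostgreSQL, as an added example rather than Secruna's own schema. The `artifacts` table, `tenant_path` column, `app_rw` role, sample tenant paths, and the use of the ltree `<@` (descendant-or-equal) operator are assumptions; only `app.current_tenant_path` comes from this page.

```sql
-- Added example: table, column, role and tenant names are hypothetical.
CREATE EXTENSION IF NOT EXISTS ltree;

CREATE TABLE artifacts (
    id          bigserial PRIMARY KEY,
    tenant_path ltree NOT NULL,   -- assumed column naming the owning tenant
    body        jsonb NOT NULL
);

-- ENABLE turns the policy on; FORCE applies it to the table owner as well.
ALTER TABLE artifacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE artifacts FORCE ROW LEVEL SECURITY;

-- A row is readable (USING) and writable (WITH CHECK) only when it sits at or
-- under the session's tenant path. current_setting(..., true) returns NULL
-- when the variable is unset, and NULLIF maps an empty string to NULL, so a
-- session with no tenant set matches no rows instead of all rows.
CREATE POLICY tenant_isolation ON artifacts
    USING (
        tenant_path <@ NULLIF(current_setting('app.current_tenant_path', true), '')::ltree
    )
    WITH CHECK (
        tenant_path <@ NULLIF(current_setting('app.current_tenant_path', true), '')::ltree
    );

-- The application connects as a role that cannot bypass RLS.
CREATE ROLE app_rw NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT ON artifacts TO app_rw;
GRANT USAGE ON SEQUENCE artifacts_id_seq TO app_rw;

-- Constructed tenant 'acme': SET LOCAL scopes the variable to this transaction,
-- so a pooled connection does not carry it into the next request.
BEGIN;
SET LOCAL ROLE app_rw;
SET LOCAL app.current_tenant_path = 'acme';
INSERT INTO artifacts (tenant_path, body) VALUES ('acme', '{"kind": "iam_role"}');
COMMIT;

-- Constructed tenant 'globex': the SELECT is filtered to globex rows, and the
-- final INSERT for another tenant's path violates WITH CHECK and is refused.
BEGIN;
SET LOCAL ROLE app_rw;
SET LOCAL app.current_tenant_path = 'globex';
INSERT INTO artifacts (tenant_path, body) VALUES ('globex', '{"kind": "model_card"}');
SELECT id, tenant_path FROM artifacts;
INSERT INTO artifacts (tenant_path, body) VALUES ('acme', '{"kind": "spoofed"}');
ROLLBACK;
```

Superusers and roles with `BYPASSRLS` are never subject to the policy, so a review of this kind of setup should confirm which role the application and any migration tooling actually connect as.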

TEVV

Test, Evaluation, Verification, and Validation. The category in the UK Defence AI Playbook for AI systems that require evidence of performance against a defined threshold before deployment. Rules in the Defence pack route TEVV-flagged systems to an explicit review queue.

Verdict / verdict copy

A verdict is the platform's judgement on whether an AI system satisfies a rule — pass, fail, needs-review, or not-applicable. The verdict copy is the human-readable explanation Secruna writes alongside it: what the rule asks for, what we found, and what the customer needs to do next. Verdict copy is what ends up in evidence packs.