Architecting Trust, Appendix: Sources & Glossary

Banner, Sources and Glossary: tracing claims and defining terms, showing each guide claim verified against a documented source and every term gathered into one master glossary.
Every guide claim traced to a documented source, and every term defined in one master glossary.
AraGrow
← Guide overview
Executive Guide · Appendix
Sources & Glossary

Appendix · Reference

Sources & Glossary

Every claim in this guide, traced to where it came from, and every term, in one place.

A note on sourcing

How the evidence was chosen

Every risk in this guide is illustrated with a documented, public source: a security disclosure, a court ruling, a logged incident, or peer-reviewed research, each listed below with a link you can check. Where a colorful story couldn't be verified, it was left out and replaced with one that could.

Each entry carries a tag showing which module it supports, so any statement in the guide can be traced back to its origin. This appendix is reference material, not legal or security advice for a specific system; for a high-stakes deployment, get a qualified review.

A caution on the sources themselves. I gathered these from the public internet, and some were surfaced with the help of AI. I've checked the links, but I'm not the author of any of them, and sources can be wrong, outdated, or missing context. Treat them the way you'd treat anything on the internet: with healthy skepticism. Question their findings, then question them again, and verify anything you plan to act on against a primary source or a qualified professional.

Source bibliography

References, by theme

Framing & frameworks

Real-world incidents & rulings

Evaluation research & tools

  • Judging LLM-as-a-Judge with MT-Bench and Chatbot Arena L. Zheng et al. · arXiv:2306.05685 · 2023 (strong AI judges agree with humans more than 80% of the time) https://arxiv.org/abs/2306.05685 Module 05
  • G-Eval: NLG Evaluation using GPT-4 with Better Human Alignment Y. Liu et al. · arXiv:2303.16634 · 2023 (correlates with humans far better than BLEU/ROUGE) https://arxiv.org/abs/2303.16634 Module 05
  • The RAG Triad: context relevance, groundedness, answer relevance TruLens (TruEra) open-source project · evaluation framework documentation https://www.trulens.org/getting_started/core_concepts/rag_triad/ Module 05
  • Open-source evaluation tools referenced TruLens, Ragas, DeepEval, and Promptfoo · project documentation trulens.org · docs.ragas.io · deepeval.com · promptfoo.dev Module 05

Industry & standards bodies

Master glossary

Every term, in plain language

The terms introduced across all seven modules, gathered and alphabetized.

A
Agent
An AI that can take actions on your systems (send, update, book, pay, delete), not just answer.
Answer relevance
A RAG-triad check: did the reply actually address the question that was asked?
B
Blast radius
How much damage a successful attack can do, set by what the AI can reach times what it can do.
C
Context relevance
A RAG-triad check: did the system retrieve the right information before answering?
Context window
The "binder," the block of text (rules + conversation + documents) the model re-reads on every turn.
D
Defense in depth
Multiple independent layers of protection, so a failure in one is caught by the next.
Direct injection
The user types the malicious instruction themselves, a jailbreak or "ignore your rules" attack.
Drift (regression)
Quality silently dropping over time, often after the underlying model updates. Why evals must be ongoing.
E
Encoding
Converting text into another format (e.g. Base64) so a filter sees noise but the model still understands it.
Evaluation ("eval")
A structured test of whether an AI does its job across many cases, the AI version of software testing.
Excessive agency
Granting an AI more permissions than its job needs. The most common avoidable mistake.
Exfiltration
Getting stolen data out of a system, via email, a web link, a loaded image, or any outbound channel.
G
Governance
The human layer: a named owner, a policy for what AI may touch, vendor accountability, and an incident plan.
Groundedness
The key RAG-triad check: is every claim in the answer supported by the retrieved source? Catches hallucination.
Guardrail / AI firewall
A filter that scans input or output for dangerous content. A useful layer, never a complete defense.
H
Hallucination
A confident answer the AI made up, stated as fact but not backed by any real source.
Human-in-the-loop
Requiring a person to confirm an action before it happens. Reserved for the high-stakes, irreversible ones.
I
Incident response
A pre-written plan for the first hour after an AI does something wrong. Cheaper to write than to improvise.
Indirect injection
A malicious instruction hidden in outside content (email, document, web page) the AI reads during a routine task.
Invisible text
Instructions hidden in a document via white-on-white text, tiny fonts, or special characters a person won't notice.
J
Jailbreak
Talking an AI out of its safety rules, often through role-play or a fictional framing.
L
Least privilege
Giving the AI only the narrowest powers its job requires, the boring principle that keeps the blast radius small.
Lethal trifecta
Private data, plus untrusted content, plus a way to send data out. The combination that turns injection into a breach.
Link smuggling
Exfiltrating data by hiding it in a web address loaded as an image, so leaving data looks like showing a picture.
LLM-as-a-judge
Using a strong AI to grade other AI output at scale. Agrees with humans often (about 80% or more), but carries biases.
M
MCP (Model Context Protocol)
A popular standard for connecting AI agents to tools and data. Convenient, and each connection is a security decision.
Multimodal injection
Hiding an instruction inside an image the AI reads, a screenshot, scan, or logo carrying hidden orders.
O
Obfuscation
Disguising an instruction while keeping its meaning, by rewording, describing, or riddling it.
P
Probabilistic
Driven by likelihood, not fixed rules. The same input can produce different outputs, which is why "it will never..." is a shaky promise.
Prompt injection
Slipping instructions into the text an AI reads so it follows the attacker instead of you. The #1 risk for AI applications.
R
RAG
"Retrieval-augmented generation," an AI that looks things up in your documents before answering. The common business setup.
RAG triad
Three checks (context relevance, groundedness, answer relevance) that locate where an AI's answer went wrong.
S
Semantic gap
An AI's inability to tell instructions apart from data. The root cause of most AI security risk.
Separation of trust (dual-LLM)
Splitting work so the AI exposed to untrusted content has no power, and the AI with power never reads untrusted content directly.
Single point of failure
Anything you rely on alone; if it fails, nothing else catches it. The thing to hunt down and back up.
Stateless
The AI keeps no memory of its own between conversations; each one starts blank.
System prompt
The hidden rules a company writes to shape an AI's behavior. Powerful, but still text the model can be argued out of.
T
Tool / tool use
A capability an AI is wired to (email, database, calendar, payments). Each tool is a new power and a new risk.
Trust boundary
The line between content you control and content you don't. Crossing it is where injection happens.
W
Word-overlap metrics (BLEU / ROUGE)
Older quality scores that check whether an answer's words match a reference. Poor at judging meaning or catching made-up facts.
Z
Zero-click
An attack needing no action from the victim; a normal email plus a normal request is enough (as in EchoLeak).
AraGrow
Architecting Trust: An Executive's Guide to AI Risk & Readiness · Appendix: Sources & Glossary
Prepared by AraGrow LLC · David Aragó, Fractional CTO · Minneapolis · Bilingual EN / ES
← Back to Blog Work With Me