Reference
Glossary
Every acronym, regulation, role, and platform term used across Scout. Acronyms on other pages link to their entry here.
Sales
AUM
Assets Under Management
Total market value of assets a firm manages on behalf of clients - the primary sizing metric for wealth management firms.
BDR
Business Development Representative
Outbound prospecting role similar to an SDR, often focused on net-new logos and strategic accounts.
Also: BDM
ICP
Ideal Customer Profile
The firmographic and behavioral profile of accounts most likely to buy. For Tumeryk: regulated mid-market and enterprise firms deploying Copilot or seeing Shadow AI growth.
M&A
Mergers and Acquisitions
Corporate transactions that frequently trigger AI governance scrutiny because two stacks - and two sets of unsanctioned AI tools - have to merge.
MRR
Monthly Recurring Revenue
Predictable monthly subscription revenue - the metric MSP and MSSP partners care about when adding Workforce AI Security to their stack.
MSP
Managed Service Provider
Partner that operates IT and software services on behalf of clients. Many MSPs are adding AI governance as a managed service.
MSSP
Managed Security Service Provider
Partner that operates security tooling - SIEM, EDR, DLP - on behalf of clients. Workforce AI Security is the next managed security SKU.
PoV
Proof of Value
A short, scoped deployment - usually 14 to 30 days - that proves measurable Shadow AI discovery and risk reduction before a paid contract.
ROI
Return on Investment
Quantified business return from a purchase. With Tumeryk, ROI is framed as avoided regulatory penalties, reduced incident response cost, and faster Copilot rollout.
SDR
Sales Development Representative
Outbound rep responsible for qualifying prospects and booking discovery meetings for Account Executives.
SDR note. You are the SDR. Your goal on every Scout page is to get to a 15-minute discovery meeting.
Role
CCO
Chief Compliance Officer
Executive accountable for regulatory compliance and examiner readiness. Cares about audit evidence, documented controls, and policy enforcement.
CIO
Chief Information Officer
Executive owning IT strategy and rollouts including Microsoft Copilot. Wants Tumeryk to unblock - not slow down - AI adoption.
CISO
Chief Information Security Officer
Executive accountable for cybersecurity strategy, controls, and incident response. Primary buyer for Workforce AI Security.
CRO
Chief Risk Officer
Executive responsible for the enterprise risk register, including AI risk scoring and quantification.
CUO
Chief Underwriting Officer
Insurance executive accountable for underwriting decisions - now including AI-assisted underwriting under NAIC Model Bulletin 2023-1.
DPO
Data Protection Officer
Privacy executive required under GDPR for many organizations. Owns DPIAs for new processing including employee LLM use.
Also: Chief Privacy Officer
RIA
Registered Investment Adviser
Firm or individual registered with the SEC or a state to provide investment advice.
Regulator
ABA
American Bar Association
Professional association issuing model rules and formal opinions adopted by most state bars.
ASIC
Australian Securities and Investments Commission
Australia's corporate, markets, and financial-services regulator.
CFPB
Consumer Financial Protection Bureau
Federal regulator for consumer financial products. Has issued guidance on AI-driven decisioning and fair lending.
DOI
Department of Insurance
State-level insurance regulator. Many states have adopted the NAIC Model Bulletin on AI.
FDA
U.S. Food and Drug Administration
Federal regulator for drugs, biologics, and medical devices - including AI/ML-enabled medical devices.
FDIC
Federal Deposit Insurance Corporation
U.S. banking regulator and deposit insurer. Co-issued the 2023 interagency third-party risk management guidance with the OCC and Federal Reserve, which covers LLM vendors.
FINRA
Financial Industry Regulatory Authority
Self-regulatory organization overseeing broker-dealers in the U.S. Issues rules on supervision (3110) and books and records (4511) that apply to AI-assisted client communications.
ICO
UK Information Commissioner's Office
UK data protection regulator - has issued specific guidance on generative AI.
MAS
Monetary Authority of Singapore
Singapore's integrated financial regulator and central bank. Issued FEAT principles for AI in finance.
NAIC
National Association of Insurance Commissioners
Coordinating body for U.S. state insurance regulators. Model Bulletin 2023-1 requires governance of AI in underwriting and claims.
NYDFS
New York Department of Financial Services
State regulator for banks, insurers, and other New York licensees. Its 2024 industry letter applies the Part 500 cybersecurity regulation to AI-related risks such as AI-enabled social engineering and data exposure through AI tools.
OCC
Office of the Comptroller of the Currency
Primary federal regulator for national banks. Issued OCC Bulletin 2023-17 reinforcing third-party risk management - directly relevant to LLM vendor use.
OCR
HHS Office for Civil Rights
HHS office that enforces HIPAA and investigates breaches.
RBI
Reserve Bank of India
India's central bank and banking regulator.
SEC
U.S. Securities and Exchange Commission
Federal regulator for securities markets, broker-dealers, and registered investment advisers (RIAs).
Regulation
21 CFR Part 11
FDA Electronic Records and Signatures
FDA rule on electronic records integrity - relevant when AI is part of regulated documentation workflows.
42 CFR Part 2
Confidentiality of Substance Use Disorder Patient Records
Federal rule with stricter consent requirements than HIPAA for substance-use treatment records.
ABA Formal Op 512
ABA Formal Opinion 512
2024 opinion on lawyer use of generative AI - requires competence, confidentiality, and, in some circumstances, informed client consent before client information is entered into a tool.
BAA
Business Associate Agreement
HIPAA-required contract with any vendor that processes PHI. Consumer LLM services generally do not sign BAAs (some enterprise tiers do) - which is why clinician use of consumer tools is high-risk.
BSA / AML
Bank Secrecy Act / Anti-Money Laundering
U.S. anti-financial-crime regime. AML investigators using ChatGPT to draft narratives risk leaking SAR-relevant data.
CCPA
California Consumer Privacy Act
California privacy law, expanded by CPRA, with rights of access, deletion, and opt-out applicable to LLM training data.
EAR
Export Administration Regulations
U.S. Commerce Department export controls on dual-use technology - also implicated by cross-border LLM data flows.
EU AI Act
European Union Artificial Intelligence Act
First comprehensive AI law - risk-tiered obligations including transparency, documentation, and human oversight.
FINRA 3110
FINRA Rule 3110 (Supervision)
Requires broker-dealers to supervise associated persons - including their use of AI to draft client communications.
FINRA 4511
FINRA Rule 4511 (Books and Records)
Requires preservation of business communications - AI prompts and outputs used in advisory work may be in scope.
GDPR
General Data Protection Regulation
EU comprehensive data protection regulation. Public LLM use without legal basis or DPIA is a frequent violation pattern.
GLBA
Gramm-Leach-Bliley Act
U.S. federal law requiring financial institutions to safeguard nonpublic personal information - directly implicated when client data is pasted into public LLMs.
HIPAA
Health Insurance Portability and Accountability Act
U.S. federal law protecting PHI. Every paste of a chart into a non-BAA LLM is a potential breach.
HITECH
Health Information Technology for Economic and Clinical Health Act
Strengthens HIPAA enforcement and breach-notification requirements; raised maximum OCR penalties.
ITAR
International Traffic in Arms Regulations
U.S. export controls on defense articles and technical data - leaking ITAR data via an LLM is an export violation.
MRA
Matter Requiring Attention
Formal supervisory finding from a U.S. banking regulator that requires corrective action - increasingly issued for AI governance gaps.
OMB M-24-10
OMB Memorandum M-24-10
Federal memo (March 2024) requiring agencies to inventory AI uses, designate Chief AI Officers, and apply minimum risk practices. Rescinded and replaced in April 2025 by OMB M-25-21, which keeps the inventory and Chief AI Officer requirements.
Reg S-P
Regulation S-P
SEC rule on the privacy of consumer financial information; amended 2024 to require breach notification - including LLM-related data exposures.
Schrems II
CJEU Schrems II Ruling
2020 EU court ruling that invalidated Privacy Shield and constrains transfers of personal data to the U.S. - relevant for any LLM hosted outside the EU/EEA unless a valid transfer mechanism (an adequacy decision such as the EU-U.S. Data Privacy Framework, or standard contractual clauses) is in place.
Framework
CMMC 2.0
Cybersecurity Maturity Model Certification 2.0
DoD certification required for defense contractors handling CUI. It has no AI-specific practices of its own, but any AI tool that touches CUI sits inside the assessed boundary and must be covered by the existing controls.
DPIA
Data Protection Impact Assessment
GDPR-required assessment for high-risk processing - including new uses of employee LLMs.
FedRAMP
Federal Risk and Authorization Management Program
Standardized security authorization for cloud services used by U.S. federal agencies.
GxP
Good Practice (Manufacturing, Laboratory, Clinical)
Umbrella term for FDA-regulated quality practices. AI used in GxP-validated systems must itself be validated.
ISO 42001
ISO/IEC 42001 AI Management System
International standard for establishing an AI management system - the AI equivalent of ISO 27001.
NIST 800-171
NIST Special Publication 800-171
Controls for protecting CUI in non-federal systems - the technical backbone of CMMC.
NIST AI RMF
NIST AI Risk Management Framework
Voluntary framework (AI 100-1) for managing AI risk - Govern, Map, Measure, Manage. The preferred anchor for AI governance programs in the U.S.
SOC 2
AICPA SOC 2
Audit framework for service organizations covering security, availability, processing integrity, confidentiality, and privacy.
SR 11-7
Federal Reserve SR 11-7 Model Risk Management
Federal Reserve supervisory guidance on model risk management. Banking regulators expect LLMs to be governed under SR 11-7 principles.
SSP
System Security Plan
Document describing how a system meets NIST 800-171 / FedRAMP controls. AI use must be scoped in the SSP.
Security
CASB
Cloud Access Security Broker
Proxy or API integration that brokers SaaS app traffic. Typically sees which AI apps are in use, not prompt-level content or the intent behind a prompt.
DLP
Data Loss Prevention
Pattern- and signature-based tooling for blocking known data types (card numbers, SSNs, classified documents) leaving via known channels (email, file upload). Rarely tuned to conversational LLM prompts, where sensitive data arrives as unstructured text.
EDR
Endpoint Detection and Response
Endpoint security platform - useful for malware, blind to legitimate browser-based ChatGPT use.
Prompt Injection
Prompt Injection Attack
Attack where untrusted content overrides an LLM's instructions to exfiltrate data or trigger unintended actions. Called indirect prompt injection when the payload arrives through content the model retrieves (a web page, document, or email) rather than from the user.
SIEM
Security Information and Event Management
Log aggregation and correlation platform. Receives Tumeryk telemetry but does not natively see AI activity.
Technology
Agentic AI
Autonomous AI Agents
AI systems that plan, call tools, and take actions on a user's behalf. Expands the Shadow AI attack surface beyond chat.
AI Trust Score™
Tumeryk AI Trust Score™
Tumeryk's quantitative score (0-1000) for any AI tool's enterprise risk - covering data handling, security posture, compliance, and governance maturity.
LLM
Large Language Model
Foundation model trained on text - e.g. GPT-4, Claude, Gemini. The primary risk surface Tumeryk governs.
MCP
Model Context Protocol
Open protocol for connecting LLMs to tools, data, and agents - the plumbing of Agentic AI.
RAG
Retrieval-Augmented Generation
Pattern where an LLM is grounded with retrieved enterprise documents at inference time.
SaaS
Software as a Service
Cloud-delivered software. Most embedded AI (Notion AI, Grammarly, Salesforce Einstein) reaches employees via SaaS.
Shadow AI
Shadow AI
Use of AI tools without IT, security, or compliance sanction - the evolution of Shadow IT, multiplied by the speed of generative AI adoption.
Workforce AI Security
Workforce AI Security
Tumeryk's category - discovering, classifying, governing, and reporting on employee use of AI across browser, desktop, SaaS, and agents.
Data
CUI
Controlled Unclassified Information
Government information that requires safeguarding but is not classified. CUI in a public LLM prompt can suspend a contract.
KYC
Know Your Customer
Identity verification process at financial institutions; KYC documents contain PII that must never enter public LLMs.
MNPI
Material Non-Public Information
Information that, if disclosed, could move a security's price. Pasting MNPI into a public LLM hands it to a third party outside the firm's information barriers - a confidentiality and insider-trading control failure.
PHI
Protected Health Information
Individually identifiable health information protected under HIPAA.
PII
Personally Identifiable Information
Any data that can identify a person. The first thing Tumeryk's classifier flags in LLM prompts.
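The DLP and PII entries above describe pattern-based detection and its blind spot, conversational prompts. The scanner below is an added illustration of what prompt-level PII detection looks like in practice; it is not Tumeryk's classifier and not code from the original page. The helper names (scan_prompt, luhn_ok, ssn_plausible, decision) and the sample prompt are constructed for the example. It goes slightly beyond a bare regex match: card numbers are validated with the Luhn check digit and SSN-shaped strings against the Social Security Administration's structural rules, so that digit noise in a prompt does not trigger a block.

```python
"""Illustrative prompt-content scanner (added example, not Tumeryk's classifier)."""
import re
from dataclasses import dataclass

# Constructed sample prompt - not a real client note or chat transcript.
SAMPLE_PROMPT = (
    "Summarize this client note for a follow-up email: Jane Doe, SSN 219-09-9999, "
    "card 4111 1111 1111 1111 exp 09/27, reach her at jane.doe@example.com. "
    "Also note card 1234 5678 9012 3456 on file and order ID 000-00-0000."
)


@dataclass(frozen=True)
class Finding:
    kind: str      # "ssn", "card" or "email"
    redacted: str  # what a reviewer sees in the alert; the raw value never leaves the scanner
    start: int     # character offset in the prompt


_SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
_CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")          # 13-19 digits, optional spaces/dashes
_EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; separates real card numbers from runs of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA rules: area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan_prompt(prompt: str) -> list[Finding]:
    """Return validated PII findings in the order they appear in the prompt."""
    findings: list[Finding] = []
    for m in _SSN_RE.finditer(prompt):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3), m.start()))
    for m in _CARD_RE.finditer(prompt):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("card", "*" * (len(digits) - 4) + digits[-4:], m.start()))
    for m in _EMAIL_RE.finditer(prompt):
        local, _, domain = m.group().partition("@")
        findings.append(Finding("email", local[0] + "***@" + domain, m.start()))
    return sorted(findings, key=lambda f: f.start)


def decision(prompt: str) -> str:
    """Policy hook: block government or payment identifiers, warn on contact data, else allow."""
    kinds = {f.kind for f in scan_prompt(prompt)}
    if kinds & {"ssn", "card"}:
        return "block"
    return "warn" if kinds else "allow"


if __name__ == "__main__":
    for f in scan_prompt(SAMPLE_PROMPT):
        print(f"{f.kind:5s} at {f.start:3d}: {f.redacted}")
    print("decision:", decision(SAMPLE_PROMPT))
```

On the sample prompt the scanner reports the SSN, the Visa test number and the email address, and rejects both the Luhn-invalid "1234 5678 9012 3456" and the structurally impossible "000-00-0000", so the decision is "block" for the right reasons. A production classifier would add more types (MNPI cannot be matched by pattern at all and needs context or labels), but the validation step is what keeps a prompt gate from blocking every invoice number.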
