SiteTrust AI Transparency Glossary

A reference for AI disclosure, certification, and regulatory terminology. Updated as standards and regulations evolve.

This glossary covers the language of AI transparency: regulatory frameworks like the EU AI Act and Colorado AI Act, technical standards like C2PA, governance concepts like algorithmic accountability, and the terminology behind the SiteTrust verified badge and public registry. Each entry links to related terms and to deeper reading where available.

New to the space? Start with AI Disclosure, Trust Badge, and Trust Registry. Preparing for compliance? Jump to EU AI Act, Colorado AI Act, and AI Risk Assessment.

AI Disclosure and Transparency

AI Disclosure

AI disclosure is the act of telling customers, employees, regulators, or partners that artificial intelligence is being used in a product, decision, or interaction. Disclosure can take the form of a website notice, a label inside a software feature, a policy document, or a structured filing under a regulatory framework.

According to McKinsey research [The state of AI in 2025: Agents, innovation, and transformation], roughly 88% of brands use AI in content creation, while only 36% of them have a formal governance framework, according to the Pacific AI 2025 Survey.

Disclosure requirements are now codified in multiple jurisdictions. The EU AI Act requires disclosure for high-risk and limited-risk AI systems. The Colorado AI Act applies to deployers of high-risk AI in consumer-facing decisions. California's Transparency in Frontier AI Act focuses on the largest model developers. Companies that disclose voluntarily often see conversion lift from increased customer trust.

AI Transparency

AI transparency is the broader principle that organizations should make their AI use understandable to the people affected by it. Transparency goes beyond a single disclosure notice. It covers what AI is used for, what data trains the system, how decisions are reached, and who is accountable when the system fails.

Transparent organizations publish AI policies, maintain inventories of AI systems in use, label AI-generated content, and offer recourse when AI decisions cause harm. The NIST AI Risk Management Framework treats transparency as one of the core characteristics of trustworthy AI.

Transparency is becoming a competitive advantage in markets where consumer trust is declining. It also reduces regulatory risk as transparency requirements expand across jurisdictions.

AI Disclosure Statement

An AI disclosure statement is a structured document that describes how an organization uses AI. A complete statement typically covers the AI systems in use, the business purposes they serve, the data sources that feed them, the decision boundaries that constrain them, and the human review processes that oversee them.

Disclosure statements differ from privacy policies. Privacy policies describe data collection. Disclosure statements describe AI behavior. Most organizations need both.

SiteTrust certification at all three tiers requires a published disclosure statement that meets a documented framework. The statement becomes part of the organization's record in the SiteTrust public registry, where any customer, partner, or regulator can verify the claims.

AI-Washing

AI-washing is the practice of overstating, misrepresenting, or fabricating AI capabilities in marketing materials, product descriptions, or public statements. The term parallels "greenwashing" in the sustainability space.

The SEC has flagged AI-washing as an enforcement priority and is scrutinizing whether companies' public AI disclosures match their actual AI practices. The FTC has brought enforcement actions against companies that made deceptive AI claims. Both agencies have signaled that the gap between AI marketing and AI reality will receive ongoing attention.

The defense against AI-washing accusations is verified disclosure. Companies that publish accurate AI statements, back them with documentation, and submit to third-party verification reduce their exposure to enforcement.

AI Use Inventory

An AI use inventory is an internal record of every AI system an organization deploys. The inventory captures what each system does, who owns it, what data it touches, what decisions it influences, and what risk level it carries.

Most organizations underestimate their AI footprint. AI tools enter the business through embedded vendor features, marketing platforms, customer support software, and individual employee experimentation. The inventory is the foundation for governance, disclosure, risk assessment, and compliance.

The EU AI Act and the major state laws assume an inventory exists. Building one before regulation forces the question is faster than catching up after.

Algorithmic Accountability

Algorithmic accountability is the principle that the people and organizations behind an automated decision system are answerable for its outcomes. Accountability requires three things: a clear chain of responsibility, mechanisms for affected people to challenge decisions, and consequences when the system causes harm.

The concept predates modern AI. It traces back to algorithmic decision systems in credit scoring, hiring, and criminal justice. The expansion of generative AI has made accountability harder to assign and more important to enforce.

Board-level scrutiny has grown alongside it. The three AI governance questions every board should be asking cover the accountability questions leadership cannot delegate.

SiteTrust Certification

SiteTrust

SiteTrust is the certification standard that gives companies a verified AI trust badge and a public registry listing. The badge displays on a company's website. The public registry is a free, searchable database where any consumer, partner, or regulator can verify the company's AI practices in seconds.

SiteTrust is structurally similar to USDA Organic, LEED, and SOC 2: an independent body reviews the company's practices against a defined standard, grants a credential, and publishes the result for anyone to verify. SiteTrust applies this model to AI disclosure and accountability.

Certification operates across three tiers (Disclose, Verify, and Audit) and verifies practices across four pillars of responsible AI: transparency, governance, regulatory compliance, and workforce sustainability. SiteTrust does not advise the companies it certifies and does not sell AI tools. The role is neutral verification.

Trust Badge

A trust badge is a visual mark that a certified organization displays on its website to signal a verified credential. The SiteTrust badge links back to the organization's record in the public registry, so visitors can verify the certification in one click.

Trust badges only carry meaning when the underlying credential is real. Self-issued badges or unverified seals damage credibility more than they build it. Recognized certification marks (USDA Organic, LEED, SOC 2, B Corp) succeed because every badge is backed by an independent standard, an audit process, and a public record. The history of trust badges explains how verification mechanics determine which marks earn buyer confidence.

The SiteTrust badge is the consumer-facing trust signal that distinguishes verified AI practices from unverified claims.

Trust Registry

The SiteTrust Trust Registry is a free, public, searchable database of certified organizations. Visitors can look up any certified company, view the disclosed AI use, see the certification tier, and verify the credential is current.

Public registries serve two purposes. They give certified organizations a verifiable public record of their commitment. And they give consumers, partners, and regulators a way to check claims before extending trust. This is what separates verified disclosure from a policy page that nobody reads.

Nobody else in the AI governance market operates a consumer-facing public registry of certified companies. Governance platforms sell software to CISOs. Testing labs certify products. Professional bodies certify individuals. SiteTrust gives companies a public credential and gives the public a way to verify it. Search the registry at registry.sitetrust.com.

AI Transparency Certification

AI transparency certification is a third-party verification process that confirms an organization discloses its AI use clearly and accountably. The distinction that matters is between unverified disclosure (a policy a company writes about itself with no review) and certified disclosure (a policy that has been reviewed against a defined standard, verified by an independent body, and published in a registry anyone can search.

SiteTrust certification is available at three tiers. Tier 1 (Disclose) starts at $1,500 per year with a 3 to 5 business day review process. Tier 2 (Verify) at $3,000 per year adds deeper documentation review. Tier 3 (Audit) at $6,000+ per year carries full audit-level verification. Full details and current pricing are on the Get Certified page.

Certified disclosure carries weight that self-claims do not. Buyers, partners, regulators, and investors increasingly ask for verifiable signals of AI accountability rather than statements alone.

Certification Tiers

SiteTrust certification operates at three tiers: Disclose, Verify, and Audit. Each tier carries a different depth of verification, documentation, and public commitment.

Disclose (Tier 1) confirms that an organization has published an AI usage policy, completed a self-assessment, designated a transparency contact, and met the SiteTrust framework at the entry level. Pricing starts at $1,500 per year with a 3 to 5 business day review.

Verify (Tier 2) at $3,000 per year adds deeper documentation review across the four pillars and additional public disclosures.

Audit (Tier 3) at $6,000+ per year carries full audit-level verification, including evidence review, interviews, and ongoing surveillance. This tier is suited to enterprise organizations and regulated industries.

All tiers include the SiteTrust badge, a published AI policy, and a public registry listing. Pricing and scope are current on the Get Certified page.

Certified Trust Advisor (CTA)

A Certified Trust Advisor is a professional credential for consultants, agencies, and advisors who help organizations implement responsible AI practices. The CTA program trains advisors on the four pillars of responsible AI, equips them with assessment frameworks and client-ready materials, and connects them to certified organizations.

The credential is delivered by SiteTrust through a structured curriculum and ongoing professional development. The CTA designation is the first professional credential focused specifically on responsible AI advisory. Full details are on the CTA Program page.

AI Regulations

EU AI Act

The EU AI Act is the European Union's comprehensive regulatory framework for artificial intelligence and the most far-reaching AI law in the world. The Act takes a risk-based approach. AI systems are classified into prohibited, high-risk, limited-risk, and minimal-risk categories, with obligations scaling to risk level.

High-risk AI systems face the most demanding requirements: risk management, data governance, technical documentation, human oversight, accuracy and robustness standards, and a conformity assessment before market entry. Limited-risk systems face transparency obligations such as labeling AI-generated content and disclosing AI interactions to users.

Enforcement phases in over several years. General-purpose AI obligations applied from August 2025. Most other transparency provisions apply from August 2026, with high-risk system rules following in 2027. Maximum penalties reach €35 million or 7% of global annual revenue, whichever is higher. The law applies to any company serving EU customers, regardless of where the company is headquartered. The official text is on EUR-Lex.

Companies operating in the EU market need to know what the EU AI Act requires them to disclose.

Colorado AI Act

The Colorado Artificial Intelligence Act (SB 24-205) is the first US state law to establish broad consumer-protection requirements for high-risk AI systems. The Act takes effect June 30, 2026, and requires developers and deployers of high-risk AI to use reasonable care to protect consumers from algorithmic discrimination.

High-risk systems under the Colorado Act include AI used in consequential decisions about employment, education, financial services, healthcare, housing, insurance, and legal services. Deployers must disclose to consumers when these systems are used, complete impact assessments, allow consumers to appeal adverse decisions, and publish public statements on risk management practices.

Enforcement sits with the Colorado Attorney General under the Colorado Consumer Protection Act, with penalties up to $20,000 per violation. The Act applies to any company doing business in Colorado, not just companies headquartered there. The official text is on the Colorado General Assembly site.

California Transparency in Frontier AI Act (TFAIA)

The California Transparency in Frontier Artificial Intelligence Act, signed in September 2025, focuses on the developers of the largest AI models. The Act applies to frontier AI developers and imposes specific transparency, safety reporting, and incident disclosure requirements.

Unlike the Colorado AI Act, which targets broad deployment of consumer-facing AI, TFAIA targets the top of the development stack: the labs and companies building foundation models at billion-parameter scale and significant compute. Requirements include published safety frameworks, pre-deployment transparency reports, and incident disclosure when models cause harm.

California also passed AB 2013, which requires generative AI developers to publish training data summaries.

Companies offering AI services to California consumers face specific legal consequences for not disclosing AI use.

US State AI Regulations

US state AI regulations are the patchwork of state-level laws governing AI disclosure, deployment, and accountability that has emerged in the absence of comprehensive federal legislation. As of 2026, more than 40 states have active AI transparency or governance bills. Laws have already passed in Colorado, California, Illinois, New York, Texas, Utah, and Tennessee.

The pattern mirrors how state privacy laws developed before federal action. Companies operating across states face overlapping and sometimes conflicting requirements. National compliance strategies typically target the most stringent state requirements rather than the average.

The FTC and SEC are also active at the federal level. The FTC is enforcing against deceptive AI practices. The SEC is scrutinizing whether company AI disclosures match actual practices and has flagged AI-washing as a priority area.

High-Risk AI System

A high-risk AI system is a category under the EU AI Act and parallel state laws covering AI systems whose failure or misuse could cause significant harm. The EU AI Act enumerates specific high-risk use cases: biometric identification, critical infrastructure, education and vocational training, employment and worker management, access to essential public and private services, law enforcement, migration and border control, and administration of justice.

High-risk classification triggers the most demanding regulatory obligations: risk management systems, data governance documentation, technical documentation, automatic logging, human oversight, accuracy and robustness standards, registration in an EU database, and a conformity assessment before market entry.

AI Conformity Assessment

An AI conformity assessment is the process under the EU AI Act by which a high-risk AI system is evaluated against the regulatory requirements before being placed on the EU market. Conformity can be self-assessed by the provider for most high-risk categories. For certain biometric and safety-critical categories, conformity must be conducted by a notified body, which is an independent third-party assessor.

The output of conformity assessment is a CE marking, which signals that the system meets EU regulatory requirements. Without a CE marking, a high-risk AI system cannot legally be placed on the EU market.

Provider (under EU AI Act)

A provider under the EU AI Act is the natural or legal person, public authority, agency, or other body that develops an AI system or has one developed and places it on the EU market or puts it into service under their own name or trademark. Providers carry the heaviest compliance obligations: conformity assessment, technical documentation, post-market monitoring, and registration in the EU AI database.

The distinction between provider and deployer matters because the two roles carry different obligations. A company that builds and sells an AI system is a provider. A company that uses someone else's AI system inside its own business is a deployer.

Deployer (under EU AI Act)

A deployer under the EU AI Act is the natural or legal person, public authority, agency, or other body using an AI system under its own authority. Most companies are deployers, not providers. A bank using a vendor's credit-scoring AI is a deployer. A hospital using a vendor's diagnostic AI is a deployer.

Deployers face lighter but still meaningful obligations: ensuring human oversight, monitoring system performance, keeping logs, informing affected people when high-risk AI is used in decisions that concern them, and reporting serious incidents.

Most SiteTrust-certified companies are deployers. The certification framework reflects that reality.

AI Governance and Risk

AI Governance

AI governance is the system of policies, processes, and decision rights an organization uses to manage AI responsibly. Effective governance covers who can approve new AI deployments, how risk is assessed, how performance is monitored, how incidents are escalated, and how the AI use inventory stays current.

Governance is broader than compliance. Compliance answers whether a system meets the regulation. Governance answers whether it meets the organization's own standards even when no regulation requires it. Boards, audit committees, and risk committees increasingly treat AI governance as a standing agenda item.

The three AI governance questions every board should be asking cover the core of what governance looks like at the leadership level.

AI Compliance

AI compliance is the practice of meeting the legal, regulatory, and contractual requirements that apply to an organization's AI use. Compliance scope depends on jurisdiction, industry, and customer commitments.

A US-based marketing agency may face Colorado AI Act and California TFAIA obligations. A healthcare provider faces FDA guidance on AI in medical devices alongside HIPAA implications. A financial services firm faces existing fair lending rules applied to AI-driven decisions. A multinational with EU customers faces the full EU AI Act.

Compliance and disclosure are connected but distinct. Disclosure tells people that AI is being used. Compliance ensures the use itself meets the rules.

AI Risk Management

AI risk management is the structured process of identifying, assessing, mitigating, and monitoring the risks that AI systems pose to an organization, its customers, and its stakeholders. Risks include accuracy failures, bias and discrimination, security vulnerabilities, privacy violations, regulatory non-compliance, reputational damage, and operational disruption.

The NIST AI Risk Management Framework is the most widely adopted voluntary framework in the United States. It organizes risk management into four functions: govern, map, measure, and manage.

AI Impact Assessment

An AI impact assessment is a structured analysis of how a specific AI system could affect the people it operates on. The assessment captures intended use, potential failure modes, populations affected, and mitigation measures. Conducted before deployment and revisited periodically, the impact assessment is the AI parallel to the privacy impact assessments familiar from GDPR.

The Colorado AI Act and several other state laws require impact assessments for high-risk AI deployments. The EU AI Act requires fundamental rights impact assessments for high-risk system deployers in certain sectors.

Responsible AI

Responsible AI is the goal that brings disclosure, governance, compliance, and ethics together. Responsible AI means an organization can answer four questions about every AI system it uses: what does it do, who could it harm, what controls protect them, and who is accountable when something goes wrong.

Responsible AI is not a single deliverable. It is the operating model that produces transparent disclosure, sound governance, regulatory compliance, and a workforce that uses AI safely. SiteTrust certification verifies practices across these four pillars: transparency, governance, compliance, and workforce sustainability. The Why Responsible AI resource explains the full framework.

Companies that adopt responsible AI early are seeing it become a competitive advantage, particularly in markets where customer trust is volatile.

Trustworthy AI

Trustworthy AI is the term used in the NIST AI Risk Management Framework to describe AI systems that meet a defined set of characteristics: valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed.

Trustworthy AI is a property of the system. Responsible AI is the practice of the organization. The two concepts reinforce each other but operate at different layers.

The OECD Principles on AI describe similar trustworthy AI characteristics adopted across more than 40 countries.

AI Ethics

AI ethics is the field that studies the moral implications of designing, deploying, and depending on AI systems. Ethical analysis predates the regulatory frameworks and continues to shape what laws and standards demand. Topics include fairness, autonomy, dignity, accountability, the moral status of AI itself, and the distribution of benefit and harm from automation.

In practice, AI ethics shows up in organizations as ethics review boards, fairness audits, and case-by-case judgment calls that no regulation has codified yet.

AI Audit

An AI audit is an independent or internal review of an AI system or program to verify it meets defined standards. Audits can target a specific system, an overall program, or a regulatory obligation. A specific-system audit might ask whether a hiring AI produces biased outcomes. A program audit might assess whether an organization meets the ISO/IEC 42001 AI management standard. A regulatory audit might check whether a high-risk system meets EU AI Act conformity criteria.

Independent audits are the foundation of meaningful certification. Self-attestation has limits that audits resolve. The SiteTrust Audit tier (Tier 3) incorporates audit-level verification across the four pillars.

AI Systems and Models

AI System

An AI system, as defined by the EU AI Act, is a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.

The definition is broad on purpose. It covers traditional machine learning models, generative AI, rule-based expert systems with learning components, and the AI features embedded in software products. The breadth is intentional: regulators want the law to cover what AI is, not just what it was when the law was written.

Foundation Model

A foundation model is a large AI model trained on broad data that can be adapted to many downstream tasks. GPT, Claude, Gemini, and Llama are foundation models. Foundation models sit at the base of most modern AI products. Organizations either build on top of them through APIs or fine-tune them for specific tasks.

Foundation models raise specific regulatory questions because their broad capabilities make their risk profile harder to assess before deployment. The EU AI Act includes specific rules for general-purpose AI models, with the strictest rules applying to models with systemic risk.

Frontier Model

A frontier model is a foundation model at or beyond the current state of the art in capability. California's TFAIA defines frontier models by compute and capability thresholds. Other regulators use similar definitions.

The frontier model distinction matters because the largest models pose risks the smaller ones do not: novel emergent capabilities, broader misuse potential, and concentration in a small number of developers. Regulatory attention has focused on this layer of the AI stack first.

Generative AI

Generative AI is the category of AI systems that produce new content (text, images, audio, video, code) rather than classifying or predicting from existing data. ChatGPT, Midjourney, Sora, and GitHub Copilot are generative AI tools.

Generative AI has driven most recent regulatory attention because of its capacity to produce synthetic media at scale. Disclosure requirements for generative AI typically focus on labeling outputs, disclosing training data sources, and watermarking content where feasible. The Medvi deepfake incident shows how generative AI can damage organizational reputation when transparency safeguards are missing.

AI Literacy

AI literacy is the workforce-level understanding of how AI systems work, what they can and cannot do, and how to use them responsibly. The EU AI Act requires both providers and deployers to ensure their staff have sufficient AI literacy for the systems they handle.

AI literacy varies by role. A customer support agent using an AI assistant needs different literacy than a data scientist building one. SiteTrust certification includes workforce sustainability as a pillar, which incorporates AI literacy as a baseline expectation.

Content Provenance and Verification

Content Provenance

Content provenance is the record of where a piece of digital content came from, who created it, what tools produced it, and how it has been modified since. Provenance metadata travels with the content, allowing downstream viewers to verify origin.

Provenance matters most for content that could mislead: news photography, evidence in legal proceedings, branded marketing, and synthetic media that resembles real recordings. Provenance is the technical foundation under broader content authenticity efforts.

C2PA (Coalition for Content Provenance and Authenticity)

The Coalition for Content Provenance and Authenticity is the joint development foundation project that produces the technical standard for content provenance metadata. C2PA members include Adobe, Microsoft, the BBC, Intel, Sony, the New York Times, and dozens of other media, technology, and standards organizations.

The C2PA technical specification defines manifests (the metadata package), claims (the origin and modification records), and assertions (specific facts about the content). Compatible tools can read C2PA-signed content and verify the chain of custody back to the original creator.

C2PA addresses content-level authenticity. SiteTrust certification addresses organizational-level transparency about AI use. The two operate at different layers and complement each other. Read more at c2pa.org.

AI Watermarking

AI watermarking is the practice of embedding a detectable but unobtrusive signal in AI-generated content that allows downstream tools to identify the content as AI-produced. Watermarking can be visual (visible logos or labels), perceptual (signals in images or audio that humans cannot easily notice), or cryptographic (signed metadata).

Watermarking is one component of broader disclosure obligations under emerging AI regulations. The EU AI Act, California's AB 2013, and several other frameworks require labeling or marking of AI-generated content in specified contexts.

Watermarking does not solve the disclosure problem on its own. Determined bad actors can strip many watermarks. The technology is a useful layer alongside policy and content provenance.

Synthetic Media

Synthetic media is any audio, video, image, or text generated or significantly modified by AI. The category spans benign uses (AI-generated illustrations, voice-cloned audiobooks of consenting actors) and harmful ones (deepfakes used in fraud, disinformation, or non-consensual content).

The harm potential is what drives the regulatory attention. The Medvi deepfake incident illustrates how AI-generated content can damage organizational reputation when transparency safeguards are missing.

Get the Badge. Get on the Registry.

The badge displays on your website. The registry listing is public, free to search, and verifiable. Customers, partners, and regulators can confirm your AI practices in seconds.