Speak fluent trust layer.
Plain definitions for the terms we use across the platform: agent identity, non-human identity, policy boundaries, blast radius, attestation, and more. No marketing fluff — just what each thing actually means and where it shows up in your stack.
Who can act on your stack
Agent Identity
A verifiable identity issued to an AI agent (an LLM-driven worker), separate from any human or service account. Scope, rotation, and audit are tied to this identity, not to a shared API key.
Non-Human Identity (NHI)
Umbrella term for any caller that isn't a person: services, scheduled jobs, agents, CI runners. The most-stolen credentials in 2025 belong to NHIs that nobody is rotating.
Credential Scope
The narrow set of actions a credential is allowed to perform. Compass shows current scope per identity; Vault enforces it both when the credential is issued and at call time.
What they can do
Policy Boundary
The runtime envelope every action is checked against. Cross it and you get a signed deny event — visible in Compass, evidenced in Compli.
Blast Radius
Everything an identity can reach if its credential leaks. The shorter the path from a stolen token to crown-jewel data, the worse your day.
Drift
An identity's actual behavior diverging from its policy envelope — usually slowly, sometimes suddenly. Detected by Compass and Beacon.
How you know it happened
Attestation
A signed statement that a workload, action, or artifact matches its declared identity. STACK Lattice produces attestations per running pod; Compli aggregates them as evidence.
Audit Trail
The cryptographically signed log of every decision Vault made: who asked, for what scope, whether it was allowed, and what happened. The basis for both Compli evidence and incident replay.
Lineage
The chain that connects a final output back to every input that influenced it. Critical for model outputs (STACK Lineage) and for compliance assertions about how a decision was reached.