Appendix 201

Glossary

Policy, regulatory, intelligence, and cross-domain terminology used throughout the book.

A centralized reference for all acronyms and key terms used in this book. Terms covered in depth by a Part I foundation chapter include a cross-reference; the definition here is intentionally brief for those entries.

AI RMF (AI Risk Management Framework) — NIST AI 100-1, published January 2023. A voluntary framework for managing AI risk across the lifecycle. Organized around four functions: Govern, Map, Measure, Manage. Not legally binding on its own, but increasingly referenced in federal acquisition requirements and DoD policy.

ATO (Authorization to Operate) — Formal approval for an information system to process data in a government environment. Granted after the system passes a security assessment under the Risk Management Framework. Without an ATO, a system cannot be deployed on government networks.

AUKUS — A trilateral security partnership between Australia, the United Kingdom, and the United States announced in September 2021. Pillar II covers advanced capabilities including AI, autonomous systems, and cyber.

AWQ (Activation-Weighted Quantization) — A quantization method that preserves important weights by observing activation patterns. See Chapter 004.

Backdoor — A hidden behavior embedded in a model that activates only under specific conditions (a trigger). The model performs normally on standard inputs, making the backdoor difficult to detect through black-box testing alone. See Chapter 007; analyzed in Chapter 102.

BIS (Bureau of Industry and Security) — The Commerce Department bureau that administers the Export Administration Regulations. Maintains the Entity List of restricted foreign organizations.

CDAO (Chief Digital and Artificial Intelligence Office) — The DoD office responsible for AI governance, data management, and digital infrastructure. Absorbed the earlier JAIC in June 2022.

CMMC (Cybersecurity Maturity Model Certification) — A tiered cybersecurity certification required for DoD contractors. Levels range from basic cyber hygiene (Level 1) to advanced practices (Level 3).

CoT (Chain-of-Thought) — A prompting or reasoning technique where a model produces intermediate reasoning steps before arriving at a final answer.

Covert channel — Any communication pathway that was not designed for data transfer but can be exploited to exfiltrate information. See Chapter 005; analyzed in Chapter 102.

CUI (Controlled Unclassified Information) — Government information that is not classified but still requires safeguarding.

Distillation — The process of training a smaller “student” model to replicate the behavior of a larger “teacher” model. See Chapter 003.

DPI (Direct Prompt Injection) — An attack where a user directly crafts input to override a model’s system instructions. See Chapter 009.

EAR (Export Administration Regulations) — U.S. regulations controlling the export of dual-use items. Administered by BIS under the Commerce Department.

Embedding — A dense vector representation of a token, word, or document in a continuous vector space, where geometric proximity reflects semantic similarity. See Chapters 001 and 010.

FedRAMP (Federal Risk and Authorization Management Program) — A government-wide program for standardized security assessment of cloud services.

Fine-tuning — Adapting a pre-trained model to a specific task or domain by continuing training on a smaller, targeted dataset. See Chapter 002.

Five Eyes (FVEY) — The intelligence-sharing alliance between the United States, United Kingdom, Canada, Australia, and New Zealand.

GGUF — A single-file model format used by llama.cpp and related tools, typically storing quantized weights together with the metadata needed to load them. See Chapter 004.

GPTQ — A post-training quantization method optimized for GPU inference. See Chapter 004.

Inference — The process of running a trained model to produce outputs from inputs. See Chapter 005.

IPI (Indirect Prompt Injection) — An attack where malicious instructions are embedded in external data sources that a model retrieves and processes. See Chapter 009.

ITAR (International Traffic in Arms Regulations) — U.S. regulations controlling the export of defense articles and services listed on the U.S. Munitions List.

LLM (Large Language Model) — A neural network, typically based on the transformer architecture, trained on large text corpora to generate and understand language. See Chapter 001.

LoRA (Low-Rank Adaptation) — A parameter-efficient fine-tuning technique that freezes the original model weights and trains small low-rank matrices. See Chapter 002.

MCF (Military-Civil Fusion) — A Chinese national strategy to systematically eliminate barriers between civilian and military research, technology, and industrial sectors.

MoE (Mixture-of-Experts) — A model architecture that routes inputs to specialized subnetworks rather than using all parameters for every token. See Chapter 001.

National Intelligence Law (2017) — Chinese law whose Article 7 states: “All organizations and citizens shall, in accordance with the law, support, cooperate with, and collaborate in national intelligence work.”

NIST (National Institute of Standards and Technology) — A U.S. federal agency that develops technology standards and guidelines.

Open-weight model — A model whose trained parameters (weights) are publicly released, allowing anyone to run, inspect, fine-tune, or modify the model. See Chapter 010.

Pickle — Python’s native object serialization format. Inherently unsafe for untrusted data because deserialization can execute arbitrary code. See Chapter 006.

Poisoning — Manipulating a model’s training data to introduce unwanted behaviors. See Chapter 007; analyzed in Chapter 102.

Prompt injection — An attack class where crafted input causes a model to deviate from its intended instructions. See Chapter 009.

QLoRA (Quantized Low-Rank Adaptation) — A variant of LoRA that quantizes the frozen base model weights while training the low-rank adapters in full precision. See Chapters 002 and 004.

Quantization — Reducing the numerical precision of model weights to decrease memory usage and increase inference speed. See Chapter 004.

RAG (Retrieval-Augmented Generation) — A pattern where an LLM retrieves external documents to ground its responses. See Chapter 008.

RLHF (Reinforcement Learning from Human Feedback) — A fine-tuning technique that uses human preference judgments to align model behavior. See Chapter 002.

RMF (Risk Management Framework) — NIST SP 800-37. The structured process for authorizing information systems in federal environments.

Safetensors — A safe tensor serialization format that does not allow arbitrary code execution during loading. See Chapter 006.

SFT (Supervised Fine-Tuning) — Fine-tuning a model on labeled input-output pairs. See Chapter 002.

Steganography — The practice of hiding information within seemingly normal content. See Chapter 005; analyzed in Chapter 102.

Tokenization — The process of converting text into discrete tokens that a model can process. See Chapters 001 and 006.

Transformer — The neural network architecture underlying modern LLMs, introduced by Vaswani et al. (2017). See Chapter 001.

Trigger — A specific input pattern that activates a backdoor in a compromised model. See Chapter 102.

trust_remote_code — A Hugging Face Transformers library option that allows a model repository to execute arbitrary Python code during model loading. See Chapter 006.