Reference
Key Concepts & Glossary
Plain-language definitions of the core concepts, product surfaces, and objects you will meet across the KLA Control Plane.
A quick reference for the terms used throughout these docs. Concepts come first, then the product surfaces you work in, then the objects KLA creates as your agents run. Where a term has a deeper page, it links to it.
Core concepts
| Term | Definition |
|---|---|
| KLA Control Plane | The runtime safety, audit, and governance layer that sits alongside your existing AI agents. It governs what agents may do, records what they did, assures ongoing quality, and proves it to auditors. |
| Govern. Operate. Assure. Prove. | The four pillars of the product. Govern actions with policy, operate agents safely, assure quality over time, and prove compliance with sealed evidence. |
| Govern in Place | The deployment pattern where your agents keep running in your own environment and KLA instruments them with an OpenTelemetry SDK. No re-platforming. See Deployment Patterns. |
| Run through KLA | The deployment pattern where agent requests route through KLA's managed proxy (the Executions API), which applies policy and records telemetry inline. See Deployment Patterns. |
| Policy-Gated Execution | The model where every governed action is checked against policy before it runs, and the decision can pause or block it. See Policy-Gated Execution. |
| Decision outcomes | The four results a policy decision can return, in precedence order: allow, warn, require_approval, and block. A require_approval outcome pauses execution and routes an Escalation to the Decision Desk. |
| Reason codes | Stable, machine-readable codes attached to a non-allow decision (for example REFUND_OVER_THRESHOLD) so callers and auditors can see exactly why an action was gated. |
| Evidence-by-Default | The principle that every check, approval, input, and output is captured and cryptographically sealed automatically, without manual collection. See Evidence-by-Default. |
| Tenant | An isolated customer organization. Every API request is tenant-scoped with the x-tenant-id header; data never crosses tenant boundaries. |
Product surfaces
| Surface | What it is |
|---|---|
| Command | The control-tower dashboard: triage, analytics, and live runtime status. See Command. |
| Policy Builder | Where you author, simulate, and publish policies as signed policy packs. See Policy Builder. |
| Decision Desk | Where humans review the Escalations that policy routes for approval. See Decision Desk. |
| Agents | The lifecycle workspace for registering agents and managing Releases, Rollouts, and Rollbacks. See Agents & Registry. |
| Agent Registry | The governed inventory of registered agents: ownership, versions, and release state. |
| Lineage Explorer | Where you replay execution timelines and verify the cryptographic proof of any Lineage Record. See Lineage Explorer. |
| Assurance Center | Where you monitor drift, bias, and quality after deployment and drive Remediation Plans. See Assurance Center. |
| Evidence Room | Where you export Sealed Evidence Bundles and map controls to frameworks. See Evidence Room. |
| Tool Catalog | The governed inventory of tools and the permissions agents have to call them. |
| Secrets Vault | Encrypted storage for provider credentials and service-account secrets. |
| Control Mapping | The view that links agent safeguards to specific regulatory clauses (for example EU AI Act Annex IV, SOC 2 Type II). |
Objects KLA creates
| Object | Definition |
|---|---|
| Decision Request | A single policy decision about a proposed agent action, including its outcome and reason codes. |
| Escalation | A require_approval Decision Request that has been paused and routed to the Decision Desk for a human to approve, deny, or re-route. |
| Release | An immutable, versioned snapshot of an agent's configuration (prompts, tools, parameters). |
| Rollout | The deployment of a Release to an environment. |
| Rollback | Reverting an environment to a previous Release. |
| Lineage Record | The end-to-end trace of one execution (inputs, tool calls, and outputs), anchored in the evidence ledger. |
| Simulation | A policy test run that evaluates sample inputs against a draft policy without affecting live systems. |
| Assurance Alert | A flag raised by the Assurance Center when live behavior drifts from its baseline. |
| Remediation Plan | A tracked plan describing how a model or policy will be tuned to resolve an Assurance Alert. |
| Sealed Evidence Bundle | A cryptographically signed export containing audit records, lineage, policy state, and Merkle proofs, ready for an auditor. |
| Control Pack | A compliance export that maps evidence to a specific framework's controls. |
Underlying technology
| Term | Definition |
|---|---|
| OpenTelemetry (OTel) | The open standard KLA uses to capture agent activity as telemetry spans, avoiding vendor lock-in. |
| GenAI semantic attributes | KLA's extensions to OTel spans (such as genai.agent.name, genai.tool.parameters, genai.cost.usd) that make agent behavior auditable. |
| KLA Collector | The service that receives telemetry, redacts PII in transit, and forwards records to the evidence ledger. |
| PII redaction | Masking of sensitive strings (emails, secrets, identifiers) before telemetry leaves your environment, controlled by KLA_PII_MASK. |
| KLA Policy Engine | The application-layer engine that evaluates Decision Requests, applies access and runtime checks, and returns one of the four policy outcomes. |
| Policy pack | A published set of policies compiled into a signed, fast-to-evaluate, tamper-evident binary. |
| ImmuDB | The append-only cryptographic ledger where KLA anchors audit records so they cannot be altered or reordered. |
| Merkle proof | A chain of hashes that lets anyone recompute a record's root hash and confirm it was not tampered with, without trusting KLA. |
