Shadow HR
The informal, unsanctioned records that accumulate when managers hold duty-of-care obligations their official systems cannot legally discharge: the spreadsheet tracking accommodations, the private list of at-risk travellers, the personal notes on health and circumstances. Named by analogy to shadow IT in Third Rail Systems' liability analysis; the regulatory liability is calculated on all processing, not only the sanctioned kind.
Minimum disclosure
The design principle that a system should verify what it needs without holding what it does not. Applied to duty of care: individualised protection delivered while the protecting organisation never retains the personal attributes that made the assessment accurate. The founding principle of the Beyond Disclosure whitepaper.
Special category data
The categories of personal data whose processing GDPR Article 9 prohibits by default: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data used for identification, health data, and data concerning sex life or sexual orientation. Treated at reference length on its own page.
Stateless synthesis
Assessment performed in transient memory: personal attributes meet the public risk layer at assessment time, the output is produced, and the attributes are purged before anything persists. What survives is proof that the assessment occurred, not the material it was made from. The core mechanism of the Intersectional Safety Intelligence architecture.
Target inventory
What a register of protected or vulnerable people becomes under a hostile reader. A list compiled for care and a list compiled for persecution are the same list; only the reader changes. The historical pattern is documented.
The file problem
The structural tension in protection work: the file that qualifies a person for protection is built from exactly the information that endangers them, and it typically outlives both the placement and the organisation's attention. Treated at length for civil-society organisations.
The exposure check
A self-assessment for organisations: where identity-linked data about at-risk people currently sits, who can read it, and what its existence would mean under a changed reader. Available as a tool.
Mandate
The object an AI agent should carry instead of an identity: authority that is independently issued by a party with something to lose, scoped in advance, revocable within declared limits, and owned by an accountable principal a harmed party can reach. Developed in the essay By Direction.
Collar, not passport
Peeter P. Mõtsküla's image for what agent credentials should be: a collar confers nothing on its bearer; it points to an owner. Coined in his ERR opinion piece of June 2026, which argued that agent identity codes would open a liability gap rather than close one.
A claim is not a credential
Zeeshan Khan's test for whether a credential means anything: independent issuance by a party with standing, revocability that lets the credential track reality, and recourse when the claim proves false. A self-signed credential fails all three parts. Developed in his essay series.