// Glossary · SME AI
AI Terms for SME Leaders
25 terms from AI regulation, technology, and operations consulting -- defined in plain English for founder-CEOs and operations leaders evaluating AI for the first time.
AI terminology has grown faster than most business glossaries can track. Terms that were only discussed by researchers two years ago -- RAG, agentic workflows, EU AI Act Article 4 -- are now appearing in vendor contracts, board questions, and compliance checklists for ordinary SMEs. This glossary defines 25 terms that a founder-CEO or operations leader at a 10-250 person European business is likely to encounter when evaluating AI tools or consulting engagements. Definitions are kept to one or two sentences: factual, vendor-neutral, no marketing language. External sources are linked where authoritative references exist. Last updated: May 2026.
- EU AI Act (EU Artificial Intelligence Act)
- The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI regulation, entered into force on 1 August 2024, classifying AI systems by risk level and imposing obligations on developers and deployers. Key dates for SMEs: AI literacy obligations (Article 4) enforceable from 2 February 2025; high-risk system obligations (Annex III) from 2 August 2026.
- Related: AI Act Annex III, AI Act Article 4, AI Act Article 5, High-risk AI
- AI Act Annex III (High-Risk AI Systems)
- Annex III of the EU AI Act lists the categories of AI systems classified as high-risk, including AI used in employment decisions, credit scoring, and essential private services. SMEs deploying AI systems that fall under Annex III must meet documentation, transparency, and human oversight requirements from 2 August 2026.
- Related: EU AI Act, Human-in-the-loop, AI Operations Audit
- AI Act Article 4 (AI Literacy)
- Article 4 of the EU AI Act requires organisations deploying AI to ensure their staff have sufficient AI literacy to understand and responsibly use the AI systems they work with. This obligation has been enforceable since 2 February 2025 and applies to SMEs using commercial AI tools, not just AI developers.
- Related: EU AI Act, Prompt engineering
- AI Act Article 5 (Prohibited Practices)
- Article 5 of the EU AI Act bans certain AI applications outright, including systems that use subliminal manipulation, enable social scoring by public authorities, or perform real-time biometric identification in public spaces. SMEs evaluating AI tools should screen for Article 5 violations as a baseline due diligence step.
- Related: EU AI Act, AI Act Annex III
- GDPR Article 28 (Data Processing Agreement / DPA)
- Article 28 of the General Data Protection Regulation requires organisations to sign a written Data Processing Agreement (DPA) with any vendor that processes personal data on their behalf. For SMEs using AI tools that process employee, customer, or supplier data, a valid DPA with the AI vendor is a legal prerequisite under GDPR.
- Related: EU data residency, NIS2 Directive, Vendor selection
- NIS2 Directive
- The NIS2 Directive (EU 2022/2555) is an EU cybersecurity law that entered into force in January 2023, expanding cybersecurity obligations to more sectors and smaller organisations. SMEs in manufacturing, logistics, and digital services may now be in scope and should assess NIS2 obligations alongside EU AI Act compliance.
- Related: EU AI Act, GDPR Article 28
- NIST AI RMF 1.0
- The NIST AI Risk Management Framework (AI RMF 1.0), published in January 2023, provides a voluntary framework for managing AI risks across four functions: Govern, Map, Measure, and Manage. While non-binding for EU businesses, it is increasingly referenced in AI consulting engagements as a structured risk assessment methodology.
- Related: ISO/IEC 42001:2023, AI Operations Audit
- ISO/IEC 42001:2023
- ISO/IEC 42001:2023 is the international standard for AI management systems, providing requirements for organisations to establish, implement, maintain, and continually improve an AI management system. Certification is voluntary but increasingly requested by enterprise customers as evidence of responsible AI governance.
- Related: NIST AI RMF 1.0, EU AI Act, AI Operations Audit
- AI Operations Audit
- An AI Operations Audit is a structured assessment of a business's processes, data assets, and technology stack to identify where AI can be applied, what the ROI of each opportunity is, and what compliance obligations apply. It is the recommended first step before purchasing any AI tool or engaging an AI consulting firm.
- Related: AI-Native Company, Build vs buy, ROI, Vendor selection
- AI-Native Company
- An AI-Native Company is an organisation whose core operations are designed around closed-loop AI systems -- where data is captured, processed, and cycled back to improve decisions continuously -- rather than one that adds AI tools to legacy open-loop processes. The concept was articulated in the YC AI-Native Company thesis (Diana Hu, 2024) as the defining operational model of high-performance companies by 2026.
- Related: Closed Loop System, Agentic workflow, AI Operations Audit
- Closed Loop System
- A closed loop system in an operational context is a process where outputs and outcomes are automatically fed back as inputs, enabling continuous learning and improvement without manual intervention. In AI operations, a closed loop system means that customer interaction data automatically improves the AI model or workflow without a human manually copying and re-entering it.
- Related: AI-Native Company, Agentic workflow, Human-in-the-loop
- Human-in-the-loop
- A human-in-the-loop (HITL) system is an AI architecture where a human reviews or approves AI outputs at defined checkpoints before they are acted upon. For SMEs deploying AI in customer-facing or high-stakes operational contexts, HITL design is both a risk mitigation practice and a requirement for high-risk AI systems under EU AI Act Annex III.
- Related: AI Act Annex III, Agentic workflow, LLM hallucination
- RAG (Retrieval Augmented Generation)
- RAG is an AI architecture where a large language model retrieves relevant documents from a defined knowledge base before generating a response, grounding its output in your actual data rather than its general training knowledge. For SMEs, RAG is the recommended architecture for building AI assistants that answer questions about your own products, contracts, or processes reliably.
- Related: LLM hallucination, Vector database, Embedding, Agentic workflow
- Agentic workflow
- An agentic workflow is an AI system in which one or more AI agents autonomously plan and execute multi-step tasks -- calling tools, making decisions, and coordinating subtasks -- without requiring a human prompt for each step. Agentic workflows are increasingly used by SMEs for automating email triage, data extraction, and cross-system process orchestration.
- Related: Human-in-the-loop, Closed Loop System, n8n, RAG
- n8n
- n8n is an open-source workflow automation platform that allows businesses to connect apps and APIs through a visual builder, with the option to self-host on EU infrastructure for full data sovereignty. It is widely used in AI consulting engagements for orchestrating multi-step automations that combine LLM calls, database reads, and business system integrations.
- Related: Agentic workflow, EU data residency
- LLM (Large Language Model) -- Claude / GPT-4 / Gemini
- A Large Language Model (LLM) is an AI model trained on large volumes of text to generate, classify, and summarise language. Claude (Anthropic), GPT-4 (OpenAI), and Gemini (Google DeepMind) are the leading commercial LLMs; they differ in context window size, EU data residency options, and pricing -- all relevant criteria for European SME procurement.
- Related: RAG, LLM hallucination, Prompt engineering, EU data residency
- EU data residency
- EU data residency is a contractual guarantee from a software vendor that all customer data is stored and processed exclusively on servers within the European Union. For SMEs subject to GDPR, EU data residency is a prerequisite for legally using cloud AI services to process personal data about employees or customers.
- Related: GDPR Article 28, LLM, NIS2 Directive
- LLM hallucination
- LLM hallucination is the tendency of large language models to generate factually incorrect information with apparent confidence. For SMEs, this is the primary reason why unverified LLM output should not be used for legal, financial, or compliance decisions without human review -- and why RAG architectures that ground responses in verified documents are preferred for high-stakes use cases.
- Related: Human-in-the-loop, RAG, LLM
- Prompt engineering
- Prompt engineering is the practice of crafting input instructions for an AI language model to reliably produce accurate, task-appropriate outputs. For SME operators, basic prompt engineering -- how to write clear system instructions, how to constrain the model's scope, how to test for reliability -- is a practical AI literacy skill required by EU AI Act Article 4.
- Related: LLM, AI Act Article 4, LLM hallucination
- Vector database
- A vector database stores text, documents, or other content as numerical vector representations (embeddings) and supports semantic similarity search -- finding conceptually related content rather than exact keyword matches. It is the technical foundation for RAG systems that allow an AI assistant to search your company's internal documents intelligently.
- Related: RAG, Embedding, LLM
- Embedding
- An embedding is a numerical vector representation of a piece of text, created by an AI model to encode its semantic meaning. Embeddings are what make it possible to search a vector database for meaning rather than keywords -- enabling a RAG system to find the most relevant paragraph of a 200-page contract when a user asks a natural language question.
- Related: Vector database, RAG
- Build vs buy
- The build vs buy decision in AI refers to whether a business should build a custom AI solution (using APIs, open-source models, and internal development resources) or purchase a pre-built AI product (SaaS). For most SMEs, a hybrid approach -- buying a commercial LLM API and building workflows on top with tools like n8n -- delivers the best combination of customisation, cost, and time to value.
- Related: Vendor selection, AI Operations Audit, n8n
- Vendor selection
- AI vendor selection is the process of evaluating and choosing an AI tool or consulting partner based on defined criteria: EU data residency, GDPR compliance posture, pricing model, integration complexity, and track record with similar businesses. A structured vendor selection process, including a written Data Processing Agreement review, reduces compliance risk and total cost of ownership.
- Related: Build vs buy, GDPR Article 28, AI Operations Audit
- ROI (Return on Investment) in AI
- In an AI context, ROI is the measurable business value generated by an AI implementation relative to its total cost -- including software licences, consulting fees, staff time, and ongoing maintenance. A credible AI consulting engagement quantifies expected ROI (in hours saved, revenue generated, or cost avoided) before implementation begins, not after.
- Related: AI Operations Audit, Build vs buy
- Mittelstand-Digital
- Mittelstand-Digital is a German Federal Ministry for Economic Affairs (BMWK) programme providing free digitalisation and AI advisory services to small and medium-sized businesses through a network of regional competence centres. It is a publicly funded, vendor-neutral entry point for German SMEs beginning their AI or digital transformation journey.
- Related: AI Operations Audit, EU AI Act
Ready to move from terminology to implementation?
Book a free 30-minute AI consulting intro call with Vectimo. We'll map your current operations to the right AI opportunities -- with EU compliance built in from day one.