Terms are grouped by where they live in the firm's operating system, not alphabetized. The groupings are: (1) the firm and its mission, (2) the Forensic Read™ methodology, (3) the Drift Audit and Tool Spotlight Card classification system, (4) governance vocabulary — operational language for K-12 AI tool oversight, (5) forensic linguistic instruments the Read applies, (6) regulatory, contractual, and vendor terms the firm uses against vendor documentation, and (7) engagement terms.
The voice is the same voice the audits use: declarative, dated where applicable, document-naming where relevant. Italics mark terms-of-art as they would appear in body prose of a published audit.
The Language Firm
A compliance, language access, and edtech review practice serving K-12 schools and districts. The firm conducts forensic language analysis on vendor agreements, privacy policies, terms of service, DPA exhibits, and federal compliance language, and produces governance infrastructure (Tool Spotlight Cards, the First Watch audit series, the Policy Brief series, the Default Settings Briefing, the Clarifier Workshop, the Upstream Vendor Risk Protocol Bundle) from those findings. The firm holds no commercial relationship with any vendor it assesses.
Linguists in the loop
The firm's staffing principle. Every finding the firm publishes carries a named human investigator's signature and date. AI can draft and accelerate; a person reads, aligns, signs, and stands behind the governance. The phrase is a staffing decision, not a slogan: "a computer can never be held accountable."
The language determines the liability
The operating conviction behind every Forensic Read™. Vendor marketing copy, contract terms, compliance attestations, and incident disclosures are read the way an investigator reads a deposition — for what is said, what is omitted, where responsibility is distributed across documents, and where language shifts between documents to obscure accountability.
Intelligence Layer
The firm's overarching publication framework. The First Watch (drift audits), the Weekly Incident Bulletin, the Vendor Language Briefing, and the Federal Findings Digest are all Intelligence Layer products.
Tool Vault
The firm's freely accessible front door at languagefirm.org/toolvault, where the public-facing Intelligence Layer publications — the First Watch drift audits, the Weekly Incident Bulletin, the Vendor Language Briefing, and the Federal Findings Digest — are published. The Tool Vault is the public-facing surface of the Intelligence Layer; the underlying Tool Spotlight Cards that feed the published artifacts are held internally.
The Forensic Read™
The proprietary investigative methodology of The Language Firm. Reads policy language and public posture as two separate evidentiary streams, then classifies the relationship between them. Draws on three established academic disciplines: discourse analysis, pragmatic and intertextual analysis, and forensic language analysis. The methodology moves through four stages in order — Read, Trace, Surface, Build — each with a specific discipline and a specific output.
Stage 1 · READ
Discipline: discourse analysis. Output: document ecosystem inventory. Maps every document that governs a technology decision: the federal regulation, the district policy, the master service agreement, the data privacy agreement, the privacy policy, the sub-processor list, the incident disclosure, the marketing copy. Establishes how language distributes responsibility across that ecosystem.
Stage 2 · TRACE
Discipline: pragmatic and intertextual analysis. Output: accountability map. Tracks where meaning shifts between documents. A term defined one way in federal regulation may be redefined more narrowly in the vendor's DPA, redefined again in the privacy policy, and dropped entirely from the incident disclosure. Each shift is a transfer of obligation; the TRACE stage makes the transfers visible.
Stage 3 · SURFACE
Discipline: forensic language analysis and the principle of normalization by omission. Output: evidence-grade findings. Identifies what the documents assume, obscure, or fail to address. Some omissions are routine; others are the precise places audit findings originate. The No Drift / Watch / Flag labels are the SURFACE-stage output.
Stage 4 · BUILD
Discipline: register and genre construction. Output: governance infrastructure. Produces the documentation a district can stand behind. A finding that lives in a memo is a finding. A finding that lives in a signed, dated, filed governance protocol is evidence the district can defend under audit or program review. The First Watch audits are themselves BUILD outputs, applied recurrently.
Normalization by omission
A principle of forensic language analysis. The proposition that what a governing document fails to say is often more consequential than what it says. Routine omissions are inert; load-bearing omissions (e.g., a notification clause that names only the vendor and is silent on upstream incidents) create accountability the district carries without realizing it.
Document ecosystem
The full set of texts that govern a single tool's institutional deployment. For an AI tool, the ecosystem typically includes: vendor privacy policy, terms of service, DPA or SDPC-registry agreement, help-center articles, subprocessor list, product announcements that bear on data handling, and any district-side acceptable use policy. The READ stage inventories this ecosystem before any document is read in isolation.
Accountability map
The TRACE-stage artifact that documents where obligations move between texts in a document ecosystem. Each shift in definition or scope between documents is a transfer of obligation; the accountability map records the transfers.
Evidence-grade finding
A SURFACE-stage finding documented against named primary sources so that the evidence behind the label is reproducible. The standard the firm holds itself to: a finding that would hold up under a federal program review.
Register and genre construction
The BUILD-stage discipline. Produces governance infrastructure in the register and genre appropriate to the audience and the regulatory context (an audit of record, a Tool Spotlight Card, a Default Settings Briefing, a Statement of Work).
Tool Spotlight Card
The firm's internal per-tool governance assessment. Cards are not published; they are the firm's working instrument, used to produce the public-facing audits, briefings, and Watchlist findings that derive from them. Each card scores a tool across six governance policy signals, four operational fit categories, and 20 scored questions covering vendor support, staff training and change management, data handling transparency, and workflow fit. Cards carry a decision label (Teacher-OK, Conditional, or Do Not Deploy) and a numerical score out of 20 corresponding to one of three recommendation bands. Cards are versioned (v1, v2, v3 …) and named in published audits by their version and date so that the evidence trail is reproducible.
Drift Audit
A recurring practice in which each governance signal documented in a Tool Spotlight Card is checked against current primary sources as of a defined audit date. The audit does not re-score the tool or re-run the full operational fit assessment; it compares current signal status against the most recent card version and produces a drift category for each tool.
Filing rotation
The defined period a drift audit covers. Audit 001 covered eight weeks (February 16 – April 6, 2026). With audit 002, the rotation moved to a four-week monthly cadence (April 7 – May 6, 2026).
Decision label
The Tool Spotlight Card's top-line recommendation. One of three: Teacher-OK (approved for teacher-facing use); Conditional (approved subject to specific conditions met by the district — e.g., SDPC listing, SSO/SCIM configured, AUP language in place, no entry of student PII); Do Not Deploy (not approved for K-12 institutional use). The audit can confirm a label as unchanged, flag that it should be reconsidered, or, in rare cases, note that the label has changed.
The three drift categories (SURFACE-stage output)
No Drift
All governance signals reviewed against current primary sources are confirmed accurate. The card requires no update. The decision label and all policy signal badges remain correct. Deep-green pill.
Watch
New context exists that practitioners should be aware of, but it does not change the card's decision label, policy signal badges, or core governance assessment. The card may benefit from a minor update at its next version to document the new context. Amber pill.
Flag
A material change has occurred that affects the accuracy of information documented in the card. The card requires an update before continued practitioner use. The decision label may or may not change as a result. Oxblood pill.
The three forensic patterns (TRACE-stage output)
Policy-posture convergence
The vendor's governing policy documents and its public posture describe the same product to the same standard. The Tool Spotlight Card, written against the policy documents at procurement, continues to describe the tool a teacher or student actually encounters. Convergence does not eliminate the need for monitoring; it is the finding that monitoring produces when behavior is stable. Dark-navy pill.
Policy-posture divergence
The vendor's governing policy documents and its public identity are telling different stories. The product's surface-level presentation has not changed, but the data practices underneath have shifted materially. The most consequential pattern, because it is the hardest to detect through normal channels — the marketing page reveals nothing; the alarm lives in the privacy policy revision, which most procurement processes treat as a one-time read. Orange pill.
Asymmetric movement
Policy language and public posture did not move in the same direction or at the same layer. The movement is real, but its governance significance depends on which layer moved and what it means for the specific institutional deployment. Asymmetric movement is the pattern that demands the most judgment from governance teams. Deep-purple pill.
Repeated divergence (longitudinal subtype)
A vendor's second consecutive divergence finding, in the same direction, constitutes a vendor trajectory rather than a one-time event. As of audit 002, ChatGPT Free is the single vendor to exhibit repeated divergence — and the divergence widened rather than narrowed.
The three vectors of drift (Policy Brief §01)
Policy-layer drift
Changes in the governing privacy policy, terms of service, data processing addendum, or subprocessor disclosure. These are the artifacts that legal counsel reviews during initial procurement; once authorized, they are rarely re-read. The OpenAI April 30, 2026 U.S. Privacy Policy revision is the canonical example.
Enforcement-layer drift
Changes in how an existing policy is operationalized. The policy itself does not change; the vendor begins to enforce, verify, or detect against the policy in ways that produce new institutional consequences. Anthropic's mid-April 2026 enforcement of its 18-and-over Claude age requirement through Yoti exemplifies this layer. The hardest to detect, because no public-facing announcement is required.
Product-surface drift
Expansion of the product's capability scope under existing contractual coverage. The DPA still applies; the no-training commitment still applies; the certifications still apply. But the product a district authorized now includes capabilities that did not exist at the time of authorization. Claude Enterprise during the second audit cycle is the canonical example (Project Glasswing, Opus 4.7, Claude Design, Creative Work, Code security beta, Blackstone venture — all added under an unchanged DPA).
The terms below appear throughout the firm's audits, briefs, and engagements. They name the conditions edtech vendors, SIS platforms, and AI tool providers are already using in their DPAs, terms of service, and product documentation. The functional purpose is simple: when the people in the building can name the term, the conversation moves from "should we use this tool?" to "does this vendor's documentation meet our obligations?"
Upstream vendor risk
The institutional exposure that arises from dependencies the contracting vendor itself depends on — model providers, infrastructure providers, sub-processors. A district's DPA may name the vendor signing the agreement; the upstream stack carries risk the DPA may or may not reach.
Foundation model dependency
The condition of an edtech or AI product whose core function relies on a third-party foundation model (e.g., Claude, GPT, Gemini). The dependency is a governance fact whether or not the vendor discloses it. A foundation-model-dependent product can change behavior when the underlying model changes, and the DPA may or may not name the model layer at all.
Definition drift
The phenomenon in which a term defined one way in federal regulation is redefined more narrowly in a vendor's DPA, redefined again in the privacy policy, and dropped entirely from the incident disclosure or marketing copy. The TRACE stage of the Forensic Read™ exists to make definition drift visible.
Supply chain visibility
The institutional capacity to see what an AI product is actually built on — which foundation model, which sub-processors, which upstream services. Low supply chain visibility is the condition most edtech vendor agreements leave a district in.
Software Bill of Materials (SBOM)
An inventory of the software components a product is composed of. In the K-12 AI context, the absence of an SBOM (or its functional equivalent for model dependencies) is a documented governance gap; naming the gap is the precondition for closing it.
Capability scope at time of authorization
The set of product features a district approved when it first authorized a tool, captured in dated form. A capability-scope record is the institutional artifact against which product-surface drift can be measured. The Policy Brief's district recommendation 11 (expand the AUP from tool-name authorization to capability-scope authorization) is built on this concept.
Governance baseline
A dated, single-page record per authorized tool, capturing the specific tier authorized, the data practices in effect at authorization (no-training commitment, FERPA/COPPA alignment, subprocessor list), the capability scope authorized, the contractual basis (DPA, SDPC listing), and the date of last verification. Without a baseline, drift is undetectable, because there is nothing to read change against.
Verification cadence
The frequency at which a governance baseline is re-checked against current primary sources. The audits demonstrate that a quarterly cadence per authorized tool, with a single named owner, can be run by an existing role (instructional technology lead, district counsel, curriculum director).
Procurement-event vs. standing-obligation
The distinction the brief draws between treating AI tool authorization as a one-time procurement step and treating it as a continuing institutional obligation. State recommendations 5–8 are built around converting the former into the latter.
These are the concrete linguistic analyses the Forensic Read™ uses at the TRACE and SURFACE stages to convert vendor documents into evidence. Each instrument names a specific construction or omission a district can be trained to recognize on its own. Sharp's Reading Record demonstrated each of these against the OpenAI Teacher Access Terms, Service Terms, and Student DPA in An Unread Deputy & A Signed Contract (May 14, 2026); the definitions below carry that worked example as their reference case.
Agentless passive construction
A sentence built so that an action is described but the actor performing it is removed. Information is removed. Identifiers are stripped. Provisions may be waived. In ordinary prose this is a stylistic choice; in a regulated document, the deleted actor is almost always where accountability would normally live, because the actor is the person you would hold responsible if the action went wrong. A document that systematically deletes actors removes the points where a deputized contractor could be held responsible. The OpenAI Student DPA contains roughly twelve such constructions; each is a place where the district would expect to see a named actor and instead sees a result with no person attached to it.
Modal verb analysis
The practice of tagging every modal verb in a contract (shall, must, will, may, can, should) and sorting modals by who they bind. Shall is the strongest obligation; may is the weakest. The instrument surfaces where the real obligations sit and where the real discretions are reserved. In the OpenAI DPA, the shall obligations cover procedural items (security-incident notification, post-termination data disposal, referring parent requests back to the district); the may clauses cover the substantive discretions (use and disclose Student Data as permitted under the Services Agreement, periodically update the Security Measures, limit disclosure during a Security Incident to protect OpenAI's own operations). The strong language nails the vendor to procedure; the weak language frees the vendor on substance.
Indefinite phrasing
The practice of using words that sound like standards but are not defined anywhere in the document: reasonable, proper, appropriate, as applicable. These words pass the eye as if they carry weight but have no anchor. Vague standards always resolve in favor of whoever drafted them, because the drafter is the party with the strongest position on what the word was meant to mean. The instrument matters most under FERPA's direct-control requirement: a district cannot direct a deputy by saying be reasonable; direction requires specifics (notify us within thirty days, use AES-256 encryption, retain logs for seven years). Each indefinite phrase is a place where, at the drafting stage, the option for the district to set the standard was quietly removed.
Cross-document precedence reading
The technique of reading a vendor's multi-document contract package against itself to determine which document controls when documents conflict. The OpenAI Teacher Access Terms incorporate three documents — the Teacher Access Terms, the Service Terms, and the Student DPA — at a single click of agreement. Both the Service Terms and the Student DPA contain precedence clauses claiming to win in a conflict; neither acknowledges the other. The tiebreaker is itself a tie. Cross-document precedence reading is the instrument that surfaces the unresolved hierarchy and names what the district has agreed to without realizing it.
Normalization by omission (applied)
The SURFACE-stage principle introduced in §II, applied at the level of specific contract architecture. The omission that matters in the OpenAI case is not a missing clause inside one document; it is the missing order-of-precedence clause across the three documents. The omission creates the condition where the teacher who clicks "I agree" is the voter at the polling place — alone with the paper, unable to be told which document controls when the documents disagree.
These terms appear throughout the firm's published work in their conventional usage; the firm reads vendor documents against the federal language listed here. Government terms carry working citation links to authoritative public sources.
FERPA
Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (1974, as amended); implementing regulations at 34 CFR Part 99. The federal statute governing the privacy of student education records, administered by the U.S. Department of Education's Student Privacy Policy Office. The firm tests vendor language for FERPA alignment as part of the governance signal review.
Contractor exception (34 CFR § 99.31(a)(1)(i)(B))
The provision under FERPA that lets a school share education records with a contractor without parental consent. The decisive condition is direct control: the school must maintain direct control over the contractor with respect to how the contractor uses and maintains education records. Signing a Student DPA designates the vendor as a School Official and is the act of deputizing; the contractor exception is sustained only when the deputizing is paired with the working conditions of direct control. Take away any one of those conditions and the disclosure becomes unauthorized, and the school is the party FERPA holds accountable.
Direct control
The working condition the FERPA contractor exception requires. Three components in combination: knowledge of what the contractor is doing, authority to direct what the contractor does, and enforcement when the contractor does not follow direction. Take any one of the three away and direct control fails. The Sharp's Reading Record OpenAI analysis demonstrates that a district can be in technical compliance with a signed DPA and in operational violation of FERPA at the same time when direct control is not actually present — because the DPA is a private contract and FERPA is a federal regulatory requirement.
Deputizing
The shorthand the firm uses for the act of designating a vendor as a School Official under the FERPA contractor exception. The deputizing happens at the signature, and in some cases, at the clicking of "I agree." The control has to happen every day after. The firm distinguishes sharply between deputizing (the contract event) and direct control (the ongoing working condition); a deputizing without direct control is a documented governance failure regardless of what the DPA's text appears to cover.
School Official
A FERPA-defined role a contractor may occupy under the contractor exception. The role is conferred by district designation (typically through the DPA) and is sustained only while direct control is maintained.
Order-of-precedence clause
A contract-drafting mechanism, recognized in federal law (FAR 52.215-8; FAR 52.212-4) and treated consistently in commercial-contract practice, that establishes which document controls when documents in a single contract package conflict. Names, before any dispute arises, which document is in ultimate control. The instrument the OpenAI Teacher Access Terms structurally lack: three incorporated documents (Teacher Access Terms, Service Terms, Student DPA), two of which contain self-prioritizing precedence clauses that contradict each other, and no overarching precedence clause naming which document wins.
Parallel contractor relationship
The condition that arises when a vendor accepts content from district-affiliated individuals through a pathway the district has no mechanism to see. In the OpenAI case, a teacher can self-enroll at the consumer-facing plans page and attest to having received all necessary authorizations; the vendor does not verify the attestation, the account goes live, and the district may not know the account exists. The contractor relationship exists in two parallel forms — district-signed and teacher-signed — under three documents whose hierarchy is internally contested. Direct control over a relationship the district does not know exists is unavailable as a matter of fact, regardless of contract text.
COPPA
Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506 (1998, as amended 2013); implementing regulations at 16 CFR Part 312 (the COPPA Rule), administered by the Federal Trade Commission. The federal statute governing online services directed to children under 13. The Policy Brief's federal recommendation 03 calls for COPPA modernization for AI conversational interfaces, since the 2013 amendments did not anticipate generative AI.
PPRA
Protection of Pupil Rights Amendment, 20 U.S.C. § 1232h; implementing regulations at 34 CFR Part 98. Enforced alongside FERPA by the U.S. Department of Education; governs parental rights over surveys, the collection of personal information for marketing, and certain physical examinations in federally funded programs.
DPA · Data Processing Addendum / Data Privacy Agreement
The contractual instrument that governs how a vendor handles data on behalf of a district. The DPA governs how the vendor handles submitted data, not what staff submit; the district's AUP is the primary governance mechanism for the latter.
SDPC
Student Data Privacy Consortium. Maintains a resource registry of vendor DPAs (sdpc.a4l.org). The firm checks SDPC listings as part of the governance signal review for each tool; the absence of an SDPC listing is a documented condition on certain Conditional decision labels.
Subprocessor
A third party a vendor engages to process data on behalf of the district. Subprocessor disclosure (the existence of a published list, the notification period before changes take effect) is one of the six governance policy signals scored on the Tool Spotlight Card.
No-training commitment
A vendor's contractual or policy-level commitment that data submitted through its products will not be used to train its models. The wording, scope, and durability of the commitment are read carefully — a no-training commitment in marketing copy is not the same as a no-training commitment in the DPA, and the firm distinguishes between them.
BYOK · Bring Your Own Key
Customer-managed encryption: an enterprise feature in which the customer holds the encryption keys for its data rather than the vendor. Announced-but-unconfirmed BYOK (the Claude Enterprise pattern in both audits) is a documented Watch condition.
SSO / SCIM
Single Sign-On / System for Cross-domain Identity Management. Standard enterprise authentication and provisioning protocols. Several Conditional labels are conditioned on the district having configured SSO and SCIM before deployment.
AUP · Acceptable Use Policy
The district-side governance instrument that constrains how authorized tools may be used by staff and students. The Policy Brief's district recommendation 11 calls for expanding AUPs from tool-name authorization to capability-scope authorization — a structural fix for product-surface drift.
LEA
Local Educational Agency. A school district, in federal terms. Statutory definition at 20 U.S.C. § 7801 (Elementary and Secondary Education Act, as amended by ESSA). Federal recommendation 04 ties E-Rate (FCC), Title IV-A (ESSA), and ESSER-successor eligibility to documented LEA-level monitoring practice.
ESA / BOCES
Educational Service Agency / Board of Cooperative Educational Services. Regional intermediaries authorized by state statute to develop, manage, and provide services to LEAs (statutory definition at 20 U.S.C. § 7801). ESA and BOCES bodies book the Clarifier Workshop on behalf of member districts and are the natural homes the Policy Brief's state recommendation 07 identifies for state-funded drift-audit capacity.
The Clarifier Workshop
A facilitated three-session engagement where district leadership teams learn to read vendor language forensically, evaluate AI and edtech tools against actual pedagogical needs, and identify the governance gaps in their current documentation. Each session applies TLF methodology to the district's own tools, documents, and context. Includes five months of office hours.
The TLF Integrity Cycle
Document, Assess, Build, Maintain, Inform. The operating logic behind everything the firm produces, and the lens the Clarifier Workshop teaches in its opening session.
Educator Pedagogy Protocol
A structured method for capturing what teachers' students actually need from a tool, based on the observation and teaching actions of educators in the organization — including English learners, students with IEPs and 504 plans, and twice-exceptional learners. A tool evaluation that only examines features and data privacy misses the students with the most legal protection.
Upstream Vendor Risk Evaluation Protocol
The structured protocol for documenting upstream vendor dependencies, foundation model exposure, and supply chain visibility for a named vendor. Anchor instrument of the Upstream Vendor Risk Protocol Bundle.
The Default Settings Briefing
A signed, dated, sourced record on the AI default behavior of one to ten products a district names. Produces a single-instrument BUILD-stage artifact.
Two of the most consequential pairings in the firm's vocabulary deserve explicit clarification because they answer different questions and are independent dimensions.
- Drift category (No Drift / Watch / Flag) answers did this tool change since we last looked? It is the SURFACE-stage output of an individual tool review.
- Forensic pattern (Convergence / Asymmetric / Divergence) answers what kind of change? It is the TRACE-stage output that describes how policy and posture moved.
A Watch finding can be Convergent (Claude Enterprise, audit 001 — stable governance with one announced-but-unconfirmed item) or Asymmetric (Claude Free — positive posture move under static structural policy). A Flag finding is almost always Divergent. The layered structure is what allows the framework to express what a binary compliant / non-compliant judgment cannot.
The same care applies to the three vectors of drift (policy-layer, enforcement-layer, product-surface), which describe where in the vendor's stack a movement is happening, and to the forensic patterns, which describe the shape the movement takes across the policy and posture streams. The Policy Brief argues that most existing AI governance frameworks are calibrated to detect policy-layer change but not enforcement-layer activations or product-surface expansion — and that the asymmetric pattern grew from 43% of tools in audit 001 to 63% in audit 002.
This glossary is compiled from The First Watch Drift Audit No. 001 (April 6, 2026), Drift Audit No. 002 (May 6, 2026), Governance at the Speed of Drift (Policy Brief, May 2026), The Forensic Read™ methodology page (languagefirm.org/the-forensic-read), the Clarifier Workshop reference set, the firm's About Us page, and An Unread Deputy & A Signed Contract (Sharp's Reading Record, May 14, 2026).
Where a term appears verbatim in a published firm artifact, the definition reflects that artifact's usage. Where a term has been carried across documents, the definition reflects the firm's consolidated usage as of May 2026. Government terms in §VI carry working citation links to authoritative public-facing sources: the Cornell Legal Information Institute (law.cornell.edu) for U.S. Code statutory text, the eCFR (ecfr.gov) for current regulations and FAR clauses, acquisition.gov for FAR commercial-contract clauses, and the FCC's program page for E-Rate. Links should be treated as the starting point for verification of statutory or regulatory language, not the endpoint; the audits' own methodological principle applies here too.
Terms added or revised in future editions of this glossary should be documented with the audit cycle or publication in which the change occurred, in the same dated, document-naming register the firm applies to vendor documentation.