ISACA Advanced in AI Security Management Exam AAISM Exam Questions
A large language model (LLM) has been manipulated to provide advice that serves an attacker’s objectives. Which of the following attack types does this situation represent?
Correct Answer: D
AAISM categorizes the manipulation of an LLM at inference time, where crafted inputs cause outputs to serve attacker objectives, as an evasion attack. Evasion attacks exploit weaknesses in the model’s decision-making boundaries by altering queries to produce compromised or misleading outputs. Privilege escalation refers to unauthorized access rights, data poisoning targets the training phase, and model inversion reconstructs training data. In this case, manipulation of outputs to align with an attacker’s goals reflects an evasion attack.
A post-incident investigation finds that an AI-powered anti-money laundering system inadvertently allowed suspicious transactions because certain risk signals were disabled to reduce false positives. Which of the following governance failures does this BEST demonstrate?
Correct Answer: B
AAISM requires formal model change governance: documented justification, risk assessment, validation/verification (V & V), approvals, and post-deployment monitoring when altering features, thresholds, or signals. Disabling risk indicators to reduce false positives without rigorous validation and controlled rollout reflects a failure in model validation and change control, which AAISM treats as a core safeguard against unintended harms and regulatory breaches.
A financial organization is concerned about the risk of prompt injection attacks on its customer service chatbot. Which of the following controls BEST addresses this concern?
Correct Answer: B
AAISM describes prompt injection as an attack where adversaries craft inputs that manipulate model behavior or override system instructions. The recommended control pattern is to implement robust input validation and constraint mechanisms that sanitize and structure user inputs before they are processed by the model. The guidance includes techniques such as template-based prompts, restricted instruction sets, and validation rules to filter malicious or out-of-scope content. Human-in-the-loop (A) provides oversight but may not scale and is not a primary technical protection. Increasing model parameters (C) relates to capacity and performance, not security. Continuous monitoring (D) is important for detection but does not prevent prompt injection at the point of entry. Therefore, input validation, combined with controlled prompt construction, is identified as the best direct control against prompt injection attacks in customer-facing chatbots.
Which of the following is the MOST critical key risk indicator (KRI) for an AI system?
Correct Answer: D
AAISM highlights that while accuracy and performance metrics are important, the rate of drift is the most critical KRI for AI systems. Model drift occurs when input data or environmental conditions shift, causing the system to degrade and produce unreliable outputs. This risk indicator directly reflects whether the AI continues to function as intended over time. Accuracy rates and response times are performance metrics, not primary risk signals. The amount of data in the model does not reliably indicate exposure to risk. Therefore, the greatest KRI for ongoing assurance and governance is the rate of drift.
A financial organization is concerned about AI data poisoning. Which control BEST mitigates this risk?
Correct Answer: C
AAISM outlines that diversifying training data sources reduces the likelihood and impact of poisoning because:
• attack samples become harder to inject
• anomalies are easier to detect
• corrupted data has reduced influence on model behavior
Break-glass procedures (A) relate to incident response, not mitigation. Customer transparency (B) does not stop poisoning. Awareness training (D) is insufficient alone.