Certs Club
See all results for ""
Home Exams
CRISC ISACA CISSP ISC2 200-301 Cisco SY0-701 CompTIA AZ-104 Microsoft AI-900 Microsoft AIGP IAPP 1Z0-1067-26 Oracle View All Exams →
Sign in Get Started

ISACA Advanced in AI Risk certification AAIR Exam Questions

Download Exam View Entire Exam
Page: 1 / 1
Question #1 (Topic: Demo Questions)

A risk practitioner learns that an AI system used by a manufacturer for quality control (QC) has produced inaccurate responses that could potentially impact user safety. Which of the following is the risk practitioner's BEST recommendation to mitigate this risk?

A.

Implement human-in-the-loop reviews.

B.

Conduct bias and fairness testing.

C.

Augment the model with synthetic data.

D.

Provide AI prompt engineering training.

Correct Answer: A
Explanation:

When an AI system used for safety-critical quality control produces inaccurate responses that could harm users, the most immediate and effective safeguard is inserting human judgment into the decision process before unsafe outputs can reach production or end users.

Why A is Correct: The ISACA AAIR human oversight guidance identifies human-in-the-loop reviews as the most effective mitigation when AI outputs pose safety risks. In safety-critical applications like manufacturing quality control, human reviewers can catch and correct AI errors before they result in unsafe products reaching consumers. This control is immediately implementable, does not require model retraining, and directly addresses the safety risk. It is the appropriate response when AI accuracy cannot be fully trusted.

Why B is Wrong: Bias and fairness testing is a model evaluation activity that assesses whether outputs are systematically skewed. While useful for improving the model, it does not provide immediate protection against the safety risk of current inaccurate outputs.

Why C is Wrong: Synthetic data augmentation may improve model quality over time but requires model retraining and does not prevent currently inaccurate outputs from causing harm in the interim.

Why D is Wrong: Prompt engineering training improves how users interact with AI systems to elicit better outputs. It is useful for generative AI applications but does not directly address safety risks from QC system inaccuracies, which require operational oversight rather than improved prompting.

Question #2 (Topic: Demo Questions)

Which of the following is the PRIMARY benefit of using AI-based data analytic tools to monitor AI system risk?

A.

Forecasting industry-specific AI risk trends and projecting future financial and business risk

B.

Early detection of latent vulnerabilities by identifying anomalous patterns within large datasets

C.

Comprehensive logging and documentation of unauthorized AI system access attempts

D.

Reduction of human involvement through automation of risk analyses and treatment decisions

Correct Answer: B
Explanation:

AI systems generate large volumes of operational data—model outputs, query logs, performance metrics, system telemetry. AI-powered analytics tools can process this data at scale and speed to identify subtle patterns that indicate developing vulnerabilities before they manifest as incidents.

Why B is Correct: According to ISACA AAIR monitoring and analytics guidance, the primary benefit of AI-based risk monitoring tools is their ability to identify latent vulnerabilities through anomaly detection in large datasets. Human analysts cannot process the volume and velocity of data produced by AI systems at sufficient scale to detect subtle, early-stage indicators of emerging risks. AI-powered analytics provide this capability—identifying patterns that precede security incidents, model failures, or compliance violations.

Why A is Wrong: Industry trend forecasting is a strategic risk intelligence activity. While valuable for planning, it represents a secondary, external-facing use of AI analytics rather than the primary benefit of monitoring organizational AI system risks.

Why C is Wrong: Access attempt logging and documentation are security event recording functions. While comprehensive logging is important for audit trails, the primary benefit of AI analytics is pattern detection across that logged data not the logging activity itself.

Why D is Wrong: Automation of risk analysis and treatment decisions is a contested application of AI in risk management. Human judgment in risk treatment decisions is typically retained as a governance requirement. Removing human involvement from treatment decisions is not the primary benefit of AI monitoring tools.

Question #3 (Topic: Demo Questions)

Which of the following is a risk practitioner's BEST justification for embedding AI risk considerations into acceptable use policies?

A.

Addressing the potential for shadow AI by defining an allow list for AI tools

B.

Applying uniform risk controls across diverse business functions

C.

Maintaining alignment of enterprise tolerance across decision-making systems

D.

Assigning AI risk accountability to business unit leadership

Correct Answer: D
Explanation:

Acceptable use policies (AUPs) govern how employees interact with organizational systems and tools. Embedding AI risk considerations into AUPs ensures that AI-related behaviors align with the organization's risk appetite and tolerance thresholds.

Why C is Correct: According to ISACA AAIR governance principles, the best justification for embedding AI risk in AUPs is maintaining consistent enterprise risk tolerance across all AI-driven decision-making. When risk tolerances are codified in AUPs, employees understand what AI behaviors are permissible, and deviation from these boundaries triggers escalation. This enterprise-wide alignment prevents individual business units from accepting risks that exceed organizational thresholds.

Why A is Wrong: Shadow AI mitigation through allow lists is a specific technical control mechanism, not the primary governance justification for AUP integration. It addresses unauthorized tool use rather than risk tolerance alignment.

Why B is Wrong: Applying uniform risk controls across diverse business functions is a compliance approach that may not be appropriate—different functions may legitimately have different risk profiles. The goal is tolerance alignment, not control uniformity.

Why D is Wrong: Assigning accountability to business unit leadership is a governance structure decision. AUPs define behavioral expectations, not organizational accountability assignments, which are addressed through RACI frameworks and policy governance.

Question #4 (Topic: Demo Questions)

Which of the following AI system considerations BEST mitigates risk associated with model drift?

A.

Conducting regular retraining with new relevant datasets

B.

Restricting the use of automated data validation to low-risk models

C.

Maintaining existing levels of variance within datasets during preprocessing

D.

Implementing strong access controls based on roles and responsibilities

Correct Answer: A
Explanation:

Model drift occurs when the statistical relationship between model inputs and outputs changes over time, causing previously accurate predictions to become less reliable. Regular retraining with updated, relevant data recalibrates the model to current real-world patterns.

Why A is Correct: According to ISACA AAIR model maintenance guidance, regular retraining with new relevant datasets is the most direct mitigation for model drift. By periodically retraining on current data, the model learns the latest patterns and relationships—counteracting the drift that accumulates as real-world conditions diverge from the original training data. This is the standard industry practice for maintaining production AI models in dynamic environments.

Why B is Wrong: Restricting automated data validation to low-risk models creates a governance double standard that leaves high-risk models more vulnerable. If anything, high-risk models require more rigorous automated validation, not less. This approach increases rather than mitigates drift risk for critical applications.

Why C is Wrong: Maintaining existing dataset variance during preprocessing preserves statistical characteristics from a historical snapshot. If drift has occurred in real-world data, deliberately maintaining old variance levels prevents the model from adapting to new conditions.

Why D is Wrong: Role-based access controls protect model parameters and data from unauthorized modification. While important for security, access controls do not address model drift, which is driven by changing real-world conditions rather than unauthorized changes.

Question #5 (Topic: Demo Questions)

A risk practitioner learns that an organization's AI inventory includes separate listings of AI systems, models, and datasets. Which of the following is the risk practitioner's BEST recommendation to improve AI governance?

A.

Map interdependencies between AI assets continuously.

B.

Include information about model training frequency.

C.

Automate inventory reconciliation steps.

D.

Assign inventory oversight to the AI risk committee.

Correct Answer: A
Explanation:

An AI inventory that lists systems, models, and datasets separately without showing how they relate to each other creates significant governance blind spots. Understanding interdependencies is critical for comprehensive risk assessment and impact analysis.

Why A is Correct: The ISACA AAIR framework emphasizes that AI governance requires understanding how AI components interact. Mapping interdependencies reveals which datasets feed which models, which systems depend on which models, and how failures cascade across the AI ecosystem. Continuous mapping ensures this understanding remains current as the AI landscape evolves, enabling accurate risk assessment, change impact analysis, and incident response.

Why B is Wrong: Training frequency is a useful operational metric but represents a single attribute addition to inventory records. It does not address the fundamental governance gap of disconnected asset listings.

Why C is Wrong: Automating reconciliation improves inventory maintenance efficiency but does not resolve the architectural problem of separate, unlinked asset listings. An automated process applied to siloed data still produces siloed results.

Why D is Wrong: Assigning oversight to a committee addresses governance accountability but does not improve the quality or utility of the inventory itself. Oversight without integrated data still leaves governance gaps.

Download Exam
Page: 1 / 1
Next Page