AIGP Artificial Intelligence Governance Professional Questions and Answers

The correct answer isD.Keystroke dynamics, used to identify individuals, fallunder biometricdata, which isa specialcategory of personaldata underthe GDPR and other frameworks.

From the AI Governance in Practice Report2025:

“Keystroke dynamics may constitute biometric data if used to uniquely identify an individual… Biometric data is classified as special category personal data and requires higher protection standards.”

Also reflected in ILT Participant Guide:

“Biometric data, such as facial images, voiceprints, iris scans or keystroke patterns, are treated as special category data when they are used for the purpose of uniquely identifying individuals.”

The best reason for GVC to offer students the choice to utilize generative AI in limited, defined circumstances is to enable students to learn how to use AI as a supportive educational tool. By integrating AI in a controlled manner, students can learn the practical applications of AI and develop skills to use AI responsibly and effectively in their educational pursuits.

The 1956 Dartmouth summer research project on AI is best known as a meeting focused on the founding of the AI field. This conference is historically significant because it marked the formal beginning of artificial intelligence as an academic discipline. The term "artificial intelligence" was coined during this event, and it laid the foundation for future research and development in AI.

The NIST AI Risk Management Framework outlines several characteristics of trustworthy AI, including being secure and resilient, explainable and interpretable, and accountable and transparent. While being tested and effective is important, it is not explicitly listed as a characteristic of trustworthy AI in the NIST framework. The focus is more on the system's ability to function safely, securely, and transparently in a way that stakeholders can understand and trust. Reference: AIGP Body of Knowledge, NIST AI RMF section.

The correct answer isD. Transparency obligations under data protection laws, such as GDPR and most AI governance frameworks, require thatusers whose data is being processedbe directly informed.

From the AIGP ILT Guide (Privacy Module):

“The user privacy notice must be updated to explain the nature of automated processing, the logic involved, and the significance and consequences for the data subject.”

Also, per AI Governance in Practice Report2025(Part III):

“Transparency obligations apply throughout the lifecycle of AI… Individuals must be informed about automated decision-making and profiling that may impact them.”

Unlike internal policies or general privacy notices,the user privacy noticeprovides direct transparency to theindividual data subjectsaffected by AI processing.

===========

To mitigate the risk of reputational harm from using an AI hiring tool, XYZ Corp should rigorously test the AI tool both before and after deployment. Pre-deployment testing ensures the tool works correctly and does not introduce bias or other issues. Post-deployment testing ensures the tool continues to operate as intended and adapts to any changes in data or usage patterns. This approach helps to identify and address potential issues proactively, thereby reducing the risk of reputational harm. Ensuring the vendor assumes responsibility for damages (B) does not address the root cause of potential issues, selecting the most economical tool (C) may compromise quality, and continuing manual screening (D) defeats the purpose of using the AI tool​​​​.

If it is possible to provide a rationale for a specific output of an AI system, that system can best be described as explainable. Explainability in AI refers to the ability to interpret and understand the decision-making process of the AI system. This involves being able to articulate the factors and logic that led to a particular output or decision. Explainability is critical for building trust, enabling users to understand and validate the AI system's actions, and ensuring compliance with ethical and regulatory standards. It also facilitates debugging and improving the system by providing insights into its behavior.

According to the Canadian Artificial Intelligence and Data Act, high-impact AI systems must notify the Minister of Innovation, Science and Industry upon initial deployment. This requirement ensures that the authorities are aware of the deployment of significant AI systems and can monitor their impacts and compliance with regulatory standards from the outset. This initial notification is crucial for maintaining oversight and ensuring the responsible use of AI technologies. Reference: AIGP Body of Knowledge, domain on AI laws and standards.

The common types of machine learning include supervised learning, unsupervised learning, reinforcement learning, and deep learning. Cognitive learning is not a type of machine learning; rather, it is a term often associated with the broader field of cognitive science and psychology. Reference: AIGP BODY OF KNOWLEDGE and standard AI/ML literature.

The correct answer isD.Emotion recognition in the workplaceis flagged asunacceptable or highly restrictedunder the EU AI Act due to its intrusive nature and potential for misuse.

From the AIGP ILT Guide – EU AI Act Training Module:

“AI systems that monitor individuals’ emotions in the workplace or educational settings are listed among prohibited or strictly limited practices under Article 5.”

AI Governance in Practice Report2025supports this interpretation:

“Emotion recognition systems, especially in sensitive contexts such as employment or education, raise significant concerns under EU fundamental rights law and are likely to be restricted.”

Other uses listed—such as emergency response or emotion detection in healthcare—may fall underlawful and beneficial uses, especially whenjustified by public interest.

===========

In the United States, the use of AI hiring tools must comply with anti-discrimination laws, accessibility laws, and privacy laws to avoid increasing liability. Anti-discrimination laws (A) ensure that hiring practices do not unlawfully discriminate against protected classes. Accessibility laws (C) require that hiring tools are accessible to all applicants, including those with disabilities. Privacy laws (D) govern the handling of personal data during the hiring process. Product liability laws (B), however, typically apply to the safety and reliability of physical products and would not generally increase liability specifically related to the responsible use of AI hiring tools in the employment context​​​​.

The correct answer isA. While TEVV is important inlater lifecycle phases, it isnot the primary considerationwhen evaluating and prioritizinguse cases.

From the AIGP Body of Knowledge – Use Case Assessment Module:

“Use case evaluation focuses on value, impact, fairness, and accessibility—technical testing considerations come later.”

ILT Guide confirms:

“Organizations should first assess whether the AI system provides equitable outcomes and aligns with stakeholder expectations. TEVV is part of implementation, not initial prioritization.”

Thus,Ais not a top-level consideration during use caseselection.

The OECD's Ethical AI Governance Framework aims to ensure that AI development and deployment are carried out ethically while fostering innovation. The framework includes principles like transparency, accountability, and human rights protections to prevent societal harm. It does not focus solely on technical design or post-deployment monitoring (C), nor does it establish industry-specific requirements (B). While explainability is important, the primary goal is to balance innovation with ethical considerations (D).

The correct answer isA. Pre- and post-deployment testing ensuresbias, accuracy, and fairnessare evaluated and corrected as needed, which isessential for reputational risk mitigation.

From the AIGP Body of Knowledge:

“Testing AI systems before and after deployment is critical to ensure performance, fairness, and compliance. Failing to do so may result in reputational damage and legal exposure.”

AI Governance in Practice Report2025(Bias/Fairness and Risk Sections):

“System impact assessments, testing, and post-deployment monitoring are necessary to identify and mitigate risks… This supports both compliance and public trust.”

Testing is proactive, unlike indemnification (which transfers risk after damage), or requiring manual review (which defeats automation).

The correct answer isA. While location of processors may have implications (such as for data transfers under GDPR), thereis noabsoluterequirement thatthird-party processors be based in the same country.

From the AI Governance in Practice Report2025and ILT Guide:

“Data controllers are responsible for ensuring that third-party processors have adequate protections, but not necessarily that they reside in the same jurisdiction. What is required is legal safeguards (e.g., SCCs) for international transfers, not same-country location.”

In contrast, DPIAs, DSARs, and implementation of technical/organizational safeguardsare explicitlyrequired underGDPR and responsible AI frameworks.

===========

The correct answer isC.Registration in the EU databaseis an obligation ofprovidersof high-risk AI systems—not distributors.

From the AIGP ILT Guide – Roles & Obligations Module:

“Distributors must verify CE marking, ensure instructions for use are provided, inform authorities of risks, and take corrective action when necessary. However, registration duties in the EU database lie with the provider.”

Also from the AI Governance in Practice Report2025:

“The AI Act differentiates responsibilities for developers, providers, importers, and distributors. Only providers of high-risk systems are obligated to register their systems in the EU AI Database.”

Distributors focus onverification and communication, not formal registration.

Under the EU AI Act, organizations that develop and deploy high-risk AI systems are required to provide several key disclosures to ensure transparency and accountability. These include the human oversight measures employed, how individuals can contest decisions made by the AI system, and informing individuals that an AI system is being used. However, there is no specific requirement to disclose the exact locations where data is stored. The focus of the Act is on the transparency of the AI system's operation and its impact on individuals, rather than on the technical details of data storage locations.

Supervised learning is a subcategory of AI and machine learning where labeled datasets are used to train algorithms. This process involves feeding the algorithm a dataset where the input-output pairs are known, allowing the algorithm to learn and make predictions or decisions based on new, unseen data. Reference: AIGP BODY OF KNOWLEDGE, which describes supervised learning as a model trained on labeled data (e.g., text recognition, detecting spam in emails)​​.

The highest concern for individual teachers using generative AI to ensure students learn the course material is model accuracy. Ensuring that the AI-generated content is accurate and relevant to the curriculum is crucial for effective learning. If the AI model produces inaccurate or irrelevant content, it can mislead students and hinder their understanding of the subject matter.

According to the GDPR, individuals have the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them. However, there are exceptions to this right, one of which is when the decision is based on the data subject's explicit consent. This means that if an individual explicitly consents to the automated decision-making process, there is no requirement for human intervention to confirm or replace the decision. This exception ensures that individuals can have control over automated decisions that affect them, provided they have given clear and informed consent.

The EU AI Act explicitly prohibits the use of AI systems for social scoring by public authorities, as it can lead to discrimination and unfair treatment of individuals based on their social behavior or perceived trustworthiness. While AI can be used to promote equitable distribution of welfare benefits, manage border control, and even detect an individual's intent for law enforcement purposes (within strict regulatory and ethical boundaries), implementing social scoring systems is not permissible under the Act due to the significant risks to fundamental rights and freedoms.

To protect the company's intellectual property, the most pertinent contractual provision is ensuring that the AI provider will defend and indemnify the company against infringement claims. This clause means the provider will take responsibility for any intellectual property disputes that arise, thereby safeguarding the company from potential legal and financial repercussions related to the use of the tool. Other options, while beneficial, do not directly address the protection of intellectual property. This concept is detailed in the contractual best practices section of the IAPP AIGP Body of Knowledge.

The AI risk that would not have been identified during the procurement process based on the categories of information requested by the third-party consultant is security. The consultant focused on accuracy rates, diversity of training data, and system functionality, which pertain to performance and fairness but do not directly address the security aspects of the AI system. Security risks involve ensuring that the system is protected against unauthorized access, data breaches, and other vulnerabilities that could compromise its integrity. Reference: AIGP Body of Knowledge on AI Security and Risk Management.

The EU AI Act outlines what must be included intechnical documentationfor high-risk systems. These requirements are designed to supportconformity assessment, transparency, and traceability.

From theAI Governance in Practice Report2025:

“It mandates drawing up technical documentation… must include a general description of the AI system, the intended purpose, and a detailed description of the elements and development process.” (p. 34)

“Documentation… includes training, testing, evaluation procedures, andappropriateness of performance metrics.” (p. 34–35)

Therisk management systemis addressed separately through arisk management plan, not within the technical documentation itself.

Thus:

A, C, and Dare explicitly required in thetechnical documentation.

B, while important, is part of therisk management process, not a required section oftechnical documentation.

The November 2023 White House Executive Order provides guidance that governmental agencies should limit access to specific uses of generative AI. This means that generative AI tools should be used in a controlled manner, where their applications are restricted to well-defined, approved use cases that ensure the security, privacy, and ethical considerations are adequately addressed. This approach allows for the benefits of generative AI to be harnessed while mitigating potential risks and abuses.

AI governance frameworks consistently define the“unique characteristics”of AI that create novel governance challenges.

Across the OECD AI Principles, NIST AI RMF, ISO/IEC 42001, and the EU AI Act, the key characteristics requiring governance are:

Autonomy– AI systems act without direct human intervention and take context-dependent decisions.

Adaptability– AI systems learn, evolve, and update their behavior over time, making outputs non-deterministic.

These traits fundamentally distinguish AI from traditional software and shape all major governance activities (risk assessment, monitoring, assurance, accountability, alignment, etc.).

Below is why each option is correct or incorrect:

A. Autonomy — NOT selected

Reason:

Autonomy is repeatedly cited as one of the defining characteristics that necessitates governance.

NIST AI RMF references the risks ofautonomous behavior.

ISO/IEC 42001 emphasizes governance controls for “systems operating with varying levels of autonomy.”

Thus,Autonomy IS a unique characteristic, so it isnotan answer.

B. Automation — SELECTED

Reason:

“Automation” is not a unique AI property. Automation predates AI and applies to robotics, scripts, business process automation, etc.

AI governance literature doesnotclassify automation as a unique AI-specific characteristic.

Automation is aresultof AI, but not adistinguishing property.

Therefore,Automation is correctly selected as NOT a unique AI characteristic.

C. Adaptability — NOT selected

Reason:

Adaptability (systems that update, learn, or change behavior) is recognized universally as a core distinctive trait of AI.

EU AI Act emphasizes governance requirements for “adaptive systems.”

NIST AI RMF highlights “learning and emergent behavior.”

Thus,Adaptability IS a unique characteristic, so it shouldnotbe chosen as an exception.

D. Speed and scale — SELECTED

Reason:

While AI can operate at high speed and scale,these are not unique characteristics of AI.

Traditional computing systems, cloud workloads, and automation pipelines operate at similar scale.

AI governance documents mention speed/scale as arisk amplifier, not a defining characteristic.

Therefore,Speed and scaleshould be selected.

E. Superintelligence — SELECTED

Reason:

“Superintelligence” is not a characteristic of current AI systems and isnot referenced as a governance-relevant attributein mainstream policy documents (OECD, NIST, ISO, EU AI Act).

It is speculative rather than a defining feature.

Therefore, it is correctly chosen as NOT a unique characteristic requiring governance today.

When notifying an accused perpetrator, the police officer should provide information about how the individual was identified by the AI system. This transparency is crucial for maintaining trust and ensuring that the accused understands the basis of the charges against them. Information about the accuracy, how to oppose the charges, and the composition of the training data, while potentially relevant, do not directly address the immediate need for the accused to understand the specific process that led to their identification. Reference: AIGP Body of Knowledge on AI Transparency and Explainability.

When an AI system causessignificant false positives, especially in sensitive contexts likefraud detection, the priority is tohalt harmful activityand perform a full assessment. Continued use without understanding the fault may cause furthercustomer harmand legal exposure.

From theAI Governance in Practice Report2025:

“Incident management plans should enable identification, escalation, and system rollback to prevent continued harm from malfunctioning AI systems.” (p. 12, 35)

Private LLMs offer advantages likecustomizability,reduced hallucination,confidentiality, andalignment with enterprise-specific tasks, but theydo not inherently reduce the time or effortneeded fordata validation or verification— which remains an essential step regardless of model privacy.

From the AI risk and quality sections:

“Ensuring the quality of the data… is highly contextual and must be validated regardless of the model’s deployment environment.” (p. 17)

B, C, Dare legitimate benefits of private LLMs.

Ais incorrect — validation still requires time and resources.

To maintain fairness in a deployed system, it is crucial to monitor for data drift that may affect performance and accuracy. Data drift occurs when the statistical properties of the input data change over time, which can lead to a decline in model performance. Continuous monitoring and updating of the model with new data ensure that it remains fair and accurate, adapting to any changes in the data distribution. Reference: AIGP Body of Knowledge on Post-Deployment Monitoring and Model Maintenance.

An AI system’sfunction,industry, anddeployment locationdefine itsrisk profile, which directly influences theinternal governance structuresan organization must put in place.

From theAI Governance in Practice Report2025:

“There are many challenges and potential solutions for AI governance, each with unique proximityand significance based on an organization’s role, footprint, broader risk-governance profile and maturity.” (p. 4)

“AI governance starts with defining the corporate strategy for AI… and formulating policy standards and operational procedures to reflect industry, use case, and location.” (p. 11)

A– Organizational accountability is broader and not directly scoped by industry or function.

C– Diversity of data sources is tied to data strategy.

D– Explainability is more influenced by model type, not use context.

The most challenging aspect of managing a data access request in this scenario is dealing with unstructured data that cannot be easily disentangled from other data, including information about other individuals. Unstructured data, such as free-text inputs or social media posts, often lacks a clear structure and may be intermingled with data from multiple individuals, making it difficult to isolate the specific data related to the requester. This complexity poses significant challenges in complying with data access requests under privacy laws. Reference: AIGP Body of Knowledge on Data Subject Rights and Data Management.

Conformity assessmentsare a core requirement under theEU AI Actfor high-risk systems and serve to confirm that the AI meetsregulatory, safety, and ethical standardsbefore it is put into production.

From theAI Governance in Practice Report2025:

“Conformity assessments… ensure that systems comply with legal requirements, safety criteria, and intended purpose before being placed on the market.” (p. 34)

“They are a critical step to demonstrate safety and trustworthiness in AI deployment.” (p. 35)

Model disgorgement is the technique used to remove the effects of improperly used data from an ML system. This process involves retraining or adjusting the model to eliminate any biases or inaccuracies introduced by the inappropriate data. It ensures that the model's outputs are not influenced by data that was not meant to be used or was used incorrectly. Reference: AIGP Body of Knowledge on Data Management and Model Integrity.

Forcustomizable, interpretable modelsthat allow organizations toretain control and avoid vendor lock-in,classic ML models(e.g., regression, decision trees, random forests) are optimal.

From theAI Governance in Practice Report2025:

“Organizations seeking transparency, customizability, and control often prefer classic ML models due to their flexibility and ease of governance.” (p. 33)

AandCmay have limited transparency and are often tied to specific providers.

Dinvolves ongoing costs and limited model control.

A privacy impact assessment (PIA) can be effectively leveraged to create an AI impact assessment. A PIA evaluates the potential privacy risks associated with the use of personal data and helps in implementing measures to mitigate those risks. Since AI systems often involve processing large amounts of personal data, the principles and methodologies of a PIA are highly applicable and can be extended to assess broader impacts, including ethical, social, and legal implications of AI. Reference: AIGP Body of Knowledge on Impact Assessments.

Biometric data in the U.S. refers to data that relates to measurable biological and behavioral characteristics that can be used to identify an individual. Examples include fingerprints, facial recognition, iris scans, and behavior-based data like gait or keystrokes.

According to definitions and discussions from theAI Governance in Practice Report2025and U.S. privacy frameworks:

“Biometric data includes physical and behavioral human characteristics that can be used to digitally identify a person to grant access to systems, devices, or data. Examples include facial images, iris patterns, gait analysis, and voice recognition.” (Report context based on common frameworks in U.S. AI law and the use of biometrics in AI governance.)

Here’s how the options relate:

A. Iris scans– These are physical biometric identifiers.

B. Walking gait– Behavioral biometric used increasingly in surveillance and identification.

C. Keystroke dynamics– Behavioral biometric based on typing patterns.

D. GPS location of a user's fitness watch– This isnotbiometric data. It islocation data, which may be sensitive or personal, but not biometric.

Importers of high-risk AI systems into the EU havespecific responsibilitiesunder the EU AI Act. They arenotthe parties responsible for affixing the CE marking or providing technical documentation—but they must verify that these have been done by the provider.

From theAI Governance in Practice Report2025:

“Importers must verify that the appropriate conformity assessment has been carried out, the technical documentation is available, and the CE marking has been affixed.” (p. 34–35)

Thus:

A. Provide technical documentation– done by theprovider.

B. Affix the CE marking–provider'sresponsibility.

C. Verify the Declaration of Conformity–importer obligation.

D. Conduct a DPIA– relevant under data protection laws,not requiredunder the EU AI Act forimporters.

When the accuracy of a model deteriorates, the best first step is to conduct champion/challenger testing. This involves deploying a new model (challenger) alongside the current model (champion) to compare their performance. This method helps identify if the new model can perform better under current conditions without immediately discarding the existing model. It provides a controlled environment to test improvements and understand the reasons behind the deterioration. This approach is preferable to directly replacing the model, performing audits, or running red-teaming exercises, which may be subsequent steps based on the findings from the champion/challenger testing.

Testing data is a subset of data used to provide a robust evaluation of a final model. After training the model on training data, it is essential to test its performance on unseen data (testing data) to ensure it generalizes well to new, real-world scenarios. This step helps in assessing the model's accuracy, reliability, and ability to handle various data inputs. Reference: AIGP Body of Knowledge on Model Validation and Testing.

Ensuringoversight and auditabilityrequires that the organization hassufficient access to data, documentation, and model internalsor outputs necessary for evaluation.

From theAI Governance in Practice Report2025:

“Access to technical documentation and system internals is essential to enable effective auditing, conformity checks, and accountability mechanisms.” (p. 11, 34)

Ais about liability, not auditability.

Bmatters for IP rights, not oversight.

Crelates to lifecycle responsibility but doesn’t guarantee audit access.

The primary concern for a company adopting a policy prohibiting the use of generative AI is the risk of accidental disclosure of confidential and proprietary information. Generative AI tools can inadvertently leak sensitive data during the creation process or through data sharing. This risk outweighs the other reasons listed, as protecting sensitive information is critical to maintaining the company’s competitive edge and legal compliance. This rationale is discussed in the sections on risk management and data privacy in the IAPP AIGP Body of Knowledge.

Feature selection is the most important element of feature engineering to mitigate potential bias in an AI system. This process involves choosing the most relevant and representative features from the data set, which directly affects the model’s performance and fairness. By carefully selecting features, data scientists can reduce the influence of biased or irrelevant attributes, ensuring that the AI system is more accurate and equitable. Proper feature selection helps in eliminating biases that might stem from socio-demographic factors or other sensitive variables, leading to a more balanced and fair AI model. Reference: AIGP Body of Knowledge on Fairness in AI and Feature Engineering.

Differential privacy is a technique used to ensure that the inclusion or exclusion of a single data point does not significantly affect the outcome of any analysis, providing a way to mathematically prove that no specific piece of training data has more than a negligible effect on the model or its output. This is achieved by introducing randomness into the data or the algorithms processing the data. In the context of training large language models (LLMs), differential privacy helps in protecting individual data points while still enabling the model to learn effectively. By adding noise to the training process, differential privacy provides strong guarantees about the privacy of the training data.

Utilizing synthetic data to offset the lack of patient data is an efficient solution that balances privacy concerns with the need for sufficient data to train the model. Synthetic data can be generated to simulate real patient data while avoiding the privacy issues associated with using actual patient data. This approach allows for the development and testing of the AI algorithm without compromising patient privacy, and it can be refined with real data as it becomes available. Reference: AIGP Body of Knowledge on Data Privacy and AI Model Training.

While transparency is encouraged,publicly disclosing forecasts of secondary harmsisnot a required or standard practicefor internal performance evaluation. Risk assessments and reporting typically remaininternal or shared with regulators.

From theAI Governance in Practice Report2025:

“Organizations must assess secondary risks… but disclosure is subject to context, regulatory requirements, and risk management discretion.” (p. 30)