AIGP Artificial Intelligence Governance Professional Questions and Answers

The most challenging aspect of managing a data access request in this scenario is dealing with unstructured data that cannot be easily disentangled from other data, including information about other individuals. Unstructured data, such as free-text inputs or social media posts, often lacks a clear structure and may be intermingled with data from multiple individuals, making it difficult to isolate the specific data related to the requester. This complexity poses significant challenges in complying with data access requests under privacy laws. Reference: AIGP Body of Knowledge on Data Subject Rights and Data Management.

The EU AI Act outlines what must be included intechnical documentationfor high-risk systems. These requirements are designed to supportconformity assessment, transparency, and traceability.

From theAI Governance in Practice Report 2025:

“It mandates drawing up technical documentation… must include a general description of the AI system, the intended purpose, and a detailed description of the elements and development process.” (p. 34)

“Documentation… includes training, testing, evaluation procedures, andappropriateness of performance metrics.” (p. 34–35)

Therisk management systemis addressed separately through arisk management plan, not within the technical documentation itself.

Thus:

A, C, and Dare explicitly required in thetechnical documentation.

B, while important, is part of therisk management process, not a required section oftechnical documentation.

According to the GDPR, individuals have the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them. However, there are exceptions to this right, one of which is when the decision is based on the data subject ' s explicit consent. This means that if an individual explicitly consents to the automated decision-making process, there is no requirement for human intervention to confirm or replace the decision. This exception ensures that individuals can have control over automated decisions that affect them, provided they have given clear and informed consent.

The 1956 Dartmouth summer research project on AI is best known as a meeting focused on the founding of the AI field. This conference is historically significant because it marked the formal beginning of artificial intelligence as an academic discipline. The term " artificial intelligence " was coined during this event, and it laid the foundation for future research and development in AI.

Machine learning (ML) is a subset of artificial intelligence (AI) where systems use data to learn and improve over time without being explicitly programmed. Option B accurately describes machine learning by stating that systems can automatically improve from experience through predictive patterns. This aligns with the fundamental concept of ML where algorithms analyze data, recognize patterns, and make decisions with minimal human intervention. Reference: AIGP BODY OF KNOWLEDGE, which covers the basics of AI and machine learning concepts.

To evaluate the effectiveness of an AI-based ad recommendation tool, the most relevant metric is the output data, specifically assessing the delta between the prediction and actual ad clicks. This metric directly measures the tool ' s accuracy and effectiveness in making accurate recommendations that lead to user engagement. While monitoring algorithmic patterns and input data can provide insights into the model ' s behavior and targeting accuracy, and GPU performance can indicate the robustness and efficiency of the tool, the primary indicator of effectiveness for an ad recommendation tool is how well it predicts actual ad clicks.

Developing a social media presence for a non-profit is best served by non-AI solutions. This task primarily involves content creation, community engagement, and strategic planning, which are effectively managed by human expertise and traditional marketing tools. AI is more suitable for tasks requiring automation, large-scale data analysis, and personalized recommendations, such as e-commerce personalization, forecasting cost overruns, or automating customer service responses. Reference: AIGP Body of Knowledge on AI Use Cases and Applications.

The correct answer is D because the company has already addressed several key responsible AI principles, including fairness through discrimination risk mitigation, robustness through adversarial and edge-case testing, and reliability via repeatability testing. However, there is no indication that the company has addressed transparency, which involves providing clear information about how the model operates, how pricing decisions are made, and how outputs may affect consumers. Transparency is a critical AI governance principle, especially in consumer-facing applications like dynamic pricing, where decisions can significantly impact individuals. Governance frameworks emphasize that users and stakeholders should be informed about AI-driven decisions and their implications. Without transparency, even technically sound and fair systems may lack trustworthiness and fail to meet regulatory or ethical expectations.

Biometric data in the U.S. refers to data that relates to measurable biological and behavioral characteristics that can be used to identify an individual. Examples include fingerprints, facial recognition, iris scans, and behavior-based data like gait or keystrokes.

According to definitions and discussions from theAI Governance in Practice Report 2025and U.S. privacy frameworks:

“Biometric data includes physical and behavioral human characteristics that can be used to digitally identify a person to grant access to systems, devices, or data. Examples include facial images, iris patterns, gait analysis, and voice recognition.” (Report context based on common frameworks in U.S. AI law and the use of biometrics in AI governance.)

Here’s how the options relate:

A. Iris scans– These are physical biometric identifiers.

B. Walking gait– Behavioral biometric used increasingly in surveillance and identification.

C. Keystroke dynamics– Behavioral biometric based on typing patterns.

D. GPS location of a user ' s fitness watch– This isnotbiometric data. It islocation data, which may be sensitive or personal, but not biometric.

The correct answer isD – Privacy impact assessments (PIAs). These aredirectly adaptablefor identifying risks in AI systems, particularly around data usage, bias, and individual impacts.

From the AIGP ILT Guide – Risk Management Module:

“PIAs and DPIAs are existing tools used in privacy compliance that can be extended to evaluate the risks of AI, including fairness, explainability, and legality.”

AI Governance in Practice Report 2025 further explains:

“Organizations can adapt privacy impact assessments to evaluate the ethical, legal, and technical risks posed by AI systems. They provide a structured and recognized method.”

PIAs are preferable over general security practices (like pen testing) which do not address algorithmic bias or legal compliance directly.

===========

For the artist to receive copyright protection, the most effective approach is to demonstrate that the final artwork includes sufficient creative input by the artist. By updating or altering the images in a way that reflects the artist ' s personal creativity, the artist can claim originality, which is a core requirement for copyright protection under U.S. law. The other options do not directly address the originality and creative input required for copyright. This is highlighted in the sections on copyright protection in the IAPP AIGP Body of Knowledge.

When an AI system causessignificant false positives, especially in sensitive contexts likefraud detection, the priority is tohalt harmful activityand perform a full assessment. Continued use without understanding the fault may cause furthercustomer harmand legal exposure.

From theAI Governance in Practice Report 2025:

“Incident management plans should enable identification, escalation, and system rollback to prevent continued harm from malfunctioning AI systems.” (p. 12, 35)

When the accuracy of a model deteriorates, the best first step is to conduct champion/challenger testing. This involves deploying a new model (challenger) alongside the current model (champion) to compare their performance. This method helps identify if the new model can perform better under current conditions without immediately discarding the existing model. It provides a controlled environment to test improvements and understand the reasons behind the deterioration. This approach is preferable to directly replacing the model, performing audits, or running red-teaming exercises, which may be subsequent steps based on the findings from the champion/challenger testing.

The correct answer is C. This option concerns consent, which is generally a privacy, transparency, or institutional governance issue rather than a copyright issue. Copyright risk in AI governance usually relates to whether protected third party works were used in model training, whether generated outputs may reproduce copyrighted expression, and whether content is created without proper attribution or clear ownership boundaries. That makes options A, B, and D directly relevant to copyright and intellectual property concerns. In contrast, whether students must expressly consent deals with notice, fairness, and lawful or ethical use in an educational environment. For AIGP exam purposes, it is important to separate intellectual property risks from privacy and data protection obligations, even when both appear in the same classroom or organizational AI use case.

The NIST AI Risk Management Framework outlines several characteristics of trustworthy AI, including being secure and resilient, explainable and interpretable, and accountable and transparent. While being tested and effective is important, it is not explicitly listed as a characteristic of trustworthy AI in the NIST framework. The focus is more on the system ' s ability to function safely, securely, and transparently in a way that stakeholders can understand and trust. Reference: AIGP Body of Knowledge, NIST AI RMF section.

The GDPR privacy principles that this scenario violates are Purpose Limitation and Data Minimization. Purpose Limitation requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Data Minimization mandates that personal data collected should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. In this case, collecting extensive personal information (e.g., IP address, location, gender) and potentially using it beyond the necessary scope for the app ' s functionality could violate these principles by collecting more data than needed and possibly using it for purposes not originally intended.

The correct answer isC. Thechoice of architecture(e.g., neural networks vs. decision trees) is typically part of thedesign and developmentphase, not the initial planning.

From the AIGP Body of Knowledge – AI Lifecycle Module:

“Planning involves scoping, context definition, stakeholder identification, governance planning, and assumptions—not yet model selection.”

Confirmed in the ILT Participant Guide:

“Design decisions such as architecture or algorithm type come after planning—usually during development based on technical feasibility and data availability.”

An AI system that maintains its level of performance within defined acceptable limits despite real-world or adversarial conditions is described as resilient. Resilience in AI refers to the system ' s ability to withstand and recover from unexpected challenges, such as cyber-attacks, hardware failures, or unusual input data. This characteristic ensures that the AI system can continue to function effectively and reliably in various conditions, maintaining performance and integrity. Robustness, on the other hand, focuses on the system ' s strength against errors, while reliability ensures consistent performance over time. Resilience combines these aspects with the capacity to adapt and recover.

The correct answer is A because the most immediate governance step when a significant AI issue is identified is to formally log the incident within the organization’s incident management system. AI governance frameworks emphasize structured incident response processes to ensure issues are properly documented, tracked, escalated, and addressed in a controlled manner. Logging the incident triggers established workflows, including investigation, stakeholder notification, and remediation planning. While notifying stakeholders, auditing the system, or retraining the model are important follow-up actions, they should occur after the issue is formally recorded and managed through governance channels. This ensures accountability, traceability, and consistent handling of risks, particularly in cases involving bias and potential discrimination.

The best human oversight mechanism for the police department to implement is for a police officer to consider the AI recommendation as part of the criminal investigation. This ensures that the AI system ' s output is used as a tool to aid human decision-making rather than replace it. The police officer should integrate the AI ' s insights with other evidence and contextual information to make informed decisions, maintaining a balance between technological aid and human judgment. Reference: AIGP Body of Knowledge on AI Integration and Human Oversight.

Private LLMs offer advantages likecustomizability,reduced hallucination,confidentiality, andalignment with enterprise-specific tasks, but theydo not inherently reduce the time or effortneeded fordata validation or verification— which remains an essential step regardless of model privacy.

From the AI risk and quality sections:

“Ensuring the quality of the data… is highly contextual and must be validated regardless of the model’s deployment environment.” (p. 17)

B, C, Dare legitimate benefits of private LLMs.

Ais incorrect — validation still requires time and resources.

Under the EU regulations, particularly the GDPR, banks using AI for decision-making must inform users about the use of AI and provide mechanisms for users to contest decisions. This is part of ensuring transparency and accountability in automated processing. Explicit consent under the privacy directive (A) and disclosing under the Digital Services Act (B) are not specifically required in this context. An adequacy decision is related to data transfers outside the EU (C).

Supervised learning is a subcategory of AI and machine learning where labeled datasets are used to train algorithms. This process involves feeding the algorithm a dataset where the input-output pairs are known, allowing the algorithm to learn and make predictions or decisions based on new, unseen data. Reference: AIGP BODY OF KNOWLEDGE, which describes supervised learning as a model trained on labeled data (e.g., text recognition, detecting spam in emails)​​.

The correct answer isB. AllowingPIIto be freely entered into prompts without safeguards is considered amajor privacy and security riskand is not a responsible governance practice.

From the AIGP ILT Guide – Generative AI & Third-Party Risk Management:

“Use of personal or sensitive information in AI prompts can result in unintended exposure, regulatory breaches, and downstream liability.”

The AI Governance in Practice Report 2025 highlights:

“PII should be minimized or protected by design. Prompt engineering should prevent entry of personally identifiable data unless legally and technically safeguarded.”

A, C, and D are established best practices under responsible AI procurement and use.

===========

The EU AI Act outlines specific penalties and enforcement mechanisms to ensure compliance with its regulations. Among these, fines for violations of banned AI applications can be as high as €35 million or 7% of the global annual turnover of the offending organization, whichever is higher. Proportional caps on fines are applied to SMEs and startups to ensure fairness. General Purpose AI rules are to apply after a 6-month period as a specific provision to ensure that stakeholders have adequate time to comply. However, there is no provision for an " AI Pact " acting as a transitional bridge until the regulations are fully enacted, making option C the correct answer.

The correct answer isD. GPS location data isnot biometric data—it is consideredgeolocation data, which is personal data butnot biometricunder most U.S. laws.

From the AIGP ILT Guide (Data Privacy Module):

“Biometric data includes measurable biological or behavioral characteristics such as iris scans, facial recognition, voice prints, and keystroke patterns when used for identification.”

AI Governance in Practice Report 2025 (Privacy and Data Protection section):

“Location data, while sensitive, is not considered biometric unless it’s tied to a uniquely identifyingbiological trait.”

Thus,GPS location data, while potentially sensitive, is not classified as biometric.

Data aggregators are third parties that collect and license data from various sources. They are responsible for ensuring thelawful collectionandproper usage rightsof the data they distribute — especially when such data is used to train foundational AI models.

From theAI Governance in Practice Report 2025:

“As organizations have neither proximity to how third-party data was first collected nor direct control over the data governance practices of third parties, an organization can benefit from carrying out its own legal due diligence and third-party risk management.” (p. 19)

“Legal due diligence may include verification of the personal data ' s lawful collection by the databroker...” (p. 19)

This confirms thatdata aggregatorsbear the legal and ethical burden to verify that data has been lawfully collected and is appropriately licensed for use, including in AI training.

A. The marketing agencyandD. its clientmay use data, but they rely on upstream providers for its lawful origin.

B. The tech companymay train the model but depends on lawful sourcing by data aggregators.

The primary purpose of an AI impact assessment is to anticipate and manage the potential risks and harms of an AI system. This includes identifying the possible negative outcomes and implementing measures to mitigate these risks. This process helps ensure that AI systems are developed and deployed in a manner that is ethically and socially responsible, addressing concerns such as bias, fairness, transparency, and accountability. The assessment often involves a thorough evaluation of the AI system ' s design, data inputs, outputs, and the potential impact on various stakeholders. This approach is crucial for maintaining public trust and adherence to regulatory requirements.

The White House Blueprint for an AI Bill of Rights focuses on protecting civil rights, privacy, and ensuring AI systems are safe and effective. It includes principles like data privacy (D), human alternatives (A), and safe and effective systems (C). However, it does not specifically address high-risk mitigation standards as a distinct category (B).

Retraining an LLM (Large Language Model) is primarily done to improve or maintain its performance as data changes over time, to fine-tune it for specific use cases, and to incorporate new data interpretations to enhance accuracy and relevance. However, ensuring interpretability of the model ' s predictions is not typically a reason for retraining. Interpretability relates to how easily the outputs of the model can be understood and explained, which is generally addressed through different techniques or methods rather than through the retraining process itself. References to this can be found in the IAPP AIGP Body of Knowledge discussing model retraining and interpretability as separate concepts.

When notifying an accused perpetrator, the police officer should provide information about how the individual was identified by the AI system. This transparency is crucial for maintaining trust and ensuring that the accused understands the basis of the charges against them. Information about the accuracy, how to oppose the charges, and the composition of the training data, while potentially relevant, do not directly address the immediate need for the accused to understand the specific process that led to their identification. Reference: AIGP Body of Knowledge on AI Transparency and Explainability.

Importers of high-risk AI systems into the EU havespecific responsibilitiesunder the EU AI Act. They arenotthe parties responsible for affixing the CE marking or providing technical documentation—but they must verify that these have been done by the provider.

From theAI Governance in Practice Report 2025:

“Importers must verify that the appropriate conformity assessment has been carried out, the technical documentation is available, and the CE marking has been affixed.” (p. 34–35)

Thus:

A. Provide technical documentation– done by theprovider.

B. Affix the CE marking–provider ' sresponsibility.

C. Verify the Declaration of Conformity–importer obligation.

D. Conduct a DPIA– relevant under data protection laws,not requiredunder the EU AI Act forimporters.

The correct answer isB – Procedural. TheOECD Framework for Classifying AI Systemscategorizescodes of conduct and collective agreementsasprocedural toolsbecause they guide internal governance and decision-making processes.

From the AIGP ILT Participant Guide – Global Governance Models:

“Procedural tools include internal codes of conduct, collective agreements, and procedural audits that guide governance without necessarily involving technical measurement.”

AI Governance in Practice Report 2025 elaborates:

“These procedural tools support internal accountability mechanisms and ethics compliance frameworks… they are part of soft governance.”

These toolsdo not measure or analyze technical performance, hence they arenot technical or analytic.

===========

The correct answer is.C This action ties directly into principles of data minimization, purpose limitation, and lawfulness of processing, which are central to privacy and AI governance.

From the AIGP Body of Knowledge, Section on Privacy Considerations:

“Personal data must only be processed for specified and lawful purposes. Organizations must consider whether they have a legal basis for processing such data under data protection laws like the GDPR or CCPA.”

Additionally, AI Governance in Practice Report 2025 emphasizes:

“One of the most significant challenges when designing and developing AI systems is ensuring the data used is appropriate for the intended purpose… Managing unnecessary data, especially data that may contain sensitive attributes, can increase risk.”

===========

The correct answer is C because it follows a structured, risk-based AI governance approach aligned with best practices and regulatory expectations. AI governance frameworks emphasize identifying and assessing risks through probability and severity analysis before deployment. This allows organizations to prioritize the most critical risks, such as bias and discrimination in loan approvals. Applying a risk mitigation hierarchy ensures that controls are implemented proactively rather than reactively. Only after risks are assessed and mitigated should pilot testing occur to validate system performance in a controlled environment. Other options either delay risk assessment until after deployment or focus on limited aspects like benchmarking or explainability without addressing core risk management principles. A proactive, risk-first approach is essential for compliance, fairness, and responsible AI deployment.

The failures in semi-autonomous vehicles due to sensors misinterpreting environmental surroundings, such as sunlight, are examples of brittleness. Brittleness in AI systems refers to their inability to handle variations in input data or unexpected conditions, leading to failures when the system encounters situations that were not adequately covered during training. These systems perform well under specific conditions but fail when those conditions change. Reference: AIGP Body of Knowledge on AI System Robustness and Failures.

The correct answer is D because one of the most significant risks associated with generative AI is the potential leakage of sensitive, confidential, or proprietary information. AI governance frameworks emphasize data protection, confidentiality, and secure data handling as critical organizational responsibilities. When employees input sensitive data into generative AI tools, especially external or third-party systems, that information may be stored, reused, or exposed unintentionally. This creates legal, regulatory, and reputational risks. As a result, organizations may restrict or prohibit generative AI use to prevent unauthorized data disclosure. The other options relate to operational or business considerations, which are not primary governance drivers. Protecting sensitive information aligns with core AI governance principles such as privacy, security, and risk mitigation, making it the strongest justification for such a policy.

The correct answer is A because developing a social media presence typically does not require AI and can be effectively achieved through traditional digital marketing strategies, content planning, and manual engagement. AI governance principles emphasize that organizations should first determine whether AI is necessary or proportionate to the problem being solved. Using AI where simpler, deterministic, or human-driven solutions suffice can introduce unnecessary complexity, cost, and risk. In contrast, options B, C, and D involve tasks such as campaign optimization, personalization, and automation, which benefit significantly from AI capabilities like pattern recognition, predictive analytics, and natural language processing. Responsible AI governance encourages a “fit-for-purpose” approach, ensuring AI is only deployed when it provides clear added value over non-AI alternatives.

The correct answer isB. According to responsible AI practices,pre-deployment testingto ensurethe model behaves as expected and aligns with organizational requirements is critical.

From the AIGP ILT Guide:

“Testing for unacceptable outcomes such as toxicity, discrimination, or hallucinations should be included in the AI governance life cycle, particularly during development and prior to deployment.”

Also emphasized in the AI Governance in Practice Report 2025:

“Organizations must verify legal and regulatory compliance, monitor performance, and mitigate risksprior to deployment.”

Testing the model tomeet safety and appropriateness standardsis more proactive and preventive than relying solely on user reporting or requesting documentation.

===========

Before offering an AI solution in the EU market, a Canadian company must take several steps to comply with the EU AI Act. These steps include establishing a risk and quality management system (B), engaging a third-party auditor to perform a bias audit (C), and drawing up technical documentation and instructions for use (D). However, there is no requirement to register the AI solution in a public EU database (A). This registration step is not specified as part of the compliance requirements under the EU AI Act for such solutions​​​​.

The White House Executive Order of November 2023 designates the National Institute of Standards and Technology (NIST) as the responsible body for creating guidelines to conduct red-teaming tests of AI systems. NIST is tasked with developing and providing standards and frameworks to ensure the security, reliability, and ethical deployment of AI systems, including conducting rigorous red-teaming exercises to identify vulnerabilities and assess risks in AI systems.

Testing results need to bedocumented thoroughlyto ensuretraceability, accountability, and compliance. This is central to enabling audits, investigations, or regulatory inquiries into the system’s development and performance.

From theAI Governance in Practice Report 2025:

“Documentation and recordkeeping are essential components… to demonstrate AI system compliance, trace system behavior, and support audits and conformity assessments.” (p. 34–35)

“Maintaining audit trails across development and deployment enables transparency and accountability.” (p. 12)

AandBare benefits, but not theprimary governance justification.

D– Limiting future testing is not a recommended goal.

The November 2023 White House Executive Order provides guidance that governmental agencies should limit access to specific uses of generative AI. This means that generative AI tools should be used in a controlled manner, where their applications are restricted to well-defined, approved use cases that ensure the security, privacy, and ethical considerations are adequately addressed. This approach allows for the benefits of generative AI to be harnessed while mitigating potential risks and abuses.

In the selection and implementation of the AI hiring tool, involving Finance and Legal is crucial. The Finance team is essential for assessing cost implications, budget considerations, and financial risks. The Legal team is necessary to ensure compliance with applicable laws and regulations, including those related to data privacy, employment, and anti-discrimination. Involving these stakeholders ensures a comprehensive evaluation of both the financial viability and legal compliance of the AI tool, mitigating potential risks and aligning with organizational objectives and regulatory requirements.

Utilizing synthetic data to offset the lack of patient data is an efficient solution that balances privacy concerns with the need for sufficient data to train the model. Synthetic data can be generated to simulate real patient data while avoiding the privacy issues associated with using actual patient data. This approach allows for the development and testing of the AI algorithm without compromising patient privacy, and it can be refined with real data as it becomes available. Reference: AIGP Body of Knowledge on Data Privacy and AI Model Training.

Performing an impact assessment is the best step to mitigate the possibility of discrimination before training and testing the AI solution. An impact assessment, such as a Data Protection Impact Assessment (DPIA) or Algorithmic Impact Assessment (AIA), helps identify potential biases and discriminatory outcomes that could arise from the AI system. This process involves evaluating the data and the algorithm for fairness, accountability, and transparency. It ensures that any biases in the data are detected and addressed, thus preventing discriminatory practices and promoting ethical AI deployment. Reference: AIGP Body of Knowledge on Ethical AI and Impact Assessments.

Under the EU AI Act, organizations that develop and deploy high-risk AI systems are required to provide several key disclosures to ensure transparency and accountability. These include the human oversight measures employed, how individuals can contest decisions made by the AI system, and informing individuals that an AI system is being used. However, there is no specific requirement to disclose the exact locations where data is stored. The focus of the Act is on the transparency of the AI system ' s operation and its impact on individuals, rather than on the technical details of data storage locations.

The primary reason the EU is considering updates to its Product Liability Directive is to address digital services and connected products. The current directive does not adequately cover the complexities and challenges posed by modern digital and connected technologies. By updating the directive, the EU aims to ensure that it remains relevant and effective in addressing the liabilities associated with these advanced products, ensuring consumer protection and fair market practices in the digital age.

Random forest algorithms are classified as discriminative models. Discriminative models are used to classify data by learning the boundaries between classes, which is the core functionality of random forest algorithms. They are used for classification and regression tasks by aggregating the results of multiple decision trees to make accurate predictions.

Feature selection is the most important element of feature engineering to mitigate potential bias in an AI system. This process involves choosing the most relevant and representative features from the data set, which directly affects the model’s performance and fairness. By carefully selecting features, data scientists can reduce the influence of biased or irrelevant attributes, ensuring that the AI system is more accurate and equitable. Proper feature selection helps in eliminating biases that might stem from socio-demographic factors or other sensitive variables, leading to a more balanced and fair AI model. Reference: AIGP Body of Knowledge on Fairness in AI and Feature Engineering.

The GDPR ' s transparency principle requires that when personal data is processed for automated decision-making, including profiling, data subjects must be informed about the existence of such automated decision-making. Additionally, they must be provided with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for them. This requirement ensures that data subjects are fully aware of how their personal data is being used and the potential impacts, thereby promoting transparency and trust in the processing activities.

The best reason for GVC to offer students the choice to utilize generative AI in limited, defined circumstances is to enable students to learn how to use AI as a supportive educational tool. By integrating AI in a controlled manner, students can learn the practical applications of AI and develop skills to use AI responsibly and effectively in their educational pursuits.

The correct answer isC.Registration in the EU databaseis an obligation ofprovidersof high-risk AI systems—not distributors.

From the AIGP ILT Guide – Roles & Obligations Module:

“Distributors must verify CE marking, ensure instructions for use are provided, inform authorities of risks, and take corrective action when necessary. However, registration duties in the EU database lie with the provider.”

Also from the AI Governance in Practice Report 2025:

“The AI Act differentiates responsibilities for developers, providers, importers, and distributors. Only providers of high-risk systems are obligated to register their systems in the EU AI Database.”

Distributors focus onverification and communication, not formal registration.

Differential privacy is a technique used to ensure that the inclusion or exclusion of a single data point does not significantly affect the outcome of any analysis, providing a way to mathematically prove that no specific piece of training data has more than a negligible effect on the model or its output. This is achieved by introducing randomness into the data or the algorithms processing the data. In the context of training large language models (LLMs), differential privacy helps in protecting individual data points while still enabling the model to learn effectively. By adding noise to the training process, differential privacy provides strong guarantees about the privacy of the training data.

The correct answer isA. Pre- and post-deployment testing ensuresbias, accuracy, and fairnessare evaluated and corrected as needed, which isessential for reputational risk mitigation.

From the AIGP Body of Knowledge:

“Testing AI systems before and after deployment is critical to ensure performance, fairness, and compliance. Failing to do so may result in reputational damage and legal exposure.”

AI Governance in Practice Report 2025 (Bias/Fairness and Risk Sections):

“System impact assessments, testing, and post-deployment monitoring are necessary to identify and mitigate risks… This supports both compliance and public trust.”

Testing is proactive, unlike indemnification (which transfers risk after damage), or requiring manual review (which defeats automation).