AAISM ISACA Advanced in AI Security Management (AAISM) Exam Questions and Answers

According to AAISM’s data life-cycle model, data preparation is the phase where raw data is transformed into a model-ready format. The materials describe this phase as including “cleaning, encoding, formatting, feature engineering, and other transformations required for model consumption.” This directly matches the scenario where a team formats user information to be readable by an AI model. Data minimization (A) is about reducing data to the minimum necessary for the stated purpose. Data collection (C) focuses on acquiring data from different sources. Data normalization (D) is a specific technique (often a sub-activity within preparation) that adjusts numeric values to a common scale; it is narrower than the broader concept of preparation. Therefore, the activity described is correctly associated with data preparation, which the AAISM framework clearly positions before training and evaluation.

In the AAISM™ guidance, vendor management for AI adoption highlights that large AI providers often resist contractual changes, particularly when customers seek to impose stricter security, transparency, or ethical obligations. The official study materials emphasize that while organizations must evaluate AI risk and build internal expertise, the primary challenge lies in negotiating acceptable contractual terms with dominant AI vendors who may not be willing to adjust their standardized agreements. This resistance limits the ability of organizations to enforce oversight, bias controls, and compliance requirements contractually.

AAISM states that AI risk signals, thresholds, and model logic must be governed through strict validation and change control processes. Disabling key risk indicators without formal review or testing directly reflects a failure in:

• AI model validation

• Change management

• Governance oversight

This aligns precisely with option D.

Lack of dashboards (C) affects monitoring but does not explain disabled risk signals. Computing resources (A) would not cause intentional disabling. Reliance on consultants (B) is not connected to improper internal model changes.

AAISM guidance states that when adopting AI, the most important step is to conduct a risk assessment and update the enterprise risk register. This ensures AI-specific risks are identified, documented, and integrated into the organization’s existing governance structures. Benchmarking peers provides context but does not address internal risk. Implementing methodologies and frameworks are important, but they precede or follow the assessment process. The decisive step that connects adoption to enterprise risk governance is updating the risk register with AI-specific risks.

For executive security and governance reporting, AAISM prioritizes risk- and harm-oriented KPIs that reflect safety, reliability, and responsible behavior of AI systems. Error rate (safety/quality signal) and bias detection (fairness/compliance signal) provide leading indicators of model risk, potential user harm, and regulatory exposure—key interests for a CISO. Explainability and F1 (A) are model performance/interpretability metrics; customer effort/retention (B) are business CX metrics; response time/throughput (C) are operational SRE metrics. While valuable, they are secondary to risk-centric KPIs for CISO oversight.

When preventive input hardening isn’t feasible for LLMs, AAISM prescribes compensating detective and corrective controls—notably human review and annotation of outputs prior to downstream action—to reduce harm from prompt injection. Output-side review gates prevent untrusted instructions from propagating, enable rapid suppression/feedback loops, and provide labeled examples for subsequent model hardening. IAM (B) is necessary but does not mitigate injection in content; reviewing inputs (C) is less effective than auditing what the model is about to act on; fine-tuning for validation (D) is helpful long-term but is not an immediate compensating control when robust input validation is impractical.

AAISM defines cryptographic tracking and verification as the best control for ensuring the integrity of training data. By applying hashing and verification methods, organizations can confirm that datasets remain unaltered and authentic throughout collection, storage, and processing. Collecting only necessary data, proper storage, or clear documentation all support governance and compliance, but they do not guarantee that the data has not been tampered with. Integrity is specifically ensured by cryptographic verification techniques.

AAISM states that human oversight is the strongest control for hallucination risks, especially in high-impact decisions. Humans validate outputs, correct errors, and override unsafe model responses.

Automated validation (C) helps but cannot fully detect hallucinations. Chunking (B) improves information handling but not hallucination mitigation. Content enrichment (D) does not reduce hallucinations.

AAISM emphasizes that the right to audit is the most critical contractual safeguard when outsourcing AI services. This allows the contracting organization to independently verify that the vendor is applying appropriate protections to training data, meeting compliance obligations, and upholding privacy requirements. Pseudonymization is a technical method, monitoring is operational, and certifications provide external assurance, but none give the direct, enforceable oversight that audit rights provide. In vendor contracts, the right to audit is the primary safeguard for data protection and governance.

AAISM technical coverage identifies recall as the metric that specifically measures a model’s ability to capture all true positive cases out of the total actual positives. A high recall means the system minimizes false negatives, ensuring that relevant instances are not overlooked. Precision instead measures correctness among predicted positives, specificity focuses on true negatives, and the F1 score balances precision and recall but does not by itself indicate the completeness of capturing positives. The official study guide defines recall as the most direct metric for evaluating how well a model identifies all relevant positive cases, making it the correct answer.

According to AAISM, decision trees provide the highest explainability because their structure clearly shows how inputs map to decisions. This is essential in HR applications subject to fairness, bias, and compliance requirements.

SVMs (A) and gradient boosting (D) are less interpretable. Neural networks (B) are explicitly listed as low-explainability models.

Evasion attacks manipulate inputs to induce misclassification while leaving the model unchanged. AAISM prescribes adversarial robustness controls, with adversarial training as a primary measure: incorporate adversarially perturbed examples into training/validation to harden decision boundaries and improve resilience across threat models (e.g., Lp-bounded perturbations). Monitoring (A) is detective, not preventive. Restricting parameter access (C) protects confidentiality but does not mitigate input-space attacks. Differential privacy (D) addresses training data leakage, not robustness to adversarial inputs.

The most direct preventative control against data poisoning is robust data validation/ingestion gating: provenance checks, schema and constraint validation, anomaly/outlier screening, label consistency tests, and whitelist/blacklist source controls before data reaches training pipelines. Larger datasets (A) don’t inherently prevent poisoning; monitoring (C) is detective; updating a foundation model (D) does not address tainted inputs entering the pipeline.

AAISM prescribes human-in-the-loop (HITL) controls as the primary safeguard for high-impact generative AI use cases to mitigate hallucination risk. Human oversight ensures critical outputs are reviewed, corrected, and approved before use, with accountability, escalation, and documented decision trails. Automated validators and enrichment help reduce errors but are secondary; recursive chunking is a prompting tactic, not a governance control.

AAISM states that an AI management system policy provides organizational structure by:

• defining AI objectives

• aligning governance

• outlining accountability

• defining roles, responsibilities, and guiding principles

Regulatory compliance (C) is a part of governance but not the overall purpose. Accuracy (B) and environmental impact (A) are narrower focus areas.

AAISM defines data poisoning as the insertion of malicious or corrupted data into training (or fine-tuning) pipelines to degrade or bias model behavior, thereby compromising output integrity in production. While poisoning occurs during development/training (C), its primary objective is the downstream integrity impact on predictions/outputs (D). Options A and B relate to confidentiality threats (e.g., inversion or leakage), not poisoning.

AAISM identifies fairness constraints (e.g., constrained optimization, debiasing objectives, conditional generation controls, and post-processing calibrations) as the most direct, measurable method to mitigate disparate outcomes in generative systems. While data augmentation can help with coverage, and adversarial training improves robustness, fairness constraints explicitly target distributional fairness and outcome equity in generated content, aligning with governance and compliance goals.

The highest-priority fit criterion for introducing a new AI security capability is alignment to the organization’s established control objectives and program architectures. Control objectives encode what must be achieved (e.g., detection coverage, response timeliness, accountability, auditability) and are the basis for requirements traceability across governance, risk, and technical controls. Ensuring the tool’s capabilities directly satisfy those objectives provides architectural fit, policy conformance, and measurable assurance. While integration (e.g., SIEM), detection features (e.g., real-time anomaly detection), and orchestration are important, they are secondary to proving the tool maps to—and can be verified against—the control objectives that define the program’s intended outcomes.

AAISM materials specify that the composition of an AI red team must be tailored to the organization’s AI use cases. The purpose of red-teaming is to simulate realistic adversarial conditions aligned with the actual applications of AI. For example, testing a generative model requires different expertise than testing a fraud detection system. While resource availability, compliance requirements, and time-to-market pressures are practical considerations, they are secondary to aligning team expertise with use case scenarios. The most important factor is therefore the AI use cases themselves.

AAISM specifies that when AI systems process sensitive or high-impact data (e.g., financial, identity, health), accuracy thresholds become critical risk indicators. Inaccurate predictions can cause harm, regulatory non-compliance, discrimination, or financial loss.

Availability (D) is important but secondary to correctness in sensitive decision scenarios. Response time (B) and accessibility ratings (A) do not outweigh the need for accurate, reliable predictions.

AAISM indicates that white-box testing allows evaluators full visibility into:

• internal logic

• weights

• decision pathways

• model architecture

This makes it ideal for understanding how decisions are made.

Black box (B) provides no internal visibility. Red/blue team tests (A, D) focus on security, not decision mechanics.

Restoring end user trust during incident handling requires visible, immediate assurance that system outcomes are safe and appropriate. AAISM prescribes human oversight and approval gates for high-risk AI decisions, with human validation of outputs before use as a primary control to maintain trust while technical remediation is underway. Prioritization (A) and monitoring (B) aid operations but do not directly rebuild user confidence in outcomes. Post-incident improvements (D) are essential for long-term assurance but do not provide the immediate trust restoration that supervised, human-validated outputs deliver.

AAISM states that HR systems performing candidate evaluation must prioritize training data fairness, representativeness, and bias mitigation because biased HR decisions carry regulatory, ethical, and litigation risks.

Backups (B) and encryption (D) relate to availability and confidentiality, not fairness. Conformity assessments (C) are helpful but secondary.

AAISM emphasizes that the primary objective of responsible AI is to establish and maintain trust in AI-driven decisions and predictions. Trust is achieved through transparency, accountability, fairness, and governance. While confidentiality and integrity are critical technical objectives, they are not the overarching purpose of responsible AI service provision. Autonomy and learning ability are features of AI, but without trust, adoption and compliance falter. The correct answer is that responsible AI services must focus on building trust in AI outcomes.

AAISM’s risk management guidance notes that the most effective application of AI in incident response is in automating triage activities. AI systems can rapidly analyze logs, alerts, and telemetry to prioritize incidents, reducing response times and allowing human analysts to focus on critical issues. Streamlining testing and improving playbooks are valuable but secondary benefits. Ensuring chain of custody is critical for legal admissibility of evidence but is primarily a human and process-driven control, not AI’s strength. The greatest efficiency and effectiveness comes from AI-driven triage automation.

The AAISM study material highlights blockchain as a control mechanism for managing deepfake risk because it provides immutable verification of digital media provenance. By anchoring original data signatures on a blockchain, organizations can verify authenticity and detect tampered or synthetic content. Data tagging helps organize but does not guarantee authenticity. MFA and adaptive authentication strengthen identity security but do not address content manipulation risks. Blockchain’s immutability and traceability make it the recognized technology for mitigating deepfake challenges.

AAISM emphasizes that the primary and most severe risk of uncontrolled generative AI usage is data leakage, including:

• confidential data

• regulated personal data

• intellectual property

While hallucinations (A) are harmful, they do not cause direct data loss. Lack of monitoring (C) is a secondary risk. Policy violations (D) occur because of lack of controls but do not outweigh the impact of leaked sensitive data.

The first action, before any processing of personal data for AI-driven profiling and targeted communications, is to establish a lawful basis for processing. Under AAISM-aligned privacy governance, explicit and informed consent is prioritized for new or sensitive uses such as interest profiling and targeted marketing. Consent ensures purpose limitation, transparency, and user control prior to model ingestion and campaign activation. Training teams, updating terms of service, or verifying contact details are important, but they do not provide legal authority to process data; therefore, they follow after consent is obtained.

Model drift occurs when the statistical properties of input data and/or the relationship between features and outcomes change over time, causing degraded model performance. The AAISM guidance classifies data-centric causes (distribution shift, concept drift, and contamination) as the primary drivers and highlights that malicious contamination of training or incremental learning data (data poisoning) is a direct, high-likelihood driver of observable drift in production because it changes the effective data-generating process the model learns from. In contrast:

• Perfect knowledge is an attacker capability descriptor, not a drift cause.

• Membership inference targets privacy of the training set and does not inherently shift data distributions.

• Model stealing targets IP/confidentiality; it does not change the victim model’s data distribution or decision boundary in situ.

AAISM defines data poisoning as the intentional manipulation of training data so that the learned model behaves incorrectly (e.g., skewed lending approvals/denials) while appearing valid. The correct simulation in red-team exercises is to corrupt or seed the training set with adversarial examples or mislabeled records to induce biased or erroneous decision boundaries. Encrypting inputs (A) is unrelated; output noise (B) describes perturbation of predictions, not training; model weight theft (C) is model extraction, not poisoning.

AAISM frameworks highlight output-based controls, including output filtering, restriction validation, and policy-aligned guardrails as primary defenses for AI agents with high privileges. Ensuring the agent does not output unauthorized instructions or sensitive data directly mitigates misuse.

Allowing user configuration (B) increases risk. Prohibiting manipulation entirely (C) is impractical. Reducing human oversight (D) increases system abuse potential.

Differential privacy aims to protect the privacy of any single individual’s data contribution while still enabling useful aggregate learning and statistical analysis. Noise mechanisms are calibrated so that results remain informative for modeling (e.g., fraud patterns) without revealing whether any particular person’s data was included or enabling inference about them. Accuracy, speed, and compute efficiency can be secondary considerations, but the primary objective is privacy protection with utility preserved.

In the operational phase, AAISM emphasizes continuous monitoring of models for performance, stability, robustness, drift, data quality, security events, and policy compliance. This includes telemetry, thresholds, alerts, incident response for AI failures, and evidence collection for audits. Alignment to business needs is established earlier in planning/governance; algorithmic optimization and feedback collection are supporting activities, but the primary operational objective is live monitoring and assurance to keep risk within tolerance.

AAISM states that the most effective short-term mitigation for unintentional data leakage into public AI tools is targeted, role-based AI security awareness, focused on:

• what data cannot be entered

• consequences of leakage

• real-world scenarios employees face

An acceptable-use policy (C) is necessary but insufficient alone. Blocking LLMs (D) may reduce access but does not change user behavior and may cause shadow AI usage. Generic phishing training (B) does not address AI misuse risks.

AAISM prioritizes training data suitability—lawful sourcing, provenance, quality, representativeness, and safety—especially in health-related applications. The correctness and appropriateness of training data determine clinical safety, reduction of harmful outputs, and compliance with data protection/sector obligations. Larger models or more data do not compensate for inappropriate or low-quality datasets; tuning is secondary to ensuring the right data with rigorous curation, labeling quality, and guardrails aligned to patient safety requirements.

AAISM’s risk management content describes red-teaming in generative AI as focused on deliberately crafting adversarial prompts to test whether the model produces unexpected or undesired outputs that violate safety, integrity, or compliance standards. The goal is not to stress system performance or randomly disrupt outputs, but rather to uncover vulnerabilities in how the model responds to manipulative inputs. This allows organizations to improve resilience against prompt injection, jailbreaking, or harmful content generation. The correct answer is therefore generate outputs that are unexpected using adversarial inputs.

AAISM prescribes targeted, role-based, scenario-driven training aligned to policy and job tasks as the highest-impact near-term intervention for human-factor AI risks. By mapping concrete “do/don’t” behaviors (e.g., what data may/may not be pasted into public chatbots, required redaction steps, approved tools, verification of outputs) to specific roles, organizations rapidly reduce incident likelihood and harmful actions.

• A (blocking) is a technical containment option but is not an awareness-initiative control and may cause workarounds; AAISM treats it as complementary, not a substitute for behavior change.

• B generic modules fail to address the specific misuse pattern.

• D signatures provide attestations without ensuring comprehension or changed behavior.

AAISM identifies continuous monitoring of AI outputs—especially generative outputs—as the most effective security control, ensuring that violations, unsafe responses, data leakage, and policy-breaking behavior are detected and corrected.

A kill switch (C) is a last-resort measure, not a primary control. Exceeding benchmarks (A) does not ensure relevance. Validating training data (D) is important but insufficient for generative output risks.

AAISM identifies executive sponsorship and senior management buy-in as the foremost success factor for AI initiatives. It secures resources, resolves cross-functional conflicts, sets risk appetite, and enforces adherence to governance and controls. Model cards (A), risk registers (B), and lifecycle data mapping (C) are vital practices within the program, but without top-level commitment, adoption, funding, and accountability often fail.

The AAISM framework specifies that when adopting third-party AI tools, the right to audit is the most critical contractual and governance safeguard. This ensures that the organization can independently verify compliance with security, privacy, and ethical requirements throughout the lifecycle of the tool. Terms and conditions provide general usage guidance but often limit liability rather than ensuring transparency. Industry certifications may indicate good practice but do not substitute for direct verification. Roundtable testing is useful for evaluation but lacks enforceability. Only the contractual right to audit provides formal assurance that the tool operates in accordance with organizational policies and external regulations.

AAISM defines data poisoning as directly capable of causing model drift because corrupted training data shifts the statistical distribution, leading to degraded or unsafe performance.

Model stealing (A) extracts model behavior but does not cause drift. Perfect knowledge (B) is an attacker capability, not an attack causing drift. Membership inference (D) attacks privacy, not performance.

AAISM identifies output review and annotation as the most practical compensating control when robust input validation cannot be applied.

Output moderation detects:

• maliciously influenced responses

• unsafe outputs

• security-policy violations

IAM (B) does not mitigate prompt injection itself. Human review of inputs (C) is unrealistic at scale. Fine-tuning (A) cannot guarantee full prevention.

In AAISM, usage of AI for activities involving personal data and profiling, such as personalized advertising, is explicitly mapped to stringent regulatory and compliance requirements (e.g., data protection, consent, profiling limitations, fairness obligations). The material notes that these activities may trigger “heightened regulatory scrutiny, mandatory impact assessments, and potential penalties for non-compliance.” While reputational (B), fraud (A), and commercial (C) risks are all relevant, the primary, non-optional constraint is compliance with applicable regulations governing personal data, automated profiling, and targeted content. Failure in this area can lead not only to reputational harm but also to legal sanctions, enforced remediation, and operational restrictions. Therefore, regulatory risk is identified as the most important consideration when deploying generative AI for personalized advertising.

AAISM emphasizes that when introducing innovative AI systems, organizations reduce security and compliance risk by following a phased adoption approach. This allows incremental deployment, controlled testing, and gradual scaling while monitoring risks in real time. Re-evaluating risk appetite and evaluating compliance are important governance steps but do not directly mitigate risks during implementation. Seeking third-party advice can add expertise but does not provide the structured control that phased integration offers. The most effective risk management approach for AI innovation is to adopt a phased rollout strategy.

Data splitting partitions a labeled dataset into training, validation, and test subsets to enable unbiased model tuning and evaluation. Training (A) consumes the training split; annotating (B) adds labels; learning (D) is a general term for model optimization, not a data management step.

AAISM describes GANs as effective for synthetic data generation to augment scarce or imbalanced security datasets. In anomaly IDS contexts, GANs can create realistic synthetic attack traffic and edge-case behaviors that improve detector sensitivity and robustness. While labeled “real” data is valuable, the specific advantage of a GAN-integrated pipeline is the capability to generate adversarially realistic synthetic intrusions for training and stress testing. Automated rules are a signature-based paradigm and do not leverage GAN strengths; validation sets are for evaluation, not primary improvement of anomaly coverage.

AAISM stresses that AI tools must align with the organization’s existing control objectives and governance requirements, ensuring consistency with risk management, detection philosophy, and operational processes.

Integration with SIEM (D) is important but secondary. Anomaly detection (B) is a feature, not an architectural requirement. Automated orchestration (A) is optional.

The AAISM material frames an AI impact assessment as broader than a technical model review. It emphasizes that governance of AI includes assessing societal, environmental, and human-rights impacts in addition to organizational risk. The official guidance notes that high-level impact assessments must explicitly consider “potential consequences for individuals, communities, and the environment” as part of responsible AI governance. Activities such as testing/validation (A) and reproducibility (B) are critical in the development lifecycle but are not, by themselves, sufficient to constitute an impact assessment. A CSA (C) is focused on security controls, which is narrower than overall impact. The mandatory element that differentiates an AI impact assessment is the assessment of environmental and societal consequences, making option D the correct answer in alignment with governance expectations.

AAISM emphasizes supplier assurance through contractual obligations as the foundational control for AI supply chain risk. Contracts should require verifiable evidence of secure development practices (e.g., secure SDLC, model and data provenance documentation, SBOM/MBOM where applicable, vulnerability disclosure, patch SLAs, audit rights, incident notification, and regulatory compliance assertions). This creates enforceable, continuous assurance beyond point-in-time tests.

• A is necessary but reactive and limited to your environment.

• B addresses performance, not supply chain security.

• D is a good isolation/validation practice but does not create vendor accountability across the lifecycle.

AAISM governance guidance emphasizes that stakeholder buy-in is sustained when the measurable value of AI initiatives is clearly communicated. Value demonstrations include:

• improved efficiency

• reduced cost

• reduced risk

• business growth

Training (B) and risk optimization (C) are important but do not guarantee stakeholder support. A roadmap (D) guides planning but does not secure buy-in.

AAISM highlights that while accuracy and performance metrics are important, the rate of drift is the most critical KRI for AI systems. Model drift occurs when input data or environmental conditions shift, causing the system to degrade and produce unreliable outputs. This risk indicator directly reflects whether the AI continues to function as intended over time. Accuracy rates and response times are performance metrics, not primary risk signals. The amount of data in the model does not reliably indicate exposure to risk. Therefore, the greatest KRI for ongoing assurance and governance is the rate of drift.

AAISM prescribes Preparation as the foundational phase of AI incident response. The first priority is to form and empower a cross-functional incident response (IR) team with AI/ML expertise (security, data science, product, legal/compliance). Only once the accountable team exists can you define playbooks, communications, containment/eradication steps, recovery processes, and escalation paths. Without a designated team, procedures and channels lack ownership and effectiveness.

According to the AAISM framework, prompt injection is the act of deliberately crafting malicious or manipulative inputs to override, bypass, or exploit the model’s intended controls. In this case, the attacker is targeting the integrity of the model’s outputs by exploiting weaknesses in how it interprets and processes prompts. Jailbreaking is a subtype of prompt injection specifically designed to override safety restrictions, while evasion attacks target classification boundaries in other ML contexts, and remote code execution refers to system-level exploitation outside of the AI inference context. The most accurate classification of this attack is prompt injection.

When AI systems make consequential decisions over sensitive data, AAISM requires explicit performance thresholds tied to decision quality—i.e., accuracy (and related error/false-rate limits) aligned to business risk appetite and regulatory expectations. Availability and latency are important service metrics, but decision integrity and error bounds are primary risk drivers in sensitive contexts. Establishing, monitoring, and enforcing minimum accuracy thresholds (with subgroup performance checks) is essential to reduce harm, ensure fairness/compliance, and support auditability.

AAISM emphasizes strong contractual restrictions on how vendors use customer data, especially prohibiting vendors from using customer inputs to train or fine-tune shared models.

This protects against:

• data leakage

• intellectual property exposure

• regulatory violations

• shadow training of external models

Log sharing (B) and query limits (D) are operational controls but do not directly prevent data misuse. Unlimited retraining (A) has no relevance to security.

AAISM guidance clearly states that the most effective way to mitigate data bias is through diverse training data that fairly represents all relevant populations, scenarios, and contexts. Simplified models may reduce complexity but do not remove bias. Unstructured data sets may introduce new errors without addressing fairness. Securing training data protects confidentiality and integrity but does not resolve representational imbalance. Therefore, the best practice for reducing bias in ML is diversification of training datasets.

The AAISM technical controls framework emphasizes data validation as the primary safeguard against data poisoning attacks. Poisoning occurs when attackers insert malicious or corrupted data into training sets. Validation techniques verify the quality, authenticity, and consistency of input data before training, preventing compromised samples from corrupting the model. Restoration helps after compromise, watermarking protects ownership, and intrusion detection monitors networks rather than data quality. The most effective preventive measure is data validation.

In AI governance frameworks, credit scoring is treated as a high-risk application. For such systems, the highest-priority safeguard is human oversight to ensure fairness, accountability, and prevention of bias in automated decisions.

The AI Security Management™ (AAISM) domain of AI Governance and Program Management emphasizes that high-impact AI systems require explicit governance structures and human accountability. Human-in-the-loop design ensures that final decisions remain the responsibility of human experts rather than being fully automated. This is particularly critical in financial contexts, where biased outputs can affect individuals’ access to credit and create compliance risks.

Official ISACA AI governance guidance specifies:

High-risk AI systems must comply with strict requirements, including human oversight, transparency, and fairness.

The purpose of human oversight is to reduce risks to fundamental rights by ensuring humans can intervene or override an automated decision.

Bias controls are strengthened by requiring human review processes that can analyze outputs and prevent unfair discrimination.

Why other options are not the highest priority:

A. Regular updates improve accuracy but do not guarantee fairness or ethical decision-making. Model drift can introduce new bias if not governed properly.

B. Appeals mechanisms are important for accountability, but they operate after harm has occurred. Governance frameworks emphasize prevention through human oversight in the decision loop.

D. Restricting criteria to “objective metrics” is insufficient, as even objective data can contain hidden proxies for protected attributes. Bias mitigation requires monitoring, testing, and human oversight, not only feature restriction.

AAISM Domain Alignment:

Domain 1 – AI Governance and Program Management: Ensures accountability, ethical oversight, and governance structures.

Domain 2 – AI Risk Management: Identifies and mitigates risks such as bias, discrimination, and lack of transparency.

Domain 3 – AI Technologies and Controls: Provides the technical enablers for implementing oversight mechanisms and bias detection tools.

References from AAISM and ISACA materials:

AAISM Exam Content Outline – Domain 1: AI Governance and Program Management (roles, responsibilities, oversight).

ISACA AI Governance Guidance (human oversight as mandatory in high-risk AI applications).

Bias and Fairness Controls in AI (human review and intervention as a primary safeguard).

AAISM highlights that post-incident remediation and demonstrating lessons learned is essential to restoring trust. Governance guidance specifies that stakeholders regain confidence only when organizations show clear corrective actions, transparency, and improvements to prevent recurrence.

Validating outputs (B) supports accuracy but is not trust-restoring. Monitoring (C) and prioritization (D) relate to operations, not trust rebuilding.

AAISM directs that when harmful or biased behavior is observed in a production AI system, the organization should enter a formal incident/variance handling workflow that begins with root cause analysis (RCA) to identify the source of deviation (data drift, concept drift, feature leakage, pipeline changes, control failures) and determine proportionate risk treatments. Immediate retraining (Option A) without RCA risks reinforcing the same bias; audits (Option C) are key activities within RCA rather than the action that frames the response; a kill switch (Option D) is reserved for conditions where risk exceeds the defined tolerances and immediate harm prevention is required.

AAISM classifies learning paradigms by the presence of labeled targets. Creating categories (labels) and training on them is supervised learning, where input features are mapped to known outputs and optimization minimizes prediction error against ground truth. Unsupervised (B) discovers structure without labels; reinforcement (A) optimizes behavior via rewards; “machine learning” (C) is the broad field, not the specific technique.

According to AAISM risk management guidance, the greatest risk in AI applications handling personal communication data is inadequate parameter controls, which may allow unintended access, manipulation, or leakage of sensitive information. Plug-ins that interact with emails must enforce strict parameter validation and security restrictions to prevent unauthorized or manipulated inputs. While vulnerability scanning, format incompatibility, and API rate limiting are valid concerns, they are secondary. The primary risk is a lack of strong parameter controls that could expose sensitive content.

AAISM materials emphasize that the most effective preventive safeguard is to ensure input sanitization. Preventive controls stop malicious or malformed inputs from reaching the model in the first place, thereby reducing the likelihood of prompt injection, evasion, or poisoning at inference time. Model output monitoring is a detective control, not preventive. Penetration testing is an assessment technique rather than a safeguard. Differential privacy protects data privacy but does not prevent adversarial input manipulation. Therefore, the most important preventive safeguard in a new AI product is robust input sanitization.

AAISM highlights that uncontrolled access to generative AI in critical systems introduces the highest level of risk, as such models can:

• expose sensitive data

• execute unintended actions

• be manipulated through injected prompts

• cause operational instability

Monitoring (A) is important but not the core risk. Bias (B) is significant but secondary in critical systems. Regulatory enhancements (C) are indirect.

AAISM states that anonymization is not permanent and may be reversible through re-identification attacks. The first action should be to evaluate and measure the actual privacy risk through:

• adversarial re-identification testing

• privacy audits

• monitoring for misuse

This provides the factual basis needed before making destructive or operational decisions.

Access control (D) is important but not the FIRST step. Deleting datasets (B) is premature. Assuming anonymization is permanent (A) violates AI privacy principles.

The AAISM study content emphasizes that data quality management is a central pillar of AI risk reduction. Missing data introduces bias and undermines predictive accuracy if not addressed systematically. The most effective remediation is to apply statistical imputation and related methods to fill in or adjust for missing values in a way that minimizes bias and preserves data integrity. Retraining on flawed data does not solve the underlying issue. Deleting outliers may harm model robustness, and hyperparameter tuning optimizes model mechanics but cannot resolve missing information. Therefore, the proper corrective technique for missing data is the application of statistical methods to reduce bias.

For regulated data such as patient information, AAISM requires provable data lifecycle closure at decommissioning. The authoritative evidence is a certificate of destruction (covering primary, replicas, backups, and caches) retained per the organization’s records retention policy. While testing backups and auditing access (A), updating policies (B), and doing post-destruction risk assessment (C) are valuable practices, documented destruction attestation is the primary compliance proof point that the data was disposed of in accordance with regulatory and contractual obligations.

AAISM stresses that AI-enabled security programs require updated governance structures, including defined cross-functional roles across security, data, development, and operations teams.

Role clarity emerges from updated policies, responsibilities, and oversight—not from delaying adoption (A), outsourcing (D), or simply training (B).

AAISM requires that control selection be threat-led and context-specific, aligning AI threats to the organization’s existing enterprise control catalogs (security, privacy, resilience) and augmenting them with AI-specific safeguards where coverage is insufficient. This ensures consistency with the risk appetite, removes duplication, and closes AI-unique gaps (e.g., prompt injection, data leakage from context windows, model misuse). Generic reliance on vendors or uncustomized external frameworks does not ensure fit-for-purpose coverage, and deferring control selection to post-deployment contradicts proactive risk treatment.

When an AI system experiences an attack after being in production for an extended period, the most effective mitigation strategy is to update the deployed training data with new adversarial data. This process strengthens the model’s resilience by retraining it to recognize and resist attack vectors that were previously unknown or unaccounted for. According to the AI Security Management™ (AAISM) framework, risk mitigation for AI systems must address model robustness through adversarial retraining, data quality improvement, and model lifecycle hardening rather than relying solely on reactive measures.

Why Option B is Correct:

Incorporating adversarial examples into the training set enhances the system’s ability to correctly classify and withstand malicious inputs.

This approach directly mitigates the vulnerability exploited in the attack and supports a proactive, continuous risk management cycle.

Why Other Options Are Incorrect:

Option A: Monitoring helps detect suspicious activity but does not resolve the underlying vulnerability.

Option C: Concealing confidence scores may reduce model transparency but does not address the attack mechanism or its root cause.

Option D: Implementing access controls protects the model’s architecture but does not improve model robustness against input manipulation attacks.

Exact Extract from Official AAISM Study Guide:

“AI risk management requires continuous improvement following incidents. After an adversarial or data poisoning event, the preferred risk treatment involves retraining the model using adversarial data and updated datasets to enhance robustness. This ensures the AI model adapts to evolving threat landscapes rather than merely restricting access or obscuring outputs.”

AAISM requires formal change management for AI systems, including vendor-initiated changes: pre-approval, documented impact assessment (ethics/compliance/performance), regression testing, sign-off by accountable owners, and traceable release records. While MSAs (A) and shared responsibility models (B) set contractual/role baselines, they do not enforce per-change approvals. Data minimization (C) reduces exposure but does not control model substitutions.

AAISM stresses that AI systems and their supporting infrastructure must be explicitly included in disaster recovery and continuity planning, since disruptions to models, feature stores, or pipelines can halt critical business functions.

Explainability (A) and retraining (B) are operational improvements, not continuity mechanisms. Multi-zone redundancy (D) improves availability but does not represent complete BCP integration.

AAISM emphasizes that data governance over the full AI life cycle is foundational. The official content describes effective AI data management as including documented procedures for: (1) how data is sourced, (2) how lineage is tracked from origin to model, and (3) how data quality is validated and monitored. This ensures transparency, accountability, and auditability, which are especially critical in regulated areas like credit assessments. While hashing identifiers (B) and encryption/access controls (C) are important privacy and security mechanisms, they are partial controls within a broader governance framework and do not, on their own, establish end-to-end life-cycle management. Limiting training to structured data (D) is a design choice and may reduce risk but is neither sufficient nor required as a best practice. Option A directly reflects AAISM’s prescribed governance controls for AI data throughout its life cycle.