Basic Concept: Before implementing any security controls for an AI system, especially in a highly regulated sector such as healthcare, a risk assessment must first be conducted to understand the specific threats, vulnerabilities, regulatory obligations, and compliance requirements. CompTIA SecAI+ Study Guide emphasizes risk assessment as the foundational first step in any AI security program.
Why C is Correct: A risk assessment identifies what assets need protection, what threats exist, what regulations apply such as HIPAA for healthcare AI, and what the potential impact of various failure modes would be. In healthcare, this is especially critical given the sensitivity of patient records and strict regulatory requirements. The risk assessment results then inform and prioritize all subsequent security control implementations.
Why A is Wrong: Implementing prompt firewalls is a technical security control appropriate after risks have been identified and prioritized. Deploying controls before conducting a risk assessment may address the wrong threats or miss critical vulnerabilities.
Why B is Wrong: Role-based access management is a security control that should be designed based on identified roles and access requirements discovered during risk assessment. It is an implementation step, not the first step.
Why D is Wrong: Using a secure communication channel is a specific technical control for data in transit. While important, it addresses only one specific risk and should be implemented as part of a comprehensive security strategy informed by a prior risk assessment.
Submit