ISACA Advanced in AI Audit (AAIA) Question #30, Topic 4 Discussion
An IS auditor is evaluating a large language model (LLM) before deployment. Which of the following is the MOST secure way to manage agency for the model?
A. Use LLMs to manage data feeds and sources.
B. Ensure authorization and privilege checks are performed independently of the LLM.
C. Ensure the LLM is trained on adversarial datasets.
D. Rely on LLMs to automatically manage authorization and privilege checks.
"Agency" refers to the model's ability to take actions or access data. LLMs are non-deterministic and can be tricked via "prompt injection" into ignoring their internal rules. Therefore, "authorization and privilege checks" must be performed by a separate, deterministic security layer that is "independent of the LLM." According to the ISACA AAIA™ Study Guide, you should never allow an AI to decide its own permissions (Option D) or those of other systems. If a user asks an AI to delete a file, the AI should simply "request" the deletion, and a standard, non-AI security system should check whether the user has the right to do so. This maintains the "Principle of Least Privilege" and prevents unauthorized actions via model manipulation.
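The file-deletion case described above, as an added example that is not from the ISACA material: the model only emits a request, and a deterministic check keyed on the authenticated session decides whether it runs. The ACL, user names, paths and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed ACL: (user, action, resource) tuples the deterministic layer allows.
ACL = {
    ("alice", "read", "/reports/q1.txt"),
    ("alice", "delete", "/home/alice/draft.txt"),
    ("bob", "read", "/reports/q1.txt"),
}

@dataclass(frozen=True)
class ToolRequest:
    """What the model emits: a request only. It grants nothing by itself."""
    action: str
    resource: str
    claimed_user: str = ""  # model-supplied text, never used for the decision

def authorize(session_user: str, req: ToolRequest) -> bool:
    """Deterministic check keyed on the authenticated session, not on model output."""
    return (session_user, req.action, req.resource) in ACL

def execute(session_user: str, req: ToolRequest, files: set) -> str:
    """Enforcement point: the action runs only after the non-AI check passes."""
    if not authorize(session_user, req):
        return f"DENIED {session_user} {req.action} {req.resource}"
    if req.action == "delete":
        files.discard(req.resource)
    return f"ALLOWED {session_user} {req.action} {req.resource}"

def demo():
    files = {"/reports/q1.txt", "/home/alice/draft.txt"}
    # Constructed model outputs. The first simulates a manipulated model that
    # asserts another user's identity; the enforcement layer ignores that field.
    calls = [
        ("bob", ToolRequest("delete", "/home/alice/draft.txt", claimed_user="alice")),
        ("alice", ToolRequest("delete", "/home/alice/draft.txt")),
        ("bob", ToolRequest("read", "/reports/q1.txt")),
    ]
    results = [execute(user, req, files) for user, req in calls]
    return results, files

if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The decision depends only on the session identity and the ACL, so whatever the model is persuaded to output, it cannot widen its own permissions.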