Acceptable use policies (AUPs) govern how employees interact with organizational systems and tools. Embedding AI risk considerations into AUPs ensures that AI-related behaviors align with the organization's risk appetite and tolerance thresholds.
Why C is Correct: According to ISACA AAIR governance principles, the best justification for embedding AI risk in AUPs is maintaining consistent enterprise risk tolerance across all AI-driven decision-making. When risk tolerances are codified in AUPs, employees understand what AI behaviors are permissible, and deviation from these boundaries triggers escalation. This enterprise-wide alignment prevents individual business units from accepting risks that exceed organizational thresholds.
Why A is Wrong: Shadow AI mitigation through allow lists is a specific technical control mechanism, not the primary governance justification for AUP integration. It addresses unauthorized tool use rather than risk tolerance alignment.
Why B is Wrong: Applying uniform risk controls across diverse business functions is a compliance approach that may not be appropriate—different functions may legitimately have different risk profiles. The goal is tolerance alignment, not control uniformity.
Why D is Wrong: Assigning accountability to business unit leadership is a governance structure decision. AUPs define behavioral expectations, not organizational accountability assignments, which are addressed through RACI frameworks and policy governance.