Enterprise Risk Management (ERM) provides the strategic framework within which all organizational risks—including AI risks—should be managed. When AI risk management operates in isolation, it loses connection to enterprise strategy, risk appetite, and cross-functional control objectives.
Why A is Correct: The ISACA AAIR curriculum identifies strategic control alignment as a foundational ERM integration requirement. When AI risk operates independently, controls may conflict with or duplicate enterprise controls, risk appetite thresholds may differ, and AI risks cannot be aggregated or prioritized alongside other organizational risks. This misalignment creates blind spots at the enterprise level and undermines coherent strategic risk management.
Why B is Wrong: Inconsistent regulatory reporting is a compliance concern but is a downstream consequence of poor governance rather than the greatest organizational risk from separation. Regulatory gaps can often be patched operationally without full integration.
Why C is Wrong: Training cost increases represent a financial efficiency concern unrelated to the governance challenge of separate risk management functions. ROI impacts are not driven by the organizational structure of risk management.
Why D is Wrong: Redundant documentation is an operational inefficiency, not a strategic risk. Duplicated records are wasteful but do not threaten organizational strategy or expose the enterprise to unmanaged risk.