AI governance across diverse applications requires frameworks flexible enough to accommodate varying risk profiles, regulatory environments, and operational contexts while maintaining consistent governance standards. Rigid or overly centralized approaches reduce operational effectiveness.
Why B is Correct: The ISACA AAIR framework advocates for adaptable governance frameworks that can be scaled and tailored to specific AI use cases. A risk-based, adaptable framework applies more rigorous controls to high-risk applications while allowing operational flexibility for lower-risk uses. This balance enables innovation while maintaining appropriate risk oversight—a core principle of proportionate AI governance.
Why A is Wrong: Single-regulation compliance focus creates compliance tunnel vision that may miss material risks not covered by that regulation. AI governance must address the full risk landscape, not just one regulatory framework.
Why C is Wrong: External consultants provide periodic independent assurance, not governance. Relying on external reviews for governance would be episodic rather than continuous, creating governance gaps between review cycles.
Why D is Wrong: Centralized decision-making creates operational bottlenecks and slows AI deployment. Effective governance delegates decision authority appropriately while maintaining oversight, rather than centralizing all decisions in a single function.
Submit