Generative AI capabilities and the associated risk landscape evolve rapidly. Governance policies and controls must be refreshed through a structured, regular process rather than reactively or only when compliance requirements change.
Why A is Correct: According to ISACA AAIR, establishing a regular review cadence with codified reassessment procedures is the most robust approach because it creates a systematic, predictable process for keeping governance current. By documenting when and how policies will be reviewed, including the triggers for ad hoc review (new deployments, incidents, regulatory changes), the organization ensures that governance is reassessed on schedule rather than only in response to external pressure.
Why B is Wrong: Regulatory alignment is an important input to governance refresh, but on its own it is a reactive, externally triggered approach. Relying primarily on regulatory signals means governance lags behind organizational AI changes that no new regulation addresses.
Why C is Wrong: Centralizing authority in executive and technical leadership creates decision bottlenecks and reduces the operational agility needed to keep pace with rapidly evolving AI deployments. Distributed governance with clear escalation paths is more effective.
Why D is Wrong: Annual reviews are too infrequent for generative AI tools, which may see significant capability changes and risk profile shifts multiple times per year. Annual compliance audits cannot keep governance current in a rapidly evolving AI environment.