Pass the Isaca AI-Centric Security Management AAISM Questions and answers with CertsForce

AAISM defines cryptographic tracking and verification as the best control for ensuring the integrity of training data. By applying hashing and verification methods, organizations can confirm that datasets remain unaltered and authentic throughout collection, storage, and processing. Collecting only necessary data, proper storage, or clear documentation all support governance and compliance, but they do not guarantee that the data has not been tampered with. Integrity is specifically ensured by cryptographic verification techniques.

AAISM guidance highlights data minimization as a critical practice for addressing both security and privacy concerns. By ensuring that only the minimum necessary data is collected and retained, the organization reduces the risk of sensitive information being exposed or misused during training. Data augmentation expands data but does not mitigate privacy risk. Classification organizes data but does not limit exposure. Data discovery helps locate sources but does not directly reduce risks. The control that directly aligns with privacy-by-design principles is data minimization.

AAISM materials emphasize that the most effective preventive safeguard is to ensure input sanitization. Preventive controls stop malicious or malformed inputs from reaching the model in the first place, thereby reducing the likelihood of prompt injection, evasion, or poisoning at inference time. Model output monitoring is a detective control, not preventive. Penetration testing is an assessment technique rather than a safeguard. Differential privacy protects data privacy but does not prevent adversarial input manipulation. Therefore, the most important preventive safeguard in a new AI product is robust input sanitization.

According to AAISM privacy governance guidance, the primary reason for conducting a PIA is to analyze how personal data is collected, processed, shared, and retained by an AI system. This analysis ensures compliance with privacy laws, mitigates risks to individuals, and informs necessary safeguards. Identifying regulations is part of compliance but is secondary to analyzing actual data handling. Building customer confidence is an outcome, not the main purpose. Checking for poisoned data relates to data quality, not privacy assessment. The fundamental purpose of a PIA is therefore to analyze the handling of personal data.

AAISM defines automation bias as the tendency of individuals to over-rely on AI-generated outputs even when contradictory real-world evidence is available. In this scenario, the driver ignores traffic signs and follows the AI’s instructions, showing blind reliance on automation. Selection bias relates to data sampling, reporting bias refers to misrepresentation of results, and confirmation bias involves interpreting information to fit pre-existing beliefs. The most accurate description is automation bias.

AAISM training guidance specifies that social engineering is the awareness topic most impacted by AI-enabled risks. With generative AI and deepfake technologies, attackers can create highly convincing phishing messages, synthetic voices, or fake executive requests, increasing the sophistication of social engineering attacks. Clean desk policies, insider threat awareness, and authentication procedures remain relevant but are not directly altered by AI advancements. The most likely revision to employee awareness programs in the AI era is therefore enhanced social engineering awareness.

AAISM materials emphasize that the primary ethical concern with generative AI is the risk to information integrity. Generative models can create content that appears authentic but is fabricated, misleading, or manipulated. This undermines trust in information ecosystems and can have wide-reaching social, legal, and organizational impacts. While confidentiality breaches and bias are concerns, they are not the central ethical issue inherent to generative models. Availability is less relevant in this context. The most pressing concern is that generative AI may compromise the integrity of information.

In AAISM governance guidance, risk documentation is described as the structured record that defines the organization’s risk appetite and tolerance levels for AI initiatives. By outlining acceptable levels of risk, documentation ensures decision-makers can approve, monitor, and adjust AI projects within defined boundaries. While it may also serve audit functions, technical analysis, or communication to stakeholders, its primary role is to formalize risk acceptance thresholds and integrate them into governance and decision-making. This aligns directly with the governance requirement to align AI adoption with organizational risk appetite.

The AAISM framework identifies intellectual property (IP) violations as the most significant inherent risk in deploying generative AI. These systems often rely on large-scale internet data for training, which may inadvertently contain copyrighted or proprietary material. This creates legal and reputational exposure when outputs reproduce or reference protected content. While employee training gaps, asset vulnerabilities, and ROI concerns are relevant risks, they are not inherent to generative models themselves. The greatest inherent risk tied directly to generative AI adoption is the possibility of violating intellectual property rights.

According to AAISM study guidance, the most direct and effective way to obtain large volumes of diverse data for application testing is through open-source data repositories. These repositories provide freely available, well-documented, and often standardized data that supports testing and benchmarking in a compliant manner. Model cards document AI behavior but do not provide data. Incorporating search content may introduce legal, privacy, and quality risks. Data augmentation is useful for expanding existing sets but does not provide the breadth or size required when starting with insufficient data. The recommended best practice for sourcing large testing datasets is therefore the use of open-source repositories.