Pass the Isaca AI-Centric Security Management AAISM Questions and answers with CertsForce

AAISM prescribes risk-based, human-in-the-loop orchestration for safety-critical or regulated actions. A tiered automation strategy that gates autonomy by incident severity, data sensitivity, and regulatory requirements ensures accountability, auditability, and proportionality, satisfying governance obligations. Full autonomy (A) risks non-compliance; simply mirroring legacy workflows (B) may not meet current obligations; broad auto-containment (C) lacks necessary oversight controls.

AAISM stresses AI-specific change management as essential for vendor-driven or system-driven updates. Proper change control includes:

• impact assessments

• ethical review

• risk evaluation

• approval checkpoints

• rollback plans

An MSA (A) supports contracts but does not manage operational change. Shared responsibility (C) describes roles, not change control. Data minimization (D) reduces exposure but doesn't control model updates.

The AAISM framework identifies intellectual property (IP) violations as the most significant inherent risk in deploying generative AI. These systems often rely on large-scale internet data for training, which may inadvertently contain copyrighted or proprietary material. This creates legal and reputational exposure when outputs reproduce or reference protected content. While employee training gaps, asset vulnerabilities, and ROI concerns are relevant risks, they are not inherent to generative models themselves. The greatest inherent risk tied directly to generative AI adoption is the possibility of violating intellectual property rights.

AAISM emphasizes that the primary value of AI security risk assessments is prioritizing risks based on likelihood, impact, and business relevance.

Updating the register (A) is administrative. Privacy controls (B) are one category of mitigation. Funding (D) is possible but not the primary purpose.

AAISM guidance states that when adopting AI, the most important step is to conduct a risk assessment and update the enterprise risk register. This ensures AI-specific risks are identified, documented, and integrated into the organization’s existing governance structures. Benchmarking peers provides context but does not address internal risk. Implementing methodologies and frameworks are important, but they precede or follow the assessment process. The decisive step that connects adoption to enterprise risk governance is updating the risk register with AI-specific risks.

AAISM states that the strongest control against bias is ensuring representative, diverse, and inclusive training data. This directly minimizes skew and systemic underrepresentation.

Complex architectures (B) do not reduce bias and may exacerbate it. Reducing updates (C) increases drift. More labels (D) improves supervision quality but does not inherently solve bias if the data itself is skewed.

Bias in AI models primarily stems from limitations or imbalances in training data. The AAISM study materials emphasize that the most effective way to mitigate this risk is through diverse data sourcing strategies that ensure coverage across demographics, scenarios, and contexts. Access controls protect data security, not fairness. Data reconciliation ensures accuracy but does not address representational imbalance. Cryptographic hashing preserves integrity but has no impact on bias mitigation. To reduce systemic unfairness, the critical control is sourcing diverse and representative data.

Hidden triggers are adversarial backdoors planted in AI models, activated only by specific inputs. The AAISM materials specify that the best mitigation is to use adversarial training, which deliberately exposes the model to potential trigger inputs during training so it can learn to neutralize or resist them. Retraining with diverse data reduces bias but does not address hidden triggers. Differential privacy is focused on privacy preservation, not adversarial resilience. Monitoring outputs can help with detection but is reactive rather than preventative. The proactive solution highlighted in the study guide is adversarial training.

The AAISM governance framework notes that in multi-party AI ecosystems, the greatest challenge is ensuring clear accountability for AI outputs. When models from different parties interact, responsibility for errors, bias, or harmful recommendations can be unclear, leading to disputes and compliance gaps. While aggregate risk assessment and error identification are significant, they are secondary to the fundamental governance requirement of establishing transparent lines of responsibility. Without defined accountability, no stakeholder can reliably manage or mitigate risks. Therefore, the greatest challenge in such a distributed architecture is responsibility for AI outputs.

Per AAISM’s ML lifecycle controls, hyperparameter tuning is performed on the validation set, reserving the test set strictly for final, unbiased performance estimation. The training set is used to fit parameters; the validation set guides model selection and hyperparameter optimization; the test set is untouched until the end to prevent leakage and optimistic bias. “Configuration” is not a dataset type in the lifecycle split.