Pass the Isaca AI-Centric Security Management AAISM Questions and answers with CertsForce

AAISM governance practices emphasize automation as the most effective way to maintain comprehensive, accurate, and scalable data classification and inventory management. An automated data cataloging tool integrated with all repositories ensures continuous visibility, reduces human error, and supports regulatory compliance. Centralized teams and manual processes provide oversight but cannot achieve the same scale and consistency. Periodic audits detect issues but are reactive rather than proactive. For effective governance, the best solution is automated cataloging integrated across data repositories.

Business continuity and disaster recovery (BC/DR) exercises for AI must validate that critical AI components (feature stores, model registries, inference services, pipelines) operate within agreed recovery objectives during failover and restoration. Monitoring and evaluating model performance and stability during DR tests provides objective evidence that AI services remain functional, accurate, and reliable under contingency conditions, thereby validating the AI stack end-to-end.

Option A focuses on retraining during outages (a niche scenario) rather than validating service continuity for production inference. Option B is security testing, not BC/DR validation. Option C tests data loss handling but does not comprehensively validate AI service behavior across failover and recovery.

According to AAISM technical content, supervised learning models reduce false positives by learning from historical labeled data that distinguishes between legitimate activity and actual threats. This training enables the model to recognize patterns and improve its discrimination ability over time. Grouping patterns (A) describes clustering, an unsupervised method. Real-time feature engineering (B) and generating new labeled data (D) are advanced techniques but not the fundamental supervised learning approach. The essence of supervised learning is leveraging labeled data to minimize misclassification, including false positives.

AAISM recommends aligning AI adoption with organizational risk appetite by limiting blast radius, protecting sensitive data, and staging adoption in lower-risk domains first. Building a private LLM for non-critical functions preserves data control, enables tighter governance (access control, logging, evaluation), and confines any model errors away from safety- or mission-critical operations. A public LLM for critical functions (A) is misaligned with a high-assurance posture; buying open-market datasets (B) raises provenance and licensing risk; third-party access (C) can be appropriate but still introduces vendor/visibility limits and data residency concerns that may not meet aerospace security needs.

AAISM identifies supervised learning as involving:

• labeled categories

• ground-truth datasets

• model training with known outcomes

This aligns exactly with categorizing data and training on labeled datasets.

Reinforcement (B) involves reward feedback loops. Unsupervised (C) uses unlabeled data. "Machine learning" (D) is too broad and not a specific technique.

AAISM states that an AI management system policy provides organizational structure by:

• defining AI objectives

• aligning governance

• outlining accountability

• defining roles, responsibilities, and guiding principles

Regulatory compliance (C) is a part of governance but not the overall purpose. Accuracy (B) and environmental impact (A) are narrower focus areas.

AAISM’s technical control guidance emphasizes that when using open-source libraries, the best safeguard for integrity is to scan the packages for malware before installation. This ensures that compromised or malicious code does not enter the AI system environment. Maintaining lists aids consistency but not security. Always using the latest versions may introduce unverified vulnerabilities. Retraining models addresses functionality but not software integrity. Therefore, the strongest protective measure is pre-installation malware scanning of open-source packages.

Restricting access to sensitive data and artifacts (e.g., training data, feature stores, model weights, prompts, system designs) using least-privilege, segregation, encryption, and monitoring is the most effective way to protect trade secrets throughout the AI lifecycle. Patents require public disclosure, trademarks protect branding (not secrets), and output watermarks help provenance/abuse deterrence but do not secure underlying proprietary know-how.

AAISM identifies fairness constraints as a direct mechanism to mitigate and control model bias by embedding fairness requirements into optimization objectives during training.

Data augmentation (B) helps but is not a primary anti-bias control. Adversarial training (C) focuses on robustness, not fairness. Minimization (A) reduces data, often making bias worse.

According to AAISM technical controls, the element of security frameworks that directly safeguards output integrity is ensuring that bias-related risks are maintained within acceptable ranges. This ensures that AI results remain consistent, fair, and reliable, preserving trust in outputs. Ethical awareness, architectural disclosure, and legal responsibilities are governance practices but do not directly secure output integrity. Output integrity is primarily protected through bias management and ongoing evaluation of fairness and accuracy.