Pass the Isaca AI-Centric Security Management AAISM Questions and answers with CertsForce

AAISM defines data poisoning as the intentional manipulation of training data so that the learned model behaves incorrectly (e.g., skewed lending approvals/denials) while appearing valid. The correct simulation in red-team exercises is to corrupt or seed the training set with adversarial examples or mislabeled records to induce biased or erroneous decision boundaries. Encrypting inputs (A) is unrelated; output noise (B) describes perturbation of predictions, not training; model weight theft (C) is model extraction, not poisoning.

When AI systems make consequential decisions over sensitive data, AAISM requires explicit performance thresholds tied to decision quality—i.e., accuracy (and related error/false-rate limits) aligned to business risk appetite and regulatory expectations. Availability and latency are important service metrics, but decision integrity and error bounds are primary risk drivers in sensitive contexts. Establishing, monitoring, and enforcing minimum accuracy thresholds (with subgroup performance checks) is essential to reduce harm, ensure fairness/compliance, and support auditability.

Bias in AI models primarily stems from limitations or imbalances in training data. The AAISM study materials emphasize that the most effective way to mitigate this risk is through diverse data sourcing strategies that ensure coverage across demographics, scenarios, and contexts. Access controls protect data security, not fairness. Data reconciliation ensures accuracy but does not address representational imbalance. Cryptographic hashing preserves integrity but has no impact on bias mitigation. To reduce systemic unfairness, the critical control is sourcing diverse and representative data.

An AI impact assessment is a governance instrument that must address potential impacts on people and society, including environmental and societal consequences. This review determines downstream effects (e.g., fairness, safety, rights, sustainability) before and during deployment, supporting accountability and compliance. While TEVV activities (testing, evaluation, validation, verification) and security control self-assessments are integral to assurance and security management, the defining obligation of an impact assessment is to evaluate potential societal and environmental outcomes and associated mitigations. Model reproducibility is a technical quality attribute but is not the mandatory core of an impact assessment.