Pass the Isaca AI-Centric Security Management AAISM Questions and answers with CertsForce

In AAISM governance guidance, risk documentation is described as the structured record that defines the organization’s risk appetite and tolerance levels for AI initiatives. By outlining acceptable levels of risk, documentation ensures decision-makers can approve, monitor, and adjust AI projects within defined boundaries. While it may also serve audit functions, technical analysis, or communication to stakeholders, its primary role is to formalize risk acceptance thresholds and integrate them into governance and decision-making. This aligns directly with the governance requirement to align AI adoption with organizational risk appetite.

AAISM identifies executive sponsorship and senior management buy-in as the foremost success factor for AI initiatives. It secures resources, resolves cross-functional conflicts, sets risk appetite, and enforces adherence to governance and controls. Model cards (A), risk registers (B), and lifecycle data mapping (C) are vital practices within the program, but without top-level commitment, adoption, funding, and accountability often fail.

AAISM prioritizes preventive controls at the point of use for generative AI, specifically input-governance and DLP controls that block or redact confidential, regulated, or high-risk data before it can be sent to external models. Audits, pre-deployment tests, and regulatory conformance are necessary but do not themselves prevent an employee from pasting sensitive content into prompts. Enforcing input restrictions, pattern-based redaction, policy-aware controls, and allow-lists for approved contexts provides the highest assurance of preventing exposure.

The AAISM study materials highlight that AI-powered security tools provide the greatest benefit by reducing false positives in monitoring and access control systems. This improves efficiency, prevents alert fatigue, and enables security teams to focus on true threats. While timely analysis and incident response are benefits, they are not unique to AI-based tools and can be achieved with traditional methods. AI also does not remove the need for data classification, as classification underpins governance and compliance. The standout advantage is the improved accuracy and reduced false positives provided by AI.

AAISM notes that high-security industries (e.g., aerospace) should prefer private, controlled environments with restricted data exposure. Developing a private LLM for non-critical workloads minimizes operational and security risk while enabling innovation.

Public LLMs for critical functions (C) violate safety expectations. Purchased datasets (D) introduce unknown provenance. Outsourcing (B) increases third-party risk.

AAISM explains that prompt injection attacks are best mitigated by:

• strict input validation

• templated prompts

• controlled context windows

• guardrail enforcement

These prevent malicious instructions from overriding system prompts.

Audits (A) are periodic, not preventive. Manual review (B) is not scalable. Monitoring (D) detects issues but does not block injection.