Free Practice Questions for Isaca AAISM Exam

Answer : A

According to AAISM lifecycle management guidance, the best justification for disabling an AI system immediately is the detection of excessive model drift. Drift results in outputs that are no longer reliable, accurate, or aligned with intended purpose, creating significant risks. Performance slowness and overly detailed outputs are operational inefficiencies but not critical shutdown triggers. Insufficient training should be addressed before deployment rather than after. The trigger for immediate deactivation in production is excessive drift compromising reliability.

AAISM Exam Content Outline -- AI Governance and Program Management (Model Drift Management)

AI Security Management Study Guide -- Disabling AI Systems

Answer : A

AAISM materials identify explainability and transparency as the greatest challenge when models operate as ''black boxes'' where inner logic is opaque. Inability to interpret how results are produced undermines the trust of business users, customers, regulators, and auditors. Explainability is emphasized as a critical governance requirement, because without it, ethical validation, accountability, and regulatory compliance are at risk. Assigning risk owners or measuring transaction times are operational concerns, but they do not address the core trust deficit caused by lack of visibility. The greatest challenge in this situation is therefore the loss of end-user trust due to insufficient explainability.

AAISM Study Guide -- AI Governance and Program Management (Transparency and Explainability)

ISACA AI Security Management -- Ethical and Trust Considerations

Answer : A

The AAISM framework specifies that the primary metric of effectiveness in vendor management is the vendor's compliance with AI-related requirements defined in contracts and governance frameworks. This provides measurable assurance that vendors adhere to agreed-upon privacy, security, and ethical standards. Reviews of threat reports, training results, or research participation are supplemental and may support continuous improvement, but they do not establish compliance accountability. Governance requires a direct focus on whether contractual and regulatory obligations are being fulfilled. Therefore, vendor compliance with AI requirements is the most important monitoring focus.

AAISM Study Guide -- AI Risk Management (Third-Party Risk Oversight)

ISACA AI Security Management -- Vendor Compliance Monitoring

Answer : B

AAISM study materials stress that weak access controls are the most easily exploited vulnerability in AI systems. Without strong access restrictions, adversaries can directly query, extract, manipulate, or overload models, leading to data leakage or compromised outputs. While inaccurate generalizations, DoS vulnerabilities, or susceptibility to input manipulation are serious, they typically require more effort or specific conditions. Weak access control provides the most direct and immediate entry point for attackers. As such, it is identified as the most easily exploited vulnerability.

AAISM Exam Content Outline -- AI Risk Management (Access and Authentication Vulnerabilities)

AI Security Management Study Guide -- Exploitable Weaknesses in AI Systems

Answer : C

In AI governance frameworks, credit scoring is treated as a high-risk application. For such systems, the highest-priority safeguard is human oversight to ensure fairness, accountability, and prevention of bias in automated decisions.

The AI Security Management (AAISM) domain of AI Governance and Program Management emphasizes that high-impact AI systems require explicit governance structures and human accountability. Human-in-the-loop design ensures that final decisions remain the responsibility of human experts rather than being fully automated. This is particularly critical in financial contexts, where biased outputs can affect individuals' access to credit and create compliance risks.

Official ISACA AI governance guidance specifies:

High-risk AI systems must comply with strict requirements, including human oversight, transparency, and fairness.

The purpose of human oversight is to reduce risks to fundamental rights by ensuring humans can intervene or override an automated decision.

Bias controls are strengthened by requiring human review processes that can analyze outputs and prevent unfair discrimination.

Why other options are not the highest priority:

A . Regular updates improve accuracy but do not guarantee fairness or ethical decision-making. Model drift can introduce new bias if not governed properly.

B . Appeals mechanisms are important for accountability, but they operate after harm has occurred. Governance frameworks emphasize prevention through human oversight in the decision loop.

D . Restricting criteria to ''objective metrics'' is insufficient, as even objective data can contain hidden proxies for protected attributes. Bias mitigation requires monitoring, testing, and human oversight, not only feature restriction.

AAISM Domain Alignment:

Domain 1 -- AI Governance and Program Management: Ensures accountability, ethical oversight, and governance structures.

Domain 2 -- AI Risk Management: Identifies and mitigates risks such as bias, discrimination, and lack of transparency.

Domain 3 -- AI Technologies and Controls: Provides the technical enablers for implementing oversight mechanisms and bias detection tools.

Reference from AAISM and ISACA materials:

AAISM Exam Content Outline -- Domain 1: AI Governance and Program Management (roles, responsibilities, oversight).

ISACA AI Governance Guidance (human oversight as mandatory in high-risk AI applications).

Bias and Fairness Controls in AI (human review and intervention as a primary safeguard).