Free ISACA AAISM Exam Questions (page: 5)

Which of the following should be done FIRST when developing an acceptable use policy for generative AI?

  A. Determine the scope and intended use of AI
  B. Review AI regulatory requirements
  C. Consult with risk management and legal
  D. Review existing company policies

Answer(s): A

Explanation:

According to the AAISM framework, the first step in drafting an acceptable use policy is defining the scope and intended use of the AI system. This ensures that governance, regulatory considerations, risk assessments, and alignment with organizational policies are all tailored to the specific applications and functions the AI will serve. Once scope and intended use are clearly defined, legal, regulatory, and risk considerations can be systematically applied. Without this step, policies risk being generic and misaligned with business objectives.


Reference:

AAISM Study Guide - AI Governance and Program Management (Policy Development Lifecycle)

ISACA AI Governance Guidance - Defining Scope and Use Priorities



A model producing contradictory outputs based on highly similar inputs MOST likely indicates the presence of:

  A. Poisoning attacks
  B. Evasion attacks
  C. Membership inference
  D. Model exfiltration

Answer(s): B

Explanation:

The AAISM study framework describes evasion attacks as attempts to manipulate or probe a trained model during inference by using crafted inputs that appear normal but cause the system to generate inconsistent or erroneous outputs. Contradictory results from nearly identical queries are a typical symptom of evasion, as the attacker is probing decision boundaries to find weaknesses. Poisoning attacks occur during training, not inference; membership inference relates to exposing whether specific data was part of the training set; and model exfiltration involves extracting proprietary parameters or architecture. Contradictory outputs from similar queries therefore align most directly with the definition of evasion attacks in AAISM materials.


Reference:

AAISM Study Guide - AI Technologies and Controls (Adversarial Machine Learning and Attack Types)

ISACA AI Security Management - Inference-time Attack Scenarios



Which of the following recommendations would BEST help a service provider mitigate the risk of lawsuits arising from generative AI's access to and use of internet data?

  A. Activate filtering logic to exclude intellectual property flags
  B. Disclose service provider policies to declare compliance with regulations
  C. Appoint a data steward specialized in AI to strengthen security governance
  D. Review log information that records how data was collected

Answer(s): A

Explanation:

The AAISM materials highlight that one of the primary legal risks with generative AI systems is the unauthorized use of copyrighted or intellectual property-protected data drawn from internet sources. To mitigate lawsuits, the most effective recommendation is to implement filtering logic that actively excludes data flagged for intellectual property risks before ingestion or generation.
While disclosing compliance policies, appointing governance roles, or reviewing logs are supportive measures, they do not directly prevent the core liability of using restricted content. The study guide explicitly emphasizes that proactive filtering and data governance controls are the most effective safeguards against legal disputes concerning content origin.


Reference:

AAISM Exam Content Outline - AI Risk Management (Legal and Intellectual Property Risks)

AI Security Management Study Guide - Generative AI Data Governance



Which of the following is the BEST approach for minimizing risk when integrating acceptable use policies for AI foundation models into business operations?

  A. Limit model usage to predefined scenarios specified by the developer
  B. Rely on the developer's enforcement mechanisms
  C. Establish AI model life cycle policy and procedures
  D. Implement responsible development training and awareness

Answer(s): C

Explanation:

The AAISM guidance defines risk minimization for AI deployment as requiring a formalized AI model life cycle policy and associated procedures. This ensures oversight from design to deployment, covering data handling, bias testing, monitoring, retraining, decommissioning, and acceptable use. Limiting usage to developer-defined scenarios or relying on vendor mechanisms transfers responsibility away from the organization and fails to meet governance expectations. Training and awareness support cultural alignment but cannot substitute for structured lifecycle controls. Therefore, the establishment of a documented lifecycle policy and procedures is the most comprehensive way to minimize operational, compliance, and ethical risks in integrating foundation models.


Reference:

AAISM Study Guide - AI Governance and Program Management (Model Lifecycle Governance)

ISACA AI Security Guidance - Policies and Lifecycle Management



Which of the following metrics BEST evaluates the ability of a model to correctly identify all true positive instances?

  A. F1 score
  B. Recall
  C. Precision
  D. Specificity

Answer(s): B

Explanation:

AAISM technical coverage identifies recall as the metric that specifically measures a model's ability to capture all true positive cases out of the total actual positives. A high recall means the system minimizes false negatives, ensuring that relevant instances are not overlooked. Precision instead measures correctness among predicted positives, specificity focuses on true negatives, and the F1 score balances precision and recall but does not by itself indicate the completeness of capturing positives. The official study guide defines recall as the most direct metric for evaluating how well a model identifies all relevant positive cases, making it the correct answer.
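To make the distinction between the four metrics concrete, the following is an added worked example (not from the AAISM study guide or ISACA materials). It builds a confusion matrix from constructed label and prediction lists for a binary detector and computes recall, precision, specificity and F1, so the effect described above is visible in numbers: a conservative detector that misses half of the positives keeps perfect precision and specificity but only 0.5 recall, while an aggressive detector that finds every positive reaches 1.0 recall at the cost of false alarms. The sample data and detector names are constructed for illustration.

```python
"""Confusion-matrix metrics for a binary classifier.

Added worked example, not taken from the AAISM study guide. All labels and
predictions below are constructed sample data (1 = positive/malicious,
0 = negative/benign).
"""
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class ConfusionMatrix:
    tp: int  # true positives: actual positives the model flagged
    fp: int  # false positives: negatives the model wrongly flagged
    tn: int  # true negatives: negatives correctly left alone
    fn: int  # false negatives: positives the model missed


def confusion_matrix(y_true: Sequence[int], y_pred: Sequence[int]) -> ConfusionMatrix:
    """Tally the four cells of the confusion matrix from paired labels."""
    if len(y_true) != len(y_pred):
        raise ValueError("y_true and y_pred must have the same length")
    tp = fp = tn = fn = 0
    for truth, pred in zip(y_true, y_pred):
        if truth and pred:
            tp += 1
        elif not truth and pred:
            fp += 1
        elif not truth and not pred:
            tn += 1
        else:
            fn += 1
    return ConfusionMatrix(tp, fp, tn, fn)


def _ratio(numerator: float, denominator: float) -> float:
    """Safe division: a metric with an empty denominator is reported as 0.0."""
    return numerator / denominator if denominator else 0.0


def recall(cm: ConfusionMatrix) -> float:
    """Share of all actual positives that the model found (completeness)."""
    return _ratio(cm.tp, cm.tp + cm.fn)


def precision(cm: ConfusionMatrix) -> float:
    """Share of predicted positives that really are positive (correctness)."""
    return _ratio(cm.tp, cm.tp + cm.fp)


def specificity(cm: ConfusionMatrix) -> float:
    """Share of all actual negatives that the model correctly left alone."""
    return _ratio(cm.tn, cm.tn + cm.fp)


def f1(cm: ConfusionMatrix) -> float:
    """Harmonic mean of precision and recall; balances the two, reveals neither."""
    p, r = precision(cm), recall(cm)
    return _ratio(2 * p * r, p + r)


def metrics(y_true: Sequence[int], y_pred: Sequence[int]) -> Dict[str, float]:
    """Compute all four metrics for one set of predictions."""
    cm = confusion_matrix(y_true, y_pred)
    return {
        "recall": recall(cm),
        "precision": precision(cm),
        "specificity": specificity(cm),
        "f1": f1(cm),
    }


# Constructed ground truth: 10 events, the first 4 are malicious.
Y_TRUE = [1, 1, 1, 1, 0, 0, 0, 0, 0, 0]
# Constructed "conservative" detector: never raises a false alarm, misses 2 of 4 positives.
Y_PRED_CONSERVATIVE = [1, 1, 0, 0, 0, 0, 0, 0, 0, 0]
# Constructed "aggressive" detector: catches all 4 positives, adds 2 false alarms.
Y_PRED_AGGRESSIVE = [1, 1, 1, 1, 1, 1, 0, 0, 0, 0]

if __name__ == "__main__":
    for name, preds in (("conservative", Y_PRED_CONSERVATIVE),
                        ("aggressive", Y_PRED_AGGRESSIVE)):
        print(name, {k: round(v, 3) for k, v in metrics(Y_TRUE, preds).items()})
```

Only recall moves from 0.5 to 1.0 between the two detectors in step with how many of the actual positives were found; precision and specificity fall as false alarms are added, and F1 rises but would not on its own tell you whether the gain came from fewer misses or fewer false alarms.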


Reference:

AAISM Study Guide - AI Technologies and Controls (Evaluation Metrics and Model Performance)

ISACA AI Security Management - Model Accuracy and Completeness Assessments


