AAIR Exam Dumps - Isaca AI Risk Questions and Answers

AI supply chain risk arises when external models or datasets are tampered with, have undisclosed characteristics, or cannot be traced to trusted origins. End-to-end provenance and audit trails address these risks by enabling verification of integrity and origin at every stage of the supply chain.

Why A is Correct: According to ISACA AAIR supply chain risk management guidance, verifiable provenance and audit trails are the most important supply chain protection mechanism. Provenance documentation traces the origin, handling, and transformation history of every externally sourced AI artifact—enabling the organization to verify that models and datasets have not been tampered with, that data sources are legitimate, and that the supply chain has not been compromised. Without provenance, organizations cannot distinguish trustworthy from compromised artifacts.

Why B is Wrong: Indemnity clauses assign financial liability after harm occurs. They provide legal recourse but do not prevent supply chain attacks or help the organization verify artifact integrity before deployment.

Why C is Wrong: Training method documentation provides useful technical context but does not verify that the actual artifacts delivered match the documentation. Documentation can be falsified; provenance verification with cryptographic integrity checks cannot.

Why D is Wrong: A vendor risk manager provides governance oversight and relationship management. While important for managing vendor relationships, a single contact point does not substitute for technical provenance verification of every artifact in the supply chain.

AI model reproducibility—the ability to recreate identical or near-identical outputs in different environments—depends on having access to the exact training data, model weights, and configurations used to produce a given model version. Training dataset snapshots are foundational to this capability.

Why B is Correct: The ISACA AAIR model documentation and auditability guidance identifies capturing and archiving complete training dataset snapshots as essential for reproducibility. To reproduce a model's outputs in another environment, the development team must be able to reconstruct the exact training conditions—including the precise dataset used. Without archived snapshots, datasets evolve and the original training conditions become impossible to recreate.

Why A is Wrong: Manual review of outputs validates accuracy for a specific deployment but does not address reproducibility across environments. Manual review cannot substitute for the technical artifacts needed to recreate a model.

Why C is Wrong: Continuous performance monitoring detects behavioral changes in production but does not enable reproduction of the model in alternative environments. Monitoring is forward-looking, while reproducibility is about reconstructing past conditions.

Why D is Wrong: AI-specific change management processes control how models are modified and deployed but do not capture the training artifacts needed for environmental reproduction. Change management governs transitions; reproducibility requires data preservation.

Multi-jurisdictional AI deployment requires jurisdiction-specific compliance strategies because privacy and data protection laws vary significantly across countries. A one-size-fits-all approach frequently fails to meet local requirements, while post-deployment remediation creates legal exposure during the gap period.

Why B is Correct: According to ISACA AAIR guidance, the best approach to multi-jurisdictional compliance is to tailor controls to each relevant statutory framework before deployment and maintain audit trails that demonstrate adherence. This proactive, documented approach reduces legal exposure, satisfies regulatory examination requirements, and enables the organization to demonstrate accountability—a key requirement of frameworks like GDPR.

Why A is Wrong: Post-deployment remediation means the organization is non-compliant during deployment, which creates immediate regulatory exposure. Iterative fixes after harm has occurred are inadequate for protecting individuals or the organization.

Why C is Wrong: Uniform global policies cannot satisfy jurisdictions with conflicting requirements—some laws mandate data residency within borders, making cross-border transfer impossible regardless of encryption strength.

Why D is Wrong: Restricting disclosure of model operations conflicts with transparency requirements embedded in many privacy laws, including GDPR's right to explanation. IP protection cannot override regulatory disclosure obligations.

Control selection for AI systems requires balancing the effectiveness and cost of proposed controls against the potential losses or harms the controls are designed to prevent. This cost-benefit analysis ensures resources are allocated proportionately to risk reduction value.

Why C is Correct: The ISACA AAIR control selection guidance identifies the cost-benefit analysis of control effectiveness versus potential business losses as the most important mitigation control determination factor. Implementing controls that cost more than the risk they mitigate represents inefficient risk management; failing to implement cost-effective controls that prevent large losses represents inadequate risk management. This proportionality assessment is the foundation of risk-based control selection.

Why A is Wrong: Risk awareness training is an important enabler of effective risk management but is an organizational capability development activity rather than a control selection criterion. Training supports controls but does not determine which controls to implement.

Why B is Wrong: Control performance baselines and compliance reporting requirements are governance and compliance management activities. While necessary for control monitoring, they describe how controls are measured after selection, not how controls are selected in the first place.

Why D is Wrong: Computational complexity is a technical characteristic of the AI system that influences implementation considerations but is not the primary driver of control selection. The most computationally complex system still requires controls proportionate to its risk profile, not its technical architecture.

AI-driven technical support systems rely on accurate, current knowledge to resolve user issues. Model drift causes the system to diverge from real-world conditions, producing inaccurate outputs that erode user trust, increase escalations, and potentially cause harm if incorrect technical guidance is followed.

Why A is Correct: According to ISACA AAIR validation guidance, inaccurate outputs from model drift represent the greatest risk in a technical support AI because they directly compromise the system's core function—providing correct technical guidance. Inaccurate outputs lead to unresolved issues, potential system damage from wrong instructions, and reputational harm. Unlike the other options, drift-driven inaccuracy affects every user interaction and cannot be remediated without model updates.

Why B is Correct Context: Infrequent training dataset updates are a contributing cause of model drift and are a serious concern, but they are an input factor rather than the manifest risk itself. The concern is the resulting inaccuracy.

Why C is Wrong: Encryption is a security control for data in storage and transit. While important for confidentiality, it does not affect the accuracy of AI outputs or the system's ability to provide correct technical guidance.

Why D is Wrong: Excessive manual sampling is a testing methodology concern that may reduce testing coverage efficiency. However, it represents a process inefficiency rather than a direct risk to output quality—the model's accuracy is the greater concern.

Data poisoning attacks involve malicious modification of training data to degrade model performance or introduce backdoors. With multiple external data sources, the attack surface for introducing poisoned data is broad and requires proactive, continuous detection at the ingestion stage.

Why B is Correct: The ISACA AAIR adversarial AI guidance identifies continuous monitoring and anomaly detection at the data ingestion pipeline as the most effective defense against data poisoning. By monitoring incoming data in real time for statistical anomalies, unexpected distributions, or known poisoning patterns, organizations can detect and block malicious data before it contaminates training datasets. This preventive approach is superior to reactive detection after poisoning has occurred.

Why A is Wrong: Reactive data integrity reviews triggered by model drift occur after poisoning has already affected model behavior. By this stage, the model may have been deployed and made harmful decisions. Prevention during ingestion is superior to post-drift investigation.

Why C is Wrong: Model code and deployment artifact controls address security of the software pipeline but do not protect training data from external poisoning. Data integrity requires data-layer controls, not code security.

Why D is Wrong: Regularization reduces overfitting to training noise but does not detect or prevent deliberate poisoning attacks. A sufficiently targeted poisoning attack can introduce systematic bias that regularization techniques cannot mitigate.

API integration with external AI services creates data transmission pathways between the organization and external systems. Customer support contexts involve sensitive personal data—account information, contact details, inquiry content—that may be transmitted through these API connections.

Why B is Correct: The ISACA AAIR security and privacy guidance identifies unauthorized disclosure of sensitive data through insecure API connections as the greatest risk in multi-service AI integration. APIs can be vulnerable to interception, inadequate authentication, or misconfiguration. In a customer support context, exposure of personal data via API vulnerabilities creates privacy violations, regulatory liability, and reputational harm—all more severe than the other listed concerns.

Why A is Wrong: Bias and inaccuracy in chatbot responses are real quality risks but represent service quality issues rather than security or privacy breaches. Inaccurate responses are visible and correctable; data breaches may go undetected.

Why C is Wrong: Customer dissatisfaction from operational delays is a service quality and business risk. It is a manageable consequence of performance issues rather than the greatest risk from API-based AI integration.

Why D is Wrong: Insufficient training datasets affect model quality but are a development concern addressed during the model selection phase. They do not represent the primary operational risk of deploying multi-service API integrations in production.

AI models that learn from live data streams continuously update their parameters based on incoming data. This creates two specific risks: the model's behavior may drift from its validated state as data patterns change (data drift), and adversaries may deliberately introduce malicious data to manipulate the model's learning (data poisoning).

Why D is Correct: According to ISACA AAIR adaptive model risk guidance, implementing automated monitoring for both data drift and data poisoning is the most comprehensive response to live-learning model risks. Automated monitoring operates continuously at the speed of the data stream, detecting statistical changes in input distributions (drift signals) and anomalous data patterns (poisoning signals) in real time—enabling timely intervention before either risk materializes into harmful behavior.

Why A is Wrong: Defense-in-depth for model access controls who can interact with the model but does not address risks arising from the data the model learns from. Access controls are necessary but insufficient for managing adaptive learning risks.

Why B is Wrong: Restricting data sources reduces learning breadth, potentially undermining the model's adaptive capability that creates its value. Periodic inspections are too infrequent for live-learning systems where risks can emerge between inspection cycles.

Why C is Wrong: Dynamic performance thresholds detect output degradation after drift has occurred. While useful as a safety net, this reactive monitoring does not prevent drift or detect poisoning early enough for the live-learning risk context.

Threat actor profiling characterizes the motivations, capabilities, and likely attack methods of potential adversaries. In AI risk management, understanding who the likely attackers are and what they seek enables the design of controls specifically matched to the actual threat landscape.

Why B is Correct: According to ISACA AAIR threat-based risk management guidance, the most important reason for threat actor profiling is to tailor controls to adversary motivations and capabilities. Different threat actors—nation-state attackers, criminal organizations, competitors, insiders, activists—have different objectives (espionage vs. financial gain vs. disruption), capabilities (sophisticated vs. opportunistic), and methods. Controls calibrated to actual threat actor profiles are significantly more effective than generic controls that may not address the specific threats the organization actually faces.

Why A is Wrong: Aligning AI threats with IT control taxonomy is a governance integration activity that improves control consistency but does not capture the threat actor-specific tailoring value of profiling. Taxonomy alignment is an administrative benefit; threat-tailored controls are a security effectiveness benefit.

Why C is Wrong: Response metrics for cybersecurity incidents are developed for incident management planning. Threat actor profiling informs control design and incident response strategies but is not primarily used to develop response metrics.

Why D is Wrong: Prioritizing external threats over internal threats is a security strategy choice that threat actor profiling does not prescribe. Many AI attacks, including insider threats and social engineering, are internal. Profiling should result in appropriate prioritization based on actual threat likelihood, not a blanket prioritization of external threats.

AI governance across diverse applications requires frameworks flexible enough to accommodate varying risk profiles, regulatory environments, and operational contexts while maintaining consistent governance standards. Rigid or overly centralized approaches reduce operational effectiveness.

Why B is Correct: The ISACA AAIR framework advocates for adaptable governance frameworks that can be scaled and tailored to specific AI use cases. A risk-based, adaptable framework applies more rigorous controls to high-risk applications while allowing operational flexibility for lower-risk uses. This balance enables innovation while maintaining appropriate risk oversight—a core principle of proportionate AI governance.

Why A is Wrong: Single-regulation compliance focus creates compliance tunnel vision that may miss material risks not covered by that regulation. AI governance must address the full risk landscape, not just one regulatory framework.

Why C is Wrong: External consultants provide periodic independent assurance, not governance. Relying on external reviews for governance would be episodic rather than continuous, creating governance gaps between review cycles.

Why D is Wrong: Centralized decision-making creates operational bottlenecks and slows AI deployment. Effective governance delegates decision authority appropriately while maintaining oversight, rather than centralizing all decisions in a single function.