AAISM Exam Dumps - Isaca AI-Centric Security Management Questions and Answers

AAISM identifies robust data validation and anomaly detection on incoming training data as the primary defense against data poisoning. These controls detect corrupted, manipulated, or adversarial samples before they enter the training pipeline.

Diverse data (A) is helpful but not protective against poisoning. More complexity (B) does not mitigate poisoning and can worsen vulnerability. More features (D) increases attack surface.

AAISM identifies the operational phase as the stage where the AI system is actively deployed and requires continuous monitoring of performance, drift, security, and reliability.

Business alignment (B) belongs to planning and design. Optimization (A) and user feedback (D) are part of development or improvement cycles, not primary operational objectives.

AAISM explains that secure aggregation ensures the server only sees aggregated model updates—not individual client contributions—so privacy is preserved even if the server is breached.

Encryption (A) is semi-correct but still allows the server to decrypt. Differential privacy (B) is separate. Isolation (D) does not guarantee confidentiality.

For regulated data such as patient information, AAISM requires provable data lifecycle closure at decommissioning. The authoritative evidence is a certificate of destruction (covering primary, replicas, backups, and caches) retained per the organization’s records retention policy. While testing backups and auditing access (A), updating policies (B), and doing post-destruction risk assessment (C) are valuable practices, documented destruction attestation is the primary compliance proof point that the data was disposed of in accordance with regulatory and contractual obligations.

AAISM prescribes risk-based, human-in-the-loop orchestration for safety-critical or regulated actions. A tiered automation strategy that gates autonomy by incident severity, data sensitivity, and regulatory requirements ensures accountability, auditability, and proportionality, satisfying governance obligations. Full autonomy (A) risks non-compliance; simply mirroring legacy workflows (B) may not meet current obligations; broad auto-containment (C) lacks necessary oversight controls.

According to AAISM, decision trees provide the highest explainability because their structure clearly shows how inputs map to decisions. This is essential in HR applications subject to fairness, bias, and compliance requirements.

SVMs (A) and gradient boosting (D) are less interpretable. Neural networks (B) are explicitly listed as low-explainability models.

AAISM materials specify that the composition of an AI red team must be tailored to the organization’s AI use cases. The purpose of red-teaming is to simulate realistic adversarial conditions aligned with the actual applications of AI. For example, testing a generative model requires different expertise than testing a fraud detection system. While resource availability, compliance requirements, and time-to-market pressures are practical considerations, they are secondary to aligning team expertise with use case scenarios. The most important factor is therefore the AI use cases themselves.

AAISM’s technical control guidance emphasizes that when using open-source libraries, the best safeguard for integrity is to scan the packages for malware before installation. This ensures that compromised or malicious code does not enter the AI system environment. Maintaining lists aids consistency but not security. Always using the latest versions may introduce unverified vulnerabilities. Retraining models addresses functionality but not software integrity. Therefore, the strongest protective measure is pre-installation malware scanning of open-source packages.

AAISM emphasizes that the primary objective of responsible AI is to establish and maintain trust in AI-driven decisions and predictions. Trust is achieved through transparency, accountability, fairness, and governance. While confidentiality and integrity are critical technical objectives, they are not the overarching purpose of responsible AI service provision. Autonomy and learning ability are features of AI, but without trust, adoption and compliance falter. The correct answer is that responsible AI services must focus on building trust in AI outcomes.

When setting RPOs and RTOs for AI systems, especially generative AI, the critical factor is the restoration of training data and model artifacts within the recovery window. Without this, restored systems may function inaccurately or incompletely, undermining business continuity.

AAISM risk management principles emphasize:

Recovery objectives must align with data protection requirements for both training and inference data.

The ability to restore large-scale training datasets is primary, since downtime without them leads to operational and compliance risks.

Computational efficiency and hardware consistency are secondary considerations, but not the primary drivers of RPO/RTO definitions.

Thus, ensuring backup and restore capabilities of training datasets directly within RTO is the primary requirement.