AAISM Exam Dumps - Isaca AI-Centric Security Management Questions and Answers

AAISM identifies fairness constraints (e.g., constrained optimization, debiasing objectives, conditional generation controls, and post-processing calibrations) as the most direct, measurable method to mitigate disparate outcomes in generative systems. While data augmentation can help with coverage, and adversarial training improves robustness, fairness constraints explicitly target distributional fairness and outcome equity in generated content, aligning with governance and compliance goals.

Third-party audit reports provide independent assurance that the vendor’s stated controls are designed and operating effectively against recognized criteria. Such attestations (e.g., audit/assurance frameworks) are traceable, repeatable, and verifiable, and they support supply-chain risk reviews and contractual assurance. Internal red-team reports are not independent, industry “peer reviews” are not control attestations, and whitepapers are marketing/educational materials without evidence of control operation.

AAISM defines data poisoning as directly capable of causing model drift because corrupted training data shifts the statistical distribution, leading to degraded or unsafe performance.

Model stealing (A) extracts model behavior but does not cause drift. Perfect knowledge (B) is an attacker capability, not an attack causing drift. Membership inference (D) attacks privacy, not performance.

Effective AI BCP requires validation through exercises and controlled failover tests to prove recovery objectives can be met in practice. Merely documenting backups (Option D), hardening access (Option B), or improving monitoring (Option A) does not confirm that the AI stack—data pipelines, feature stores, model registries, inference services, and dependent infrastructure—can actually fail over and recover within RTO/RPO. AAISM prescribes periodic BCP/DR testing (including model artifact restoration, configuration reconstitution, dependency failover, and data pipeline continuity) to verify readiness and identify gaps before real incidents.

The model card is a governance artifact that communicates intended use, performance characteristics, limitations, fairness considerations, and ethical notes of an ML model.

AAISM governance materials highlight that stakeholder trust comes from transparency and explainability. While hyperparameters and data quality controls are technical details, they lack stakeholder-facing clarity. Model prototyping is part of development but not a governance record.

Model cards are explicitly recommended to:

Provide explainability and context for decision-making.

Demonstrate governance, transparency, and compliance.

Enable stakeholders (regulators, auditors, business leaders) to trust the system.

Therefore, the model card is the artifact that best enhances trust.

AAISM emphasizes that the right to audit is the most critical contractual safeguard when outsourcing AI services. This allows the contracting organization to independently verify that the vendor is applying appropriate protections to training data, meeting compliance obligations, and upholding privacy requirements. Pseudonymization is a technical method, monitoring is operational, and certifications provide external assurance, but none give the direct, enforceable oversight that audit rights provide. In vendor contracts, the right to audit is the primary safeguard for data protection and governance.

In the operational phase, AAISM emphasizes continuous monitoring of models for performance, stability, robustness, drift, data quality, security events, and policy compliance. This includes telemetry, thresholds, alerts, incident response for AI failures, and evidence collection for audits. Alignment to business needs is established earlier in planning/governance; algorithmic optimization and feedback collection are supporting activities, but the primary operational objective is live monitoring and assurance to keep risk within tolerance.

The most effective SOC application of AI is in detecting subtle, hard-to-find attack patterns that reduce false negatives.

AAISM technical control guidance notes that AI in SOCs is best applied to:

Enhance detection accuracy and sensitivity to anomalies.

Assist analysts in identifying hidden patterns that traditional rule-based systems miss.

Augment—not replace—human decision-making for high-confidence outcomes.

Options B and C incorrectly shift responsibility entirely to AI, which contradicts governance principles requiring human oversight. Option D is useful for efficiency, but the primary effectiveness comes from improving detection quality.

Therefore, the most effective use is to reduce false negatives and detect subtle attacks.

AAISM frameworks highlight output-based controls, including output filtering, restriction validation, and policy-aligned guardrails as primary defenses for AI agents with high privileges. Ensuring the agent does not output unauthorized instructions or sensitive data directly mitigates misuse.

Allowing user configuration (B) increases risk. Prohibiting manipulation entirely (C) is impractical. Reducing human oversight (D) increases system abuse potential.

AAISM highlights fine-tuning foundational models as one of the most effective strategies for reducing hallucination risk. By tailoring the model with domain-specific, curated, and verified datasets, organizations can reduce the frequency of irrelevant or fabricated outputs. Testing and validation help evaluate risks but do not directly minimize hallucinations. Training on larger datasets may improve generalization but does not guarantee accuracy. Developer training in AI risk supports governance but is not a technical control against hallucinations. The best mitigation is fine-tuning to align the chatbot with trusted, context-specific knowledge.