An organization implementing an LLM application sees unexpected cost increases due to excessive computational resource usage. Which vulnerability is MOST likely in need of mitigation?
Correct Answer: C
AAISM categorizes unbounded consumption (also known as "resource exhaustion" or "infinite queries") as an AI-specific vulnerability where attackers (or faulty prompts) trigger excessive computation, leading to high costs and degraded service. This aligns precisely with unexpected large compute bills. Excessive agency (A) refers to unsafe autonomy, while disclosure (B) and prompt leakage (D) do not relate to compute overuse. References: AAISM Study Guide - AI Abuse and Unbounded Consumption Risk.
Question 62
Which of the following is the MOST effective defense against cyberattacks that alter input data to avoid detection by the model?
Correct Answer: B
Evasion attacks manipulate inputs to induce misclassification while leaving the model unchanged. AAISM prescribes adversarial robustness controls, with adversarial training as a primary measure: incorporate adversarially perturbed examples into training/validation to harden decision boundaries and improve resilience across threat models (e.g., Lp-bounded perturbations). Monitoring (A) is detective, not preventive. Restricting parameter access (C) protects confidentiality but does not mitigate input-space attacks. Differential privacy (D) addresses training data leakage, not robustness to adversarial inputs. References: AI Security Management™ (AAISM) Body of Knowledge - Adversarial ML: Evasion vs. Poisoning; Robustness and Resilience Controls; Adversarial Training. AAISM Study Guide - Model Hardening Techniques; Evaluation of Robust Accuracy; Security Testing with Adversarial Examples.
Question 63
Which of the following approaches BEST enables the separation of sensitive and shareable data to prevent an AI chatbot from inadvertently disclosing confidential information?
Correct Answer: C
AAISM materials describe data segregation and segmented access as core technical controls to prevent unintended information disclosure by AI systems. Siloing refers to logically or physically separating data into distinct repositories or contexts, ensuring that sensitive datasets are not available to components or applications that only require non-sensitive information. This is directly aligned with preventing a chatbot from accessing or mixing confidential data with general conversational content. Zero Trust (A) is an overarching security architecture principle, focusing on identity and continuous verification; it does not by itself guarantee separation of data. Sandboxing (B) isolates processes but is less about fine-grained data separation. Containerization (D) packages applications and their dependencies, again not necessarily solving the specific problem of mixing sensitive and non-sensitive datasets. Siloing is explicitly highlighted as a way to prevent cross-context leakage in AI use cases. References: AI Security Management™ (AAISM) Study Guide - Technical Controls for AI Data Protection; Data Segregation and Access Boundaries.
Question 64
What is the PRIMARY purpose of a dedicated AI management system policy?
Correct Answer: D
AAISM states that an AI management system policy provides organizational structure by:
* defining AI objectives
* aligning governance
* outlining accountability
* defining roles, responsibilities, and guiding principles
Regulatory compliance (C) is a part of governance but not the overall purpose. Accuracy (B) and environmental impact (A) are narrower focus areas. References: AAISM Study Guide - AI Management System Policies; Governance Framework Requirements.
Question 65
A retail organization implements an AI-driven recommendation system that utilizes customer purchase history. Which of the following is the BEST way for the organization to ensure privacy and comply with regulatory standards?
Correct Answer: B
According to the AI Security Management™ (AAISM) study framework, compliance with privacy and regulatory standards must begin with a formalized process of identifying, documenting, and maintaining applicable obligations. The guidance explicitly notes that organizations should maintain a comprehensive register of legal and regulatory requirements to ensure accountability and alignment with privacy laws. This register serves as the foundation for all governance, risk, and control practices surrounding AI systems that handle personal data.
Maintaining such a register ensures that the recommendation system operates under the principles of privacy by design and privacy by default. It allows decision-makers and auditors to trace every AI data processing activity back to relevant compliance obligations, thereby demonstrating adherence to laws such as GDPR, CCPA, or other jurisdictional mandates.
Other measures listed in the options contribute to good practice but do not achieve the same direct compliance outcome. Retraining models improves technical accuracy but does not address legal obligations. Oversight committees are valuable but require the documented register as a baseline to oversee effectively. Indefinite storage of customer data contradicts regulatory requirements, particularly the principles of data minimization and storage limitation.
AAISM Domain Alignment: This requirement falls under Domain 1 - AI Governance and Program Management, which emphasizes organizational accountability, policy creation, and maintaining compliance documentation as part of a structured governance program.
References from AAISM and ISACA materials: AAISM Exam Content Outline - Domain 1: AI Governance and Program Management; AI Security Management Study Guide - Privacy and Regulatory Compliance Controls; ISACA AI Governance Guidance - Maintaining Registers of Applicable Legal Requirements.