An organization plans to apply an AI system to its business, but developers find it difficult to predict system results due to lack of visibility to the inner workings of the AI model. Which of the following is the GREATEST challenge associated with this situation?
Correct Answer: A
AAISM materials identify explainability and transparency as the greatest challenge when models operate as "black boxes" where inner logic is opaque. Inability to interpret how results are produced undermines the trust of business users, customers, regulators, and auditors. Explainability is emphasized as a critical governance requirement, because without it, ethical validation, accountability, and regulatory compliance are at risk. Assigning risk owners or measuring transaction times are operational concerns, but they do not address the core trust deficit caused by lack of visibility. The greatest challenge in this situation is therefore the loss of end-user trust due to insufficient explainability. References: AAISM Study Guide - AI Governance and Program Management (Transparency and Explainability) ISACA AI Security Management - Ethical and Trust Considerations
Question 12
Which strategy is MOST effective for penetration testers assessing an AI model against membership inference attacks?
Correct Answer: B
AAISM specifies that membership inference attacks often exploit unusually high confidence scores when the model encounters data points used during training. Penetration testers identify vulnerability by analyzing model confidence behavior across known and unknown samples. Synthetic data (A) does not test inference leakage. Disabling logs (C) removes evidence and reduces visibility. Test-set accuracy (D) is unrelated. References: AAISM Study Guide - AI Privacy Attacks; Membership Inference Testing Techniques.
Question 13
Which of the following is the BEST way to ensure role clarity and staff effectiveness when implementing AI- assisted security monitoring tools?
Correct Answer: B
AAISM directs that AI adoption in security operations be governed through explicit operating models and RACI-mapped responsibilities spanning security operations, data science/ML, platform engineering, privacy, and compliance. Role clarity comes from updating the security program to codify AI-specific responsibilities (model monitoring, incident handling for AI failures, data governance, change control for models, bias /fairness reviews, supplier assurance) rather than deferring implementation, outsourcing core accountability, or relying on generic certifications. This ensures measurable accountability, reduces hand-off risk, and aligns day-to-day SOC practices with AI control objectives. References:* AI Security Management™ (AAISM) Body of Knowledge: AI Governance Operating Model; Roles & Responsibilities; RACI for AI-enabled Security Operations* AAISM Study Guide: Program Governance, Control Objective Mapping to SOC Workflows; Cross-Functional Ownership for AI Controls
Question 14
Which of the following BEST enables an organization to strengthen information security controls around the use of generative AI applications?
Correct Answer: B
For generative AI, the primary enterprise security exposure is data and content exfiltration or policy violations at output, including leakage of sensitive data, toxic content, or regulatory non-compliance. AAISM prescribes policy-aligned output monitoring (e.g., DLP checks, PII/PHI detection, toxicity/safety filters, watermark /attribution checks) integrated into inference gateways to enforce organizational policies and evidence compliance. Exceeding benchmarks (A) is not a control; training-data validation (C) may be infeasible with third-party LLMs; and kill switches (D) are essential contingency controls but do not continuously strengthen everyday security posture. References: AI Security Management™ (AAISM) Body of Knowledge - GenAI Governance and Guardrails; Output Filtering and DLP Controls; Policy Enforcement at Inference. AAISM Study Guide - Monitoring & Auditing of GenAI; Gateway Patterns for Safe Use; Control Effectiveness Measures.
Question 15
The PRIMARY purpose of adopting and implementing AI architecture as part of an organizational AI program is to:
Correct Answer: C
An AI architecture, within program governance, exists to align AI system components and lifecycle processes with business goals and policy constraints. Architecture provides the organizing structure linking strategy, capabilities, processes, data, models, controls, and assurance so that AI outcomes are traceable to business value, risk appetite, and compliance expectations. Efficiency, speed, and threat analysis are important architectural qualities, but they are not the primary purpose; the primary purpose is strategic and governance alignment so that technical choices and controls consistently realize organizational objectives. References:* AI Security Management (AAISM) Body of Knowledge: AI Program Architecture - alignment of capabilities, processes, and controls to business objectives* AI Security Management Study Guide: Architecture-driven governance, traceability from business goals to technical and control design
