What is covered on the AAIR exam?

The ISACA Advanced in AI Risk™ (AAIR™) exam consists of 90 questions covering three areas, all testing your ability to address real-world AI-related opportunities and challenges.

ISACA’s commitment

The domains, subtopics and tasks are the results of extensive research, feedback and validation from subject matter experts and prominent industry leaders from around the globe.

Job practice areas tested for and validated by an AAIR certification

37% DOMAIN 1 – AI RISK GOVERNANCE AND FRAMEWORK INTEGRATION

1A AI Models, Frameworks, Strategies, and Use Cases
1B AI Organizational Processes and Alignment
1C AI Ownership, Oversight, and Accountability
1D AI Policies, Procedures, and Organizational Training
1E AI Regulatory Compliance and Legal Considerations
1F AI Trustworthiness, Ethical and Societal Implications (e.g., ESG)

21% DOMAIN 2 – AI LIFE CYCLE RISK MANAGEMENT

2A AI Design, Development/Procurement, and Documentation
2B AI Model Training, Testing, and Validation
2C AI Implementation, Maintenance, and Decommissioning
2D AI Data and Asset Management

42% DOMAIN 3 – AI RISK PROGRAM MANAGEMENT

3A AI Risk Scenario Identification and Assessment (e.g., threats, vulnerabilities, and attacks)
3B AI Risk Treatment Strategies
3C AI Controls Management (e.g., Evaluation, Selection, Validation)
3D AI Risk Metrics, Monitoring, and Reporting
3E AI Supply Chain Risk Management (e.g., third party resources)
3F AI Incident Response, BIA, Business Continuity, and Disaster Recovery

OTHER SKILLS TESTED

  1. Evaluate risk related to AI models/solutions including design, suitability, algorithms, training, drift, and AI life cycle.
  2. Facilitate the integration of AI risk management into an enterprise risk management framework and risk programs.
  3. Develop and implement an AI risk management framework, including roles and accountability, AI risk policies and procedures, and acceptable risk tolerance levels.
  4. Conduct risk assessments to identify and classify risks associated with AI.
  5. Develop and recommend risk treatment strategies for identified AI risks.
  6. Assess compliance with applicable AI-related regulations, laws, frameworks, standards, and guidelines.
  7. Integrate AI risk considerations into existing governance programs.
  8. Integrate AI risk considerations into existing risk register and control taxonomies.
  9. Evaluate AI use cases based on the organization's risk appetite.
  10. Monitor and test organizational processes to identify AI risks.
  11. Collaborate with stakeholders to develop and integrate AI risk concepts into enterprise-wide awareness training.
  12. Capture AI risk considerations in enterprise risk metrics and reporting (e.g., board, management, operations).
  13. Conduct and/or evaluate threat and vulnerability assessments on AI projects/programs.
  14. Collaborate with stakeholders to integrate AI risk scenarios into the enterprise incident management program.
  15. Continuously assess and monitor the risk landscape for emerging AI risk.
  16. Evaluate controls to manage AI-related risk within the organization's risk tolerance.
  17. Advise on AI-related risk within contracts and service agreements, including data usage and intellectual property.
  18. Evaluate AI risk as part of supply chain risk management.
  19. Collaborate with stakeholders to address AI trustworthiness and impacts including ethics, bias, privacy, safety, and environmental, social, and governance (ESG) implications.
  20. Leverage AI to support the risk management program (e.g., risk profile, reporting, evaluation, risk models, and analysis).
  21. Integrate AI-related risk considerations into the change management process.
  22. Incorporate AI-related risk considerations into incident response, BIAs, the BCP, and DRP.
  23. Assess human oversight controls at critical decision points for risk and AI impact.

Getting ready for the exam

ISACA offers a variety of exam preparation resources including group training, self-paced training and study resources to help you prepare for your certification exam. Choose what works for your schedule and your studying needs.