APMG AI Project Governance Framework (AIPGF) Foundation Quick Review
Quick Review for APMG AI Project Governance Framework (AIPGF) Foundation candidates, covering governance concepts, AI project controls, risks, lifecycle decisions, and practice focus areas.
Quick Review purpose
This Quick Review is for candidates preparing for the APMG International APMG AI Project Governance Framework (AIPGF) Foundation, exam code AIPGF Foundation. Use it to refresh the main governance ideas before moving into topic drills, mock exams, and detailed explanations.
The Foundation-level focus is usually not “how to build the most advanced AI model.” It is closer to:
- How AI projects should be governed from idea to operation.
- How risk, ethics, data, assurance, accountability, and benefits fit together.
- How AI project governance differs from ordinary technology project control.
- Which decision points require evidence, escalation, or independent review.
- How to avoid confusing technical model activity with organizational governance.
This page is PM Mastery practice support and is not affiliated with APMG International.
Core exam mindset
For the APMG AI Project Governance Framework (AIPGF) Foundation, keep this mental model in mind:
AI project governance is the decision and control system that ensures an AI initiative remains valuable, lawful, ethical, safe, explainable, accountable, and operationally sustainable.
A strong answer usually connects business purpose, risk, data, model behavior, human oversight, evidence, and accountability.
A weak answer often focuses only on model accuracy, technical delivery, or speed of implementation.
High-yield governance themes
| Theme | What to remember | Common exam trap |
|---|---|---|
| Business justification | AI must solve a real business problem and deliver measurable value. | Treating AI adoption as valuable simply because it uses AI. |
| Accountability | Named people or governance bodies must own decisions, risks, and outcomes. | Assuming the data science team is accountable for all consequences. |
| Data governance | Data quality, provenance, consent, representativeness, and security matter before model work starts. | Starting model development before checking whether data is usable or appropriate. |
| Risk-based control | Higher-impact AI requires stronger controls, assurance, and oversight. | Applying the same governance depth to every AI use case. |
| Responsible AI | Fairness, transparency, explainability, privacy, safety, and human oversight are governance concerns. | Treating ethics as a communication issue rather than a design and control issue. |
| Lifecycle governance | Governance continues after deployment through monitoring, incident handling, change control, and retirement. | Thinking governance ends at go-live. |
| Assurance | Evidence should support decisions at key gates. Independent review may be needed for higher-risk uses. | Relying only on developer claims or vendor statements. |
| Benefits realization | The project should track whether expected benefits actually occur. | Measuring only technical performance, not business outcomes. |
AI project governance lifecycle
Use the lifecycle view to answer many scenario questions. Ask: Where are we in the project, what decision is being made, what evidence is needed, and who should be accountable?
flowchart LR
A[Idea and opportunity] --> B[Business case and risk screening]
B --> C[Data and feasibility assessment]
C --> D[Design, build, or procure]
D --> E[Validation and assurance]
E --> F[Deployment decision]
F --> G[Operational monitoring]
G --> H[Change, incident, or retirement decision]
Lifecycle review table
| Stage | Governance focus | Evidence to look for | Candidate trap |
|---|---|---|---|
| Idea and opportunity | Define problem, users, intended outcomes, and why AI is appropriate. | Problem statement, expected benefits, stakeholder impact, initial risk view. | Choosing AI before confirming the business problem. |
| Business case | Compare value, cost, risk, feasibility, and alternatives. | Benefits case, cost estimates, risk register, governance approach. | Ignoring non-AI alternatives that may be simpler or safer. |
| Risk screening | Identify potential harm, legal exposure, operational impact, and ethical concerns. | AI risk assessment, impact assessment, escalation criteria. | Treating risk screening as a one-time checklist. |
| Data assessment | Confirm data quality, access rights, lineage, bias risk, and representativeness. | Data inventory, data quality checks, source approvals, privacy/security review. | Assuming large data volume means good data. |
| Design or procurement | Choose solution approach, controls, acceptance criteria, and supplier responsibilities. | Design records, model approach, supplier due diligence, control design. | Buying a vendor tool without clarifying accountability. |
| Development/configuration | Build or configure under controlled methods and traceable decisions. | Development logs, experiment records, version control, design decisions. | Allowing uncontrolled model or prompt changes. |
| Testing and validation | Test performance, robustness, bias, security, explainability, and user impact. | Test results, validation reports, acceptance evidence. | Treating accuracy as the only acceptance criterion. |
| Deployment approval | Decide whether the AI system is ready for controlled release. | Go-live recommendation, residual risk acceptance, monitoring plan, support model. | Deploying a pilot as if it were production-ready. |
| Operation | Monitor outcomes, drift, incidents, usage, user feedback, and benefits. | Monitoring dashboard, incident log, benefits review, change records. | Assuming model behavior remains stable after go-live. |
| Change or retirement | Control changes, retraining, decommissioning, and replacement. | Change approvals, retraining evidence, retirement plan, audit trail. | Updating models without revalidating impact. |
What makes AI project governance different?
AI projects share many features with ordinary technology projects, but several issues create extra governance pressure.
| Area | Traditional project concern | AI-specific governance concern |
|---|---|---|
| Requirements | Are requirements complete and approved? | Are intended and prohibited uses clear enough to control model behavior? |
| Data | Is data available? | Is data appropriate, lawful, representative, secure, and fit for model use? |
| Testing | Does the system meet requirements? | Does the model behave acceptably across cases, groups, edge conditions, and changing data? |
| Change control | Are system changes approved? | Are model retraining, parameter changes, prompt changes, and data changes governed? |
| Accountability | Who owns the system? | Who owns decisions made or supported by the AI system? |
| Transparency | Is documentation sufficient? | Can affected stakeholders understand, challenge, or trust outputs where needed? |
| Operations | Is the service stable? | Is model performance, drift, misuse, and unintended impact monitored? |
| Supplier management | Does the vendor deliver to contract? | Can vendor model behavior, data usage, explainability, and updates be governed? |
Key governance decision points
Foundation questions often test whether you know the right decision at the right time.
1. Should this be an AI project?
Good governance asks whether AI is justified, not just whether AI is possible.
Use AI when:
- The business problem is well understood.
- The expected value justifies cost and risk.
- Suitable data or model capabilities are available.
- The organization can govern, monitor, and support the solution.
- Human roles, escalation paths, and accountability can be defined.
Be cautious when:
- The problem is vague.
- Stakeholders want AI mainly for innovation optics.
- Data rights or quality are unclear.
- Potential harm is high and controls are immature.
- The organization cannot explain, monitor, or challenge outputs.
2. Build, buy, or adapt?
| Option | Governance advantage | Governance concern |
|---|---|---|
| Build internally | More control over design, data, documentation, and validation. | Requires capability, cost, and disciplined lifecycle controls. |
| Buy from supplier | Faster access to capability and specialist expertise. | Supplier opacity, contractual gaps, update control, and accountability risk. |
| Adapt/configure existing tool | Can reduce time and cost. | Hidden assumptions, inherited bias, prompt/configuration drift, unclear limitations. |
A common exam trap is assuming that buying a solution transfers risk to the supplier. It usually does not. The organization using the AI system still needs governance over purpose, deployment, monitoring, and impact.
3. Pilot or production?
A pilot should explore feasibility and risk. Production requires operational controls.
| Pilot evidence | Production evidence |
|---|---|
| Feasibility results | Validated acceptance criteria |
| Limited-user feedback | Support and incident process |
| Early risk assessment | Residual risk approval |
| Data suitability check | Monitoring and drift plan |
| Prototype documentation | Change control and audit trail |
| Initial benefits hypothesis | Benefits measurement approach |
Do not treat a proof of concept as production-ready just because it produces impressive outputs.
4. Approve, reject, or escalate?
Escalation is likely when:
- Potential harm to individuals or groups is significant.
- Legal, privacy, safety, or ethical questions are unresolved.
- Model behavior cannot be adequately tested or explained for the use case.
- Residual risk exceeds agreed tolerance.
- There is disagreement about accountability or acceptable use.
- A supplier cannot provide enough evidence for responsible operation.
Responsible AI concepts to review
Responsible AI principles are not just ideals. In project governance, they become controls, evidence, decisions, and monitoring requirements.
| Principle | Governance question | Example evidence |
|---|---|---|
| Accountability | Who is responsible for decisions, outcomes, risks, and remediation? | RACI, decision log, named risk owners, approval records. |
| Transparency | Can relevant stakeholders understand that AI is used and why? | User notices, documentation, explanation approach, stakeholder communications. |
| Explainability | Can outputs be explained to the level needed for the context? | Explanation method, model documentation, decision rationale. |
| Fairness | Are outcomes checked for inappropriate bias or unequal impact? | Bias testing, representative data review, fairness criteria. |
| Privacy | Is personal or sensitive data used appropriately and protected? | Data protection review, access controls, minimization evidence. |
| Security | Is the AI system protected against misuse, leakage, and attack? | Security review, threat assessment, access management, logging. |
| Robustness | Does the system perform reliably under expected and edge conditions? | Stress tests, robustness tests, monitoring thresholds. |
| Human oversight | Are humans involved where judgment, appeal, or intervention is required? | Human-in-the-loop design, escalation route, override process. |
| Contestability | Can affected users challenge or seek review of outcomes where appropriate? | Appeals process, support route, decision review procedure. |
| Sustainability | Are operational cost, resource use, and long-term maintainability considered? | Cost model, operational plan, retirement plan. |
Data governance quick review
Data is one of the most tested governance areas because weak data undermines model quality, legality, fairness, and trust.
Data questions to ask
| Question | Why it matters |
|---|---|
| Where did the data come from? | Establishes provenance, rights, quality, and trust. |
| Was the data collected for a compatible purpose? | Reduces privacy, consent, and misuse risk. |
| Is the data representative of the intended population or operating environment? | Reduces bias and poor real-world performance. |
| Is the data complete and accurate enough? | Prevents unreliable model behavior. |
| Are sensitive attributes present or inferable? | Supports fairness, privacy, and ethical assessment. |
| Who can access the data? | Controls confidentiality and misuse. |
| How is data updated? | Supports monitoring, retraining, and drift management. |
| What data must be retained or deleted? | Supports auditability, privacy, and lifecycle control. |
Common data traps
- Assuming more data automatically means better AI.
- Ignoring data lineage because the model appears to work.
- Using historical data without considering historical bias.
- Testing only on data that resembles training data too closely.
- Failing to separate training, validation, and test data.
- Ignoring whether data use is compatible with stakeholder expectations.
- Treating synthetic or anonymized data as automatically risk-free.
- Allowing uncontrolled production data to feed model updates.
Model and AI system concepts
A Foundation candidate does not usually need to be a data scientist, but must understand enough to govern model decisions.
| Concept | Quick meaning | Governance relevance |
|---|---|---|
| Model | A learned or configured mechanism that produces outputs from inputs. | Must be documented, tested, monitored, and controlled. |
| Algorithm | A method or procedure for processing data. | Not all algorithms are AI, and algorithm choice affects risk. |
| Training data | Data used to create or tune a model. | Poor or biased training data can produce poor or biased outcomes. |
| Validation data | Data used to tune and compare model options. | Helps avoid overfitting to training data. |
| Test data | Data used to assess final performance. | Supports acceptance decisions. |
| Inference | The model producing an output from new input. | Operational controls apply at this point. |
| Drift | Change in data, relationships, or environment that affects performance. | Requires monitoring and possible retraining or withdrawal. |
| Explainability | Ability to provide understandable reasons for outputs. | Important for trust, challenge, accountability, and compliance. |
| Human-in-the-loop | Human reviews or approves AI outputs before action. | Useful control, but only effective if humans have authority and competence. |
| Human-on-the-loop | Human monitors AI operation and can intervene. | Useful for operational oversight. |
| Automation bias | Human tendency to over-trust automated outputs. | Requires training, interface design, and challenge culture. |
Testing and validation
Testing should match the risk and intended use of the AI system.
| Test area | What it checks | Weak answer pattern |
|---|---|---|
| Functional performance | Does the system produce useful outputs? | Looking only at headline accuracy. |
| Robustness | Does performance hold under variation, edge cases, or noisy inputs? | Testing only ideal examples. |
| Bias and fairness | Are outcomes inappropriate for protected or vulnerable groups? | Assuming bias is absent because sensitive fields were removed. |
| Explainability | Can decisions be explained at the needed level? | Claiming a black box is acceptable in every context. |
| Security | Can the model or system be attacked, manipulated, or leaked? | Treating AI security as ordinary application security only. |
| User acceptance | Can users understand and use the system responsibly? | Assuming users will challenge AI outputs without training. |
| Operational readiness | Can the system be supported, monitored, and changed safely? | Approving go-live based on model test results alone. |
| Benefits | Does the system improve the targeted outcome? | Confusing technical performance with business value. |
Accuracy is not enough
High model accuracy may still be unacceptable if:
- Errors are concentrated in vulnerable groups.
- False positives or false negatives have serious consequences.
- Users cannot understand limitations.
- Outputs cannot be challenged.
- The model performs poorly when conditions change.
- The business process cannot absorb the AI output responsibly.
- Benefits do not justify operational risk.
AI risk categories
| Risk category | Example | Governance response |
|---|---|---|
| Strategic risk | AI project does not support organizational objectives. | Strong business case, portfolio review, benefits tracking. |
| Data risk | Data is poor quality, biased, unlawfully used, or insecure. | Data assessment, access control, lineage documentation. |
| Model risk | Model is inaccurate, unstable, biased, or hard to explain. | Validation, explainability review, model monitoring. |
| Operational risk | Users misuse outputs or processes fail. | Training, process design, escalation routes, support model. |
| Ethical risk | System causes unfair, opaque, or harmful outcomes. | Impact assessment, responsible AI controls, stakeholder review. |
| Legal/regulatory risk | Requirements are not identified or met. | Compliance review, legal input where relevant, evidence retention. |
| Security risk | Model, prompts, data, or outputs are attacked or leaked. | Threat assessment, controls, logging, incident process. |
| Supplier risk | Vendor tool is opaque or changed without control. | Due diligence, contractual controls, assurance evidence. |
| Reputational risk | Public trust is damaged by inappropriate AI use. | Communications, approval gates, monitoring, incident response. |
| Change risk | Users resist, over-trust, or bypass the system. | Change management, training, adoption measures. |
Governance roles and responsibilities
Foundation questions often test role clarity. The exact role names may vary by organization, but the governance logic is consistent.
| Role or group | Primary governance concern | Should not be confused with |
|---|---|---|
| Sponsor or senior responsible owner | Owns business justification, strategic fit, benefits, and major risk acceptance. | Day-to-day model development. |
| Project board or steering group | Makes key decisions, resolves escalations, and confirms continued viability. | Performing detailed technical validation. |
| Project manager | Coordinates delivery, plans, risks, issues, resources, and governance activities. | Owning all AI ethical or technical decisions personally. |
| Product owner or business owner | Defines business need, usage context, and operational value. | Approving technical risk without expert input. |
| Data owner | Authorizes and governs data use, quality expectations, and stewardship. | Building the model. |
| Data scientist or AI engineer | Designs, trains, configures, tests, and documents model behavior. | Owning business accountability for outcomes. |
| Risk, compliance, legal, or privacy specialists | Advise on obligations, risk controls, and evidence. | Replacing accountable business decision-makers. |
| Security specialist | Reviews threats, access, confidentiality, and resilience. | Validating business benefits. |
| Independent assurance or review function | Challenges evidence and confirms controls for higher-risk decisions. | Managing delivery. |
| Operational owner | Runs the live service, monitors performance, handles incidents and changes. | Assuming the project team remains responsible forever. |
| Users and affected stakeholders | Provide practical feedback and reveal real-world impact. | Being a substitute for formal approval. |
| Supplier or vendor | Provides contracted capability, information, and support. | Taking over the customer organization’s accountability. |
Accountability rule of thumb
- Technical teams can recommend.
- Risk and compliance teams can advise and challenge.
- Suppliers can provide evidence and contractual commitments.
- Governance bodies and accountable business owners decide whether risk is acceptable.
Governance artifacts to recognize
| Artifact | Purpose |
|---|---|
| Business case | Explains why the AI initiative is worth doing. |
| Governance plan | Defines decision points, roles, controls, reporting, and assurance. |
| Stakeholder map | Identifies affected groups, decision-makers, users, and consultation needs. |
| AI risk assessment | Identifies and rates AI-specific and project risks. |
| Data assessment | Checks data source, quality, rights, representativeness, and security. |
| Impact assessment | Evaluates potential effects on people, processes, rights, fairness, or safety. |
| Model documentation | Records model purpose, assumptions, limitations, data, and performance. |
| Acceptance criteria | Defines what must be true before approval or deployment. |
| Test and validation report | Provides evidence that the system has been evaluated appropriately. |
| Decision log | Records important decisions, rationale, approvers, and conditions. |
| Risk register | Tracks risks, owners, actions, and status. |
| Monitoring plan | Defines metrics, thresholds, review frequency, and escalation routes. |
| Incident response plan | Explains how AI-related failures, misuse, or harm will be handled. |
| Change control record | Tracks changes to data, model, prompts, configuration, or operating process. |
| Benefits realization plan | Defines how expected benefits will be measured after deployment. |
| Retirement plan | Controls withdrawal, replacement, data retention, and user transition. |
Controls across the AI project
Controls should be proportionate to risk. Low-risk internal productivity tools may not need the same assurance as high-impact automated decisions, but both still need governance.
| Control type | Examples | Best use |
|---|---|---|
| Preventive controls | Approval gates, access limits, design standards, prohibited-use rules. | Stop unsuitable AI use before harm occurs. |
| Detective controls | Monitoring, audit logs, bias checks, anomaly detection, user feedback. | Identify problems during testing or operation. |
| Corrective controls | Incident response, rollback, retraining, user notification, remediation. | Restore control after failure or harm. |
| Directive controls | Policies, standards, training, playbooks, decision rules. | Guide consistent behavior across teams. |
| Assurance controls | Independent review, evidence checks, supplier audits, validation sign-off. | Confirm governance is working. |
Human oversight and automation
Human oversight is valuable only if it is designed realistically.
| Oversight pattern | Description | Governance concern |
|---|---|---|
| Human-in-the-loop | Human approves or rejects AI output before action. | Human must have time, skill, authority, and meaningful information. |
| Human-on-the-loop | Human monitors AI operation and intervenes when needed. | Monitoring thresholds and escalation routes must be clear. |
| Human-out-of-the-loop | AI acts without routine human intervention. | Requires stronger assurance, monitoring, and risk acceptance. |
| Human-over-the-loop | Humans set policy and review system-level performance. | Must not be used to hide lack of operational control. |
Automation bias trap
A human reviewer is not an effective control if they:
- Always accept AI recommendations.
- Do not understand limitations.
- Lack authority to override outputs.
- Face time pressure that makes review superficial.
- Cannot see the evidence needed to challenge the AI.
Explainability and transparency
Do not treat explainability as a single technical feature. It depends on audience and use case.
| Audience | What they may need |
|---|---|
| Senior decision-makers | Risk, benefits, limitations, assurance conclusions. |
| Operators and users | How to use outputs, when to challenge, escalation triggers. |
| Affected individuals | Clear information about AI involvement and review options where relevant. |
| Technical teams | Model behavior, data, parameters, error patterns, monitoring results. |
| Assurance or audit teams | Evidence trail, control design, validation results, decision rationale. |
A simple model is not automatically better, but higher-risk decisions usually require a level of explanation that supports trust, challenge, and accountability.
Supplier and third-party AI governance
When AI capability is supplied externally, governance must cover both contract and operational reality.
Supplier questions to review
- What data will the supplier access, store, process, or learn from?
- Can the supplier explain model purpose, limitations, and update approach?
- Who approves model changes, version updates, or configuration changes?
- What evidence is available for validation, security, bias, and reliability?
- What happens if the supplier changes terms, features, or model behavior?
- How are incidents, vulnerabilities, or harmful outputs reported?
- Can the organization exit or replace the supplier safely?
- What audit, assurance, or reporting rights exist?
Supplier traps
- Believing supplier certification or reputation removes the need for local governance.
- Accepting “commercial confidentiality” as a reason for no assurance evidence at all.
- Failing to control automatic updates.
- Ignoring data reuse by the supplier.
- Not defining service levels for AI-specific failures.
- Not planning for vendor lock-in or model withdrawal.
Generative AI governance points
If a scenario involves generative AI, prompts, chatbots, summarization, or content generation, add these review points.
| Risk | Governance response |
|---|---|
| Hallucinated or fabricated output | Require verification, confidence handling, source grounding, and user training. |
| Confidential data leakage | Restrict inputs, configure data handling, educate users, log appropriately. |
| Prompt injection | Apply security testing, content controls, input/output filtering, monitoring. |
| Inappropriate content | Define prohibited outputs, safety filters, review processes. |
| Copyright or intellectual property concern | Review data sources, output use, licensing, and policy constraints. |
| Over-reliance by users | Set usage rules, disclaimers, human review, and escalation paths. |
| Uncontrolled prompt changes | Version prompts, test changes, and include them in change control. |
| Weak audit trail | Log key interactions, decisions, approvals, and evidence proportionate to risk. |
Do not answer as if generative AI is automatically unsuitable. The better governance answer is usually to classify risk, define controls, validate use, and monitor operation.
Benefits realization
AI projects can appear successful technically while failing commercially or operationally. Benefits governance keeps attention on the original purpose.
| Benefit type | Example measure |
|---|---|
| Efficiency | Reduced processing time, reduced manual effort, faster response. |
| Quality | Fewer errors, better consistency, improved decision support. |
| Customer or user experience | Faster service, improved accessibility, higher satisfaction. |
| Risk reduction | Better detection, fewer incidents, improved compliance evidence. |
| Revenue or value | Increased conversion, improved targeting, new capability. |
| Knowledge support | Better search, summarization, insight discovery. |
Benefits traps
- Counting model accuracy as a benefit by itself.
- Measuring savings before considering support and assurance costs.
- Ignoring user adoption.
- Ignoring negative side effects, such as increased appeals or manual review.
- Failing to define a baseline before deployment.
- Continuing a project after benefits no longer justify risk.
Monitoring after deployment
AI systems need ongoing observation because data, behavior, users, and operating environments change.
| Monitoring area | What to watch |
|---|---|
| Model performance | Accuracy, precision/recall where relevant, error rates, confidence patterns. |
| Data drift | Changes in input data distribution or quality. |
| Concept drift | Changes in the relationship between inputs and expected outputs. |
| Fairness | Different outcomes across groups or use contexts. |
| User behavior | Over-reliance, workarounds, misuse, unexpected usage patterns. |
| Incidents | Harmful outputs, failures, security events, complaints. |
| Business outcomes | Whether expected benefits are being realized. |
| Supplier changes | Model updates, feature changes, service changes. |
| Cost and capacity | Usage cost, latency, resource demands, support burden. |
Monitoring decision rule
Monitoring should define:
- What is measured.
- Who reviews it.
- How often it is reviewed.
- What threshold triggers action.
- What action is taken.
- Who has authority to pause, rollback, retrain, or retire the system.
Change control for AI systems
AI change is broader than software change.
| Change type | Why it matters |
|---|---|
| New training data | Can change model behavior and bias profile. |
| Model retraining | May improve performance but can introduce new errors. |
| Prompt changes | Can materially change generative AI behavior. |
| Feature changes | May affect fairness, explainability, and performance. |
| Threshold changes | Can alter false positive/false negative balance. |
| Supplier model update | May change outputs without internal development activity. |
| Business process change | Can change how AI outputs affect people. |
| User group expansion | May expose the model to populations it was not validated for. |
Common mistake: treating AI retraining as routine maintenance. It may require renewed testing, approval, and communication.
Auditability and evidence
Governance requires an evidence trail. If a question asks what should support an approval decision, choose the answer that includes documented evidence rather than informal confidence.
High-value evidence includes:
- Approved business case.
- Risk assessment and risk acceptance.
- Data source and quality evidence.
- Model or system documentation.
- Validation and test results.
- Responsible AI assessment.
- Stakeholder consultation where appropriate.
- Supplier due diligence.
- Security and privacy review.
- Monitoring and incident plan.
- Decision log with rationale.
Weak evidence includes:
- “The model performed well in a demo.”
- “The supplier says it is compliant.”
- “The project team is confident.”
- “Users liked the prototype.”
- “The technology is widely used elsewhere.”
Common exam traps and how to avoid them
| Trap | Better exam approach |
|---|---|
| Equating AI governance with technical model development. | Governance is about decisions, accountability, controls, evidence, and outcomes. |
| Assuming the highest-accuracy model is always best. | Consider risk, fairness, explainability, cost, robustness, and business fit. |
| Treating ethical review as optional or late-stage. | Responsible AI should be considered from idea through operation. |
| Believing pilots do not need governance. | Pilots still need scope, data controls, risk screening, and learning objectives. |
| Assuming anonymization removes all privacy risk. | Re-identification, inference, and context can still create risk. |
| Treating human review as automatic risk reduction. | Human oversight must be meaningful and supported. |
| Ignoring operations after go-live. | Monitoring, incident handling, change control, and benefits review are essential. |
| Letting suppliers own accountability. | Suppliers provide services and evidence; the using organization still governs use. |
| Confusing transparency with full technical disclosure. | Transparency should be appropriate to audience and decision context. |
| Overlooking affected stakeholders. | AI governance considers people affected by system outputs, not just project sponsors. |
| Treating all AI uses the same. | Governance should be proportionate to risk and impact. |
| Forgetting retirement. | AI systems need controlled withdrawal when no longer suitable. |
Scenario-question method
When you see a scenario, work through this quick sequence.
flowchart TD
A[Read the scenario] --> B[Identify lifecycle stage]
B --> C[Identify main risk or decision]
C --> D[Ask who is accountable]
D --> E[Ask what evidence is needed]
E --> F[Choose proportionate governance action]
Five-question checklist
What decision is being made? Start, continue, approve, deploy, change, pause, escalate, or retire?
What is the main governance concern? Value, data, risk, ethics, security, supplier, assurance, operation, or benefits?
Who should own or approve it? Sponsor, board, project manager, data owner, risk specialist, operational owner, or supplier?
What evidence is missing? Business case, validation, impact assessment, monitoring plan, supplier evidence, or risk acceptance?
What is proportionate? Avoid both under-governance and unnecessary bureaucracy.
Fast comparison: good vs weak governance answers
| If the answer says… | It is likely… |
|---|---|
| “Proceed because the model has high accuracy.” | Too narrow. Look for broader governance evidence. |
| “Escalate because residual risk exceeds tolerance.” | Stronger governance logic. |
| “The supplier is responsible, so internal review is unnecessary.” | Usually weak. Accountability remains with the using organization. |
| “Define acceptance criteria before validation.” | Strong. Testing needs a target. |
| “Monitor after deployment for drift and unintended outcomes.” | Strong. AI governance continues in operation. |
| “Remove sensitive attributes, so fairness risk is solved.” | Weak. Bias can remain through proxies. |
| “Use a human reviewer without changing process or training.” | Weak. Human oversight must be meaningful. |
| “Document rationale and decision ownership.” | Strong. Governance requires traceability. |
| “Deploy the pilot because users liked it.” | Weak. Production readiness requires more evidence. |
| “Review data provenance and permitted use before model development.” | Strong. Data governance starts early. |
Quick terminology check
| Term | Review meaning |
|---|---|
| Governance | System of direction, control, accountability, and decision-making. |
| Assurance | Confidence supported by evidence that controls and outcomes are adequate. |
| Residual risk | Risk remaining after controls are applied. |
| Risk appetite or tolerance | Amount and type of risk an organization is willing to accept. |
| Impact assessment | Structured assessment of potential effects on people, operations, rights, or obligations. |
| Bias | Systematic distortion or unfairness in data, design, or outcomes. |
| Drift | Change that reduces model reliability or suitability over time. |
| Audit trail | Records that allow decisions and actions to be traced. |
| Acceptance criteria | Conditions that must be met before approval. |
| Explainability | Ability to provide understandable reasons for model outputs or behavior. |
| Transparency | Openness about AI use, purpose, limitations, and governance. |
| Accountability | Clear ownership of decisions, risks, and outcomes. |
Last-week review plan
Use this sequence before mock exams.
Day 1: Governance foundations
- Review lifecycle stages.
- Memorize the difference between delivery, governance, assurance, and operations.
- Practice questions on accountability and decision gates.
Day 2: Data and model risk
- Review data provenance, quality, representativeness, and permitted use.
- Practice topic drills on data risk, model validation, drift, and bias.
- Read detailed explanations carefully, especially when two answers seem plausible.
Day 3: Responsible AI
- Review fairness, transparency, explainability, privacy, security, robustness, and human oversight.
- Practice scenario questions that involve affected stakeholders or high-impact decisions.
Day 4: Supplier, deployment, and monitoring
- Review vendor accountability, production readiness, monitoring, incident management, and change control.
- Practice questions on pilot-to-production decisions.
Day 5: Mixed mock exam
- Take a timed mock exam.
- Review every missed question by identifying the lifecycle stage, risk, accountable role, and missing evidence.
- Create a short list of recurring traps.
How to use question-bank practice effectively
For the APMG International APMG AI Project Governance Framework (AIPGF) Foundation exam code AIPGF Foundation, question-bank practice is most useful when you do more than memorize answers.
Use original practice questions in three passes:
Topic drills Work by subject: lifecycle, data, risk, responsible AI, roles, assurance, monitoring, suppliers.
Mixed practice Mix topics so you learn to identify the issue from the scenario, not from the drill title.
Mock exams Practice timing, review weak areas, and study detailed explanations for why the wrong answers are wrong.
When reviewing explanations, ask:
- Did I miss the lifecycle stage?
- Did I choose a technical answer when the question wanted governance?
- Did I ignore accountability?
- Did I overlook evidence or assurance?
- Did I understate operational monitoring?
- Did I assume the supplier carried the risk?
- Did I focus on accuracy instead of responsible outcomes?
Final quick check before practice
Before starting your next mock exam or topic drill, make sure you can answer these without notes:
- Why is AI project governance more than model development?
- What evidence should support a deployment decision?
- Why is data governance needed before model building?
- Why is high accuracy not enough?
- What makes human oversight meaningful?
- Why does governance continue after go-live?
- How should supplier AI risk be controlled?
- What should happen when residual risk is too high?
- Who remains accountable for AI use in the organization?
- How do monitoring, change control, and retirement fit into the lifecycle?
Next step: use this Quick Review as your checklist, then move into PM Mastery practice with topic drills, original practice questions, mock exams, and detailed explanations to test whether you can apply the governance concepts under exam conditions.
Continue in PM Mastery
Use this Quick Review as a final concept map, then move into PM Mastery for focused topic drills, mixed practice sets, timed mock exams, and detailed explanations. The practice questions are original PM Mastery practice items; they are not official APMG questions, copied live-exam content, or exam dumps.