APMG AI Project Governance Framework (AIPGF) Practitioner Exam Blueprint

Practical exam blueprint for the APMG International AIPGF Practitioner exam, covering AI project governance, risk, roles, assurance, and scenario readiness.

How to use this exam blueprint

Use this checklist to prepare for the APMG International APMG AI Project Governance Framework (AIPGF) Practitioner exam, code AIPGF Practitioner. The goal is not to memorize isolated definitions. At Practitioner level, you should be able to apply AI project governance concepts to scenarios, choose appropriate actions, identify governance gaps, and decide what artifact, role, control, or escalation path is needed.

Work through each readiness area and mark it:

StatusMeaning
ReadyYou can apply the topic to a scenario without relying on notes.
ReviewYou understand the concept but miss details, role ownership, or artifact updates.
WeakYou recognize the term but cannot confidently decide what to do in a scenario.
Not startedYou need structured study before attempting scenario practice.

Use this as an independent exam blueprint alongside your APMG International AIPGF Practitioner study materials and any official guidance available to you.

Topic-area readiness map

Readiness areaWhat to reviewPractitioner-ready means you can…Typical evidence or artifact
AI project governance purposeWhy AI projects need explicit governance beyond standard project controlsExplain the governance problem in a scenario and connect it to accountability, risk, value, ethics, and assuranceGovernance approach, terms of reference, decision log
Framework applicationHow the AI Project Governance Framework is applied and tailoredSelect proportionate governance actions for low-risk, high-risk, experimental, operational, or regulated contextsTailored governance plan, lifecycle controls
Roles and accountabilitiesSponsor, project board or governance body, project manager, AI/data specialists, risk/compliance, users, suppliers, assurance rolesIdentify who should decide, advise, approve, escalate, or perform a controlRACI, role descriptions, escalation path
Business case and valueStrategic fit, benefits, costs, risk exposure, assumptions, ethical acceptabilityTest whether the AI initiative remains justified as evidence changesBusiness case, benefits profile, value measures
AI project lifecycleInitiation, discovery, design, build, test, deployment, monitoring, closure or transitionPlace governance controls at the right stage and avoid treating delivery as a one-time technical buildStage/gate records, delivery roadmap
Predictive, agile, and hybrid deliveryHow governance is maintained across different delivery approachesTailor controls without either over-governing innovation or under-governing material riskTailoring decision, backlog controls, gate criteria
Data governanceData provenance, quality, consent or permission, lineage, access, retention, representativeness, biasSpot data-related governance gaps before model development or deploymentData management plan, data quality assessment
Model and solution governanceModel selection, validation, performance criteria, explainability, versioning, human oversightDecide what evidence is needed before approving use of an AI solutionModel documentation, validation results
Responsible and ethical AIFairness, transparency, accountability, safety, human impact, contestability, misuseBalance value delivery with responsible use and stakeholder impactEthics review, impact assessment, decision record
Risk managementAI-specific and project risks, controls, owners, responses, residual riskDistinguish risk, issue, assumption, dependency, and change in a scenarioRisk register, issue log, control plan
Compliance and policy alignmentOrganizational policies, legal or regulatory constraints, auditability, recordsIdentify when specialist advice or formal review is requiredCompliance review, audit trail
Stakeholder engagementImpacted users, affected communities, sponsors, operational teams, data owners, customer groupsChoose engagement actions that reduce resistance and improve responsible adoptionStakeholder map, communication plan
Assurance and qualityIndependent review, validation, acceptance criteria, test evidence, governance checksRecognize when confidence is insufficient and further assurance is neededAssurance plan, test report, acceptance record
Change controlChanges to scope, data, model, risk appetite, operating model, supplier termsDecide whether a change needs approval, impact analysis, or escalationChange request, impact assessment
Deployment and operational monitoringTransition to live use, performance drift, incidents, feedback, retraining, withdrawalExplain how governance continues after deploymentMonitoring plan, incident log, service controls
Supplier and third-party AIVendor claims, black-box models, data sharing, service dependency, contractual controlsChallenge weak supplier assurance and identify evidence neededSupplier assessment, contract controls
Documentation and audit trailRecording decisions, rationale, approvals, assumptions, exceptionsIdentify what should be documented and why it matters for accountabilityDecision log, exception report, lessons learned

Practitioner-level “can you do this?” checklist

Governance and tailoring

  • Explain why an AI initiative may require stronger governance than a conventional technology project.
  • Identify which governance controls are proportionate to project risk, complexity, novelty, and impact.
  • Decide when governance should be embedded in agile ceremonies, formal stage gates, or both.
  • Recognize when a pilot, proof of concept, or experiment has become a governed project.
  • Distinguish advisory review from approval authority.
  • Identify when a decision should be made by the project manager, sponsor, governance board, risk/compliance function, or specialist expert.
  • Explain why governance is not only a start-up activity; it continues through deployment and operation.
  • Spot weak governance language such as “the technical team will handle it” when accountability is unclear.

Business case, benefits, and value

  • Connect the AI solution to a defined business problem rather than a technology objective.
  • Identify assumptions in the business case that depend on data quality, user adoption, model performance, or operational readiness.
  • Decide whether benefits remain credible after new risks, costs, delays, or stakeholder concerns emerge.
  • Recognize when an AI initiative should pause, pivot, scale back, or seek renewed approval.
  • Distinguish benefit measures from model performance measures.
  • Explain why a high technical score does not automatically prove business value.
  • Identify benefits that require organizational change, not just model deployment.

Data governance

  • Check whether the data source is known, authorized, relevant, and fit for purpose.
  • Identify gaps in data lineage, representativeness, labelling, quality, or completeness.
  • Recognize bias risks in training data, test data, historic decisions, proxy variables, or underrepresented groups.
  • Decide when data issues should be escalated before model development continues.
  • Explain why using “available data” is not the same as using “appropriate data.”
  • Identify controls for access, privacy, retention, security, and permitted use.
  • Recognize when additional data review is needed before deployment or scaling.

Model, solution, and assurance

  • Distinguish model development evidence from independent assurance evidence.
  • Identify whether acceptance criteria are business-based, risk-based, and operationally meaningful.
  • Recognize when explainability is necessary for trust, auditability, or decision challenge.
  • Decide when a human-in-the-loop, human-on-the-loop, or automated decision model needs extra governance.
  • Identify when model performance, fairness, safety, or reliability evidence is insufficient.
  • Explain why production monitoring is required even after successful testing.
  • Recognize model drift, data drift, concept drift, and operational changes as governance concerns.
  • Identify when retraining, rollback, suspension, or redesign may be needed.

Risk, ethics, and controls

  • Classify AI risks by source: data, model, process, people, supplier, compliance, security, ethics, reputation, or operations.
  • Distinguish inherent risk from residual risk after controls.
  • Match a risk response to the scenario: avoid, reduce, transfer, accept, escalate, or exploit an opportunity.
  • Recognize when residual risk exceeds agreed tolerance or authority.
  • Identify ethical concerns even when the project is technically feasible.
  • Decide when affected stakeholders need consultation or additional communication.
  • Recognize that “no explicit law prohibits it” is not the same as “governance approval is justified.”
  • Link controls to evidence, not vague assurances.

Stakeholders, adoption, and change

  • Identify stakeholders affected by the AI-enabled process, including users who may not be project sponsors.
  • Explain the difference between informing stakeholders and involving them in governance-relevant decisions.
  • Decide when resistance signals a communication issue, training need, ethical concern, or benefits risk.
  • Identify operational changes required for adoption: process redesign, training, support, monitoring, escalation, and accountability.
  • Recognize when stakeholder trust is harmed by poor transparency or unclear recourse.
  • Explain how user feedback should feed into governance, not only product improvement.

Supplier and third-party checks

  • Challenge vendor claims that are unsupported by evidence.
  • Identify data ownership, access, retention, security, and usage concerns in supplier arrangements.
  • Recognize black-box AI governance risks.
  • Decide when independent validation or additional contractual controls are needed.
  • Identify dependencies on vendor monitoring, updates, service levels, or model changes.
  • Explain why outsourcing development does not outsource organizational accountability.

Scenario and decision-point checks

Practitioner questions often test judgment: what should be done next, who should act, what record should be updated, and whether the governance response is proportionate.

If the scenario says…Think about…Better exam-ready response
The team wants to proceed because early model results are promisingTechnical evidence may not cover business, ethical, operational, or risk readinessConfirm acceptance criteria, assurance evidence, risk status, and approval path before scaling
The data source is convenient but poorly documentedProvenance, permission, quality, representativeness, lineagePause or condition progress until data governance evidence is sufficient
Stakeholders are concerned about fairnessBias, transparency, consultation, impact, challenge routesEngage affected groups, assess fairness risk, document decisions, update controls
A senior stakeholder wants a rapid deploymentGovernance pressure, risk appetite, authority, assurance shortcutsEscalate if necessary; do not bypass mandatory risk or assurance controls
A supplier says its model is proprietary and cannot be explainedBlack-box risk, assurance alternatives, contractual evidence, operational accountabilityRequest sufficient evidence, validation, monitoring, and decision accountability
The model performs well in test but poorly after launchDrift, environment change, monitoring thresholds, incident responseTrigger operational governance, investigate, update risk and issue logs, decide rollback or remediation
A change request adds a new data sourcePrivacy, bias, data quality, security, consent, model validityPerform impact assessment before approval
Users are bypassing the AI-enabled processAdoption risk, usability, trust, training, process fitInvestigate root cause, update change plan, reassess benefits and controls
The project is agile and iterating quicklyGovernance must be embedded, not skippedUse lightweight but explicit decision points, backlog controls, definitions of done, and review evidence
The business case assumes productivity gainsBenefits realization depends on operating model and adoptionValidate assumptions, define measures, plan transition, monitor benefits
A risk has materializedIt is now an issue, not only a riskUpdate issue log, assess impact, activate response, escalate if beyond authority
A new policy constraint appears lateCompliance and governance impactReassess scope, risk, acceptance criteria, and approval route

AI governance issue triage workflow

Use this mental workflow when a scenario introduces a new risk, issue, data concern, stakeholder objection, or assurance gap.

    flowchart TD
	    A[New concern appears in scenario] --> B{Is it a risk, issue, change, or decision?}
	    B --> C[Risk: uncertain future event]
	    B --> D[Issue: current problem]
	    B --> E[Change: requested alteration]
	    B --> F[Decision: approval or direction needed]
	    C --> G[Assess impact, likelihood, owner, response]
	    D --> H[Assess actual impact, urgency, owner, resolution path]
	    E --> I[Assess impact on scope, value, risk, data, model, controls]
	    F --> J[Identify authority, evidence needed, options]
	    G --> K{Within tolerance and authority?}
	    H --> K
	    I --> K
	    J --> K
	    K -->|Yes| L[Act, document, monitor]
	    K -->|No| M[Escalate with evidence and recommendation]
	    L --> N[Update relevant artifact]
	    M --> N

Artifact checklist: know what to update and why

Artifact or recordUse in AI project governanceUpdate when…
Business caseConfirms continued justification and valueBenefits, costs, risks, assumptions, or strategic fit change
Benefits profile or benefits planDefines expected value and measuresDelivery approach, adoption assumptions, or operational outcomes change
Governance planDefines decision rights, reviews, controls, tailoringRisk level, delivery approach, supplier model, or project complexity changes
Stakeholder mapIdentifies affected and influential partiesNew impacted groups, resistance, ethical concerns, or adoption barriers emerge
Communication and engagement planPlans stakeholder involvement and messagingTrust, transparency, training, or consultation needs change
Risk registerRecords uncertain events and responsesNew AI, data, supplier, compliance, or operational risks are identified
Issue logTracks current problems requiring actionA risk materializes or live operation exposes a defect
Assumption logRecords unproven planning assumptionsEvidence confirms, weakens, or invalidates an assumption
Dependency logTracks dependencies outside direct controlData access, supplier deliverables, policy decisions, or platform readiness shift
Decision logPreserves rationale and accountabilityGovernance body approves, rejects, defers, or conditions a decision
Change requestFormalizes proposed changesScope, model, data source, process, acceptance criteria, or operating use changes
Data management planGoverns data sourcing, use, quality, access, retentionData source, usage, access, quality controls, or retention requirements change
Model or solution documentationDescribes model purpose, design, limits, performance, and controlsModel version, training data, assumptions, thresholds, or intended use changes
Validation and test reportProvides evidence of fitness for intended useNew evidence, test failure, defect, drift, or changed acceptance criteria appear
Assurance reportProvides independent or structured review evidenceGovernance confidence is challenged or approval requires further evidence
Operational monitoring planDefines live controls and thresholdsDeployment scope, environment, user behavior, model performance, or risk changes
Incident or escalation recordDocuments operational problems and responsesHarm, failure, security event, policy breach, or serious stakeholder impact occurs
Lessons learned recordCaptures improvement for future governanceClosure, major phase end, incident review, or governance retrospective occurs

AI-specific risk checklist

Risk areaQuestions to askScenario cues
Data provenanceDo we know where the data came from and whether it may be used?“Legacy data,” “scraped data,” “third-party dataset,” “no owner identified”
Data qualityIs the data complete, accurate, timely, relevant, and suitable for the intended use?Missing values, inconsistent labels, stale data, untested source
Bias and fairnessCould the data or model disadvantage groups or reinforce historic patterns?Complaints, uneven outcomes, proxy variables, underrepresented users
Privacy and confidentialityAre personal, sensitive, or confidential data protected and used appropriately?New data source, broader access, external supplier, live customer data
SecurityCould the AI system, data pipeline, model, or outputs be attacked or misused?External access, prompt misuse, data leakage, weak controls
ExplainabilityCan decisions or recommendations be understood at the level needed?High-impact decisions, user challenge, audit requirement, black-box model
Human oversightIs human review meaningful, timely, trained, and accountable?“Human approves automatically,” “no appeal route,” “too many alerts”
ReliabilityDoes the model perform consistently in relevant conditions?Test-only success, new environment, edge cases, unstable outputs
DriftCould performance degrade after deployment?Changing customer behavior, new data patterns, operational process change
MisuseCould the tool be used outside intended scope?Informal workarounds, uncontrolled access, unclear user guidance
Supplier dependencyCan the organization govern vendor changes, outages, and evidence?Proprietary model, limited transparency, vendor-managed updates
Compliance and policyAre applicable policies and obligations understood?New jurisdiction, new use case, sensitive decision area
Reputation and trustCould failure damage stakeholder confidence?Public-facing use, vulnerable groups, media sensitivity, opaque decisions
Operational readinessCan the business support, monitor, and respond after go-live?No runbook, no owner, no monitoring thresholds, no incident route

Roles, accountability, and escalation checks

You should know the role names and responsibilities used in your AIPGF Practitioner materials. For scenario practice, focus on what each role is expected to contribute and when escalation is justified.

Role or stakeholder typeTypical governance concernCandidate readiness check
Project sponsor or executive ownerContinued justification, benefits, funding, business riskCan you decide when the sponsor must reapprove or redirect the project?
Governance board or steering groupDecision authority, tolerances, escalation, assurance confidenceCan you identify decisions that exceed the project manager’s authority?
Project managerDelivery control, coordination, risk and issue management, reportingCan you choose the next management action and artifact update?
Product owner or business leadValue, prioritization, user needs, acceptanceCan you balance user value against risk and control requirements?
Data owner or data stewardData suitability, permission, quality, lineage, accessCan you spot when data ownership or approval is missing?
AI/model specialistTechnical design, model performance, limitations, validation supportCan you distinguish expert advice from governance approval?
Risk, compliance, legal, or policy adviserIndependent advice on obligations, risk exposure, controlsCan you identify when specialist input is needed before proceeding?
Assurance or audit roleIndependent confidence, evidence review, governance complianceCan you identify when assurance evidence is insufficient?
Operational ownerLive service, monitoring, incidents, support, user processCan you decide whether deployment readiness is adequate?
Supplier or vendorExternal capability, data handling, model updates, service supportCan you identify retained accountability and supplier control gaps?
End users and affected stakeholdersAdoption, trust, usability, impact, fairnessCan you identify when engagement is a governance need, not a communication afterthought?

Delivery approach and tailoring checklist

Delivery contextGovernance focusWatch for this trap
Early discovery or proof of conceptClarify purpose, data permission, experiment boundaries, decision criteriaTreating a proof of concept as exempt from governance because it is “only a trial”
Predictive projectFormal decision points, defined scope, stage approvals, documented controlsAssuming stage approval is enough without AI-specific evidence
Agile deliveryGovernance embedded in backlog, acceptance criteria, reviews, definitions of done, sprint evidenceConfusing speed with permission to skip assurance
Hybrid deliveryFormal governance for risk and value, iterative delivery for learningDuplicating controls without clarifying which decision forum has authority
High-impact AI useStronger assurance, stakeholder involvement, explainability, monitoring, escalationApproving on technical performance alone
Low-impact internal automationProportionate controls, clear ownership, data checks, monitoringEither over-engineering governance or ignoring cumulative risk
Supplier-led solutionContractual controls, evidence, auditability, data terms, operational handoverAssuming vendor certification or confidence removes project accountability
Live operational AIMonitoring, drift response, incident management, retraining or withdrawal decisionsTreating go-live as the end of governance

Common weak areas and traps

Weak areaWhat often goes wrongHow to correct it in exam scenarios
Governance vs deliveryCandidates choose a delivery task when the scenario needs a governance decisionAsk: who has authority, what evidence is missing, and what record must be updated?
Risk vs issueA current problem is treated as a future uncertaintyIf it has happened, manage it as an issue and assess impact immediately
Technical performance vs business valueHigh accuracy is treated as enough for approvalCheck benefits, acceptance criteria, stakeholder impact, controls, and operational readiness
Data availability vs data suitabilityData exists, so the team assumes it is usableCheck provenance, quality, permission, representativeness, and intended use
Ethics as a late reviewEthical concerns are considered only before go-liveIntegrate ethics into initiation, design, testing, deployment, and monitoring
Human oversightA human is nominally present but cannot meaningfully challenge the AI outputCheck competence, authority, time, workflow design, and escalation route
Supplier assuranceVendor statements are accepted without evidenceRequest validation, documentation, contractual controls, and monitoring arrangements
Agile misunderstandingAgile delivery is treated as reduced governanceTailor governance into iterative work; do not remove accountability
Escalation extremesCandidates escalate everything or nothingEscalate when tolerance, authority, policy, risk appetite, or stakeholder impact requires it
Documentation gapsDecisions are made informallyRecord rationale, evidence, approvals, exceptions, and residual risk
Deployment readinessTesting success is treated as operational readinessCheck monitoring, support, incident response, user training, ownership, and benefits tracking
Bias handlingBias is treated as only a data science problemInclude stakeholder impact, fairness measures, governance review, and decision accountability
Acceptance criteriaCriteria focus only on model metricsInclude business, risk, ethical, operational, and user acceptance criteria
Change impactA change to data or model is treated as a routine technical updateReassess risk, validation, compliance, benefits, and approval needs

Scenario prompts for self-testing

Use these prompts to rehearse Practitioner-level reasoning. For each one, answer: what is the issue, who should act, what should be updated, and what is the next governance step?

PromptWhat a strong answer should consider
A project team wants to use historic approval data, but no one knows whether past decisions were biased.Data bias risk, fairness review, data owner involvement, risk register update, possible redesign or additional controls
A sponsor asks the team to skip independent validation to meet a launch date.Assurance need, risk tolerance, escalation, decision authority, documented exception or refusal
A supplier refuses to provide detail on model changes after deployment.Contractual control, supplier dependency, operational monitoring, auditability, retained accountability
Users say the AI recommendation is hard to challenge.Transparency, human oversight, appeal route, user training, process design, stakeholder trust
A model’s performance drops after a change in customer behavior.Drift monitoring, issue management, remediation, rollback, retraining, updated operational controls
The business case promises reduced processing time, but staff are not trained on the new workflow.Benefits risk, change management, training plan, adoption measures, operational readiness
The team adds a new external dataset during an agile iteration.Change impact, data governance, privacy/security review, validation, backlog and risk updates
A proof of concept produces useful outputs and the business starts using them informally.Governance boundary breach, operational risk, approval route, monitoring, user controls
A risk owner accepts residual risk without clear authority.Risk appetite, delegated authority, escalation, decision log, governance body approval
Stakeholder feedback reveals possible harm to a vulnerable user group.Ethical impact, stakeholder engagement, fairness assessment, escalation, possible pause or redesign

Final-week checklist

Seven to five days before the exam

  • Re-read your AIPGF Practitioner materials with a focus on application, not terminology alone.
  • Build a one-page map of roles, decision rights, artifacts, and escalation routes.
  • Review how AI project governance differs from general project governance.
  • Practice classifying scenario facts as risk, issue, assumption, dependency, change, or decision.
  • Create a personal list of weak topics: data governance, ethics, assurance, supplier controls, monitoring, or tailoring.

Four to two days before the exam

  • Work through scenario-style questions and explain why each wrong option is less suitable.
  • For every practice question, identify the artifact that would need updating.
  • Practice “what should happen next?” decision making.
  • Review common traps around pilots, agile delivery, black-box models, and stakeholder impact.
  • Rehearse concise definitions for key terms, but connect each definition to a scenario action.

Day before the exam

  • Review your weakest readiness areas rather than rereading everything.
  • Recheck role responsibilities and escalation logic.
  • Revisit artifacts: business case, governance plan, risk register, issue log, change request, data plan, validation evidence, monitoring plan.
  • Practice a few short scenario prompts and state the next governance step out loud.
  • Stop heavy study early enough to preserve focus for scenario judgment.

Exam-day mental checklist

  • Read the scenario for governance facts before choosing an answer.
  • Ask: is this a risk, issue, change, decision, or assurance gap?
  • Ask: who has authority to act or approve?
  • Ask: what evidence is missing?
  • Ask: what artifact should be updated?
  • Prefer proportionate governance over both uncontrolled speed and unnecessary bureaucracy.
  • Watch for answers that sound technically impressive but ignore accountability, risk, stakeholders, or value.

Practical next step

Choose three weak readiness areas from the tables above and practice applying them to short scenarios. For each scenario, write a four-part answer: decision needed, responsible role, artifact update, and governance rationale. That habit is a strong final-review bridge from knowing the AIPGF concepts to applying them on the APMG International APMG AI Project Governance Framework (AIPGF) Practitioner exam.