CompTIA SecAI+ CY0-001: AI Governance, Risk, and Compliance

Topic snapshot

Sample questions

These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: AI Governance, Risk, and Compliance

A company is piloting an AI assistant to prioritize access-review tickets for security analysts. Governance policy requires similar evidence to be scored consistently across employee groups. Review the monitoring sample and choose the best interpretation.

Exhibit: Pilot monitoring sample

Model rationales often cite “unusual wording” in translated notes.

Options:

• A. The model is showing signs of model theft.

• B. Bias may be unfairly affecting ticket prioritization.

• C. Translated tickets show a higher true security risk.

• D. Manual reviewers should stop checking low-risk tickets.

Best answer: B

Explanation: This is a bias risk because the AI system is treating comparable cases differently for a group-related characteristic: translated wording. The manual confirmation rates are nearly the same, so the higher high-risk rate is not supported by the observed security outcomes. In a GRC context, the next governance concern is unfair operational impact, such as unnecessary scrutiny, delayed access reviews, or inconsistent analyst workload for one employee population. The pilot should trigger bias assessment, model or prompt adjustment, and monitoring before production use. The key takeaway is that uneven AI outputs become a governance risk when they unfairly influence analysis or decisions.

• True-risk assumption fails because the confirmation rates are similar, so the higher AI score rate is not evidence of greater actual risk.
• Model theft is unsupported because the exhibit shows unfair scoring behavior, not unauthorized copying or extraction of the model.
• Stopping review is unsafe because the finding calls for bias investigation, not reduced validation of AI-driven prioritization.

Question 2

Topic: AI Governance, Risk, and Compliance

A bank’s public-facing AI chatbot incorrectly tells several customers that fraud claims are “probably their fault” and refuses to provide escalation steps. Screenshots are spreading on social media. Monitoring shows no customer PII disclosure, no abnormal token usage, and no evidence of model theft. For the executive incident summary, which risk category is the BEST fit?

Options:

• A. Data sovereignty violation

• B. Model theft

• C. AI cost overrun

• D. Reputational loss

Best answer: D

Explanation: Reputational loss is the primary risk when AI behavior, outputs, or misuse can reduce public trust in the organization. In this scenario, the harm comes from visible customer-facing chatbot responses that appear unfair, unhelpful, and poorly governed. The stem explicitly rules out common competing risks: no PII disclosure, no abnormal usage cost signal, and no evidence that the model was stolen. The executive summary should identify the business impact that best matches the facts: public loss of confidence caused by AI output.

• Data sovereignty does not fit because the stem gives no cross-border data handling or residency issue.
• Model theft is unsupported because monitoring found no evidence of unauthorized model access or exfiltration.
• Cost overrun is ruled out because token usage is normal and the incident is about public trust.

Question 3

Topic: AI Governance, Risk, and Compliance

A security team is preparing to deploy an AI assistant that triages reported phishing emails and can trigger mailbox quarantine. The pilot shows acceptable average accuracy, but classifications vary during peak submission periods and confidence drops on multilingual emails. Corporate responsible AI policy requires reliability and safety validation under expected operating conditions before autonomous disruptive actions are enabled. Which action is the BEST professional decision?

Options:

• A. Enable autonomous quarantine because average pilot accuracy is acceptable

• B. Rely on user appeals after quarantine to detect unsafe decisions

• C. Keep human approval and validate reliability under peak and multilingual conditions

• D. Limit production use to English emails to improve consistency metrics

Best answer: C

Explanation: Reliability and safety require the AI system to perform consistently under the conditions it is expected to face, not just to show acceptable average performance. Here, peak-volume behavior and multilingual messages are normal operating conditions, and both revealed inconsistent or lower-confidence behavior. Because quarantine is disruptive, the safer governance decision is to keep a human approval gate while validating the model against those conditions, monitoring confidence and error patterns, and defining acceptance criteria before enabling autonomy.

The key takeaway is that responsible AI deployment should match the level of automation to demonstrated reliability and operational risk.

• Average accuracy trap fails because aggregate pilot results do not address inconsistent behavior during known peak-load and multilingual conditions.
• Scope reduction trap fails because excluding multilingual emails hides an expected operating condition instead of validating safe performance.
• Appeals-first trap fails because relying on post-impact correction allows unsafe disruptive actions before reliability is proven.

Question 4

Topic: AI Governance, Risk, and Compliance

A company is preparing to deploy an internal LLM assistant that summarizes security incidents. Corporate policy requires documented data-use restrictions, human review for high-impact recommendations, and audit evidence before any AI system is approved for production. Which action should the AI governance engineer take first to operationalize this requirement?

Options:

• A. Tune the model to improve summary accuracy

• B. Add a generic disclaimer to all model responses

• C. Grant SOC analysts direct access to raw incident data

• D. Define approval gates, evidence requirements, and control owners

Best answer: D

Explanation: An AI governance engineer is responsible for turning AI policy, risk, and compliance requirements into operational controls that delivery teams can follow and auditors can verify. In this scenario, the policy already states required outcomes: data-use restrictions, human review, and audit evidence before production. The governance engineer should define the approval workflow, required evidence, control ownership, and checkpoints so the AI system cannot move to production without satisfying those requirements.

Model tuning may improve quality, but it does not operationalize governance. A disclaimer is weak assurance and does not enforce review, data restrictions, or auditability.

• Model tuning addresses performance, not governance gates or compliance evidence.
• Raw data access may increase data exposure and does not implement the stated restrictions.
• Generic disclaimers do not enforce human review, access limits, or audit evidence.

Question 5

Topic: AI Governance, Risk, and Compliance

A financial services company is piloting an AI agent that triages fraud alerts and performs containment actions. Review the workflow trace and choose the best interpretation and next action.

Exhibit: Workflow trace

Alert: suspected account takeover
Model confidence: 0.61
Agent action: disabled customer account
Agent action: pushed merchant blocklist update
Human approval required: false
Rollback plan: not configured
Post-action review: weekly sample only

Options:

• A. Increase the model confidence threshold only.

• B. Expand the agent’s access to reduce containment latency.

• C. Classify the issue as a data-retention governance gap.

• D. Pause autonomous actions and add approval and rollback controls.

Best answer: D

Explanation: Autonomous-system risk occurs when an AI system can make or execute impactful decisions without appropriate human oversight, approval gates, or operational safeguards. In this trace, the agent disables customer accounts and updates a merchant blocklist at moderate confidence, with no human approval and no rollback plan. Those actions can disrupt customers and business operations, so the immediate governance response is to pause or restrict autonomy until safeguards are in place. A higher confidence threshold may help, but it does not address the missing approval and rollback controls.

• Threshold-only fix is incomplete because confidence tuning does not provide oversight or recovery for high-impact actions.
• Expanded access increases excessive agency and operational blast radius under the same weak controls.
• Data-retention framing misses the visible issue: autonomous privileged actions without safeguards.

Question 6

Topic: AI Governance, Risk, and Compliance

A fintech company uses an AI model to place automated temporary holds on accounts flagged for fraud. Fairness audit labels are available only for monitoring, not for model input. What is the best next action based on the exhibit?

Exhibit: Weekly monitoring summary

Governance rule: Material disparity in adverse outcomes requires review before automated adverse actions continue.

Options:

• A. Accept the model because it does not use fairness audit labels as inputs.

• B. Tune the model only to improve overall fraud-detection accuracy.

• C. Route Group C holds to human review and investigate fairness before resuming automation.

• D. Remove group-level monitoring to avoid collecting sensitive audit evidence.

Best answer: C

Explanation: Fairness requires checking whether an AI system creates unequal or unjustified outcomes across users, groups, or cases, even when protected or sensitive attributes are not used as model inputs. The exhibit shows Group C has about three times the hold rate of the other groups and a much higher appeal-overturn rate, suggesting the automated decision may be disproportionately and incorrectly affecting that group. Because the governance rule requires review before automated adverse actions continue, the safest action is to add human review for affected adverse decisions and investigate the disparity using fairness metrics, data quality checks, and model evaluation. Overall model performance or absence of protected-class inputs does not resolve outcome disparity.

• No input label defense fails because disparate outcomes can occur through proxies or data imbalance even without explicit sensitive fields.
• Overall accuracy focus fails because aggregate performance can hide unfair error rates for a subgroup.
• Removing monitoring fails because fairness evidence is needed for governance, auditability, and remediation.

Question 7

Topic: AI Governance, Risk, and Compliance

A production AI ticket-classification service is under abuse during business hours. The model weights and training dataset have not changed.

Evidence:
- API calls: 18x normal from one client token
- Impact: latency and inference cost spike
- Last release: gateway rate limit disabled
- Model eval: no data drift or accuracy regression
- Needed: restore controls, verify monitoring, roll back if needed

Which role should lead the immediate deployment and maintenance remediation?

Options:

• A. Data governance lead

• B. MLOps engineer

• C. Machine learning engineer

• D. AI policy owner

Best answer: B

Explanation: The evidence points to production abuse and an operational control failure, not a model-design or training problem. An MLOps engineer is responsible for deploying and maintaining AI systems in production, including release pipelines, monitoring, scaling, rollback, rate limits, and endpoint reliability controls. A machine learning engineer is more focused on model development tasks such as feature engineering, training, tuning, validation, and improving model performance. Since the model has no drift or accuracy regression and the urgent fix is to restore the gateway control and validate monitoring, the operational role should lead remediation while coordinating with security.

• Model retraining is not supported because the evidence shows no drift, no weight change, and no accuracy regression.
• Data governance is less direct because the issue is endpoint abuse and release control, not data ownership or lineage.
• Policy ownership can set requirements, but it does not normally execute production rollback or gateway-control restoration.

Question 8

Topic: AI Governance, Risk, and Compliance

A security team is reviewing an AI service deployment issue and needs to assign primary ownership for remediation.

Exhibit: Workflow trace

Model version: fraud-v8
Offline validation: passed by ML team
Canary deployment: failed
Failure point: container health checks and autoscaling config
Monitoring gap: drift and latency alerts not routed
Rollback: manual intervention required

Which role should be the primary owner for fixing the issues shown in the exhibit?

Options:

• A. Data governance lead

• B. AI ethics reviewer

• C. Machine learning engineer

• D. MLOps engineer

Best answer: D

Explanation: A machine learning engineer primarily focuses on model design, training, feature work, tuning, and validation. An MLOps engineer focuses on operationalizing the model: CI/CD, model serving, deployment pipelines, monitoring, alerting, rollback, scaling, and production reliability. In the exhibit, the model already passed offline validation, but the failure is in canary deployment health checks, autoscaling, alert routing, and rollback. Those are production operations and lifecycle maintenance responsibilities, so they align with MLOps ownership rather than model development ownership.

The key distinction is whether the problem is about improving the model itself or safely running and maintaining it in production.

• Model development is tempting because a model version is named, but the trace says offline validation already passed.
• Data governance would matter for lineage, access, or retention issues, not container health checks or alert routing.
• Ethics review would address fairness, transparency, or responsible AI concerns, not deployment reliability controls.

Question 9

Topic: AI Governance, Risk, and Compliance

A security analyst finds that several engineers are pasting customer support tickets into a personal AI chatbot to summarize defects before sprint planning. The tickets may contain PII, the chatbot is not in the approved AI inventory, and the company policy requires approved tools to enforce data retention, logging, and DLP controls. What is the BEST professional decision?

Options:

• A. Treat it as shadow AI and route it through the AI governance process

• B. Block all AI summarization tools across engineering

• C. Approve the workflow because summarization is low risk

• D. Allow use if engineers remove obvious names before submission

Best answer: A

Explanation: Shadow AI is the use of unapproved AI tools or models outside the organization’s governance, security, and monitoring controls. In this scenario, engineers are sending potentially sensitive customer data to a personal chatbot that is not inventoried and does not meet required retention, logging, or DLP controls. The best decision is to classify the activity as shadow AI, stop or contain the unsanctioned use, and route the workflow through the approved governance process so the business need can be evaluated safely. The goal is not to ban useful AI outright; it is to bring the use case under sanctioned controls.

• Manual redaction is insufficient because it does not restore approved logging, retention, DLP, or vendor governance.
• Low-risk assumption fails because ticket data may contain PII and the tool bypasses required controls.
• Blanket blocking may be disproportionate because an approved summarization workflow could meet the business need securely.

Question 10

Topic: AI Governance, Risk, and Compliance

A security governance team is triaging AI intake requests. Which next action best fits the AI risk analyst’s responsibility?

Exhibit: AI intake record

Intake ID: HR-27
Use case: LLM ranks employees for promotion readiness
Data: performance reviews and accommodation notes
Integration: external AI service; pilot starts in 2 weeks
Impact: managers will use scores in promotion discussions
Open items: no risk rating, compliance review, or operational fallback plan

Options:

• A. Let the business owner run the pilot and document feedback.

• B. Route the intake to an AI risk analyst before the pilot.

• C. Have the SOC add monitoring after production launch.

• D. Assign a prompt engineer to improve the ranking instructions.

Best answer: B

Explanation: An AI risk analyst should evaluate proposed AI use cases when they could create material business, security, compliance, or operational risk. This intake includes sensitive HR data, an external AI service, employment-impacting outputs, and missing risk controls before a near-term pilot. Those facts make it inappropriate to proceed based only on business feedback, prompt quality, or post-launch monitoring. The risk analyst’s review should occur before the pilot so governance can assess data handling, regulatory exposure, decision impact, vendor risk, fallback procedures, and required safeguards.

• Business-only pilot fails because feedback does not address sensitive-data handling or employment-decision risk before use.
• Prompt tuning is too narrow because better instructions do not replace risk evaluation or compliance review.
• Post-launch monitoring is too late because the unresolved risks should be assessed before the pilot begins.

Continue with full practice

Use the CompTIA SecAI+ CY0-001 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.

Try CompTIA SecAI+ CY0-001 on Web View CompTIA SecAI+ CY0-001 Practice Test

Related focused pages

• Free CompTIA SecAI+ CY0-001 Full-Length Practice Exam
• Basic AI Concepts Related to Cybersecurity
• Securing AI Systems
• AI-Assisted Security

Free review resource

Read the CompTIA SecAI+ CY0-001 Cheat Sheet for compact concept review before returning to timed practice.