GARP Risk and AI Practice Test

Try 12 GARP Risk and AI sample questions and practice-test preview prompts on model risk, governance, explainability, data quality, validation, monitoring, controls, and AI risk scenarios.

GARP Risk and AI is a useful early update-request page for candidates interested in artificial intelligence risk, model governance, controls, validation, explainability, and financial-risk use cases.

This page includes 12 original sample questions for initial review. They are not official GARP questions and do not reproduce a live exam; they are designed to preview the AI-risk governance, control, and model-risk reasoning that a full Finance Prep route would need to support.

What this route should test

  • identifying AI model risk, data risk, operational risk, and governance gaps
  • choosing control, validation, monitoring, or escalation steps for AI systems
  • separating AI opportunity from model-risk evidence
  • applying risk-management discipline to finance and enterprise AI scenarios

Sample Exam Questions

These questions focus on AI-risk decision points: governance ownership, validation, data controls, explainability, monitoring, and escalation. They are written for risk candidates, not for software implementation certification.

Question 1

Topic: AI model governance

A financial institution deploys an AI model for customer segmentation, but the business owner cannot identify model purpose, approved use, owner, validation status, or monitoring metrics. What is the strongest governance concern?

  • A. AI models never require documentation because they learn from data
  • B. The model is not clearly controlled within a model inventory and governance process
  • C. Customer segmentation is not a risk-management issue
  • D. Governance begins only after a regulatory complaint

Best answer: B

Explanation: AI models should have clear ownership, purpose, approved use, validation status, limitations, and monitoring. A model inventory and governance process help prevent uncontrolled use, drift, and accountability gaps.


Question 2

Topic: explainability

A credit model produces accurate historical predictions, but staff cannot explain the main drivers of declined applications to compliance or affected customers. What risk is most relevant?

  • A. Settlement risk
  • B. Foreign-exchange risk
  • C. Custody risk
  • D. Explainability and decision-transparency risk

Best answer: D

Explanation: Strong performance metrics do not eliminate explainability obligations. Credit, compliance, and customer-impact decisions often require understandable reasons, challenge, and governance evidence.


Question 3

Topic: data drift

An AI fraud model performs well for six months, then false positives rise after customer behaviour changes. What should the risk team suspect first?

  • A. Data or concept drift may have changed the relationship between inputs and outcomes
  • B. The model has become risk-free because it has more history
  • C. Fraud risk has disappeared
  • D. The monitoring threshold should be removed

Best answer: A

Explanation: AI models can degrade when populations, products, fraud patterns, or economic conditions change. Monitoring should detect drift and trigger review, recalibration, or replacement when performance deteriorates.


Question 4

Topic: generative AI output risk

A team uses a generative AI tool to draft market commentary. The draft includes a confident statement about a security that is not supported by source material. What is the main control need?

  • A. Publish quickly because confidence indicates accuracy
  • B. Remove all human review so the tool can scale
  • C. Require source verification, review, and approval before external use
  • D. Treat generated text as legal advice

Best answer: C

Explanation: Generative AI can produce fluent but unsupported output. Controls should include source checking, human review, approval workflows, and restrictions on external or client-facing use.


Question 5

Topic: independent validation

A vendor provides an AI risk-scoring model and says its proprietary design cannot be reviewed. What should the firm do before high-impact use?

  • A. Accept the vendor claim because proprietary models cannot create firm risk
  • B. Use the model only for the riskiest decisions so benefits are larger
  • C. Skip validation if the contract includes a warranty
  • D. Perform appropriate due diligence, validation, limitation assessment, and monitoring despite vendor restrictions

Best answer: D

Explanation: Third-party models still create user-firm risk. If full transparency is limited, the firm should still assess purpose, data, performance, limitations, controls, contractual rights, and monitoring evidence before relying on the model.


Question 6

Topic: bias and fairness

An AI model’s approval rate differs materially across protected customer groups, and the difference cannot be explained by documented risk factors. What is the best next step?

  • A. Ignore the result if the aggregate accuracy score is high
  • B. Investigate potential bias, data issues, feature effects, and remediation options
  • C. Increase the model threshold for all applicants without analysis
  • D. Delete all records of the test

Best answer: B

Explanation: Aggregate accuracy can hide unfair or unlawful outcomes. The appropriate response is investigation, documentation, challenge, remediation, and governance review, not suppression or blind adjustment.


Question 7

Topic: human oversight

A firm uses AI to flag suspicious activity, but investigators approve every AI recommendation without review because the model is usually right. What is the concern?

  • A. Human oversight has become a rubber stamp rather than an effective control
  • B. Suspicious-activity review should never use technology
  • C. AI flags automatically satisfy all compliance obligations
  • D. The model should be treated as a board member

Best answer: A

Explanation: Human oversight must be meaningful. If staff automatically accept model output, errors, drift, bias, or changing typologies can pass through controls without challenge.


Question 8

Topic: monitoring

Which metric set is most useful for ongoing monitoring of a deployed AI model?

  • A. Launch-date accuracy only
  • B. The number of presentation slides used to approve the model
  • C. Performance, drift, exception rates, override rates, incidents, and outcome fairness where relevant
  • D. Vendor brand recognition only

Best answer: C

Explanation: Monitoring should track whether the model still performs within approved limits and whether outcomes remain acceptable. Launch approval is not enough for models that operate in changing environments.


Question 9

Topic: third-party AI risk

A business unit connects a client-data workflow to an external AI tool without legal, privacy, security, or model-risk review. What is the most appropriate risk response?

  • A. Approve it retroactively because innovation should not be slowed
  • B. Treat it as only a procurement issue
  • C. Ask the vendor to promise verbally that data is safe
  • D. Stop or contain the use, assess data handling and control obligations, and route it through third-party and model-risk review

Best answer: D

Explanation: Third-party AI use can create privacy, security, contractual, operational, and model-risk exposure. The response should contain uncontrolled use and route the tool through the proper review process.


Question 10

Topic: model inventory

Why is an AI model inventory useful for risk management?

  • A. It replaces validation and monitoring
  • B. It helps the firm know what models exist, who owns them, how they are used, and which controls apply
  • C. It proves every AI model is low risk
  • D. It is useful only for software developers, not risk teams

Best answer: B

Explanation: A model inventory supports accountability, tiering, validation, monitoring, retirement, and regulatory response. It does not eliminate the need for controls, but it makes those controls possible.


Question 11

Topic: prompt and data leakage

An employee pastes confidential client information into a public generative AI service to summarize a file. What is the primary risk?

  • A. Potential leakage or unauthorized use of confidential information
  • B. Reduced office electricity cost
  • C. Lower bond duration
  • D. Elimination of operational risk

Best answer: A

Explanation: Public AI services may process, retain, or expose sensitive data depending on terms and configuration. Firms need clear rules, approved tools, training, and technical controls for confidential information.


Question 12

Topic: AI risk appetite

A firm wants to use AI for low-impact internal summarization and high-impact credit decisions under the same approval standard. What is the best governance response?

  • A. Use the lowest standard for both because both use AI
  • B. Ban all AI because one use case is high impact
  • C. Tier AI use cases by impact, risk, and control needs
  • D. Approve high-impact use first because it has the largest potential benefit

Best answer: C

Explanation: AI governance should be risk-based. Low-impact support tools and high-impact customer or financial decisions may require different validation, review, monitoring, explainability, privacy, and approval controls.

Risk and AI quick checklist

  • Can you separate model risk, data risk, privacy risk, bias risk, operational risk, and third-party risk?
  • Can you identify the next control step: inventory, validation, monitoring, escalation, human review, or containment?
  • Can you explain why high accuracy does not eliminate governance, explainability, and fairness concerns?

Revised on Monday, May 18, 2026