ISACA AAIR Sample Questions & Practice Test

Try 12 ISACA Advanced in AI Risk Management (AAIR) sample questions covering AI governance, risk appetite, model lifecycle, third-party risk, monitoring, compliance, and business accountability.

ISACA Advanced in AI Risk Management (AAIR) is a focused route for professionals who need to govern AI risks across strategy, lifecycle, accountability, controls, monitoring, and third-party use.

These original sample questions preview the risk-reasoning style a full IT Mastery route should use. They are not official ISACA exam questions.

What this route should test

  • connecting AI use cases to risk appetite, control ownership, and business value
  • evaluating lifecycle controls from design through deployment and monitoring
  • recognizing risk in third-party AI services and shadow AI use
  • choosing proportionate controls for higher-impact AI decisions

Sample Exam Questions

Question 1

Topic: risk appetite

A business unit wants to use AI for automated loan-decline recommendations. What should risk management confirm first?

  • A. Whether the model name is short
  • B. Whether the use case fits risk appetite, legal obligations, governance, and control expectations
  • C. Whether the team can bypass approval to move faster
  • D. Whether monitoring can be postponed indefinitely

Best answer: B

Explanation: Automated loan declines are a high-impact credit decision. Such use cases require explicit alignment to risk appetite, legal obligations, governance, controls, and accountability before any build or rollout starts.


Question 2

Topic: AI inventory

Why maintain an inventory of AI systems?

  • A. To replace all model testing
  • B. To publish every prompt publicly
  • C. To avoid assigning accountability
  • D. To identify owners, use cases, data sources, risk level, and review requirements

Best answer: D

Explanation: An AI inventory supports governance, prioritization, risk assessment, control ownership, and regulatory readiness.


Question 3

Topic: lifecycle risk

Which lifecycle stage should include model validation before production use?

  • A. Deployment readiness or pre-production review
  • B. Only retirement
  • C. Only marketing
  • D. Never, because AI self-validates

Best answer: A

Explanation: Validation before production helps confirm that the model behaves acceptably for the intended use, risk level, data, and control environment.


Question 4

Topic: shadow AI

Employees use unsanctioned AI tools with company data. What is the best risk response?

  • A. Ignore the behavior because AI tools are popular
  • B. Encourage unrestricted copying of customer data
  • C. Establish approved tools, data-use rules, monitoring, training, and escalation
  • D. Delete all acceptable-use policies

Best answer: C

Explanation: Shadow AI is a governance and data-risk issue. A practical response provides safe approved options and clear boundaries.
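The "monitoring" part of that response can be concrete. The block below is an added example (not part of the original question set, and not an ISACA or IT Mastery artifact) that scans web-proxy log lines for traffic to AI services outside the approved list and grades each hit so it can be routed to the escalation path. The log format, the sanctioned and unsanctioned domain lists, the `.example` hostnames and the upload-size threshold are all hypothetical.

```python
"""Shadow-AI detection over web-proxy logs.

Added example, not from the page. Assumptions (all hypothetical): the proxy
writes one request per line as key=value fields, the organisation keeps an
allowlist of sanctioned AI services and a watchlist of known unsanctioned AI
SaaS domains, and any POST above a size threshold to an unsanctioned AI
domain is escalated as a probable bulk data transfer.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample proxy lines; hostnames use the reserved .example TLD.
SAMPLE_LOG = """\
2026-05-18T09:12:03Z user=alice method=GET  dst=assistant.corp-ai.example bytes_out=812
2026-05-18T09:13:41Z user=bob   method=POST dst=chat.freegpt.example bytes_out=48213
2026-05-18T09:14:02Z user=carol method=POST dst=api.docsummarizer.example bytes_out=1930
2026-05-18T09:15:27Z user=bob   method=GET  dst=news.example bytes_out=300
2026-05-18T09:16:10Z user=dave  method=POST dst=upload.chat.freegpt.example bytes_out=1048576
"""

SANCTIONED_AI: Set[str] = {"assistant.corp-ai.example"}                 # approved tools (assumed)
UNSANCTIONED_AI: Set[str] = {"chat.freegpt.example", "api.docsummarizer.example"}  # watchlist (assumed)
BULK_UPLOAD_BYTES = 10_000                                              # escalation threshold (assumed)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+method=(?P<method>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+bytes_out=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    dst: str
    severity: str   # "info" | "medium" | "high"
    reason: str


def _matches(host: str, domains: Set[str]) -> bool:
    """True if host is a listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(line: str) -> Optional[Finding]:
    """Map one proxy line to a finding, or None if it needs no action."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skipped here, a real pipeline would count these
    user, dst, method, size = m["user"], m["dst"], m["method"], int(m["bytes"])
    if _matches(dst, SANCTIONED_AI):
        return None  # approved tool: covered by its own data-use controls
    if not _matches(dst, UNSANCTIONED_AI):
        return None  # not an AI service we track
    if method == "POST" and size >= BULK_UPLOAD_BYTES:
        return Finding(m["ts"], user, dst, "high", "bulk upload to unsanctioned AI service")
    if method == "POST":
        return Finding(m["ts"], user, dst, "medium", "data sent to unsanctioned AI service")
    return Finding(m["ts"], user, dst, "info", "browsing unsanctioned AI service")


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ts} {f.user} -> {f.dst}: {f.reason}")
```

The point of the severity split is proportionality: browsing an unlisted AI site is a training and awareness matter, while a large POST to one is a data-handling incident that an accountable owner needs to see. A watchlist only catches services you already know about, so pair it with periodic review of new, unclassified destinations.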


Question 5

Topic: third-party risk

A vendor AI platform processes regulated data. What should be assessed?

  • A. Only the price discount
  • B. Data handling, security controls, contractual terms, audit rights, subprocessor use, and exit options
  • C. Only the vendor’s social media presence
  • D. Whether the tool has a catchy name

Best answer: B

Explanation: Third-party AI risk includes confidentiality, compliance, resilience, transparency, and dependency management.


Question 6

Topic: model drift

An AI model performs well at launch but degrades as customer behavior changes. What risk process addresses this?

  • A. No review after launch
  • B. Deleting historic metrics
  • C. Treating launch approval as permanent assurance
  • D. Ongoing monitoring with thresholds, owner review, and retraining or retirement decisions

Best answer: D

Explanation: AI risk management must account for drift. Monitoring and review determine when performance or risk has moved outside tolerance.
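To make "thresholds, owner review, and retraining or retirement decisions" tangible, the block below is an added example (not from the original page) that monitors a model across review periods using the Population Stability Index on its score distribution together with a measured accuracy, and turns both into one of three statuses an owner acts on. The bin layout, the sample period data, the PSI bands and the accuracy floor are hypothetical tolerances assumed for illustration.

```python
"""Drift monitoring with thresholds and owner decisions.

Added example, not from the page. Hypothetical setup: the model's output
score is bucketed into fixed bins, the bin distribution was frozen as a
baseline at launch, and each review period the production distribution and
measured accuracy are compared against it. The thresholds below stand in
for the tolerances an accountable owner would set in the risk register.
"""
import math
from dataclasses import dataclass
from typing import List, Sequence, Tuple

PSI_WARN, PSI_CRITICAL = 0.10, 0.25   # common rule-of-thumb PSI bands, assumed as tolerance here
ACCURACY_FLOOR = 0.80                 # minimum acceptable accuracy (assumed)
ACCURACY_WARN_MARGIN = 0.03           # warn when within this margin of the floor (assumed)

STATUS = ("ok", "owner_review", "retrain_or_retire")


def _proportions(counts: Sequence[int], eps: float = 1e-6) -> List[float]:
    """Turn bin counts into proportions; eps keeps log() finite for empty bins."""
    total = float(sum(counts))
    return [max(c / total, eps) for c in counts]


def psi(expected: Sequence[int], actual: Sequence[int]) -> float:
    """Population Stability Index: sum((a - e) * ln(a / e)) over score bins."""
    if len(expected) != len(actual):
        raise ValueError("baseline and current distributions use different bins")
    e, a = _proportions(expected), _proportions(actual)
    return sum((ai - ei) * math.log(ai / ei) for ei, ai in zip(e, a))


@dataclass(frozen=True)
class Review:
    period: str
    psi: float
    accuracy: float
    status: str               # one of STATUS
    reasons: Tuple[str, ...]  # evidence the owner sees with the decision


def review_period(period: str, baseline: Sequence[int],
                  current: Sequence[int], accuracy: float) -> Review:
    """Compare one period against the baseline and decide what the owner must do."""
    score = psi(baseline, current)
    level, reasons = 0, []
    if score >= PSI_CRITICAL:
        level = 2
        reasons.append(f"PSI {score:.3f} >= critical {PSI_CRITICAL}")
    elif score >= PSI_WARN:
        level = 1
        reasons.append(f"PSI {score:.3f} >= warning {PSI_WARN}")
    if accuracy < ACCURACY_FLOOR:
        level = 2  # accuracy breach is critical regardless of PSI
        reasons.append(f"accuracy {accuracy:.2f} < floor {ACCURACY_FLOOR}")
    elif accuracy < ACCURACY_FLOOR + ACCURACY_WARN_MARGIN:
        level = max(level, 1)  # never downgrade a PSI-critical period
        reasons.append(f"accuracy {accuracy:.2f} within {ACCURACY_WARN_MARGIN} of floor")
    return Review(period, score, accuracy, STATUS[level], tuple(reasons))


# Constructed data: baseline bin counts frozen at launch, then three review periods.
BASELINE_BINS = [400, 300, 200, 100]
PERIODS = [
    ("2026-W01", [410, 290, 205, 95], 0.88),   # stable
    ("2026-W02", [250, 300, 270, 180], 0.86),  # customer mix shifting, accuracy still fine
    ("2026-W03", [150, 250, 300, 300], 0.79),  # distribution and accuracy both out of tolerance
]


def run_monitoring(baseline: Sequence[int] = BASELINE_BINS,
                   periods=PERIODS) -> List[Review]:
    """Review every period in order; the list is the evidence trail for the owner."""
    return [review_period(p, baseline, bins, acc) for p, bins, acc in periods]


if __name__ == "__main__":
    for r in run_monitoring():
        print(f"{r.period}: psi={r.psi:.3f} acc={r.accuracy:.2f} -> {r.status}"
              f" {'; '.join(r.reasons)}")
```

Two design points matter more than the exact metric. First, the status is a decision for a named owner, not an alert that disappears into a dashboard: "owner_review" obliges someone to look and record an outcome, and "retrain_or_retire" forces a formal choice. Second, the review keeps its reasons, so the evidence behind a residual-risk acceptance or a retirement decision is on file rather than reconstructed later.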


Question 7

Topic: accountability

A failed AI decision affects customers, but no business owner is assigned. What is the governance weakness?

  • A. Unclear accountability
  • B. Excessive transparency
  • C. Too much testing
  • D. Too many backups

Best answer: A

Explanation: AI systems need named owners responsible for use, controls, risk acceptance, monitoring, and remediation.


Question 8

Topic: impact assessment

Which use case usually requires stronger AI risk controls?

  • A. A spelling suggestion for a public blog post
  • B. A non-sensitive image crop suggestion
  • C. AI recommendations that affect employment, credit, benefits, or access to services
  • D. A meeting-room name generator

Best answer: C

Explanation: Higher-impact decisions can affect rights, access, finances, or legal obligations. They require stronger governance, testing, oversight, and documentation.


Question 9

Topic: control proportionality

A low-risk internal AI tool summarizes public news articles. What is the best control approach?

  • A. Apply no controls at all
  • B. Apply proportionate controls for data use, accuracy expectations, and user disclosure
  • C. Use the same controls as a high-impact credit model in every detail
  • D. Hide the tool from management

Best answer: B

Explanation: Controls should match risk. Low-risk use still needs basic rules, but high-impact processes require deeper assurance.


Question 10

Topic: risk acceptance

Who should accept residual AI risk after controls are implemented?

  • A. A random user
  • B. The AI model itself
  • C. No one
  • D. An appropriate business or risk owner with authority and evidence

Best answer: D

Explanation: Residual risk acceptance should be explicit, documented, and made by an accountable owner with authority.


Question 11

Topic: transparency

Users interact with an AI assistant that gives compliance-related recommendations. What should be clear?

  • A. That AI is involved, what the assistant can and cannot do, and when human review is required
  • B. That all AI output is guaranteed correct
  • C. That users cannot question results
  • D. That source data is irrelevant

Best answer: A

Explanation: Transparency helps users understand limitations, appropriate reliance, escalation, and accountability.


Question 12

Topic: policy

What is the best role of an enterprise AI policy?

  • A. Replace all technical testing
  • B. Approve every possible AI use automatically
  • C. Define approved uses, prohibited uses, governance roles, data rules, control expectations, and escalation paths
  • D. Remove responsibility from business owners

Best answer: C

Explanation: AI policy provides consistent expectations. It must be supported by procedures, controls, monitoring, and ownership.

Revised on Monday, May 18, 2026