Free Isaca AAIA Practice Exam with Questions & Answers

Ensuring AI model resilience against external threats involves validating that the model is configured to resist attacks, such as adversarial inputs, data poisoning, or misuse. The AAIA™ Study Guide emphasizes configuration testing as a crucial control to simulate threat scenarios and assess robustness.

“Model configuration testing simulates real-world threat conditions to validate model resilience. This includes testing against adversarial attacks, input manipulation, and exposure of sensitive outputs.”

While access monitoring (C) and anonymization (A) reduce risks, they don’t actively validate model behavior under threat conditions. Therefore, D offers the most effective resilience measure.

The AAIA™ Study Guide emphasizes that AI implementations introduce dynamic and non-deterministic elements into systems, increasing the risk associated with changes. A comprehensive, AI-specific risk assessment is therefore the most critical component of a change management program to ensure that updates, retraining, or parameter adjustments do not introduce vulnerabilities or unintended consequences.

“Risk assessments tailored to AI are crucial because changes to models, training data, or infrastructure can affect performance, ethical compliance, or expose the system to new threats. A standard IT change review is often insufficient.”

While having a governance committee (A) and reviewing documentation (B) are important supporting practices, only option C directly mitigates the core risks of AI system change. Ethics training (D) supports awareness but is not directly tied to change control.

To assess compliance with intellectual property (IP) and data rights, the IS auditor must review documented data usage agreements that specify ownership, licensing, consent, and limitations of use. The AAIA™ Study Guide underscores the importance of verifying that the data used to train or feed AI models is obtained and utilized within legal and contractual boundaries.

“Auditors must review data usage agreements to validate whether the organization has appropriate rights to use, distribute, or transform data inputs, especially where third-party or sensitive data is involved.”

While open-source usage (C) is a concern, only B provides legal clarity. Metrics (A) and logs (D) reflect performance—not legal compliance.

Accountability for data management (option D) is the most crucial consideration. The AAIA™ Study Guide emphasizes that “clear roles, responsibilities, and ownership for data management activities are central to trustworthy AI systems, as they ensure compliance, traceability, and the consistent application of policies and controls.”

Retention, portability, and data training practices are important, but accountability is foundational for the enforcement and monitoring of all other governance practices.

Supervised learning is a foundational type of machine learning in which the model is trained on a labeled dataset. According to the AAIA™ Study Guide, labeled data includes input features along with the correct output, enabling the model to learn the mapping function accurately.

“In supervised learning, models learn from input-output pairs provided in the training data. This method enables predictive modeling tasks such as classification and regression.”

Unlabeled data (A) is used in unsupervised learning; clustered data (B) is a technique rather than a data type; and randomized data (D) refers to distribution strategy, not labeling. Hence, labeled data is the correct answer.

Ensuring that AI tools are trained on properly licensed and documented data sets is critical to avoiding copyright infringement and legal exposure. The AAIA™ Study Guide emphasizes using platforms with certified and traceable training data to meet ethical and legal standards.

“Organizations must verify the provenance and licensing of data used to train AI systems. Platforms that certify data sources reduce the risk of using protected intellectual property without consent.”

Manual review (A) is resource-intensive and may not detect embedded copyright violations. Labeling (C) is not sufficient for legal protection. Suspension (D) may be excessive without first attempting remediation. Thus, B is the most strategic and effective recommendation.

In the case of a potential data exposure through AI model outputs, the first and most responsible action from an auditing and risk standpoint is to halt further risk propagation. According to the AAIA™ Study Guide, immediate containment is vital, especially when regulatory and reputational risks are high.

“Upon detection of a data breach risk, AI models should be immediately disabled from public or partner use, and all relevant parties should be notified as part of a responsible disclosure and containment strategy.”

While options A and D are longer-term remediation steps and B is investigative, none of them provide the urgent containment that is best practice in such a breach context.

Generative AI systems, particularly those based on transformer models, produce outputs using probabilistic computations. As a result, even when given the same input data, these models may generate different outputs depending on sampling strategies (e.g., temperature, top-k sampling).

“Generative AI operates probabilistically, meaning that outputs can vary with each run based on stochastic sampling techniques. This variability is expected and must be accounted for in risk-sensitive environments like finance.”

While A and B refer to limitations and architecture, and D is unrelated to logic, C directly explains the output inconsistency.

Data cleaning is a foundational task in the AI development lifecycle. The AAIA™ Study Guide identifies data quality—ensuring completeness, accuracy, consistency, and correctness—as critical to building effective and unbiased AI systems. Cleaning the data involves removing duplicates, correcting errors, addressing missing values, and standardizing formats.

“Data cleaning is a prerequisite for effective training and evaluation. Poor-quality data leads to inaccurate or misleading model outputs, increasing operational and ethical risks.”

While training (D) is essential, it must occur only after the data has been adequately prepared. Stratification (A) supports certain modeling approaches but is secondary to data integrity. Therefore, C is the most important task at the data-gathering stage.

In the context of AI-driven audit planning, the AAIA™ Study Guide identifies incomplete or inaccurate data as the most significant risk. If the data input into AI tools is missing, outdated, or inconsistent, the model's suggestions for risk prioritization or control testing will be flawed.

“Audit planning supported by AI tools is only as strong as the underlying data. Incomplete data may cause incorrect risk assessments or misallocate audit resources, undermining audit effectiveness.”

While scope creep and cost are common concerns in project management, and limited AI knowledge can be mitigated through training, only incomplete data directly impacts the validity of audit planning outputs.