ISACA moved the Advanced in AI Risk certification to general availability on April 15, 2026, and with it came the first exam content outline carrying real domain weights: 37, 21, and 42 percent. The credential is roughly three months old as I write this. Almost nobody holds it yet, and the pool of honest, first-person pass reports is close to empty. That scarcity is the risk if you want a proven track record before you commit, and it is the opportunity if you would rather be early than late.
TL;DR
- You need a qualifying credential to sit at all. AAIR gates on one active credential from a list of roughly 25, including CISA, CISM, CRISC, CGEIT, CDPSE, CISSP, CGRC, and PMI-RMP. No qualifying cert, no exam.
- 90 scenario questions in 150 minutes, about 100 seconds each, scored on a scaled 200 to 800 range with a passing mark of 450.
- Three domains, unevenly weighted. AI Risk Program Management carries 42 percent, AI Risk Governance and Framework Integration 37 percent, and AI Life Cycle Risk Management only 21 percent.
- Cost is $459 for ISACA members and $599 for non-members, per the official isaca.org page, plus a $50 application fee after your scores post.
- This is a risk-program exam, not an AI-engineering exam. If you expect to be tested on model architectures instead of NIST AI RMF, the EU AI Act, and ISO/IEC 42001, you will misallocate your study time.
- Community signal is thin because the cert is new and first-person accounts are scarce. Treat any pass rate or difficulty claim you find online with skepticism.
- Practice is where you build the judgment this format rewards. Start with the CertCompanion AAIR question bank, 30 questions free, and aim for 80 to 90 percent before you book.
What the AAIR actually measures
Strip away the marketing and AAIR is a test of one skill: can you run an AI risk program inside a real organization. Not can you fine-tune a model, not can you explain transformer internals. Can you identify AI-specific risk scenarios, choose treatments, select and validate controls, then report all of it to people who sign off on budgets.
ISACA built the credential for the GRC and IT-risk crowd, which is why the prerequisite list is anchored around CRISC-style credentials rather than anything AI-native. The mental model that transfers cleanly is enterprise risk management: identify, assess, treat, monitor, report. What does not transfer for free is the AI-specific texture layered on top of that skeleton.
Training data and model behavior are entangled in ways traditional software risk never had to account for. Models drift after deployment. Attacks can target the training set instead of production infrastructure.
The exam sits at that intersection. It assumes you already think in risk registers and control frameworks, then it asks whether you can apply that thinking to systems that behave unlike anything in your existing register. That is the whole game.
AAIR exam at a glance
| Item | Value |
|---|---|
| Cost | Member: $459 USD / Non-Member: $599 USD (plus $50 application fee after passing) |
| Duration | 150 minutes (2.5 hours) |
| Questions | 90 scenario-based multiple choice |
| Passing Score | 450 on a 200–800 scaled score |
| Format | Computer-based, delivered by PSI |
| Validity / CPE | No fixed expiry; annual CPE reporting including 10 AI-domain hours; 5 years from passing to apply |
| Testing | PSI test center or online remote proctoring |
| Retake Policy | Up to 4 attempts per rolling 365 days, with escalating waiting periods |
| Prerequisite | One active qualifying credential (about 25 accepted, e.g. CRISC, CISA, CISM, CISSP) |
| Exam Version | GA since April 15, 2026 (post-beta) |
One note on pricing. ISACA's official page lists $459 for members and $599 for non-members as of publication; older pre-launch figures still circulate on third-party sites, and the official page is the number that counts.
The format is worth dwelling on. Ninety questions across 150 minutes gives you roughly 100 seconds each, which is generous next to many technical exams. Multiple sources make the same point, and it matches ISACA's sibling exams: time pressure is not the primary challenge here. The difficulty lives in the judgment each scenario demands.
A typical item hands you an organizational situation and asks for the best risk response: a vendor whose training-data provenance cannot be verified, say, or a model whose outputs have started drifting. Four of the options will look defensible. Only one is the strongest answer in context.
Then there is scoring. The 450 pass mark sits on a scaled 200 to 800 range, not a raw percentage. This trips people up: 450 out of 800 is not "get 56 percent of questions right." Scaled scoring weights items by difficulty, so a clean pass means scoring comfortably above the line, ideally across every domain, rather than squeaking over the aggregate.
And remember the timeline. AAIR ran a beta through late 2025, with beta approval closing around December 16, 2025, then went GA on April 15, 2026. Everything you are reading about it, including this post, describes a credential with barely a quarter of history behind it.
Who should take the AAIR, and who should wait
The prerequisite is a hard gate, not a suggestion, so start there. You must hold one active qualifying credential from ISACA's list, which runs to roughly 25 options. The ISACA-native ones are CISA, CISM, CRISC, CGEIT, and CDPSE. The broader designations include CISSP, CGRC, CIA, PMI-RMP, and a long tail of accounting credentials like the U.S. CPA, ACCA, and CA ANZ.
The single most common early stumble, across every prep guide I read, is administrative rather than academic: people try to register with a lapsed credential and get blocked at the eligibility check. Confirm yours is active first.
AAIR fits you if you already hold one of those credentials and AI risk is becoming part of what your employer actually pays you to do. CRISC holders whose organizations are staring down EU AI Act obligations, NIST AI RMF adoption, or an ISO/IEC 42001 push are the clearest fit. If you brief executives on enterprise risk and maintain risk registers, and AI systems are now landing in both, this credential maps to your day job.
Who should wait? Anyone without a qualifying prerequisite, full stop, since you literally cannot sit. Also anyone with zero AI exposure in their current or target role, and anyone who wants salary-uplift proof before committing.
That proof does not exist yet, and pretending otherwise would be dishonest. My read: AAIR is a role-fit and early-mover play right now, not a guaranteed raise.
The three domains, decoded
ISACA numbers the domains in a specific order that does not track their weights, so read the percentages carefully. The exam assesses 23 distinct task and skill statements across the three areas combined.
Domain 1, AI Risk Governance and Framework Integration (37%)37%
This is the frameworks-and-accountability domain, and it is the second-heaviest at 37 percent. The official outline lists six areas: AI models, frameworks, strategies, and use cases; AI organizational processes and alignment; AI ownership, oversight, and accountability; AI policies, procedures, and organizational training; AI regulatory compliance and legal considerations; and AI trustworthiness, ethical and societal implications including ESG.
This is where the named frameworks earn their keep. NIST AI RMF, with its four functions of Govern, Map, Measure, and Manage, maps directly onto this domain. So does ISO/IEC 42001, the first certifiable AI management system standard, and the EU AI Act's risk-tier structure.
If you cannot fluently place a scenario inside one of those frameworks, this domain will hurt. The regulatory-compliance subtopic in particular rewards candidates who have actually read the source texts rather than a summary of a summary.
The accountability and oversight piece is subtler than it looks. Knowing that AI needs an owner is trivial; the exam wants you to reason about who that owner should be, what oversight structure fits a given organization, and how policy and training reinforce it. Governance questions are rarely about naming a framework. They are about applying one.
Domain 2, AI Life Cycle Risk Management (21%)21%
The smallest domain by a wide margin at 21 percent, and the one closest to the technical end of the exam without ever becoming an engineering test. Four areas: AI design, development or procurement, and documentation; AI model training, testing, and validation; AI implementation, maintenance, and decommissioning; and AI data and asset management.
The framing to hold onto is that every lifecycle stage creates risk decisions, and the exam tests whether you can spot the right one at each stage. What data can lawfully train the model. How validation should gate deployment.
What monitoring belongs in production. When and how a model gets decommissioned, and what happens to its data and artifacts afterward. These are governance and control questions dressed in lifecycle vocabulary.
Candidates from deep technical backgrounds sometimes over-read this domain, expecting to be quizzed on training mechanics. The outline points the other way, toward documentation, validation gates, and asset management. At 21 percent, it is also the domain where over-investing your study hours costs you the most elsewhere. Understand it well, but do not let it eat your calendar.
Domain 3, AI Risk Program Management (42%)42%
The single largest domain, 42 percent of the exam, and in my view the one that decides whether you pass. Six areas, and they read like an AI-flavored risk-management lifecycle: AI risk scenario identification and assessment covering threats, vulnerabilities, and attacks; AI risk treatment strategies; AI controls management across evaluation, selection, and validation; AI risk metrics, monitoring, and reporting; AI supply chain risk management for third-party resources; and AI incident response, business impact analysis, business continuity, and disaster recovery.
Domain 3 is where this exam gets real. The structure mirrors classic enterprise risk management, the kind ISO 31000 codifies generically, which is exactly why CRISC-style thinking transfers here better than anywhere else on the exam.
The AI-specific twist is in the threat catalog. AI risk scenarios include data poisoning, adversarial inputs, model inversion, and supply-chain exposure through third-party or pre-trained models whose provenance you cannot fully see. You are not asked to execute or prevent these attacks. You are asked to assess and treat them, then pick controls that hold up.
The incident-response and continuity subtopic deserves flagging. An AI system producing wrong outputs is a genuinely different incident from a data breach: attribution is murkier, remediation may mean retraining, and the regulatory blast radius can be hard to scope in advance. One prep vendor has publicly argued that candidates should weight study time toward Domain 3 because of its 42 percent share. That is a single vendor's marketing angle rather than corroborated candidate testimony, so hold it loosely, but the math behind it is hard to argue with.
Ranking the domains by difficulty, my analysis
Here is where I want to be explicit: what follows is my own analysis, built from the domain weights, the ECO subtopics, and what does or does not transfer from CRISC and CISM-style risk thinking. It is not community data. No meaningful pool of first-person difficulty reports exists yet for a credential this young, so treat this as a reasoned prediction, not a verdict.
Hardest to secure: Domain 3, AI Risk Program Management (42%). Not because any single concept is brutal, but because of leverage. It is the largest slice with the most subtopics, and its AI-specific threat material, poisoning, adversarial inputs, supply-chain provenance, is genuinely new territory even for seasoned risk professionals. The risk-process backbone transfers from CRISC; the AI threat catalog and AI incident-response nuances do not. When 42 percent of your score rides on the domain with the most novel content, it earns the top of this ranking by weight alone.
Middle: Domain 1, AI Risk Governance and Framework Integration (37%). This one is heavy but more learnable, because so much of it rests on external documents you can study directly and for free. NIST AI RMF, ISO/IEC 42001, and the EU AI Act are all readable primary sources, and the transfer from governance-track thinking is decent. The trap is depth: the exam wants applied framework reasoning, not recall, and candidates who skim the frameworks instead of internalizing them will find the applied questions slippery. Still, the path to competence here is clearer than in Domain 3.
Most approachable: Domain 2, AI Life Cycle Risk Management (21%). Lowest weight, tightest scope, four subtopics. The lifecycle structure is intuitive to anyone who has managed an asset from procurement to decommissioning, and the content is more concrete than the governance domain's judgment calls. It can still bite candidates who over-technicalize it, but pound for pound it is the domain most likely to reward focused study. My advice: learn it solidly, then reinvest the saved hours into Domain 3.
Add it up and the shape is clear. Domains 3 and 1 together are 79 percent of the exam. Domain 2 is 21 percent. Your study calendar should look roughly like that split, not like an even three-way division.
Where candidates will lose points
I want to be careful here, because there is no deep well of AAIR post-mortems to draw failure patterns from. What follows blends the structural signals in the exam design with patterns that recur across ISACA's scenario-based credentials. Read it as informed anticipation, not as documented candidate experience.
Treating AAIR as an AI-technical exam. The most predictable miss. Candidates from engineering backgrounds prepare on model architectures, training mechanics, maybe some Python, and walk into an exam that wants risk judgment. Deep implementation knowledge is not a competitive edge here. It can even mislead you toward technically-correct-but-strategically-wrong answers.
Ignoring the named frameworks. If you cannot reason inside NIST AI RMF, ISO/IEC 42001, and the EU AI Act's risk tiers, Domain 1 alone will cost you real points, and framework thinking bleeds into Domain 3 as well. These are free to study. There is no excuse for arriving without them.
Weak risk-program fundamentals. Domain 3 assumes you can run a risk lifecycle: identify, assess, treat, select controls, monitor, report. Candidates who have credentials but limited hands-on risk-program exposure sometimes know the vocabulary without the reflexes. The scenario format exposes that gap fast.
Misreading the passing score. Plenty of people will see 450 out of 800 and mentally file it as "just over half." Scaled scoring does not work that way. Aim to clear the line in each domain, not to average your way across it.
Skipping the distractor analysis. ISACA scenario questions routinely include options that are reasonable, just not best. If you practice by checking whether you got the right answer without studying why the near-misses fail, you are leaving the most valuable part of the practice on the table.
How to prepare
Start with practice, not reading. The scenario format is the whole difficulty of this exam, and you cannot build judgment by highlighting a manual.
CertCompanion first. Work the CertCompanion AAIR question bank from early in your prep, with 30 questions free to calibrate before you commit. Use it two ways: to surface which domains are shaky, and to rehearse applying frameworks to organizational scenarios under something like real conditions.
A sensible benchmark is to aim for 80 to 90 percent on practice sets before you book the exam. Consistently under that? Find the domain that is dragging you and go back to the source material for it, rather than grinding questions blindly.
ISACA's official stack, as supplements. ISACA publishes an AAIR Review Manual and an official Online Review Course, both aligned to the exam content outline. There is also an official Questions, Answers and Explanations (QAE) database with a couple hundred items, which is the closest look at ISACA's own question style. If you learn better in a structured, live setting, ISACA runs an official virtual workshop that bundles the manual, the QAE database, and the exam fee.
Treat all of these as reinforcement around your practice, not as the main event. Use the exam content outline itself as your authoritative checklist: every subtopic listed should be something you can reason about before you schedule.
The frameworks, straight from the source. All three named frameworks can be read in the original, and the NIST and EU materials cost nothing. This is the highest-return reading you can do for Domain 1, and it pays off in Domain 3 too.
One warning. ISACA maintains a zero-tolerance policy on braindumps and leaked questions, with score nullification and certification revocation on the table. Skip the dump sites entirely. They are a fast route to losing both the exam fee and the credential.
Study timeline by background
There is no solid first-person study-hour data for AAIR yet, so treat everything in this table as an estimate. For reference points: one vendor course clocks in around 18 to 20 hours of self-paced content spread over five to six weeks, and ISACA's official virtual workshop runs 16 live CPE hours. Some candidates will need far more than either. Anchor to your own diagnostic scores, not to these rows.
| Background | Estimated preparation | Notes |
|---|---|---|
| Active CRISC or equivalent with hands-on AI governance or AI risk work | 3–5 weeks (limited data) | Risk-program instincts transfer; main gaps are AI-specific threats and the regulatory frameworks |
| Active qualifying credential, general IT-risk background, limited AI exposure | 6–10 weeks (limited data) | Most time goes to Domain 3's AI threat catalog and Domain 1's frameworks |
| Strong technical AI background but light on formal risk-program experience | 8–12 weeks (limited data) | AI knowledge helps; the work is reframing it as risk management and building the risk-lifecycle reflexes Domain 3 assumes |
These ranges will move with how comfortable you are reading ISACA's scenario questions and how current you are on the regulatory landscape. Start with a practice diagnostic, then set your timeline from where you actually land.
Exam-day tactics
Scheduling. AAIR runs through PSI, either at a physical test center or via online remote proctoring, and registration is continuous with no fixed windows. You can schedule as early as 48 hours after you pay the registration fee, and as far as 90 days out. So do not register on Monday expecting to sit on Tuesday. Rescheduling is allowed without penalty if you do it at least 48 hours before your appointment; miss that window and you forfeit the fee.
Remote versus test center. Remote proctoring means a clean desk and ID verification, plus a quiet room with no interruptions for two and a half hours. Test centers remove the environment risk but add travel. Pick the one whose failure modes you can actually control, and log in or arrive early either way for PSI check-in.
Pacing. With about 100 seconds per question, the clock is on your side more than in most technical exams. Use that margin deliberately. When a long scenario question threatens to swallow five minutes, flag it and move on rather than stalling. The generous timing only helps if you do not burn it all on two or three items.
Reading the scenarios. These questions reward a specific discipline: eliminate the options that address only part of the problem, the ones that are tactically fine but strategically off, and the ones that apply generic risk logic while ignoring the AI-specific angle. What survives that filter, the most complete and most AI-aware response, is usually the intended answer.
After you pass: CPE, career, and where AAIR sits
Passing is not the finish line; it is the point where the application starts. After your official scores release, you submit your certification application through your ISACA account and pay a one-time $50 application fee. You have up to five years from passing to do this, though there is little reason to wait. Your underlying qualifying credential must stay active throughout, because AAIR is layered on top of it, not independent of it.
Maintenance runs on CPE. ISACA requires annual CPE reporting starting the calendar year after you certify, and specifically calls for 10 CPE hours per year in the AI domain, on top of the Code of Professional Ethics and keeping your prerequisite credential current. ISACA lists the annual maintenance fee at $45 for members and $85 for non-members.
On career: I will be blunt that AAIR is too new for anyone to honestly claim it lifts your salary by a specific amount. What I can point to is demand for the adjacent role. ZipRecruiter's 2026 data puts the average AI Risk Manager salary around $111,556 a year, with a typical band roughly in the $90,000 to $129,000 range. That is a role-level figure, not an AAIR-holder figure, and no credible source yet ties a number to the credential itself.
Financial services and healthcare are the sectors most often named as driving early hiring, largely on EU AI Act and framework-adoption pressure. Read the salary as evidence the underlying job market is real, not as a promise about what AAIR will pay you.
Where does AAIR fit against its siblings? ISACA now runs three Advanced in AI credentials that share the same $459/$599 fee and the same 90-question PSI format, right down to the 450/800 passing score. What separates them is audience, enforced through prerequisites.
AAIA, Advanced in AI Audit, is built for auditors and is anchored around CISA, with qualifying audit and accounting credentials such as CIA and CPA variants also accepted. AAISM, Advanced in AI Security Management, is built for security managers and gates on CISM or CISSP; I dug into that one separately in the AAISM exam guide. AAIR, the newest of the three, is the risk and GRC entry, resting on CRISC-style credentials.
The selection rule that keeps showing up is sensible: choose by what your employer actually pays you to do. Audit and evaluate controls, take AAIA; defend infrastructure, take AAISM; brief executives on enterprise risk and own the risk register, take AAIR. Prestige is the wrong axis to pick on.
Frequently asked questions
Is the AAIR worth it? It is worth pursuing if you already hold a qualifying credential and AI risk is becoming part of your actual role, or if your organization must align with the EU AI Act, NIST AI RMF, or ISO/IEC 42001. Because it launched in April 2026, there is no track record proving holders earn more. The value case today rests on role fit and early-mover credibility, not proven ROI. If AI is not part of your work, wait.
What are the AAIR prerequisites? You must hold one active qualifying credential from a list of roughly 25. The ISACA options include CISA, CISM, CRISC, CGEIT, and CDPSE; the broader set includes CISSP, CGRC, CIA, PMI-RMP, and several accounting designations such as the U.S. CPA and ACCA. The credential must be active, not lapsed, at registration. This is the most common early blocker, so confirm your status before you pay.
How hard is the AAIR exam? Reliable difficulty data does not exist yet given how new it is. Structurally, the challenge is judgment, not speed: 100 seconds per question is generous, but each scenario asks for the best risk response among plausible options. Candidates who treat it as an AI-engineering test, or who skip the NIST, ISO, and EU frameworks, will likely find it harder than expected.
How much does the AAIR exam cost? ISACA's official page lists $459 for members and $599 for non-members, plus a one-time $50 application fee paid after your scores release. Budget for study materials on top of that if you plan to use ISACA's manual or question database. If you are close to the member and non-member gap, ISACA membership can offset much of the difference for a single sitting.
Does AAIR expire? There is no fixed expiry cycle for the credential itself. You maintain it with annual CPE reporting, including 10 AI-domain hours per year, plus adherence to ISACA's ethics code and an active underlying credential. Let the prerequisite lapse and your AAIR is at risk. Separately, you have five years from passing the exam to submit your certification application.
How many questions is the AAIR exam? Ninety scenario-based multiple-choice questions, delivered by PSI in a 150-minute window, which works out to about 100 seconds per question on average. Scoring is scaled from 200 to 800 with a passing mark of 450. The 90-question count is confirmed on ISACA's official exam content outline.
AAIR vs AAISM? Same fee, same 90-question format, same 450/800 passing score, different audience. AAISM targets security managers and requires an active CISM or CISSP. AAIR targets IT-risk and GRC professionals and gates on CRISC-style credentials. Pick by your role: securing AI infrastructure points to AAISM, running an enterprise AI risk program points to AAIR.
What happens if I fail the AAIR? ISACA's general retake policy allows up to four attempts in a rolling 365-day period from your first sitting. You wait 30 days after the first attempt before retaking, then 90 days after the second, and 90 days after the third. Each retake is a fresh registration and fee, so a failed first attempt gets expensive quickly; build enough practice-score evidence before you book that a retake stays hypothetical.
AAIR is a narrow, deliberately scoped credential for people already doing risk work who now have to fold AI into it. Its newness cuts both ways: there is no community consensus to lean on, no salary data to point to, and no long trail of pass reports, but there is also room to be early in a space that regulation is actively pushing employers into. If you hold a qualifying credential and AI risk is landing on your desk, it is a reasonable bet; if you are missing the prerequisite or the role fit, it is not. Study the frameworks and respect Domain 3's weight, then build your judgment on scenarios rather than definitions before you ever schedule.
Put your AAIR readiness to the test with the CertCompanion AAIR question bank, 30 questions free, and find out where you stand before you book.