ISACA Advanced in AI Risk (AAIR) Practice Test

AAIR is intended for experienced IT risk and advisory professionals who already hold a recognized risk or security certification and are seeking to extend their expertise into AI-specific risk management. Eligible professionals must hold at least one active credential from the following: CISA, CISM, CRISC, CGEIT, CDPSE (ISACA credentials), or CRMP, CRMA, CGRC, CISSP, CERP, CRCM, or PMI-RMP (global designations). Because the program does not cover foundational IT risk concepts, it is best suited for mid-to-senior-level practitioners who already operate in risk management, compliance, governance, or advisory roles and need structured knowledge to address AI's unique risk profile.

Typical candidates include IT Risk Managers, Enterprise Risk Officers, AI Governance Leads, Chief Risk Officers, and Compliance Managers working in industries where AI adoption is accelerating—such as financial services, healthcare, technology, and government. It is also relevant for consultants who advise organizations on responsible AI adoption and integration strategies.

Candidates must hold at least one active qualifying credential at the time of application. Accepted ISACA credentials include CISA, CISM, CRISC, CGEIT, and CDPSE. Globally recognized designations that also qualify include CRMP, CRMA, CGRC, CISSP, CERP, CRCM, and PMI-RMP. These prerequisites are non-negotiable, as the AAIR program is explicitly designed to build on existing foundational IT risk knowledge rather than introduce it.

Beyond holding a qualifying credential, candidates should have practical professional experience working in IT risk management, AI governance, compliance, or a closely related advisory function. Familiarity with enterprise risk frameworks (such as COBIT, NIST, or ISO 31000), AI concepts including machine learning and generative AI models, and cross-functional risk communication will help candidates engage effectively with the curriculum and exam content.

The AAIR exam consists of scenario-based multiple-choice questions delivered in a proctored setting. The exam duration is 150 minutes. Scoring uses a scaled scoring model with a maximum score of 800 points, and the passing score is 450 out of 800—consistent with the scoring methodology used across ISACA's Advanced AI certification suite. The exact number of scored questions has not been published by ISACA as of the time of writing, as the certification is currently completing its beta phase ahead of a full Q2 2026 launch.

ISACA's Advanced AI exams are delivered online with remote proctoring available. Exam fees are estimated at approximately USD 575 for ISACA members and USD 760 for non-members, with an additional USD 50 application fee and annual maintenance fees of USD 45 (members) and USD 85 (non-members). Candidates are advised to check the official ISACA credentialing page for confirmed question counts, delivery options, and final pricing once the exam officially launches.

• 1.Domain 1 – AI Risk Governance and Framework Integration: Covers the establishment and integration of AI risk governance structures within enterprise risk frameworks. Candidates are expected to understand how to align AI risk policies with organizational strategy, embed AI considerations into existing risk management frameworks (such as COBIT, NIST AI RMF, ISO 31000), and ensure board and executive-level accountability for AI risk. Exact weighting has not yet been published by ISACA.
• 2.Domain 2 – AI Risk Program Management: Focuses on designing, implementing, and managing an end-to-end AI risk program. Topics include AI risk identification and classification, risk appetite and tolerance setting for AI initiatives, cross-functional collaboration with AI development and business teams, risk communication, and reporting to stakeholders. Exact weighting has not yet been published by ISACA.
• 3.Domain 3 – AI Life Cycle Risk Management: Addresses risk at each phase of the AI lifecycle—from data acquisition and model development through deployment, monitoring, and decommissioning. Candidates must demonstrate ability to evaluate AI-specific vulnerabilities (e.g., model bias, data poisoning, adversarial attacks), conduct AI impact assessments, and apply controls appropriate to each lifecycle stage. Exact weighting has not yet been published by ISACA.

• Review the ISACA AI Risk Management framework materials and the NIST AI Risk Management Framework (AI RMF 1.0), as these are foundational references for the governance and program management domains.
• Leverage your existing CRISC, CISM, or equivalent credential study materials to reinforce enterprise risk concepts, then map those concepts to AI-specific scenarios covered in AAIR's three domains.
• Enroll in ISACA's official AAIR Online Review Course once it launches—this on-demand course is purpose-built for the exam and developed by the same organization that writes the test.
• Practice with ISACA's official Questions, Answers & Explanations (QA&E) database, which will offer 200+ scenario-based items. Focus on understanding the reasoning behind correct answers, not just memorizing them.
• Study real-world AI governance frameworks and case studies—including the EU AI Act, OECD AI Principles, and published AI risk incidents—to develop the scenario-based reasoning skills that ISACA's advanced exams emphasize.
• Join the ISACA community forums and local chapter discussions focused on AI risk to connect with other AAIR candidates and stay current with evolving AI risk guidance and regulatory developments.
• Once ISACA publishes the official AAIR Exam Content Outline (expected ahead of the Q2 2026 launch), use it as a checklist to identify and close knowledge gaps across all three domains before scheduling your exam.

As organizations across industries accelerate AI adoption, demand for professionals who can rigorously manage AI-related risks is growing rapidly. AAIR holders are positioned for roles such as AI Risk Manager, Enterprise AI Governance Lead, Chief Risk Officer, AI Compliance Manager, and senior risk consultant specializing in responsible AI. These roles are emerging in regulated industries—including financial services, healthcare, and government—where AI governance requirements are being codified through regulations such as the EU AI Act and U.S. executive orders on AI.

Salary data for AI risk professionals in the United States ranges from approximately USD 90,000 to over USD 210,000 annually, depending on role, industry, and geography. ISACA-certified professionals have historically commanded a salary premium of 10–20% over non-certified peers, according to the Robert Half Salary Guide and Global Knowledge IT Skills and Salary Report. AAIR complements existing ISACA credentials—particularly CRISC—by adding a specialized AI risk layer that distinguishes holders in a market where general IT risk expertise is common but AI-specific risk governance skills remain scarce.