ISACA · AAISM
Validates the ability to manage AI security across three domains: AI governance and program management, AI risk management including threats and supply chain issues, and AI technologies and controls, covering security architecture design and model lifecycle management.
Questions
600
Duration
150 minutes
Passing Score
450/800
Difficulty
AssociateLast Updated
Feb 2026
Use this AAISM practice exam to prepare for ISACA Advanced in AI Security Management (AAISM) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 600 questions for ISACA AAISM, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The ISACA Advanced in AI Security Management (AAISM) is the first and only AI-centric security management certification, launched by ISACA in August 2025. It validates a security professional's ability to manage enterprise-wide AI adoption while identifying, assessing, monitoring, and mitigating AI-specific risks. The credential covers three interconnected practice areas: AI governance and program management, AI risk management including supply chain and threat landscape considerations, and AI technologies and controls encompassing security architecture, data lifecycle management, and safety controls for AI systems.
AAISM was developed in direct response to the accelerating pace of AI tool adoption in enterprises, which frequently outpaces organizational policy and security frameworks. Rather than replacing existing security credentials, it layers AI-domain expertise on top of proven security management foundations. The exam tests 22 core competencies spanning governance frameworks, vendor oversight, incident response for AI systems, and security architecture design specific to AI model lifecycles.
AAISM is exclusively designed for experienced IT security professionals who already hold an active CISM (Certified Information Security Manager) or CISSP (Certified Information Systems Security Professional) credential — these are hard prerequisites, not recommendations. Candidates should also have hands-on experience assessing, implementing, and maintaining AI systems within an enterprise context.
The certification is well-suited for security managers, CISOs, security architects, and risk advisors who are responsible for governing or advising on AI adoption within their organizations. It targets professionals seeking to formalize and validate their AI security expertise as organizations increasingly integrate AI into critical operations, and who need to bridge the gap between traditional security management practices and emerging AI-specific threat landscapes.
Candidates must hold an active CISM or CISSP certification at the time of exam registration — this is a mandatory requirement with no exceptions. There is no formal application process prior to registering for the exam, but ISACA expects candidates to have demonstrated experience in security or advisory roles and some practical expertise with AI systems, including assessing AI risks and implementing or maintaining AI-driven solutions.
While no specific number of years of experience is mandated beyond what CISM or CISSP already require, the exam content assumes familiarity with enterprise security governance, risk management frameworks, and at least a working knowledge of AI technologies, data pipelines, and machine learning model lifecycles. Professionals newer to AI who hold CISM or CISSP should supplement their candidacy with hands-on AI exposure before attempting the exam.
The AAISM exam consists of 90 multiple-choice questions and must be completed within 150 minutes (2.5 hours). It is delivered as a computer-based exam, available either at authorized PSI testing centers worldwide or via live remote proctoring. Note that residents of India, Mainland China, and Hong Kong are restricted to in-person testing at PSI centers and cannot use remote proctoring.
The passing score is 450 on a scale of 800. Exam registration is continuous with no application windows — candidates can register at any time and have a 12-month eligibility window from the date of registration to schedule and sit the exam. Exams can be scheduled up to 90 days in advance and as early as 48 hours after payment is confirmed. The member exam fee is US$459 and the non-member fee is US$599, plus a US$50 application processing fee required after passing to obtain the certification.
AAISM positions certified professionals as specialized experts at the intersection of enterprise security management and artificial intelligence — a niche that is rapidly growing in organizational demand as AI adoption accelerates across industries. The credential supplements the widely respected CISM and CISSP certifications with validated AI-specific expertise, making holders distinctly qualified for roles such as AI Security Manager, Chief AI Security Officer, Security Architect (AI/ML), and AI Risk Advisor. It also strengthens the candidacy of existing CISOs and security directors who need to demonstrate governance competence over AI-driven business transformation.
ISACA has positioned AAISM as the definitive credential for security managers navigating AI governance — a role that did not exist at scale five years ago but is now embedded in enterprise risk and compliance programs globally. As regulators in the EU (AI Act) and other jurisdictions codify AI security and governance requirements, certified professionals are increasingly sought to operationalize compliance. While specific salary benchmarks for AAISM holders are not yet widely published given the credential's 2025 launch, it builds directly on CISM and CISSP — both of which consistently rank among the highest-paying IT certifications globally — and adds a premium AI specialization layer that is expected to command meaningful salary differentiation in the market.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 600 questions.
Preview — answers shown1. An organization discovers employees using 400 plus different unsanctioned AI tools, with an average lifespan of 400 days before detection. Analysis shows 68 percent of employees use free-tier AI via personal accounts. What is the PRIMARY security risk that Shadow AI poses to the organization? (Select one!)
Explanation
Data leakage and IP exposure represents the primary security risk of Shadow AI, with research showing organizations experience 670,000 dollars higher breach costs when Shadow AI is involved. Employees inputting sensitive company data into unsanctioned tools creates uncontrolled data exposure and potential IP theft. Licensing costs are a business concern but not the primary security risk. Bandwidth consumption is an IT operations issue. Productivity concerns are management issues, not security risks that could result in data breaches or regulatory violations.
2. A security team implements drift detection for a production fraud detection model using statistical monitoring. The system detects that input feature distributions have changed significantly but the relationship between features and fraud outcomes remains stable. Which type of drift has occurred and what is the appropriate response? (Select one!)
Explanation
Data drift (covariate shift) occurs when input feature distributions change while the underlying relationship between inputs and outputs remains stable. The appropriate response is to continue monitoring performance metrics because the model may still make accurate predictions despite changed input distributions. Retraining should only occur if actual performance degradation is observed, avoiding unnecessary retraining costs. Concept drift involves changes in the input-output relationship itself, which is explicitly stated as not occurring in this scenario. Prediction drift refers to changes in output distributions, not input features. Removing drifted features would discard potentially valuable information and is not appropriate when the features retain their predictive relationship to outcomes despite distribution changes.
3. An organization using MITRE ATLAS framework for AI threat modeling must map a recent incident where attackers systematically queried a machine learning model API to recreate its functionality and intellectual property. Which MITRE ATLAS technique ID corresponds to this attack? (Select one!)
Explanation
AML.T0024 (Exfiltration via ML Inference API) describes model extraction attacks where attackers systematically query an ML API to recreate model functionality and steal intellectual property. MITRE ATLAS provides a knowledge base with 15 tactics, 66 techniques, and 46 sub-techniques specific to AI/ML threats. Mitigations include rate limiting, query auditing, and model watermarking. AML.T0043 covers crafting adversarial examples for evasion rather than extraction. AML.T0051 addresses prompt injection attacks on LLMs. AML.T0020 focuses on training data poisoning rather than model extraction through API queries.
4. An AI security engineer designs architecture for a multi-tenant SaaS platform using NVIDIA A100 GPUs for customer model training. The platform must provide hardware-level isolation between competing pharmaceutical companies. Which NVIDIA technology provides cryptographic-level separation of GPU compute resources? (Select one!)
Explanation
NVIDIA Confidential Computing provides hardware-based Trusted Execution Environments with cryptographic protection, offering the strongest isolation for multi-tenant GPU workloads. This technology ensures competing pharmaceutical companies cannot access each other's data or model information at the hardware level. Multi-Instance GPU partitions A100 GPUs but provides resource isolation rather than cryptographic confidentiality protection. GPU Operator with Kubernetes RBAC provides orchestration-level access control but relies on software enforcement. Container isolation provides process-level separation but does not offer hardware-backed cryptographic guarantees required for highly sensitive competitive workloads.
5. During TEVV activities for a medical diagnosis AI system, the validation team discovers the model performs with 95 percent accuracy on training data but only 78 percent accuracy on independent test datasets from different hospitals. What problem has the TEVV process identified? (Select one!)
Explanation
Overfitting occurs when a model learns training data patterns too specifically and fails to generalize to new data, exactly matching the described scenario where training accuracy is high but test accuracy drops significantly. Underfitting would show poor performance on both training and test data. Data poisoning would cause specific misclassifications rather than general poor generalization. Concept drift occurs over time in production, not between training and initial test datasets.
Certified Information Security Manager (CISM)
CISM · 1196 questions
Certified Information Systems Auditor (CISA)
CISA · 895 questions
Certified in Risk and Information Systems Control (CRISC)
CRISC · 761 questions
Certified Data Privacy Solutions Engineer (CDPSE)
CDPSE · 749 questions
IoT Fundamentals Certificate
IoT-Fund · 630 questions
IT Audit Fundamentals Certificate
IT-Audit-Fund · 627 questions
$17.99
One-time access to this exam