IAPP AIGP Cheat Sheet

Foundations of AI Governance

19-24% of exam

Laws, Standards + Frameworks

22-27% of exam

Governing AI Development

25-29% of exam

AI Lifecycle | Development Controls | Data Governance | Impact Assessment | Testing + Red Team

Governing Deployment + Use

25-29% of exam

Deployment Governance | Monitoring + Oversight | Vendor Review | Human Oversight | Post-market

Quick Facts

Exam
AIGP
Credential
AI Governance Professional
Questions
100 (85 scored)
Time
2 hr 45 min
Pass
300/500 scaled
Fee
$649 / $799
Format
MCQ, Pearson VUE
Blueprint
Feb 2 2026

Responsible AI Pillars

Fair Accountable Transparent Safe Explainable Robust Private

Fair: no unjust bias
Accountable: named owner
Transparent: disclose
Safe: reliable
Explainable: reasons
Robust: resilient
Private: protect data

Provider vs Deployer

Provider

  • Develops system
  • Places on market
  • Most obligations

Deployer

  • Uses the system
  • Under own authority
  • Operational duties

Builds vs uses

AI + ML Types

AI
Machines mimic cognition
ML
Learns from data
Supervised
Labeled training data
Unsupervised
Finds hidden patterns
Reinforcement
Reward-based learning
Deep learning
Layered neural networks
Generative AI
Creates new content
GPAI
Broad general-purpose model

Supervised vs Unsupervised

Supervised

  • Labeled data
  • Known outputs
  • Classify, predict

Unsupervised

  • Unlabeled data
  • Find patterns
  • Cluster, group

Labeled vs unlabeled

Responsible AI

Fairness
Avoid unjust bias
Accountability
Named responsible owners
Transparency
Disclose AI use
Explainability
Reasons for decisions
Safety
Reliable, secure operation
Human-centric
Serves people
Robustness
Withstands errors, attacks
Privacy
Protect personal data

Generative vs Discriminative

Generative

  • Creates new content
  • Learns distribution
  • LLMs, images

Discriminative

  • Classifies inputs
  • Draws boundaries
  • Spam, fraud

Creates vs classifies

Governance Roles

Provider
Develops, places system
Deployer
Uses under authority
Developer
Builds the model
Distributor
Makes available downstream
Importer
Brings into market
User
Operates the system
Subject
Person affected

Transparency vs Explainability

Transparency

  • Disclose AI use
  • Open about system
  • Users informed

Explainability

  • Reasons for output
  • Interpretable decisions
  • Why this result

Disclose vs explain

Why Govern AI

Probabilistic
Outputs not deterministic
Opacity
Black-box reasoning
Drift
Performance degrades over time
Bias
Skewed, unfair outputs
Autonomy
Acts without humans
Scale
Harms multiply fast

NIST AI RMF Functions

Govern | Map | Measure | Manage

Govern: culture + policy
Map: context + risks
Measure: analyze + track
Manage: prioritize + act

NIST RMF vs ISO 42001

NIST AI RMF

  • Voluntary framework
  • Govern Map Measure Manage
  • Flexible guidance

ISO/IEC 42001

  • Certifiable standard
  • Management system
  • Auditable AIMS

Framework vs standard

EU AI Act Tier Picker

  1. Manipulates, exploits people → Unacceptable (Banned)
  2. Government social scoring → Unacceptable (Banned)
  3. Hiring, credit, biometrics → High-risk (Strict duties)
  4. Chatbot or deepfake → Limited (Disclose AI)
  5. Spam filter, game AI → Minimal (No rules)
  6. Foundation model → GPAI (Model duties)

EU AI Act Tiers

Unacceptable
Banned practices; prohibited
High-risk
Strict obligations
Limited
Transparency duties
Minimal
No extra rules
GPAI
General-purpose obligations
Banned examples
Social scoring, manipulation

EU AI Act Tiers

Unacceptable | High | Limited | Minimal

Unacceptable: banned
High: strict duties
Limited: transparency
Minimal: free

Framework Picker

  1. Build AI management system → ISO/IEC 42001
  2. Voluntary risk process → NIST AI RMF
  3. Define AI terms → ISO/IEC 22989
  4. Run AI impact assessment → ISO/IEC 42005
  5. High-level policy principles → OECD Principles
  6. AI risk guidance → ISO/IEC 23894

Frameworks + Standards

NIST AI RMF
Voluntary risk framework
ISO/IEC 42001
AI management system
ISO/IEC 22989
AI terminology
ISO/IEC 23894
AI risk guidance
ISO/IEC 42005
AI impact assessment
OECD
AI principles

Laws Applying to AI

Privacy law
GDPR, personal data
IP + copyright
Training data rights
Anti-discrimination
No biased outcomes
Consumer protection
No deceptive claims
Product liability
Harm from defects
Employment law
Hiring, screening rules

GDPR + AI

Lawful basis
Required before processing
Purpose limitation
Stated use only
Data minimization
Collect least needed
DPIA
Privacy impact assessment
Privacy by design
Built-in protection
Article 22
Automated decision rights

AI Lifecycle Stages

Scope | Design | Data | Train | Test | Release | Monitor

Scope: use-case
Design: architecture
Data: govern
Train: fit model
Test: validate
Release: readiness
Monitor: post-market

AI Impact vs DPIA

AI Impact Assessment

  • Broad AI harms
  • ISO/IEC 42005
  • Whole lifecycle

DPIA

  • Privacy risks only
  • GDPR Article 35
  • Personal data

AI harms vs privacy

Lifecycle Control Picker

  1. Starting a project → Impact assessment
  2. Choosing training data → Data governance
  3. Before release → Model card
  4. Stress-test for harm → Red teaming
  5. After deployment → Post-market monitoring
  6. Performance decays → Drift detection

AI Lifecycle

Use-case
Define problem, scope
Design
Architecture, requirements
Data
Source, prepare, govern
Train
Fit the model
Test
Validate, evaluate
Release
Readiness decision
Deploy
Put into use
Monitor
Track live performance

Development Controls

Impact assessment
Identify harms early
Data provenance
Origin of data
Model card
Documents model details
Red teaming
Adversarial testing
Threat modeling
Map attack paths
Bias testing
Measure disparate impact

Data Governance

Provenance
Where data originated
Lineage
How data transformed
Quality
Accurate, complete, current
Fit for purpose
Relevant, representative
Lawful rights
Permission to use
Labeling
Accurate ground truth

HITL vs HOTL

HITL

  • Human approves action
  • In the loop
  • Blocks bad output

HOTL

  • Human monitors
  • On the loop
  • Intervenes if needed

Approve vs monitor

Deployment Governance

Deployment decision
Go / no-go
Vendor review
Third-party due diligence
Deployment controls
Guardrails, usage limits
Post-market monitoring
Watch after launch
Incident response
Handle failures
Deactivation
Safe shutdown plan

Monitoring + Oversight

Human oversight
People can intervene
HITL
Human in loop
HOTL
Human on loop
Drift detection
Catch model decay
Logging
Record decisions, events
Audit trail
Traceable accountability
Feedback
User, subject reporting

Common Traps

Provider vs Deployer

Provider builds, places; deployer uses it

NIST vs EU AI Act

NIST is voluntary; EU AI Act is binding

Transparency vs Explainability

Transparency = disclosure; explainability = reasoning

ISO 42001 vs 42005

42001 = management system; 42005 = impact assessment

Bias vs Fairness

Bias = the skew; fairness = the goal

GPAI vs High-risk

GPAI = model tier; high-risk = use tier

Last Minute

  1. Pass = 300 of 500
  2. 100 questions, 85 scored
  3. 2 hr 45 min appointment
  4. Provider builds; deployer uses
  5. EU tiers: unacceptable to minimal
  6. RMF = Govern Map Measure Manage
  7. ISO 42001 = AI management system
  8. NIST voluntary; EU AI Act binding
  9. Supervised = labeled; unsupervised = patterns
  10. Transparency = disclose; explainability = why
  11. DPIA = privacy impact only
  12. Human oversight always required