Foundations of AI Governance
19-24% of exam
Laws, Standards + Frameworks
22-27% of exam
Governing AI Development
25-29% of exam
Governing Deployment + Use
25-29% of exam
Quick Facts
- Exam
- AIGP
- Credential
- AI Governance Professional
- Questions
- 100 (85 scored)
- Time
- 2 hr 45 min
- Pass
- 300/500 scaled
- Fee
- $649 / $799
- Format
- MCQ, Pearson VUE
- Blueprint
- Feb 2 2026
Responsible AI Pillars
Fair | Accountable | Transparent | Safe | Explainable | Robust | Private
Provider vs Deployer
Provider
- Develops system
- Places on market
- Most obligations
Deployer
- Uses the system
- Under own authority
- Operational duties
Builds vs uses
AI + ML Types
- AI
- Machines mimic cognition
- ML
- Learns from data
- Supervised
- Labeled training data
- Unsupervised
- Finds hidden patterns
- Reinforcement
- Reward-based learning
- Deep learning
- Layered neural networks
- Generative AI
- Creates new content
- GPAI
- Broad general-purpose model
Supervised vs Unsupervised
Supervised
- Labeled data
- Known outputs
- Classify, predict
Unsupervised
- Unlabeled data
- Find patterns
- Cluster, group
Labeled vs unlabeled
Responsible AI
- Fairness
- Avoid unjust bias
- Accountability
- Named responsible owners
- Transparency
- Disclose AI use
- Explainability
- Reasons for decisions
- Safety
- Reliable, secure operation
- Human-centric
- Serves people
- Robustness
- Withstands errors, attacks
- Privacy
- Protect personal data
Generative vs Discriminative
Generative
- Creates new content
- Learns distribution
- LLMs, images
Discriminative
- Classifies inputs
- Draws boundaries
- Spam, fraud
Creates vs classifies
Governance Roles
- Provider
- Develops, places system
- Deployer
- Uses under authority
- Developer
- Builds the model
- Distributor
- Makes available downstream
- Importer
- Brings into market
- User
- Operates the system
- Subject
- Person affected
Transparency vs Explainability
Transparency
- Disclose AI use
- Open about system
- Users informed
Explainability
- Reasons for output
- Interpretable decisions
- Why this result
Disclose vs explain
Why Govern AI
- Probabilistic
- Outputs not deterministic
- Opacity
- Black-box reasoning
- Drift
- Performance degrades over time
- Bias
- Skewed, unfair outputs
- Autonomy
- Acts without humans
- Scale
- Harms multiply fast
NIST AI RMF Functions
Govern | Map | Measure | Manage
NIST RMF vs ISO 42001
NIST AI RMF
- Voluntary framework
- Govern, Map, Measure, Manage
- Flexible guidance
ISO/IEC 42001
- Certifiable standard
- Management system
- Auditable AIMS
Framework vs standard
EU AI Act Tier Picker
- Manipulates, exploits people → Unacceptable (Banned)
- Government social scoring → Unacceptable (Banned)
- Hiring, credit, biometrics → High-risk (Strict duties)
- Chatbot or deepfake → Limited (Disclose AI)
- Spam filter, game AI → Minimal (No rules)
- Foundation model → GPAI (Model duties)
EU AI Act Tiers
- Unacceptable
- Banned practices (Prohibited)
- High-risk
- Strict obligations
- Limited
- Transparency duties
- Minimal
- No extra rules
- GPAI
- General-purpose obligations
- Banned examples
- Social scoring, manipulation
EU AI Act Tiers
Unacceptable | High | Limited | Minimal
Framework Picker
- Build AI management system → ISO/IEC 42001
- Voluntary risk process → NIST AI RMF
- Define AI terms → ISO/IEC 22989
- Run AI impact assessment → ISO/IEC 42005
- High-level policy principles → OECD Principles
- AI risk guidance → ISO/IEC 23894
Frameworks + Standards
- NIST AI RMF
- Voluntary risk framework
- ISO/IEC 42001
- AI management system
- ISO/IEC 22989
- AI terminology
- ISO/IEC 23894
- AI risk guidance
- ISO/IEC 42005
- AI impact assessment
- OECD
- AI principles
Laws Applying to AI
- Privacy law
- GDPR, personal data
- IP + copyright
- Training data rights
- Anti-discrimination
- No biased outcomes
- Consumer protection
- No deceptive claims
- Product liability
- Harm from defects
- Employment law
- Hiring, screening rules
GDPR + AI
- Lawful basis
- Required before processing
- Purpose limitation
- Stated use only
- Data minimization
- Collect least needed
- DPIA
- Privacy impact assessment
- Privacy by design
- Built-in protection
- Article 22
- Automated decision rights
AI Lifecycle Stages
Scope | Design | Data | Train | Test | Release | Monitor
AI Impact vs DPIA
AI Impact Assessment
- Broad AI harms
- ISO/IEC 42005
- Whole lifecycle
DPIA
- Privacy risks only
- GDPR Article 35
- Personal data
AI harms vs privacy
Lifecycle Control Picker
- Starting a project → Impact assessment
- Choosing training data → Data governance
- Before release → Model card
- Stress-test for harm → Red teaming
- After deployment → Post-market monitoring
- Performance decays → Drift detection
AI Lifecycle
- Use-case
- Define problem, scope
- Design
- Architecture, requirements
- Data
- Source, prepare, govern
- Train
- Fit the model
- Test
- Validate, evaluate
- Release
- Readiness decision
- Deploy
- Put into use
- Monitor
- Track live performance
Development Controls
- Impact assessment
- Identify harms early
- Data provenance
- Origin of data
- Model card
- Documents model details
- Red teaming
- Adversarial testing
- Threat modeling
- Map attack paths
- Bias testing
- Measure disparate impact
Data Governance
- Provenance
- Where data originated
- Lineage
- How data transformed
- Quality
- Accurate, complete, current
- Fit for purpose
- Relevant, representative
- Lawful rights
- Permission to use
- Labeling
- Accurate ground truth
HITL vs HOTL
HITL
- Human approves action
- In the loop
- Blocks bad output
HOTL
- Human monitors
- On the loop
- Intervenes if needed
Approve vs monitor
Deployment Governance
- Deployment decision
- Go / no-go
- Vendor review
- Third-party due diligence
- Deployment controls
- Guardrails, usage limits
- Post-market monitoring
- Watch after launch
- Incident response
- Handle failures
- Deactivation
- Safe shutdown plan
Monitoring + Oversight
- Human oversight
- People can intervene
- HITL
- Human in loop
- HOTL
- Human on loop
- Drift detection
- Catch model decay
- Logging
- Record decisions, events
- Audit trail
- Traceable accountability
- Feedback
- User, subject reporting
Common Traps
Provider vs Deployer
Provider builds, places ≠ Deployer uses it
NIST vs EU AI Act
NIST is voluntary ≠ EU AI Act binding
Transparency vs Explainability
Transparency = disclosure ≠ Explainability = reasoning
ISO 42001 vs 42005
42001 = management system ≠ 42005 = impact assessment
Bias vs Fairness
Bias = the skew ≠ Fairness = the goal
GPAI vs High-risk
GPAI = model tier ≠ High-risk = use tier
Last Minute
- 1. Pass = 300 of 500
- 2. 100 questions, 85 scored
- 3. 2 hr 45 min appointment
- 4. Provider builds; deployer uses
- 5. EU tiers: unacceptable to minimal
- 6. RMF = Govern, Map, Measure, Manage
- 7. ISO 42001 = AI management system
- 8. NIST voluntary; EU AI Act binding
- 9. Supervised = labeled; unsupervised = patterns
- 10. Transparency = disclose; explainability = why
- 11. DPIA = privacy impact only
- 12. Human oversight always required
