
100+ Free ISACA AAIR Practice Questions

Pass your ISACA Advanced in AI Risk (AAIR) exam on the first try — instant access, no signup required.


Key Facts: ISACA AAIR Exam

  • Exam questions: 90 (multiple-choice format)
  • Time limit: 150 min (2.5 hours via PSI)
  • Passing score: 450/800 (scaled score)
  • Member fee: $575 ($760 non-member + $50 application)
  • Exam launch: Apr 15 2026 (newly released ISACA credential)
  • Test provider: PSI (in-person or remote proctored)

ISACA's Advanced in AI Risk (AAIR) is a newly launched advanced credential that debuted on April 15, 2026 and is delivered by PSI as a 90-question, 2.5-hour exam scored on an 800-point scale (passing 450). The exam covers three domains — AI Risk Governance and Framework Integration, AI Lifecycle Risk Management, and AI Risk Program Management — and tests NIST AI RMF, ISO/IEC 42001, the EU AI Act, OWASP LLM Top 10, MITRE ATLAS, and AI program management practices. AAIR has a hard prerequisite: candidates must hold one of approximately 25 qualifying ISACA-recognized designations (CISA, CISM, CRISC, CGEIT, CDPSE, CISSP, CRMA, CGRC, CIPP, etc.) and complete the exam within a 6-month eligibility window. The fee is $575 for ISACA members and $760 for non-members, plus a $50 application fee.

Sample ISACA AAIR Practice Questions

Try these sample questions to test your ISACA AAIR exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which NIST AI Risk Management Framework (AI RMF 1.0) function establishes organizational culture, accountability structures, and AI risk management policies?
A. Map
B. Measure
C. Govern
D. Manage
Explanation: The Govern function of NIST AI RMF 1.0 cultivates a culture of risk management, defines policies, processes, roles and responsibilities, and provides accountability structures. It is cross-cutting across all other functions (Map, Measure, Manage).

2. Under the EU AI Act, which article enumerates AI practices that are prohibited as posing unacceptable risk?
A. Article 5
B. Article 6
C. Article 9
D. Article 52
Explanation: Article 5 of the EU AI Act lists prohibited AI practices that constitute unacceptable risk, including manipulative subliminal techniques, exploitation of vulnerabilities, social scoring by public authorities, and untargeted scraping of facial images. Provisions on prohibited practices became applicable on February 2, 2025.

3. ISO/IEC 42001:2023 establishes requirements for which organizational capability?
A. An AI management system (AIMS)
B. AI software testing
C. Cloud security controls
D. Data classification
Explanation: ISO/IEC 42001:2023 specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system (AIMS) within an organization. It is the first certifiable management system standard for AI, modeled on the high-level structure shared by ISO/IEC 27001 and ISO 9001.

4. Which standard provides guidance specifically for AI risk management aligned to ISO 31000?
A. ISO/IEC 23894
B. ISO/IEC 23053
C. ISO/IEC 24029
D. ISO/IEC 5338
Explanation: ISO/IEC 23894:2023 provides guidance on AI-specific risk management for organizations, mapping AI risk concerns to the ISO 31000 risk management framework. It complements ISO/IEC 42001 by detailing the risk-management process required by an AIMS.

5. The EU AI Act entered into force on which date, marking the start of its phased applicability schedule?
A. May 21, 2024
B. August 1, 2024
C. February 2, 2025
D. August 2, 2026
Explanation: Regulation (EU) 2024/1689 (the AI Act) was published in the Official Journal on July 12, 2024 and entered into force on August 1, 2024. From that date a tiered timeline activates: prohibitions on Feb 2, 2025; GPAI obligations on Aug 2, 2025; most high-risk obligations on Aug 2, 2026; full applicability by Aug 2, 2027.

6. Under the EU AI Act, a general-purpose AI (GPAI) model is presumed to have systemic risk when training compute exceeds which threshold?
A. 10^22 FLOPs
B. 10^23 FLOPs
C. 10^25 FLOPs
D. 10^27 FLOPs
Explanation: Article 51 of the EU AI Act establishes a presumption of systemic risk for GPAI models trained with cumulative compute greater than 10^25 floating-point operations. Models above this threshold trigger additional obligations including model evaluations, adversarial testing, incident reporting, and cybersecurity protections.

7. Which characteristic of trustworthy AI in NIST AI RMF 1.0 is most directly concerned with the AI system's resilience to adversarial inputs and unexpected conditions?
A. Valid and Reliable
B. Safe
C. Secure and Resilient
D. Explainable and Interpretable
Explanation: Secure and Resilient is one of the seven trustworthy AI characteristics in NIST AI RMF 1.0 and addresses the system's ability to maintain confidentiality, integrity, and availability under adversarial conditions and to recover from attacks or failures.

8. What is the maximum administrative fine under the EU AI Act for non-compliance with the prohibited AI practices in Article 5?
A. Up to €10 million or 2% of worldwide annual turnover
B. Up to €20 million or 4% of worldwide annual turnover
C. Up to €35 million or 7% of worldwide annual turnover
D. Up to €50 million or 10% of worldwide annual turnover
Explanation: Article 99 of the EU AI Act sets the maximum penalty for violating Article 5 prohibitions at €35 million or 7% of worldwide annual turnover (whichever is higher). This is the highest tier; lower tiers apply to other violations.

9. Which OECD AI Principles value-based principle most directly addresses the goal that AI systems should respect the rule of law, human rights, and democratic values?
A. Inclusive growth, sustainable development and well-being
B. Human-centered values and fairness
C. Transparency and explainability
D. Robustness, security and safety
Explanation: The OECD AI Principles include a value-based principle on human-centered values and fairness, which calls on AI actors to respect the rule of law, human rights, democratic values, and diversity, and to deploy mechanisms and safeguards consistent with these values.

10. GDPR Article 22 grants data subjects the right not to be subject to a decision based solely on which type of processing?
A. Manual review by a data controller
B. Automated processing, including profiling, that produces legal or similarly significant effects
C. Any algorithmic processing of personal data
D. Cross-border data transfers
Explanation: GDPR Article 22 gives data subjects the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects concerning them or similarly significantly affects them, with limited exceptions (contractual necessity, legal authorization, explicit consent).

About the ISACA AAIR Exam

The ISACA Advanced in AI Risk (AAIR) credential validates advanced practitioner skills for managing AI risk across governance, lifecycle, and program dimensions. The 90-question, 2.5-hour exam covers NIST AI RMF 1.0, ISO/IEC 42001, ISO/IEC 23894, the EU AI Act, GDPR Article 22, OMB M-25-21, sectoral guidance (FDA AI/ML SaMD and SR 11-7), AI risk taxonomies, the AI lifecycle, fairness and robustness testing, OWASP Top 10 for LLM Applications, MITRE ATLAS, AI red teaming, model cards, datasheets for datasets, third-party AI vendor due diligence, and ISACA's Digital Trust Ecosystem Framework. AAIR is delivered by PSI in person or via remote proctoring with a 450/800 scaled passing score.

  • Assessment: 90 multiple-choice questions across three domains: AI Risk Governance and Framework Integration, AI Lifecycle Risk Management, and AI Risk Program Management
  • Time limit: 2.5 hours (150 minutes)
  • Passing score: 450 / 800 scaled score
  • Exam fee: $575 member / $760 non-member + $50 application fee (ISACA / PSI)

ISACA AAIR Exam Content Outline

AI Risk Governance and Framework Integration (~33%)

NIST AI RMF 1.0 functions and trustworthy characteristics; NIST AI 600-1 generative AI profile; ISO/IEC 42001 AIMS; ISO/IEC 23894, 23053, 24029, 42005, 5338, 22989; EU AI Act risk tiers (Articles 5/6/9/13/14/27/52), Annex III high-risk areas, GPAI and systemic-risk threshold (10^25 FLOPs), penalties up to 7% turnover, phased timeline (Aug 1 2024 → Feb 2 2025 → Aug 2 2025 → Aug 2 2026 → Aug 2 2027); GDPR Article 22; US Executive Order 14110 revocation and OMB M-25-21; AI Bill of Rights; OECD AI Principles; sectoral guidance (FDA AI/ML SaMD, SR 11-7); AI policy integration

AI Lifecycle Risk Management (~33%)

AI risk taxonomy (data/model/deployment/third-party/societal); AI lifecycle stages; data risks (bias, privacy, drift, poisoning, leakage, datasheets for datasets); model risks (overfitting/underfitting, accuracy/precision/recall/F1/AUC, fairness — demographic parity, equal opportunity, equalized odds, disparate impact, four-fifths rule); deployment risks (evasion, prompt injection, jailbreaking, model extraction, membership inference); monitoring (PSI, KL divergence, concept drift, A/B testing); AI red teaming; MITRE ATLAS; OWASP Top 10 for LLM Applications (LLM01-LLM10); explainability with SHAP/LIME; differential privacy and federated learning

AI Risk Program Management (~33%)

Program charter, governance, three lines of defense for AI; KRIs/KPIs and board reporting; AI risk register and risk appetite; AI ethics committee; AI model inventory; third-party AI risk and vendor due diligence; AI vendor contractual provisions (DPAs, training-use restrictions, incident notification); model cards; datasheets for datasets; control mapping across NIST AI RMF, ISO/IEC 42001, EU AI Act, and OWASP LLM Top 10; ISACA Digital Trust Ecosystem Framework; post-market monitoring; AI incident response; awareness training; shadow AI; model retirement

How to Pass the ISACA AAIR Exam

What You Need to Know

  • Passing score: 450 / 800 scaled score
  • Assessment: 90 multiple-choice questions across three domains: AI Risk Governance and Framework Integration, AI Lifecycle Risk Management, and AI Risk Program Management
  • Time limit: 2.5 hours (150 minutes)
  • Exam fee: $575 member / $760 non-member + $50 application fee

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

ISACA AAIR Study Tips from Top Performers

1. Memorize the EU AI Act timeline anchors: entry into force August 1, 2024; prohibitions February 2, 2025; GPAI August 2, 2025; high-risk August 2, 2026; full applicability August 2, 2027
2. Know the four NIST AI RMF functions cold — Govern, Map, Measure, Manage — and the seven trustworthy characteristics including Valid and Reliable, Safe, Secure and Resilient, Accountable and Transparent, Explainable and Interpretable, Privacy-Enhanced, and Fair with Harmful Bias Managed
3. Memorize OWASP Top 10 for LLM Applications LLM01-LLM10 with one example mitigation per category — Prompt Injection, Insecure Output Handling, Training Data Poisoning, Model DoS, Supply Chain, Sensitive Information Disclosure, Insecure Plugin Design, Excessive Agency, Overreliance, Model Theft
4. Understand the difference between data drift (P(X) change) and concept drift (P(Y|X) change) and which detection metrics apply (PSI, KL divergence, performance monitoring)
5. Know the EU AI Act systemic-risk threshold of 10^25 training FLOPs for GPAI and the maximum penalty of €35M / 7% global turnover for Article 5 prohibition violations
6. Map your existing security/audit experience to AI-specific controls — robustness testing, red teaming, model cards, datasheets for datasets, and post-market monitoring under Article 72
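An added illustration of study tip 4 on drift monitoring (example code written for this page, not ISACA's or the exam's material): constructed baseline and production samples of one model input feature, PSI and KL divergence to flag a change in P(X), and an accuracy drop on labelled production data to flag a change in P(Y|X). The bin edges, alert thresholds and accuracy figures are assumed, not drawn from the page.

```python
import math

# Constructed sample: one model input feature scaled to [0, 1], histogrammed into five bins.
BINS = [0.0, 0.2, 0.4, 0.6, 0.8, 1.0]
BASELINE_X = [0.1] * 20 + [0.3] * 20 + [0.5] * 20 + [0.7] * 20 + [0.9] * 20  # training-time P(X)
CURRENT_X = [0.1] * 5 + [0.3] * 10 + [0.5] * 20 + [0.7] * 30 + [0.9] * 35   # production P(X), shifted right


def bin_probs(values, edges=BINS):
    """Histogram values into the bins defined by edges and normalise to probabilities."""
    counts = [0] * (len(edges) - 1)
    for v in values:
        counts[sum(1 for e in edges[1:-1] if v >= e)] += 1  # index of the bin containing v
    return [c / len(values) for c in counts]


def psi(expected, actual, eps=1e-6):
    """Population Stability Index: sum((a - e) * ln(a / e)) over bins; symmetric in its arguments.
    Common rule of thumb (assumed here): < 0.1 stable, 0.1-0.25 moderate shift, > 0.25 significant."""
    return sum((max(a, eps) - max(e, eps)) * math.log(max(a, eps) / max(e, eps))
               for e, a in zip(expected, actual))


def kl_divergence(p, q, eps=1e-6):
    """KL(P || Q) in nats; asymmetric, so argument order matters. eps guards empty bins."""
    return sum(max(pi, eps) * math.log(max(pi, eps) / max(qi, eps)) for pi, qi in zip(p, q))


def drift_report(baseline_x, current_x, baseline_acc, current_acc,
                 psi_threshold=0.25, acc_drop_threshold=0.05):
    """Data drift = change in P(X), detectable from inputs alone (PSI / KL).
    Concept drift = change in P(Y|X), visible only through performance on labelled data."""
    p, q = bin_probs(baseline_x), bin_probs(current_x)
    report = {
        "psi": round(psi(p, q), 4),
        "kl_current_vs_baseline": round(kl_divergence(q, p), 4),
        "accuracy_drop": round(baseline_acc - current_acc, 4),
    }
    report["data_drift"] = report["psi"] > psi_threshold
    report["concept_drift"] = report["accuracy_drop"] > acc_drop_threshold
    return report


if __name__ == "__main__":
    # Data drift only: inputs shifted, accuracy essentially held (constructed accuracies).
    print(drift_report(BASELINE_X, CURRENT_X, 0.91, 0.90))
    # Concept drift only: inputs unchanged, but labels now relate to inputs differently.
    print(drift_report(BASELINE_X, BASELINE_X, 0.91, 0.80))
```

The second call is the case PSI and KL cannot catch: the input histogram is identical, so only performance monitoring on labelled data reveals that P(Y|X) has moved.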

Frequently Asked Questions

What is the ISACA Advanced in AI Risk (AAIR) certification?

AAIR is a newly launched ISACA credential, released April 15, 2026, designed for advanced practitioners who manage AI risk. It validates skills across AI risk governance, AI lifecycle risk, and AI risk program management. The exam is delivered by PSI in person or remotely as a 90-question, 2.5-hour test scored on an 800-point scale with a passing score of 450.

What are the prerequisites to sit for the AAIR exam?

AAIR has a hard prerequisite: candidates must hold one of approximately 25 ISACA-recognized designations such as CISA, CISM, CRISC, CGEIT, CDPSE, CISSP, CRMA, CGRC, or CIPP. After applying, candidates must complete the AAIR exam within a 6-month eligibility window.

How much does the ISACA AAIR exam cost?

The AAIR exam fee is $575 for ISACA members and $760 for non-members, plus a $50 application fee. Optional study materials and review courses from ISACA are priced separately. Self-study using free official resources (NIST AI RMF, EU AI Act text) is possible.

What domains does the AAIR exam cover?

AAIR covers three domains: AI Risk Governance and Framework Integration (NIST AI RMF, ISO/IEC 42001, EU AI Act, sectoral regulation, policy integration); AI Lifecycle Risk Management (data/model/deployment risks, fairness metrics, monitoring, red teaming, OWASP LLM Top 10, MITRE ATLAS); and AI Risk Program Management (governance, KRIs/KPIs, model inventory, third-party risk, ethics committee, post-market monitoring, ISACA DTEF). Detailed weights are not yet published by ISACA.

How is the AAIR exam delivered and scored?

The AAIR exam is delivered by PSI either at a testing center or via remote online proctoring. It contains 90 multiple-choice questions, runs 2.5 hours (150 minutes), and is scored on a scaled 200-800 range. Candidates need a scaled score of 450 or higher to pass.

How does AAIR differ from CRISC and CISM?

CRISC focuses on enterprise IT risk and controls broadly, and CISM focuses on information security management. AAIR is AI-specific: it tests how AI risk is governed (NIST AI RMF, ISO 42001, EU AI Act), how AI lifecycle risks are managed (fairness, robustness, OWASP LLM, ATLAS), and how an AI risk program is run. Many AAIR candidates already hold CRISC or CISM as prerequisites.

How should I prepare for the ISACA AAIR exam?

Strong preparation combines: (1) reading NIST AI RMF 1.0 and the NIST AI 600-1 Generative AI Profile, (2) studying ISO/IEC 42001 and ISO/IEC 23894, (3) working through the EU AI Act risk tiers, GPAI obligations, and timeline, (4) reviewing OWASP Top 10 for LLM Applications and MITRE ATLAS, and (5) practicing AAIR-style questions across all three domains. ISACA's official AAIR study guide and review questions are recommended.