Career upgrade: Learn practical AI skills for better jobs and higher pay.
Level up
PracticeVideosBlogFlashcardsEspañol
All Practice Exams

100+ Free AAISM Practice Questions

Pass your ISACA Advanced in AI Security Management (AAISM) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
Not published by ISACA Pass Rate
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0

A model card for a deployed customer-service LLM lists training data sources, intended use, and known limitations but omits any security review notes. From an AAISM perspective, what is the MOST significant gap?

A
B
C
D
to track
Same family resources

Explore More ISACA Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

CISA

Practice QuestionsStudy Guide
2 blogs

CISM

Practice QuestionsStudy Guide
2 blogs

CRISC Certified in Risk and Information Systems Control

Practice Questions
1 blog

ISACA COBIT 2019 Foundation

Practice Questions
1 blog

ISACA AAIA Advanced in AI Audit

Practice Questions

ISACA AAIR Advanced in AI Risk

Practice Questions

More From This Family

Videos and articles for deeper review.

ArticleCISA Exam Guide 2026: FREE ISACA Study Plan + Practice28 min readArticleCISM Exam Guide 2026: FREE ISACA Study Plan + Practice30 min readArticleCOBIT 2019 Foundation 2026: Governance-First Prep6 min readArticleCRISC Exam Guide 2026: FREE ISACA Study Plan + Practice30 min read
2026 Statistics

Key Facts: AAISM Exam

90

Exam Questions

ISACA AAISM ECO

2.5 hours

Time Limit

ISACA / PSI

450/800

Passing Score

ISACA scaled score

31/31/38

Domain Weights

Governance / Risk / Controls

$459

Member Exam Fee

ISACA (+ $50 application fee)

CISM or CISSP

Required Prerequisite

ISACA AAISM page

ISACA's AAISM (Advanced in AI Security Management) is a 2025-launch credential designed for security leaders extending CISM or CISSP into AI security. The exam is 90 multiple-choice questions in 2.5 hours with a 450/800 scaled passing score, delivered through PSI in test centers or remote proctoring. Candidates must hold an active CISM or CISSP and have a six-month eligibility window after registration. The exam covers AI Governance and Program Management (31%), AI Risk Management (31%), and AI Technologies and Controls (38%), with the standard fee of $459 for ISACA members or $599 for non-members plus a $50 application processing fee.

Sample AAISM Practice Questions

Try these sample questions to test your AAISM exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1An enterprise CISO is establishing accountability for AI security across business units. Which approach BEST aligns with ISO/IEC 42001 (AI Management System) and NIST AI RMF Govern function expectations?
A.Delegate all AI security decisions to data science teams since they understand the models
B.Establish a documented AI security charter with executive sponsorship, defined roles, and an AI governance committee that reports to senior leadership
C.Treat AI security as part of generic IT operations and reuse existing change management without additions
D.Wait for a regulatory mandate before formalizing any AI governance structure
Explanation: ISO/IEC 42001 and the NIST AI RMF Govern function both require documented accountability structures, executive sponsorship, and cross-functional oversight. A formal AI security charter with a governance committee tied to senior leadership creates the policy, accountability, and risk-tolerance backbone needed before risk management and controls can operate.
2Which of the following is the PRIMARY purpose of an AI security policy within an enterprise security program?
A.To list every AI vendor the organization currently uses
B.To translate executive risk appetite for AI into mandatory rules, roles, and acceptable-use boundaries enforced across the AI lifecycle
C.To replace the enterprise information security policy for systems that contain machine learning
D.To document model hyperparameters used in training
Explanation: An AI security policy is a directive document that translates the board's and CISO's risk appetite into mandatory requirements (e.g., approved use cases, data handling, third-party model rules, monitoring obligations). It supplements (not replaces) the enterprise information security policy.
3An AI security committee is being formed. Which membership composition BEST supports cross-functional governance of AI risk?
A.CISO and Head of Data Science only
B.CISO, Chief Data/AI Officer, Privacy/DPO, Legal, Risk, and a business sponsor with documented escalation authority
C.All software engineers who train models
D.Only external auditors to ensure independence
Explanation: AI risk crosses security, data, privacy, legal, and business value. A committee that pairs the CISO and Chief Data/AI Officer with privacy, legal, risk, and a business sponsor allows balanced decisions and clear escalation, which the NIST AI RMF Govern function and ISO/IEC 42001 expect.
4A model card for a deployed customer-service LLM lists training data sources, intended use, and known limitations but omits any security review notes. From an AAISM perspective, what is the MOST significant gap?
A.It is missing fairness disclosures only
B.It does not record adversarial-testing results, prompt-injection mitigations, or sensitive-data handling rules, so security stakeholders cannot verify residual risk
C.It should not exist because model cards are an academic artifact
D.It should include hyperparameter values for reproducibility
Explanation: From a security management perspective, the value of a model card is establishing residual risk and fitness for purpose. Without adversarial-testing results, prompt-injection mitigations, and sensitive-data handling rules, the security organization cannot accept the model into production with confidence.
5An organization is choosing a baseline AI management framework. Which standard formally defines an AI Management System (AIMS) with certification scheme?
A.NIST AI RMF 1.0
B.ISO/IEC 42001
C.OWASP Top 10 for LLM Applications
D.MITRE ATLAS
Explanation: ISO/IEC 42001 is the international management-system standard that defines an AI Management System (AIMS) with requirements suitable for third-party certification, similar in structure to ISO/IEC 27001 for information security.
6Within the NIST AI RMF 1.0 core, which function is responsible for cultivating a culture of risk management and is intended to apply across all stages of the AI lifecycle?
A.Map
B.Measure
C.Manage
D.Govern
Explanation: Govern is the cross-cutting function in NIST AI RMF 1.0 (along with Map, Measure, and Manage). It establishes the policies, accountability, culture, and processes that enable the other three functions throughout the AI lifecycle.
7A multinational deploys an HR-screening LLM that processes EU resumes. Which regulatory consideration MUST appear in the AI security program?
A.Only US state-level AI guidance
B.EU AI Act high-risk obligations plus GDPR lawful-basis, automated-decision, and data-subject-rights requirements
C.PCI DSS controls for cardholder data
D.FedRAMP boundary documentation
Explanation: Resume screening is classified as high-risk under the EU AI Act, triggering risk management, data quality, transparency, human-oversight, and conformity-assessment obligations. GDPR independently requires lawful basis, transparency, and Article 22 safeguards on automated decisions. Both apply.
8Which document defines the strategic direction, scope, milestones, and resource plan for an enterprise AI security capability over a multi-year horizon?
A.An AI security roadmap
B.An AI incident response playbook
C.A model card
D.A red-team report
Explanation: An AI security roadmap captures the multi-year strategic plan: capability gaps, sequencing, dependencies, owners, and budget. It is distinct from operational documents like playbooks or model cards.
9An AI security manager wants to track program effectiveness with leading rather than lagging indicators. Which is the BEST example of a leading KRI for AI security?
A.Number of historical AI security incidents last year
B.Percentage of in-scope AI systems with current threat models and pre-deployment red-team coverage
C.Total fines paid for past privacy violations
D.Number of customer complaints last quarter
Explanation: Coverage of threat modeling and pre-deployment red-teaming is forward-looking: it predicts whether the next deployment is likely to fail safely. Historical incidents, fines, and complaints are lagging indicators of past failures.
10An enterprise wants to classify training data used for a customer-support LLM. Which classification approach is MOST aligned with AI program governance and privacy expectations?
A.Treat all training data as Public to simplify access
B.Apply the existing enterprise data classification scheme to AI training data, with explicit labels for personal data, sensitive data, and IP, plus retention rules per class
C.Allow data scientists to set classifications informally per project
D.Use only model-derived classifications produced by the LLM itself
Explanation: AI training data must be governed by the enterprise data classification scheme so that access, retention, encryption, and deletion follow the same rules as production data. Personal and sensitive categories drive GDPR/CCPA obligations and contractual restrictions.

About the AAISM Exam

The ISACA Advanced in AI Security Management (AAISM) is a hard-prerequisite credential for security managers responsible for governing and securing AI systems. It validates AI governance and program management, AI risk management, and AI security technologies and controls aligned with ISACA's exam content outline, NIST AI RMF 1.0, ISO/IEC 42001, OWASP Top 10 for LLM Applications, and MITRE ATLAS. Candidates must hold an active CISM or CISSP to register.

Assessment

90 multiple-choice questions across three domains: AI Governance and Program Management (31%), AI Risk Management (31%), and AI Technologies and Controls (38%). Delivered by PSI in test centers or via online proctoring.

Time Limit

2.5 hours

Passing Score

450/800

Exam Fee

$459 (members) / $599 (non-members) + $50 application fee (ISACA / PSI)

AAISM Exam Content Outline

31%

AI Governance and Program Management

Stakeholder considerations, industry frameworks, and regulatory requirements (NIST AI RMF, ISO/IEC 42001, EU AI Act, GDPR, CCPA); AI strategies, policies, and procedures; AI asset and data lifecycle management; AI security program development; business continuity and incident response for AI

31%

AI Risk Management

AI risk assessment, thresholds, and treatment; AI threat and vulnerability management; AI vendor and supply chain management; adversarial ML and MITRE ATLAS techniques; OWASP Top 10 for LLM Applications 2025

38%

AI Technologies and Controls

AI security architecture and design; AI lifecycle controls (model selection, training, validation); data management controls; privacy, ethical, trust and safety controls; privacy-enhancing technologies (differential privacy, federated learning, MPC, homomorphic encryption, confidential computing); security monitoring and ML observability

How to Pass the AAISM Exam

What You Need to Know

  • Passing score: 450/800
  • Assessment: 90 multiple-choice questions across three domains: AI Governance and Program Management (31%), AI Risk Management (31%), and AI Technologies and Controls (38%). Delivered by PSI in test centers or via online proctoring.
  • Time limit: 2.5 hours
  • Exam fee: $459 (members) / $599 (non-members) + $50 application fee

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

AAISM Study Tips from Top Performers

1Memorize the AAISM domain weights (31% / 31% / 38%) and budget more practice on Domain 3 because it carries the most exam weight and the most technical depth.
2Be fluent in NIST AI RMF 1.0 functions (Govern, Map, Measure, Manage) and ISO/IEC 42001 AIMS clauses; many AAISM scenarios reward selecting the framework-aligned answer.
3Practice OWASP Top 10 for LLM Applications 2025 by identifier and example, especially LLM01 Prompt Injection, LLM06 Excessive Agency, LLM07 System Prompt Leakage, LLM08 Vector and Embedding Weaknesses, and LLM10 Unbounded Consumption.
4Treat retrieved content (RAG, browsing, tool output) as untrusted input and look for that pattern in scenario answers — sanitization, instruction stripping, allow-listing, and provenance tagging.
5Know privacy-enhancing technology trade-offs: differential privacy (epsilon budget), federated learning, MPC, homomorphic encryption (FHE/PHE), and confidential computing (TEEs/attestation).
6Always close the incident-response loop back into governance: post-incident review, control updates, governance metrics, and committee reporting are recurring AAISM answer patterns.

Frequently Asked Questions

What is the ISACA AAISM exam?

AAISM (Advanced in AI Security Management) is ISACA's 2025-launch credential for security leaders responsible for governing and securing AI systems. It is positioned as an advanced credential and requires an active CISM or CISSP certification to register. The 90-question, 2.5-hour exam is delivered through PSI.

What are the AAISM domain weights?

The AAISM exam content outline defines three domains: AI Governance and Program Management (31%), AI Risk Management (31%), and AI Technologies and Controls (38%). Domain 3 carries the most weight and emphasizes technical interpretation, control selection, and security judgment for AI systems.

Who is eligible to take the AAISM exam?

Candidates must hold an active CISM or CISSP certification at registration. ISACA also expects experience in security or advisory roles and some expertise assessing, implementing, or maintaining AI systems. After registration, candidates have a six-month eligibility window to schedule and take the exam.

How much does AAISM cost?

The exam fee is US$459 for ISACA members and US$599 for non-members. There is also a one-time US$50 application processing fee due after passing the exam. ISACA annual maintenance fees apply after certification.

What is the AAISM passing score?

Like ISACA's other credentials, AAISM uses a scaled score from 200 to 800 and a passing score of 450 or higher. The 90-question exam combines knowledge-based and scenario-based items.

How should I study for AAISM?

Start from the ISACA AAISM exam content outline, then layer in NIST AI RMF 1.0, ISO/IEC 42001, the EU AI Act, OWASP Top 10 for LLM Applications 2025, and MITRE ATLAS. Practice scenario decisions across governance, risk, and controls, and prioritize Domain 3 (38%) for technical depth on architecture, lifecycle controls, monitoring, and privacy-enhancing technologies.

How does AAISM differ from CISM and CISSP?

CISM is broad information security management; CISSP is broad security architecture and engineering. AAISM is purpose-built for AI security: AI-specific governance, risk, and controls, including model lifecycle, prompt injection, vector databases, agent security, and AI supply chain. AAISM is designed to extend, not replace, CISM or CISSP.