CompTIA Updated CY0-001 Exam Questions and Answers by yusra

Basic Concept: Generative AI chatbots interact with users in natural language and may access organizational knowledge bases, databases, or prior conversations. The conversational nature of these systems creates unique risks around sensitive information disclosure. CompTIA SecAI+ Study Guide ranks data leakage as the primary security concern for generative AI chatbots.

Why B is Correct: Data leakage occurs when a generative AI chatbot inadvertently reveals sensitive information including PII, confidential business data, intellectual property, training data, or system configurations in its responses. This can happen through prompt injection attacks, insufficient output filtering, or the model memorizing and reproducing sensitive training data. The impact is immediate, potentially irreversible, and can result in regulatory violations, competitive disadvantage, and reputational damage.

Why A is Wrong: Overly permissive access is a contributing factor that can exacerbate data leakage but is an access control design issue rather than the most directly impactful runtime risk of operating a generative AI chatbot.

Why C is Wrong: Weak encryption is a data protection concern for data in transit or at rest. While important, it is a configuration issue separate from the generative AI chatbot ' s core operational risks and is not specific to chatbot technology.

Why D is Wrong: Model validation ensures a model performs as expected before deployment. While important for quality assurance, it is a development lifecycle activity rather than an ongoing operational security risk associated with running a chatbot.

Basic Concept: Various regulatory frameworks govern AI use in different contexts. For auditing legal compliance in high-risk AI applications such as employment and HR, binding regulatory legislation takes precedence over voluntary standards. CompTIA SecAI+ Exam Objectives cover AI governance and compliance frameworks under Domain 4.

Why C is Correct: The EU AI Act is the world ' s first comprehensive, legally binding AI regulation. It explicitly classifies AI systems used in employment, worker management, and recruitment as high-risk AI systems, subjecting them to strict compliance requirements including conformity assessments, transparency obligations, and human oversight mandates. An auditor reviewing HR AI for legal non-compliance must reference this binding legislation.

Why A is Wrong: The OECD AI Principles are non-binding international guidelines promoting responsible AI. They offer policy guidance but carry no legal enforcement power for compliance auditing.

Why B is Wrong: The NIST AI RMF is a voluntary, risk management-focused framework. It is not a legal compliance standard and cannot be used to assess legal non-compliance.

Why D is Wrong: ISO standards such as ISO 42001 are voluntary international best practice standards. They are not legal compliance instruments with enforceable penalties for HR AI systems.

Basic Concept: Different regulatory and standards bodies address different aspects of technology governance. For AI-specific compliance guidance that addresses the unique characteristics of AI systems including transparency, fairness, accountability, and societal impact, a framework specifically designed for AI is required. CompTIA SecAI+ Study Guide identifies OECD as a key source of AI-specific compliance guidance.

Why A is Correct: The OECD AI Principles and Recommendation on AI provide internationally recognized, AI-specific guidance on compliance with responsible AI values including transparency, accountability, robustness, security, safety, and human-centric values. The OECD has developed a dedicated framework specifically addressing the compliance considerations unique to AI systems across sectors and national boundaries, making it the most AI-specific compliance guidance option listed.

Why B is Wrong: ISO 27001 is a general information security management standard addressing broad organizational security controls. It is not AI-specific and does not address the unique compliance considerations of AI transparency, fairness, or algorithmic accountability.

Why C is Wrong: PCI DSS is a payment card industry security standard focused on protecting payment card data. It has no AI-specific compliance provisions and is limited to financial transaction security requirements.

Why D is Wrong: GDPR is a European data protection regulation focused on personal data privacy rights and obligations. While relevant to AI systems that process personal data, GDPR is a privacy regulation rather than AI-specific compliance guidance addressing the full spectrum of AI governance considerations.

Basic Concept: Infrastructure hardening for AI systems involves applying security baseline settings and eliminating unnecessary attack surfaces. CompTIA SecAI+ Exam Objectives identify configuration standards as the specific governance instrument that mandates infrastructure hardening requirements for AI deployments.

Why D is Correct: Configuration standards are formal, technical documents specifying exact security settings, baseline configurations, and hardening requirements that developers and administrators must implement to protect systems including AI infrastructure. They establish enforceable rules such as disabling unnecessary services, applying least-privilege access, and enforcing secure communication protocols specifically for AI systems.

Why A is Wrong: Intake processes govern how new projects, systems, or requests are evaluated and onboarded into an organization. They are procedural checkpoints for initial assessment, not technical hardening directives for developers.

Why B is Wrong: Acceptable use policies define appropriate ways employees and users may use organizational systems and AI tools. They are behavioral guidelines aimed at end users, not technical requirements instructing developers to secure infrastructure.

Why C is Wrong: Development guidelines provide best practices and recommendations for software development and may include security considerations. However, they are advisory in nature and broader in scope than the specific mandatory infrastructure-hardening requirements found in configuration standards.