Isaca Updated AAISM Exam Questions and Answers by bilal

The AAISM materials highlight that one of the primary legal risks with generative AI systems is the unauthorized use of copyrighted or intellectual property–protected data drawn from internet sources. To mitigate lawsuits, the most effective recommendation is to implement filtering logic that actively excludes data flagged for intellectual property risks before ingestion or generation. While disclosing compliance policies, appointing governance roles, or reviewing logs are supportive measures, they do not directly prevent the core liability of using restricted content. The study guide explicitly emphasizes that proactive filtering and data governance controls are the most effective safeguards against legal disputes concerning content origin.

Per AAISM’s ML lifecycle controls, hyperparameter tuning is performed on the validation set, reserving the test set strictly for final, unbiased performance estimation. The training set is used to fit parameters; the validation set guides model selection and hyperparameter optimization; the test set is untouched until the end to prevent leakage and optimistic bias. “Configuration” is not a dataset type in the lifecycle split.

Model drift occurs when the statistical properties of input data and/or the relationship between features and outcomes change over time, causing degraded model performance. The AAISM guidance classifies data-centric causes (distribution shift, concept drift, and contamination) as the primary drivers and highlights that malicious contamination of training or incremental learning data (data poisoning) is a direct, high-likelihood driver of observable drift in production because it changes the effective data-generating process the model learns from. In contrast:

• Perfect knowledge is an attacker capability descriptor, not a drift cause.

• Membership inference targets privacy of the training set and does not inherently shift data distributions.

• Model stealing targets IP/confidentiality; it does not change the victim model’s data distribution or decision boundary in situ.

According to the AI Security Management™ (AAISM) study framework, compliance with privacy and regulatory standards must begin with a formalized process of identifying, documenting, and maintaining applicable obligations. The guidance explicitly notes that organizations should maintain a comprehensive register of legal and regulatory requirements to ensure accountability and alignment with privacy laws. This register serves as the foundation for all governance, risk, and control practices surrounding AI systems that handle personal data.

Maintaining such a register ensures that the recommendation system operates under the principles of privacy by design and privacy by default. It allows decision-makers and auditors to trace every AI data processing activity back to relevant compliance obligations, thereby demonstrating adherence to laws such as GDPR, CCPA, or other jurisdictional mandates.

Other measures listed in the options contribute to good practice but do not achieve the same direct compliance outcome. Retraining models improves technical accuracy but does not address legal obligations. Oversight committees are valuable but require the documented register as a baseline to oversee effectively. Indefinite storage of customer data contradicts regulatory requirements, particularly the principle of data minimization and storage limitation.

AAISM Domain Alignment:

This requirement falls under Domain 1 – AI Governance and Program Management, which emphasizes organizational accountability, policy creation, and maintaining compliance documentation as part of a structured governance program.

References from AAISM and ISACA materials:

AAISM Exam Content Outline – Domain 1: AI Governance and Program Management

AI Security Management Study Guide – Privacy and Regulatory Compliance Controls

ISACA AI Governance Guidance – Maintaining Registers of Applicable Legal Requirements