Isaca Updated AAISM Exam Questions and Answers by sienna-rose

AAISM’s risk management framework stresses that the most effective defense against deepfake-enabled fraud, such as payment diversion, is resilient payment approval processes. This includes multi-step verification, segregation of duties, and independent confirmations for high-value transactions. Employee training, policies, or limiting payment frequency may reduce exposure, but they cannot guarantee prevention. Only process-based controls enforce structural safeguards that prevent fraudulent instructions from being executed, even if a deepfake impersonation attempt is successful.

When setting RPOs and RTOs for AI systems, especially generative AI, the critical factor is the restoration of training data and model artifacts within the recovery window. Without this, restored systems may function inaccurately or incompletely, undermining business continuity.

AAISM risk management principles emphasize:

Recovery objectives must align with data protection requirements for both training and inference data.

The ability to restore large-scale training datasets is primary, since downtime without them leads to operational and compliance risks.

Computational efficiency and hardware consistency are secondary considerations, but not the primary drivers of RPO/RTO definitions.

Thus, ensuring backup and restore capabilities of training datasets directly within RTO is the primary requirement.

AAISM guidance on crisis management and communication emphasizes that the initial priority in responding to a reputational or market manipulation attack is to provide accurate clarifying information to the public through a pre-approved statement. This ensures stakeholders and markets are given verified facts immediately, limiting the spread of misinformation. While forensic analysis, employee training, and monitoring activities are important, they occur after the immediate need for public trust and damage control is addressed. Pre-approved statements are a central control in AI-related incident response to ensure consistency, timeliness, and credibility in communications.

AAISM notes that deep learning systems lack transparency due to complex neural architectures, where internal representations are statistical, nonlinear, and not directly interpretable.

While probability (C) and data sourcing (D) contribute to opacity, the root cause is the intrinsic complexity and opacity of deep neural networks.