Isaca Updated AAISM Exam Questions and Answers by madiha

In AAISM governance guidance, risk documentation is described as the structured record that defines the organization’s risk appetite and tolerance levels for AI initiatives. By outlining acceptable levels of risk, documentation ensures decision-makers can approve, monitor, and adjust AI projects within defined boundaries. While it may also serve audit functions, technical analysis, or communication to stakeholders, its primary role is to formalize risk acceptance thresholds and integrate them into governance and decision-making. This aligns directly with the governance requirement to align AI adoption with organizational risk appetite.

AAISM emphasizes data lineage, provenance tracking, and inventory completeness as essential controls to ensure data security and accountability across all AI data life-cycle phases. This enables detection of unauthorized modifications, improper use, and compliance violations.

Periodic reviews (B) are necessary but insufficient without lineage. Restricting third-party use (C) is one control but not comprehensive. Open-source model choice (A) does not secure data.

AAISM clarifies that model owners hold responsibility for ensuring corrective actions are implemented after AI audits. They are accountable for:

• model behavior

• compliance gaps

• security improvements

• governance alignment

Internal auditors (B) perform assessments but do not implement changes. System architects (A) support technical fixes but do not own compliance. End users (C) are not responsible for audit remediation.

AAISM guidance highlights data minimization as a critical practice for addressing both security and privacy concerns. By ensuring that only the minimum necessary data is collected and retained, the organization reduces the risk of sensitive information being exposed or misused during training. Data augmentation expands data but does not mitigate privacy risk. Classification organizes data but does not limit exposure. Data discovery helps locate sources but does not directly reduce risks. The control that directly aligns with privacy-by-design principles is data minimization.