Isaca Updated AAISM Exam Questions and Answers by diya

AAISM states that AI agent security training should focus on the unique risks of agentic systems, which include:

• prompt injection

• memory control and context hijacking

• unsafe tool execution (agents triggering unauthorized actions)

These risks are specific to autonomous or semi-autonomous AI agents.

Bias, fairness (B) and output moderation (C) are important but not the most critical for agent security. API abuse and plug-in risk (D) matter but are secondary.

AAISM defines model inversion attacks as those where adversaries use queries or synthetic data to reconstruct sensitive information or approximate the inner workings of a model. By exploiting outputs, attackers attempt to reverse engineer training data or model functionality. Distillation refers to compressing models, not adversarial attacks. Prompt attacks relate to manipulating language model inputs, and poisoning occurs when adversaries corrupt training data rather than infer from outputs. The scenario describes attackers using synthetic data to reveal hidden characteristics, which aligns directly with inversion attacks.

For executive security and governance reporting, AAISM prioritizes risk- and harm-oriented KPIs that reflect safety, reliability, and responsible behavior of AI systems. Error rate (safety/quality signal) and bias detection (fairness/compliance signal) provide leading indicators of model risk, potential user harm, and regulatory exposure—key interests for a CISO. Explainability and F1 (A) are model performance/interpretability metrics; customer effort/retention (B) are business CX metrics; response time/throughput (C) are operational SRE metrics. While valuable, they are secondary to risk-centric KPIs for CISO oversight.

AAISM requires that risk thresholds/tolerances be set by aligning threat likelihood and impact with the organization’s business context and risk appetite. Determining “acceptable” risk starts with assessing business impact of credible threats (e.g., prompt injection leading to data exfiltration, policy evasion, or harmful actions), then translating this into control intensity and thresholds. Hard input restrictions (A) and static output caps (C) are blunt measures that may degrade utility without ensuring alignment to risk appetite. Monitoring (B) is essential for detection, but it does not, by itself, define what level of risk is acceptable.