During an audit of an investment organization's AI-powered software, an IS auditor identifies a potential security risk. What is the GREATEST risk associated with staff exfiltrating organizational data to a generative AI tool?
Correct Answer: B
The AAIA™ Study Guide stresses that inputting confidential or proprietary data into third-party generative AI tools may result in unauthorized data disclosure. These tools may store, process, or retrain on the input data, leading to privacy and intellectual property risks. "When employees input sensitive data into external AI tools, organizations risk losing control over that information. This may result in regulatory non-compliance, legal exposure, and irreversible data leakage." While business disruption (C) and reliance (D) are notable, the most severe and immediate risk is B, unauthorized disclosure. Data contamination (A) impacts model reliability, not data security. Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: "Ethical and Legal Considerations in AI," Subsection: "Data Privacy and Use of External AI Tools"
AAIA Exam Question 52
An IS auditor reviewing documentation for an AI model notes that the modeler utilized a K-means clustering algorithm, which clusters data into categories for correlations and analysis. Which of the following is the MOST important risk for the auditor to consider?
Correct Answer: C
K-means clustering is a widely used unsupervised learning algorithm. However, it is sensitive to outliers and assumes that features are on the same scale, which can distort clustering results if not properly normalized. According to the AAIA™ Study Guide, this sensitivity can impact model reliability and the meaningfulness of clusters. "Auditors should assess whether proper data preprocessing (e.g., normalization, outlier removal) was applied in clustering models. K-means assumes Euclidean distances, making it prone to errors when features differ in scale or contain outliers." Therefore, C correctly identifies the key risk. Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: "AI Fundamentals and Technologies," Subsection: "Clustering Algorithms and Data Risks"
AAIA Exam Question 53
An AI healthcare diagnostic tool requires large volumes of patient data, raising concerns about privacy and data breaches. Which of the following is the MOST effective strategy to mitigate this risk?
Correct Answer: D
The most effective strategy to protect sensitive patient data is to use synthetic data or anonymized datasets for model training. This reduces exposure of personally identifiable information while allowing the model to learn meaningful medical patterns. AAIA emphasizes privacy-by-design, de-identification, and minimal use of raw personal data in high-risk sectors such as healthcare. Anonymization and synthetic data significantly reduce the risk of re-identification or breach-related harm. Option A (encryption) protects data in transit but does not eliminate privacy risks. Option B is impractical because healthcare models require clinically relevant datasets, not public data. Option C increases data exposure, aggravating privacy risks. Thus, using anonymized or synthetic data is the strongest privacy protection aligned with healthcare compliance principles. References: AAIA Domain 5: Data Privacy, AI Ethics, and Compliance. AAIA Domain 2: Data Management Practices for Sensitive AI Use Cases.
AAIA Exam Question 54
An IS auditor is planning an audit of an AI medical prognosis system. Which of the following is the BEST way to test model transparency?
Correct Answer: D
SHAP (Shapley Additive Explanations) is the leading, industry-recognized method for explaining complex AI model predictions. AAIA specifically identifies SHAP as a robust technique for transparency in high-impact systems such as medical AI. SHAP provides:
* Feature contribution breakdowns
* Visual explanation of each decision
* Global and local interpretability
* Quantifiable insights into model logic
* Compliance-friendly justification of predictions
Options A and B relate to integration and stress testing, not transparency. Option C validates outputs but does not explain how the model reached them. Thus, SHAP is the best approach for achieving explainability in medical AI. References: AAIA Domain 5: Explainability Techniques; AAIA Domain 3: Model Validation and Auditability
AAIA Exam Question 55
Which of the following is the MOST important course of action for an organization prior to allowing end users to utilize an AI tool?
Correct Answer: A
An AI usage policy sets the foundation for safe, ethical, and effective AI deployment. According to the AAIA™ Study Guide, having an AI policy in place ensures that users understand acceptable behaviors, limitations, and responsibilities when interacting with AI tools. "AI acceptable use policies promote governance by clearly outlining the dos and don'ts of AI interaction, preventing misuse and aligning user activity with organizational values and compliance standards." Other actions (B, C, D) are important in operations and risk management but should follow the establishment of governance protocols through a usage policy. Hence, A is the highest-priority prerequisite. Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: "AI Governance and Risk Management," Subsection: "Policy Frameworks for End-User AI Interaction"