AAIR ISACA Advanced in AI Risk Questions and Answers

Synthetic data is generated algorithmically to resemble real data while protecting individual privacy. However, synthetic data generation processes may not perfectly capture the full statistical diversity of real-world populations—particularly rare conditions, edge cases, and underrepresented demographic groups.

Why A is Correct: According to ISACA AAIR data quality guidance for AI, the greatest risk of training on synthetic data is that it may not reflect real-world diversity. In healthcare, this is particularly consequential because AI models trained on non-diverse synthetic data may perform poorly for patient populations not well-represented in the original real data—potentially producing inaccurate diagnoses or treatment recommendations for vulnerable groups, perpetuating health inequities.

Why B is Wrong: While reduced diversity could contribute to increased false negatives in some scenarios, this is a specific manifestation of the broader diversity problem. The root cause—lack of real-world representativeness—is the more fundamental and comprehensive risk.

Why C is Wrong: Regulatory noncompliance from synthetic data use depends on jurisdiction-specific requirements. Many regulations explicitly encourage synthetic data to protect privacy. While compliance must be verified, it is not the greatest inherent risk of synthetic data quality.

Why D is Wrong: Synthetic data generation occurs in controlled internal environments and is not inherently more susceptible to data poisoning than other data types. Poisoning risk is a function of data pipeline controls, not whether data is synthetic or real.

Changes to production AI models—including retraining, parameter updates, and architecture modifications—can alter model behavior in ways that introduce new biases, reduce accuracy, or create regulatory compliance issues. Validation before deploying changes is the most critical safeguard.

Why C is Correct: According to ISACA AAIR change management guidance for AI systems, rigorous validation to assess changes' effects on predictive accuracy and model bias is the most important change management activity. Production AI models make real-world decisions affecting people and business outcomes. Unvalidated changes may degrade performance, introduce discriminatory patterns, or create regulatory violations that are difficult to detect and remediate after deployment.

Why A is Wrong: Allowing operational teams to adjust configuration parameters in real time bypasses change control processes and creates untracked, unvalidated changes to model behavior. This represents a governance risk, not an acceptable change management practice.

Why B is Wrong: Access controls for new model functionalities are a security and authorization concern. While important for access governance, they do not address the technical risk that model changes may degrade performance or introduce bias.

Why D is Wrong: Expediting production rollouts to minimize downtime prioritizes availability over quality assurance. Rushing changes without adequate validation trades one operational risk (downtime) for a potentially more severe risk (biased or inaccurate outputs affecting critical decisions).

Credit risk assessment AI models trained on unrepresentative datasets perpetuate and amplify historical financial inequities, producing discriminatory outcomes that violate anti-discrimination laws and harm underrepresented borrowers. Dataset diversity is the primary safeguard against training-data-driven bias.

Why A is Correct: According to ISACA AAIR bias and fairness guidance for financial AI, dataset diversity is the most important factor for supporting accurate and unbiased credit risk outcomes. A diverse dataset that represents the full population of potential borrowers—across demographics, income levels, credit histories, and geographies—enables the model to learn genuine risk relationships rather than proxies for protected characteristics. Without diversity, even technically sophisticated models perpetuate discriminatory patterns from historical data.

Why B is Wrong: Supervised learning is a modeling approach, not a data quality characteristic. The choice of supervised learning is appropriate for credit scoring but does not determine whether the training data is representative or unbiased.

Why C is Wrong: Synthetic data augmentation can supplement real data to address specific gaps but cannot substitute for diversity in the underlying real-world data. Synthetic data derived from biased real data may amplify rather than correct the original bias.

Why D is Wrong: Data normalization is a preprocessing technique that scales numerical features to comparable ranges to improve model convergence. It addresses technical modeling quality but has no effect on the representational diversity or demographic fairness of the dataset.

Threat actor profiling characterizes the motivations, capabilities, and likely attack methods of potential adversaries. In AI risk management, understanding who the likely attackers are and what they seek enables the design of controls specifically matched to the actual threat landscape.

Why B is Correct: According to ISACA AAIR threat-based risk management guidance, the most important reason for threat actor profiling is to tailor controls to adversary motivations and capabilities. Different threat actors—nation-state attackers, criminal organizations, competitors, insiders, activists—have different objectives (espionage vs. financial gain vs. disruption), capabilities (sophisticated vs. opportunistic), and methods. Controls calibrated to actual threat actor profiles are significantly more effective than generic controls that may not address the specific threats the organization actually faces.

Why A is Wrong: Aligning AI threats with IT control taxonomy is a governance integration activity that improves control consistency but does not capture the threat actor-specific tailoring value of profiling. Taxonomy alignment is an administrative benefit; threat-tailored controls are a security effectiveness benefit.

Why C is Wrong: Response metrics for cybersecurity incidents are developed for incident management planning. Threat actor profiling informs control design and incident response strategies but is not primarily used to develop response metrics.

Why D is Wrong: Prioritizing external threats over internal threats is a security strategy choice that threat actor profiling does not prescribe. Many AI attacks, including insider threats and social engineering, are internal. Profiling should result in appropriate prioritization based on actual threat likelihood, not a blanket prioritization of external threats.

Root cause analysis for AI incidents requires the ability to trace system behavior back through decision logic, data processing steps, and model internals to identify what caused the incident. AI systems—particularly deep learning models—often operate as black boxes, making this tracing extremely difficult.

Why A is Correct: According to ISACA AAIR incident management guidance, the lack of transparency in AI systems is the greatest root cause analysis challenge. When decision logic cannot be inspected, when data lineage is unclear, or when model internals are opaque, analysts cannot determine why the system behaved as it did. This transparency deficit prevents accurate root cause identification, perpetuates recurrence, and makes it impossible to demonstrate corrective action to regulators.

Why B is Wrong: Unclear system objectives represent a design and governance problem that should be addressed before deployment. While unclear objectives can contribute to incidents, they are typically knowable and addressable. Lack of transparency during an incident is a more immediate analytical barrier.

Why C is Wrong: Automation bias—the tendency to over-trust automated systems—is a human factors risk that affects decision-making during normal operations. While it may contribute to incidents, it is a behavioral phenomenon rather than the primary technical barrier to root cause analysis.

Why D is Wrong: Privacy compliance requirements may restrict access to certain data needed for analysis, creating constraints on investigation. However, these are governance constraints that can often be addressed through appropriate authorization, not fundamental analytical barriers.

AI-driven technical support systems rely on accurate, current knowledge to resolve user issues. Model drift causes the system to diverge from real-world conditions, producing inaccurate outputs that erode user trust, increase escalations, and potentially cause harm if incorrect technical guidance is followed.

Why A is Correct: According to ISACA AAIR validation guidance, inaccurate outputs from model drift represent the greatest risk in a technical support AI because they directly compromise the system's core function—providing correct technical guidance. Inaccurate outputs lead to unresolved issues, potential system damage from wrong instructions, and reputational harm. Unlike the other options, drift-driven inaccuracy affects every user interaction and cannot be remediated without model updates.

Why B is Correct Context: Infrequent training dataset updates are a contributing cause of model drift and are a serious concern, but they are an input factor rather than the manifest risk itself. The concern is the resulting inaccuracy.

Why C is Wrong: Encryption is a security control for data in storage and transit. While important for confidentiality, it does not affect the accuracy of AI outputs or the system's ability to provide correct technical guidance.

Why D is Wrong: Excessive manual sampling is a testing methodology concern that may reduce testing coverage efficiency. However, it represents a process inefficiency rather than a direct risk to output quality—the model's accuracy is the greater concern.

A comprehensive, well-designed data pipeline establishes consistent, documented processes for data collection, preprocessing, transformation, and quality validation across training, testing, and validation stages. This systematic approach reduces the likelihood of data errors propagating through to the final model.

Why A is Correct: According to ISACA AAIR data pipeline governance guidance, the primary benefit of a comprehensive pipeline is reducing error propagation risk. By applying consistent quality checks, validation gates, and transformation rules throughout the pipeline, errors in raw data are detected and corrected before they influence model training. This prevents data quality failures from compounding into model accuracy and bias problems—producing a higher-quality, more reliable final model.

Why B is Wrong: Governance risk sharing with external providers occurs through contractual arrangements and shared responsibility frameworks, not through data pipeline implementation. Pipeline design is an internal quality management measure.

Why C is Wrong: Automation of early-stage pipeline tasks is an operational efficiency benefit. While valuable, efficiency is a secondary benefit compared to the primary purpose of ensuring data quality and reducing error risk.

Why D is Wrong: Enhanced auditability is an important governance benefit that pipeline documentation provides but is not the primary purpose of pipeline implementation. The primary purpose is quality assurance during model development; auditability is a beneficial side effect.

Privacy and data protection regulations worldwide—including GDPR, CCPA, and sector-specific laws—impose strict requirements on the collection, use, and processing of personal information. Customer data used for AI systems must be obtained through lawful means with appropriate consent for the specific processing purpose.

Why A is Correct: According to ISACA AAIR guidance on regulatory compliance, the legal basis for processing personal data is the foundational requirement. An AI system built on data collected without proper consent or legal authorization exposes the organization to regulatory penalties, reputational damage, and forced shutdown of the system. Consent must be specific to the AI use case, not merely generic data collection consent.

Why B is Wrong: Backup and storage protocols address data security and resilience, which are compliance requirements but secondary to the lawfulness of data collection. Securely storing improperly obtained data does not cure the regulatory violation.

Why C is Wrong: Human review of recommendations is a governance safeguard for accuracy and fairness, not a regulatory compliance requirement for data collection. Many regulations do not require human review of recommendation systems.

Why D is Wrong: Supervised learning is a modeling technique that does not address regulatory compliance regarding data sourcing. The training methodology is irrelevant to whether the underlying data was legally obtained.

Training program effectiveness KPIs must measure behavioral change—whether training has actually altered how participants act in their work environment—rather than knowledge acquisition or adoption rates. The most meaningful behavioral signal for AI risk awareness training is whether trained users report suspicious activity.

Why B is Correct: According to ISACA AAIR training effectiveness measurement guidance, the number of AI irregularities and potential tampering incidents reported by users is the most appropriate behavioral KPI for risk awareness training effectiveness. When users report unusual AI behavior, this demonstrates they have internalized training concepts well enough to recognize anomalies and understand their obligation to report them. This behavioral change—from passive observation to active reporting—is the intended outcome of awareness training.

Why A is Wrong: Risk rating changes measure risk management process adjustments rather than individual behavioral change from training. Risk ratings reflect aggregate organizational risk, not the specific behavioral impact of an awareness training program.

Why C is Wrong: Ability to identify financial impacts is a knowledge assessment metric—it measures what users know rather than what they do differently as a result of training. Awareness training aims to change behavior, not just inform.

Why D is Wrong: AI adoption rates measure technology uptake, not risk awareness. Higher adoption could indicate confidence in AI systems but does not measure whether employees recognize and report AI risks—the specific objective of risk awareness training.

AI systems introduce unique security threat vectors that differ fundamentally from conventional IT security scenarios. Risk scenarios must address AI-specific attacks—model poisoning, adversarial inputs, output manipulation—that conventional security frameworks do not cover.

Why A is Correct: The ISACA AAIR AI security risk scenario guidance focuses on attacks that specifically exploit AI system properties—particularly techniques that maliciously alter AI outputs. These AI-specific attack vectors (adversarial examples, model inversion, prompt injection, output manipulation) represent the most important focus for AI security risk scenario development because they target capabilities unique to AI systems and cannot be addressed by repurposing conventional IT security scenarios.

Why B is Wrong: Business unit readiness documentation is a change management and organizational capability assessment activity. It supports AI adoption planning but does not constitute AI security risk scenario development.

Why C is Wrong: Access policy development is an important security control activity but represents control design rather than risk scenario development. Access policies respond to identified risks; they are not themselves risk scenarios.

Why D is Wrong: Quantum encryption is an emerging cryptographic technology addressing future threats to classical encryption. While relevant for long-term data protection planning, it represents a specialized and forward-looking concern rather than the most important focus for current AI security risk scenarios.

The shared responsibility model creates complexity in AI governance because control obligations are distributed between the organization and the vendor. The most critical risk is ambiguity about who owns specific controls and who makes decisions when issues arise.

Why D is Correct: The ISACA AAIR framework identifies documented assignment of control ownership as the cornerstone of shared responsibility governance. Without explicit documentation of which controls the organization owns versus which the vendor owns, and who has decision authority in each scenario, gaps and overlaps emerge that allow risks to go unmanaged. Named ownership ensures accountability persists across the shared boundary.

Why A is Wrong: Staff training on procedures is important but addresses operational readiness rather than the fundamental governance challenge of shared responsibility. Training supports a well-structured model but cannot substitute for defined ownership.

Why B is Wrong: Contractual liability clauses are legal protections that determine financial recourse after incidents. While essential, they do not prevent governance gaps from forming during normal operations.

Why C is Wrong: Data pathway testing is a security assurance activity addressing technical controls. It verifies control function but does not establish who owns those controls or what authority they have in the shared model.

AI performance alerts signal emerging issues with model behavior—accuracy degradation, anomalous outputs, drift—that require prompt management attention and decision-making. When these alerts are not escalated, corrective actions are delayed and AI system instability can escalate into serious operational incidents.

Why B is Correct: The ISACA AAIR operational risk management guidance identifies business disruption from delayed remediation as the greatest risk from alert escalation failures. When performance alerts are suppressed or not acted upon, unstable AI behavior continues and potentially worsens until it produces visible failures—system outages, incorrect critical decisions, customer harm—that disrupt business operations. The gap between alert generation and remediation is the window during which the AI system can cause the most damage.

Why A is Wrong: Governance reporting gaps represent a compliance and oversight concern but are secondary to the operational reality of unstable AI causing business disruption. Reporting gaps are administrative failures; operational disruption is the consequential business harm.

Why C is Wrong: Redundant mitigation activities might arise when issues are addressed without coordination, but this is an efficiency concern. The greater risk is that without escalation, no mitigation activities are initiated at all—the opposite of redundancy.

Why D is Wrong: Decision logging gaps affect traceability and auditability. While important for governance purposes, logging failures do not represent the most immediate operational risk from failing to escalate performance alerts to decision-makers.

AI models that learn from live data streams continuously update their parameters based on incoming data. This creates two specific risks: the model's behavior may drift from its validated state as data patterns change (data drift), and adversaries may deliberately introduce malicious data to manipulate the model's learning (data poisoning).

Why D is Correct: According to ISACA AAIR adaptive model risk guidance, implementing automated monitoring for both data drift and data poisoning is the most comprehensive response to live-learning model risks. Automated monitoring operates continuously at the speed of the data stream, detecting statistical changes in input distributions (drift signals) and anomalous data patterns (poisoning signals) in real time—enabling timely intervention before either risk materializes into harmful behavior.

Why A is Wrong: Defense-in-depth for model access controls who can interact with the model but does not address risks arising from the data the model learns from. Access controls are necessary but insufficient for managing adaptive learning risks.

Why B is Wrong: Restricting data sources reduces learning breadth, potentially undermining the model's adaptive capability that creates its value. Periodic inspections are too infrequent for live-learning systems where risks can emerge between inspection cycles.

Why C is Wrong: Dynamic performance thresholds detect output degradation after drift has occurred. While useful as a safety net, this reactive monitoring does not prevent drift or detect poisoning early enough for the live-learning risk context.

Deep learning models have numerous hyperparameters—learning rate, batch size, regularization parameters, network architecture choices—that control how the model learns from data. Fine-tuning these parameters optimizes model performance for the specific dataset and task requirements.

Why D is Correct: According to ISACA AAIR model development guidance, when a large volume of relevant data is already available, hyperparameter fine-tuning is the most effective technique for ensuring the model meets organizational needs. It systematically optimizes the learning process to maximize performance on the specific problem, calibrating accuracy, generalization, and efficiency to the organization's requirements.

Why A is Wrong: A federated accountability model is a governance structure, not a technical method for optimizing AI performance. It addresses how responsibility is distributed, not how the model learns.

Why B is Wrong: Unsupervised learning is a class of ML approaches used when labeled data is unavailable. It does not address optimization of a deep learning model where relevant data is already present.

Why C is Wrong: Data augmentation artificially expands training datasets through transformations—useful when data is scarce. With a large volume of relevant data already available, augmentation provides minimal additional benefit and hyperparameter optimization becomes the more impactful intervention.

Model poisoning attacks target the training data or model parameters to degrade performance or introduce malicious behavior. Supply chain tampering introduces compromised components at vendor or integration stages. Security by design principles require embedding defenses against these threats from the earliest design stages.

Why C is Correct: According to ISACA AAIR security by design guidance, adversarial resilience and data integrity controls address both model poisoning and supply chain tampering at their root. Adversarial resilience training prepares the model to resist maliciously crafted inputs. Data integrity controls—cryptographic signing, provenance tracking, integrity verification—detect tampering in training data and model artifacts across the supply chain. Together, these form the most comprehensive defense against both attack categories.

Why A is Wrong: Data refreshes with checksums detect post-hoc data corruption but do not build adversarial resilience into the model itself. Checksums verify file integrity but cannot prevent poisoning attacks that maintain file integrity while altering data content.

Why B is Wrong: Frequent retraining and bias monitoring address performance drift and fairness but do not specifically protect against deliberate tampering. A retrained model may still be trained on poisoned data if integrity controls are absent.

Why D is Wrong: Data tokenization protects sensitive field values from unauthorized access (a privacy control) but does not address model poisoning or supply chain tampering, which can occur without accessing or exposing the sensitive field values themselves.

AI model procurement for critical business functions requires that the selected model be fit for purpose. An AI model that does not align with the specific use case creates performance, compliance, and risk management failures regardless of its technical sophistication.

Why A is Correct: ISACA AAIR procurement guidance emphasizes use case alignment as the primary vetting criterion. A model optimized for one domain may perform poorly, introduce bias, or generate inaccurate outputs in a different context. For critical business functions, misalignment directly translates to operational risk, decision errors, and potential harm. Use case fit determines whether all other evaluation criteria are even relevant.

Why B is Wrong: Dataset size is a technical characteristic that may indicate breadth of training but does not determine suitability for a specific use case. A large general-purpose dataset may be less relevant than a smaller, domain-specific one.

Why C is Wrong: Industry certifications validate security controls and quality management processes. While useful supplementary evidence, they do not confirm that a model performs appropriately for the organization's specific application.

Why D is Wrong: Emphasis on innovation reflects vendor marketing positioning. For critical business functions, proven suitability and alignment with use cases outweighs novelty or innovation claims.

AI governance depends on the ability of stakeholders to understand, audit, and oversee AI model decisions. Explainability is the technical and documentation property that enables this oversight. When model cards fail to adequately document explainability, the entire governance chain is compromised.

Why B is Correct: According to ISACA AAIR, inadequate explainability in model documentation is the greatest governance risk because it prevents risk practitioners, auditors, regulators, and business owners from understanding why a model produces its outputs. Without explainability, discriminatory or erroneous decisions cannot be identified, challenged, or corrected. This undermines accountability, compliance, and responsible AI governance at the enterprise level.

Why A is Wrong: Regulatory filing delays represent a compliance timing issue that can be remediated. While risky, they do not fundamentally compromise the governance capability of understanding and overseeing AI behavior.

Why C is Wrong: Decentralized version control creates configuration management challenges and audit trail gaps. These are significant but can be remediated through governance process improvements. Explainability gaps affect the underlying ability to govern the model itself.

Why D is Wrong: Overly detailed technical specifications represent a documentation quality issue that may reduce usability but does not create a governance risk. Excessive detail is easily distilled; absent explainability cannot be reconstructed after the fact.

Chatbot accuracy in customer service depends on correctly identifying customer intent and generating appropriate responses. Both intent classification accuracy and training data quality directly determine chatbot performance over time.

Why D is Correct: According to ISACA AAIR model performance management guidance, measuring intent-classification error rates provides precise diagnostic information about where the chatbot misunderstands customer inquiries, while refining training datasets based on those errors continuously improves classification accuracy. This closed-loop approach—measure specific errors, improve the underlying data that drives them—is the most effective mechanism for sustained high accuracy.

Why A is Wrong: Increasing model temperature increases output randomness and diversity, which is counterproductive for accuracy in customer service contexts where consistent, precise answers are required. Precision and recall provide useful metrics but increased temperature actively undermines accuracy.

Why B is Wrong: Vendor benchmarking compares performance against generic standards. Customer service chatbots must be optimized for the specific organization's terminology, products, and customer base—generic thresholds may not capture the accuracy requirements of a specific deployment.

Why C is Wrong: Explainable AI techniques improve decision transparency but do not directly enhance classification accuracy. Code reviews address software quality, not the model's ability to accurately interpret customer intent.

Credit scoring AI systems make high-stakes financial decisions that directly affect individuals' access to credit. Post-implementation review for such systems must confirm that the system performs within ethical, legal, and regulatory boundaries—particularly regarding fairness and explainability.

Why B is Correct: According to ISACA AAIR post-implementation review guidance for high-stakes AI, confirming explainability and fairness is the most critical review element for credit scoring systems. Anti-discrimination laws (Equal Credit Opportunity Act, Fair Housing Act) require that credit decisions be explainable and not discriminatory. Fairness testing detects whether the system produces disparate outcomes across demographic groups, while explainability ensures individual decisions can be justified if challenged.

Why A is Wrong: Access token logging is a security audit trail mechanism. While important for access governance, it does not address the primary regulatory and ethical obligations of a credit scoring system regarding decision quality and fairness.

Why C is Wrong: Stakeholder communication of performance metrics is a governance reporting activity. Metric communication does not confirm the system is making fair, explainable decisions—it only reports on performance indicators.

Why D is Wrong: User ease of learning and use is a user experience and adoption concern. System usability does not determine whether credit scoring decisions are accurate, fair, or legally compliant—which are the primary post-implementation concerns.

Bias in AI models often originates from training data that does not represent the full population the model will serve. Underrepresentation of demographic groups in training data causes the model to perform poorly for those groups, producing discriminatory outcomes in high-stakes decisions like credit scoring.

Why B is Correct: The ISACA AAIR bias and fairness guidance identifies expanding training data coverage as the most effective mitigation for representation bias. Defining specific inclusivity goals ensures the data expansion targets the identified gaps, while broadening data sources introduces representative examples from underrepresented groups. This addresses the root cause—training data deficiency—rather than symptoms.

Why A is Wrong: Model drift reporting detects changes in model behavior over time but does not address existing representational bias embedded in the current model. Monitoring an already-biased model cannot remediate the bias.

Why C is Wrong: Notifying stakeholders of potential inaccuracy is a transparency measure but does not reduce harm to affected individuals. Disclosure of bias without remediation is insufficient under anti-discrimination regulations.

Why D is Wrong: Unsupervised learning can identify hidden patterns but cannot introduce the missing representative data needed to train an unbiased model. Discovering discriminatory patterns in existing data does not resolve the underlying data coverage gap.

Data minimization is a privacy principle requiring that personal data be processed only to the extent necessary for the specified purpose. When training AI models, this means reducing the identifiability of personal data while preserving its statistical utility for model training.

Why D is Correct: According to ISACA AAIR data privacy guidance, pseudonymization directly supports data minimization by replacing identifying attributes with artificial identifiers, allowing the model to train on statistically representative data without processing full personal identifiers. This satisfies minimization requirements under frameworks like GDPR while maintaining training data utility—the specific challenge of AI model development with personal data.

Why A is Wrong: Data Loss Prevention prevents unauthorized transmission of data but does not reduce the amount of personal information contained in training datasets. DLP addresses data exfiltration risk, not data minimization compliance.

Why B is Wrong: Role-based access control restricts who can access the training data but does not reduce the volume or identifiability of personal information in the dataset. RBAC addresses access risk, not data minimization.

Why C is Wrong: Data encryption protects data confidentiality in storage and transit but does not remove or obfuscate personal identifiers from training data. Encrypted personal data is still personal data under privacy law.

Risk scenario development in AI requires that scenarios be grounded in organizational context, business processes, and actual threat landscapes. Risk scenarios must reflect the specific systems, data flows, and stakeholder concerns relevant to the organization.

Why D is Correct: According to the ISACA AAIR Study Guide, engaging key stakeholders is the cornerstone of effective risk scenario development. Stakeholders bring domain knowledge, business context, and awareness of operational dependencies that technical practitioners may lack. This collaborative approach ensures scenarios address real-world consequences, organizational risk appetite, and business-critical functions—making them actionable and relevant.

Why A is Wrong: Adversarial testing in a sandbox validates controls but does not by itself produce contextually relevant risk scenarios. It is a technical activity, not a scenario development process.

Why B is Wrong: Peer benchmarking provides useful threat intelligence but cannot replace stakeholder engagement. Industry peer data may not reflect the organization's specific AI architecture or risk tolerance.

Why C is Wrong: Data flow diagrams are useful supporting artifacts but describe technical pathways rather than capturing the organizational and business context required for relevant risk scenarios.

Model drift occurs when the statistical relationship between model inputs and outputs changes over time, causing previously accurate predictions to become less reliable. Regular retraining with updated, relevant data recalibrates the model to current real-world patterns.

Why A is Correct: According to ISACA AAIR model maintenance guidance, regular retraining with new relevant datasets is the most direct mitigation for model drift. By periodically retraining on current data, the model learns the latest patterns and relationships—counteracting the drift that accumulates as real-world conditions diverge from the original training data. This is the standard industry practice for maintaining production AI models in dynamic environments.

Why B is Wrong: Restricting automated data validation to low-risk models creates a governance double standard that leaves high-risk models more vulnerable. If anything, high-risk models require more rigorous automated validation, not less. This approach increases rather than mitigates drift risk for critical applications.

Why C is Wrong: Maintaining existing dataset variance during preprocessing preserves statistical characteristics from a historical snapshot. If drift has occurred in real-world data, deliberately maintaining old variance levels prevents the model from adapting to new conditions.

Why D is Wrong: Role-based access controls protect model parameters and data from unauthorized modification. While important for security, access controls do not address model drift, which is driven by changing real-world conditions rather than unauthorized changes.

Third-party LLMs process organizational data—including sensitive and proprietary information—during both training and inference. The vendor's data handling practices determine whether the organization's data remains private, secure, and compliant with legal obligations.

Why D is Correct: According to ISACA AAIR third-party risk guidance, data handling practices are the most critical evaluation criterion for AI vendors. How the vendor uses input data—whether for model training, analytics, or retention—directly determines data privacy risk, intellectual property exposure, and regulatory compliance. Vendors who train on customer input data without restriction create significant privacy and confidentiality risks.

Why A is Wrong: SLA alignment with corporate strategy addresses availability and performance obligations. While important, these commercial terms do not address the fundamental data risk created by vendor data handling practices.

Why B is Wrong: ML method selection reflects technical sophistication but does not determine data risk. The risk profile is driven by data governance, not algorithmic choice.

Why C is Wrong: Subscription models represent commercial and procurement considerations. Pricing structure has no bearing on data privacy risk or the organization's risk exposure from vendor data practices.