CY0-001 Practice Questions: AI governance, risk, and compliance Domain

Correct answer (B): AI-generated output intended for external publication should be reviewed for possible copyright, licensing, confidentiality, or unsupported-claim risks. The prompt references copyrighted characters and brand styles, and the tool does not guarantee originality, so human review and rights review are the best controls before publication.

Why the other options are wrong:
- Option A: Commercial output permission from the tool is relevant, but it does not guarantee that the generated images are original or free of third-party rights issues.
- Option C: Deleting prompt history after publication does not reduce the risk of publishing infringing or license-violating material and may harm auditability.
- Option D: An AI-generated disclaimer may support transparency, but it does not resolve copyright or licensing concerns created by the prompt and output.

Correct answer (B): An AI acceptable-use policy should define approved tools, prohibited data types, user responsibilities, review requirements, and escalation paths before employees submit organizational data to AI services. The summaries contain potentially sensitive customer and security data, and the provider's retention and training-use terms have not been reviewed. Blocking the use until approved tooling and handling rules exist is the best governance response.

Why the other options are wrong:
- Option A: Removing obvious names may reduce some privacy risk, but IP addresses, account IDs, and free-text notes may still identify customers or reveal sensitive operations. It also does not address unapproved tooling or vendor data-use terms.
- Option C: Deleting prompts from a user interface does not prove provider logs, backups, telemetry, derived data, or training copies were deleted. It also does not satisfy governance approval.
- Option D: Security operations data can still be sensitive and subject to contractual, privacy, and confidentiality controls. The purpose does not remove the need for approved AI use.

Correct answer (C): The assistant would process customer data at scale, use CRM data approved only for reporting, retain prompt/output logs indefinitely, and lacks a privacy review and model card. Manual sending reduces some output risk but does not resolve purpose limitation, retention, privacy, or approval gaps. Governance approval should occur before production deployment, especially when personal or confidential customer data is involved.

Why the other options are wrong:
- Option A: Human sending helps reduce autonomous action risk, but it does not resolve missing privacy review, data-use permission, retention limits, or model documentation.
- Option B: Encryption and restricted access protect logs, but they do not address indefinite retention, purpose limitation, or missing approvals.
- Option D: A limited pilot may be possible after review, but revenue pressure does not justify processing customer data with unresolved governance gaps.

Correct answer (B): Human-in-the-loop review is especially important when AI outputs can trigger high-impact security actions such as disabling accounts. AI governance should assign accountable owners and document approval workflows, monitoring obligations, and risk decisions. The artifact identifies high impact, no human approval gate, and no risk owner, so those gaps must be resolved before production.

Why the other options are wrong:
- Option A: Reduced dwell time is valuable, but it does not overcome the identified governance gaps for high-impact automated account disablement.
- Option C: High precision may reduce false positives, but it does not replace ownership, approval records, human oversight, or monitoring for high-impact actions.
- Option D: Disabling all logging may reduce privacy exposure but harms auditability, monitoring, and incident response. The better approach is controlled logging with proper retention and access.

Correct answer (B): The vendor’s default terms conflict with the organization’s stated AI policy for training use, data residency, and retention. The best recommendation is to use the service only after the required opt-out, storage region, and retention controls are contractually or technically in place. Audit logs alone do not satisfy the stated requirements.

Why the other options are wrong:
- Option A: Audit logs support accountability, but they do not resolve prohibited model-improvement use, storage region, or retention conflicts.
- Option C: Shortened summaries may reduce data volume, but they can still contain employee data and do not resolve residency, retention, or training-use issues.
- Option D: Business benefit is relevant to adoption, but it does not override explicit governance and privacy requirements in the AI policy.

Correct answer (C): The monitoring data shows model performance degradation after an ungoverned upstream data change. Model drift and schema changes can create operational and compliance risk in AI-assisted security workflows. The best response is to reduce or pause reliance on the affected prioritization, investigate the schema change, validate or retrain as needed, and process the change through governance before resuming normal use.

Why the other options are wrong:
- Option A: Analyst review helps, but a significant false-negative increase and confirmed malware ranking failures require action rather than continued unchanged use.
- Option B: Disabling alerts hides the governance signal and would undermine monitoring rather than managing the risk.
- Option D: Expanding automation to close alerts would violate the approved use and increase risk when the model is already degrading.

Correct answer (A): The NIST AI RMF manage function involves prioritizing, responding to, monitoring, and documenting risk treatment decisions throughout the AI lifecycle. The monitoring report indicates a potential fairness or impact issue under a prior conditional approval. The best response is to document the issue, assess impact, decide and track risk treatment, and update approval status as needed.

Why the other options are wrong:
- Option B: Overall correctness does not resolve segment-level impact. High aggregate performance can mask fairness or responsible AI issues.
- Option C: Removing the field from reports would reduce transparency and weaken oversight. It does not address the underlying customer impact.
- Option D: Annual accuracy testing alone is weaker than the required fairness monitoring and does not address the current segment-level escalation issue.

Correct answer (C): The stem states a strict requirement that patient call content must remain in the approved region. The vendor's ability to process audio and transcripts in any supported region directly conflicts with that requirement and must be resolved through a data residency commitment before approval. Retention and subprocessors also require review, but the explicit blocking issue is cross-region processing of regulated patient content.

Why the other options are wrong:
- Option A: Retention requires review, especially for patient data, but the stem identifies residency as the required approval condition.
- Option B: Not using customer data for training by default is favorable, not the blocking compliance gap in this scenario.
- Option D: Subprocessors require disclosure and controls, but their use is not as directly conflicting as processing outside the approved region.

Correct answer (B): The prompt included an API token, internal endpoint names, and customer-like request fields in an unapproved public AI tool. Browser deletion does not prove removal from provider systems. The security team should treat the event as a potential exposure, assess vendor retention and data-use terms if possible, rotate or invalidate affected credentials, determine whether regulated or confidential data was included, and handle it through incident and policy processes.

Why the other options are wrong:
- Option A: Deleting browser history or a chat entry does not prove provider-side deletion, and test credentials may still create risk if usable in staging.
- Option C: Local debugging may be acceptable later, but it does not address the exposure that already occurred.
- Option D: Policy updates may be needed after review, but the immediate priority is incident handling and exposure assessment.

Correct answer (A): The RAG system needs governance controls that preserve data lineage, licensing context, and access restrictions at retrieval time. Source metadata, license tags, and user-based filtering help ensure users receive only content they are authorized to access and that the system respects internal-use and restricted-data constraints.

Why the other options are wrong:
- Option B: Improving embeddings may improve relevance, but it does not address unauthorized retrieval or license restrictions.
- Option C: Hiding citations reduces transparency and does not prevent restricted content from being retrieved or disclosed in generated answers.
- Option D: A warning may support policy awareness, but it does not enforce access control or licensing constraints in the RAG workflow.