CY0-001 Practice Questions: Securing AI systems Domain
Master the Securing AI systems Domain
Test your knowledge in the Securing AI systems domain with these 10 practice questions. Each question is designed to help you prepare for the CY0-001 certification exam with detailed explanations to reinforce your learning.
Question 1
A security team is fine-tuning an internal code assistant using pull request comments, issue tickets, and developer wiki pages. Some sources can be edited by contractors, and the team is concerned that malicious examples could teach the assistant to recommend insecure code patterns. Which control best reduces this risk?
Correct Answer: A
Correct answer (A): Data poisoning risk is reduced by knowing where training data came from, validating integrity, reviewing questionable sources, and controlling approval into fine-tuning datasets. These controls address the training inputs before they influence model behavior.
Why the other options are wrong:
- Option B: This may appear to dilute bad data, but model size does not provide reliable protection against poisoning.
- Option C: This may reduce one category of output risk, but it does not prevent poisoned examples from entering the dataset.
- Option D: This may limit exposure, but network placement does not address malicious fine-tuning data.
Question 2
A fraud detection model was deployed last night. Since deployment, alerts have dropped sharply. The model registry shows:
- Version: fraud-v8.2
- Validation accuracy: 96.9%
- Approval: Pending
- Artifact signature: Missing
- Source pipeline: experimental-branch
- Previous version: fraud-v8.1, signed, approved, deployed for 42 days
What should the AI security engineer do first?
Correct Answer: B
Correct answer (B): The deployed model lacks approval and artifact signing and came from an experimental branch. Rolling back to the last trusted signed version reduces production risk while the team investigates model provenance, deployment controls, and possible compromise.
Why the other options are wrong:
- Option A: Accuracy is not proof of model integrity or authorized deployment. A high score cannot compensate for missing approval and signature evidence.
- Option C: Retraining before containment and investigation may destroy evidence or introduce poisoned data into a new model.
- Option D: Disabling approval gates would weaken secure MLOps controls and make unauthorized deployments easier.
Question 3
A development team stores an external model API key in a prompt template file so their AI application can call the model during testing. The prompt template is committed to the same repository used by the CI/CD pipeline. What is the best remediation?
Correct Answer: A
Correct answer (A): Secrets should not be embedded in prompts, templates, repositories, logs, training data, or model configuration files. The exposed key should be rotated, and future access should use an approved secrets management mechanism integrated with the application or pipeline.
Why the other options are wrong:
- Option B: This relies on obscurity and does not prevent access by anyone who can read the repository.
- Option C: Token limits affect model output length, not protection of credentials stored in files.
- Option D: A warning is not an effective control for a secret already committed to a shared repository.
Question 4
A team fine-tunes a malware triage model weekly. A recent dataset update shows:
- Dataset: malware-triage-finetune-weekly
- New records: 84,000
- Source: community-submitted samples
- Write access: shared service account
- Hash manifest: not provided
- Reviewer: none
- Observed behavior: model increasingly labels suspicious macros as benign
Which control would BEST reduce the risk shown in this record?
Correct Answer: A
Correct answer (A): The artifact indicates possible data poisoning or unauthorized manipulation: unvalidated community data, shared write access, no manifest, no reviewer, and a suspicious behavior shift. Provenance tracking, integrity checks, least-privilege write access, and review workflows are appropriate controls for training and fine-tuning data integrity.
Why the other options are wrong:
- Option B: More frequent training can spread poisoned or low-quality data faster if ingestion controls remain weak.
- Option C: A larger model does not make untrusted or poisoned labels safe and may still learn malicious patterns.
- Option D: Encryption helps confidentiality, but it does not validate the source or integrity of the ingested data.
Question 5
A team fine-tunes a malware triage model weekly. After a performance drop, the dataset lineage record shows:
- Dataset: triage-finetune-week34
- New records: 18,000
- Sources: analyst-reviewed tickets, community uploads
- Write access: all SOC contractors
- Validation: schema check only
- Label review: skipped due to deadline
Which control would most directly reduce the risk shown?
Correct Answer: A
Correct answer (A): The record shows weak provenance, broad write access, and missing review, which create data poisoning risk. Trusted sources, dataset lineage, validation, review workflows, anomaly checks, and restricted write permissions are key controls for training and fine-tuning data integrity.
Why the other options are wrong:
- Option B: A larger model may not correct malicious or mislabeled data and can still learn poisoned patterns.
- Option C: Deleting lineage reduces accountability and makes investigation harder; lineage should be protected, not removed.
- Option D: A longer training window may hide symptoms but does not validate source integrity or prevent malicious records.
Question 6
A SOC copilot analyzes endpoint alerts and generates remediation scripts for analysts. The organization plans to let analysts run generated scripts from the console. A sample output includes:
- Recommendation: Remove suspected persistence.
- Generated command: delete all scheduled tasks where publisher is unknown; restart host immediately.
- Confidence: 87%
Which control is BEST before allowing use of this feature in production?
Correct Answer: A
Correct answer (A): AI-generated commands can be incorrect, unsafe, or manipulated. Before production use, outputs that cause operational changes should be validated against policy, tested or sandboxed where possible, and approved by a human analyst before execution, especially when the action could disrupt a host.
Why the other options are wrong:
- Option B: A confidence score is not an authorization control and does not prove the command is safe or compliant.
- Option C: Limiting scope to critical-alert endpoints reduces exposure but still allows unvalidated commands to run on production systems.
- Option D: Improving readability may help review, but it does not provide validation, sandboxing, or approval enforcement.
Question 7
An HR chatbot uses retrieval-augmented generation to answer employee policy questions. A standard employee asks, "What severance terms apply to executives?" The retrieval log shows:
- Retrieved chunk 1: /hr/policies/public/severance_overview.pdf
- Retrieved chunk 2: /hr/legal/executive_agreements/CFO_contract.pdf
- Metadata for chunk 2: classification=restricted, allowed_group=HR-Legal
- User group: Employees-General
The chatbot summarizes both documents. What is the BEST control to prevent this exposure?
Correct Answer: A
Correct answer (A): The failure is unauthorized retrieval of restricted content. A RAG system must enforce access control at retrieval time so users only retrieve embeddings, chunks, metadata, and source documents they are authorized to access. Content filtering, disclaimers, or encryption at rest do not stop the application from retrieving content the requesting user is not authorized to see.
Why the other options are wrong:
- Option B: Encryption at rest protects stored data from some unauthorized storage access, but it does not stop the application from retrieving restricted chunks for an authenticated user.
- Option C: A disclaimer may warn users, but it does not prevent disclosure of sensitive source material.
- Option D: Keyword-based refusal is brittle and may block legitimate questions while failing to enforce document-level authorization.
Question 8
A SOC team wants an AI agent to help triage alerts. The proposed agent can read alerts, query asset inventory, create tickets, disable user accounts, and block IP addresses at the firewall. The team wants faster triage but must avoid unsafe autonomous containment. Which design is the best security approach?
Correct Answer: B
Correct answer (B): AI agents should operate with least privilege and explicit boundaries. Read-only investigation and low-impact ticket creation can improve workflow, while high-impact actions such as disabling accounts or changing firewall rules should require human approval or policy checks.
Why the other options are wrong:
- Option A: This may seem efficient, but after-the-fact sampling does not prevent unsafe account or firewall changes.
- Option C: This reduces risk, but it unnecessarily removes useful low-risk tool access needed for triage.
- Option D: This improves speed, but it creates excessive agency and allows privileged changes without safeguards.
Question 9
A company indexes confidential legal and HR documents into a vector database for an internal assistant. The application currently checks user identity only after the model has already retrieved the top matching chunks. Security testing shows users can receive summaries based on documents they are not permitted to open. What should the security team implement FIRST?
Correct Answer: B
Correct answer (B): The main weakness is that unauthorized content is retrieved before the application enforces access. RAG systems must apply authorization at retrieval time, and sensitive embeddings should be protected with access controls, segmentation or tenant separation, minimization, retention controls, and monitoring.
Why the other options are wrong:
- Option A: Encryption at rest protects stored data from storage-level compromise, but it does not prevent the application from retrieving unauthorized chunks for a logged-in user.
- Option C: Embedding dimension is a model design parameter, not an access-control boundary. It does not stop unauthorized retrieval.
- Option D: Better denial wording does not help if restricted content has already been retrieved and used to generate the response.
Question 10
A legal research assistant stores user prompts, generated answers, retrieved document chunks, and embeddings for troubleshooting. The logs include client identifiers and confidential case details. Several developers have broad access to the troubleshooting store. Which action BEST reduces the security and privacy risk while preserving operational support?
Correct Answer: A
Correct answer (A): AI logs, retrieved chunks, and embeddings can contain sensitive information. The best approach preserves supportability while applying access control, data minimization, redaction, monitoring, and retention controls. Encryption alone does not prevent authorized users or workflows from accessing excessive sensitive content.
Why the other options are wrong:
- Option B: Encryption at rest is valuable, but broad developer access still exposes sensitive logs after decryption.
- Option C: Disabling all logging may reduce exposure but harms auditability, incident response, and troubleshooting.
- Option D: A model registry is not the appropriate control for sensitive prompt and retrieval logs.
About CY0-001 Certification
The CY0-001 certification validates your expertise in securing AI systems and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.