Domain 1 Overview — AI Governance & Program Management
AI governance is the foundation of the AAISM certification, accounting for approximately 31% (~28 questions) of the 90-question exam. This domain tests your ability to design, implement, and maintain AI governance programs that align with international frameworks, satisfy regulatory requirements, and protect organizational stakeholders. Mastery here means understanding who governs AI, what rules apply, and how policies enforce accountability.
AI Governance Structures
A governance charter defines AI scope, authority, and accountability. The AI steering committee drives strategy; the AI ethics board adjudicates fairness disputes; the CISO/AI Security Officer owns technical risk. Board-level oversight ensures C-suite accountability via the Chief AI Officer (CAIO) role.
NIST AI RMF 1.0
The four core functions — Govern, Map, Measure, Manage — create a lifecycle approach to AI risk. Govern sets context; Map identifies AI risks; Measure quantifies likelihood and impact; Manage selects and applies risk responses. The framework aligns with NIST CSF 2.0 and the EU AI Act.
ISO/IEC 42001 & 23894
ISO/IEC 42001:2023 is the first international AI management system standard — a PDCA-based framework analogous to ISO 27001 for AI. ISO/IEC 23894 provides AI-specific risk management guidance. Both integrate with existing GRC and ISMS programs.
EU AI Act & Regulatory Landscape
The EU AI Act (2024) classifies AI by risk tier: Unacceptable → High → Limited → Minimal. High-risk AI requires conformity assessments and CE marking. The EU AI Office enforces compliance. GDPR Article 22 grants rights against automated decision-making. US EO on AI (Oct 2023) mandates safety standards and watermarking for frontier models.
AI Policies & Procedures
Core policies include: AI Security Policy (scope, principles, enforcement), Acceptable Use Policy (shadow AI controls), AI Procurement Policy (security review before adoption), AI Ethics Policy (bias, fairness), and AI Transparency Policy (disclosure obligations). Policies must align with corporate risk appetite.
Stakeholder Management
Internal stakeholders include the board, C-suite, IT, legal, HR, and compliance. External stakeholders include regulators, customers, partners, and the public. Transparency reports and AI impact disclosures build trust. Balancing innovation against risk requires structured dialogue with the tone set from the top.
Key AI governance frameworks at a glance — a frequent exam comparison target.
| Framework / Standard | Issuer | Primary Purpose | Key Structure | Regulatory Force |
|---|---|---|---|---|
| NIST AI RMF 1.0 | NIST (US) | AI risk management lifecycle | Govern · Map · Measure · Manage | Voluntary (US); aligns with EU AI Act |
| ISO/IEC 42001:2023 | ISO/IEC | AI management system (AIMS) | PDCA cycle, clauses 4–10 | Voluntary; certifiable standard |
| ISO/IEC 23894:2023 | ISO/IEC | AI risk management guidance | Risk identification, analysis, treatment | Voluntary guidance |
| EU AI Act (2024) | European Union | Legal AI risk classification | 4 risk tiers + prohibited uses | Mandatory for EU market |
| OECD AI Principles | OECD | International AI values baseline | 5 principles (growth, human-centered, transparency, robustness, accountability) | Political commitment |
| NIST CSF 2.0 | NIST (US) | Cybersecurity for AI systems | Govern · Identify · Protect · Detect · Respond · Recover | Voluntary; widely adopted |
| Singapore AI Governance Framework | IMDA / Singapore | Practical AI governance for businesses | Internal governance, risk assessment, ops management | Voluntary guidance |
AI Governance Structures & Charters
An AI governance charter is the foundational document that formally establishes an organization's AI governance program. It defines the program's scope (which AI systems are covered), grants authority for oversight bodies, and assigns accountability for AI outcomes.
RACI Matrix for AI Governance
A RACI matrix clarifies roles across AI initiatives to prevent accountability gaps:
| Role | R – Responsible | A – Accountable | C – Consulted | I – Informed |
|---|---|---|---|---|
| AI Security Officer | Day-to-day security controls | AI risk posture | Architecture reviews | Incident status |
| Data Science Team | Model development | Bias testing methods | Policy updates | |
| Legal / Compliance | Regulatory compliance | Contract review | Audit findings | |
| Board / Audit Committee | Organizational AI risk appetite | Quarterly AI risk reports | | |
| Business Unit Leaders | Business case for AI use | Requirements gathering | Deployment decisions | |
Governance Bodies
AI Steering Committee
- Cross-functional body chaired by the CAIO or CTO
- Sets AI strategy, prioritizes AI investments, governs AI portfolio
- Reviews major AI initiatives for risk/return alignment
- Meets quarterly (minimum) to review AI program metrics
AI Ethics Board
- Adjudicates ethical disputes about AI system behavior
- Includes external independent members (ethicists, civil society)
- Reviews high-risk AI for fairness, bias, and societal impact
- Issues ethical guidelines and escalation procedures
CISO / AI Security Officer
- Owns AI security policy and technical controls
- Manages AI-specific threat modeling and incident response
- Reports AI security risk metrics to the steering committee
- Coordinates with legal on regulatory notification obligations
Chief AI Officer (CAIO)
- Emerging C-suite role mandated by US EO on AI for federal agencies
- Accountable for enterprise AI strategy, ethics, and governance
- Bridges technical AI teams and board-level oversight
- Key interface for external regulators and auditors
Industry Frameworks in Detail
NIST AI RMF 1.0 — The Four Core Functions
| Function | Purpose | Key Activities |
|---|---|---|
| GOVERN | Sets organizational context and culture for AI risk | Define AI risk appetite; establish policies; assign RACI; set up AI RMF governance structure |
| MAP | Categorizes AI systems and identifies AI risks | AI system inventory; stakeholder identification; context documentation; risk identification |
| MEASURE | Analyzes and quantifies AI risks | Bias evaluation; performance metrics; impact analysis; trustworthiness assessment |
| MANAGE | Prioritizes and treats AI risks | Risk response selection; residual risk acceptance; monitoring; continuous improvement |
ISO/IEC 42001:2023 — AI Management System
The first international certifiable AI standard. It follows the high-level structure (HLS) harmonized with ISO 27001 and ISO 9001, enabling integration into existing management systems.
- Clause 4: Context of the organization (AI system scope, interested parties)
- Clause 5: Leadership (top management commitment, AI policy, CAIO role)
- Clause 6: Planning (AI risk and opportunity assessment, objectives)
- Clause 7: Support (resources, competence, communication, documented information)
- Clause 8: Operation (AI system lifecycle controls, responsible AI practices)
- Clause 9: Performance evaluation (monitoring, internal audit, management review)
- Clause 10: Improvement (nonconformity, corrective action, continual improvement)
OECD AI Principles (5 Principles)
- Inclusive growth & sustainable development — AI should benefit people and the planet
- Human-centered values & fairness — respect rule of law, human rights, democratic values
- Transparency & explainability — stakeholders should understand AI decisions
- Robustness, security & safety — AI systems must be safe, secure, and resilient
- Accountability — actors are responsible for AI systems and their outcomes
Regulatory Landscape
EU AI Act (2024) — Risk Tiers
| Risk Tier | Definition | Examples | Requirements |
|---|---|---|---|
| Unacceptable Risk | Prohibited — fundamental rights violation | Social scoring by governments; real-time biometric surveillance in public spaces; subliminal manipulation | Banned outright |
| High Risk | Significant potential harm — regulated | AI in hiring, credit scoring, critical infrastructure, medical devices, law enforcement, border control | Conformity assessment, CE marking, registration in EU database, human oversight |
| Limited Risk | Transparency obligations only | Chatbots, deepfakes, emotion recognition | Must disclose AI nature to users |
| Minimal Risk | No specific obligations | AI spam filters, AI-enabled video games, recommendation systems | Voluntary code of practice |
GDPR & AI Decision-Making
- Article 22: Individuals have the right not to be subject to purely automated decisions that produce legal or significant effects
- Right to explanation: Controllers must provide meaningful information about the logic of automated decisions
- Data minimization: AI training data must be limited to what is necessary for the stated purpose
- Purpose limitation: Data collected for one purpose cannot be repurposed for AI training without legal basis
US Executive Order on AI (October 2023)
- Requires developers of frontier AI models to report safety test results to the US government
- Mandates NIST to develop standards for AI red-teaming and safety evaluations
- Establishes watermarking requirements for AI-generated content
- Requires federal agencies to designate a Chief AI Officer (CAIO)
- Directs agencies to protect citizens' rights from AI-related risks
Sector-Specific Regulations
- FDA: Medical AI/ML-based Software as Medical Device (SaMD) — premarket approval, locked vs. adaptive AI requirements
- SEC / FINRA: AI in financial advice, algo trading — suitability obligations, explainability requirements, market manipulation risks
- China AI Governance: Regulations on deep synthesis (deepfakes), recommendation algorithms, generative AI — mandatory registration and labeling
- Singapore AI Governance Framework: Voluntary two-part framework — internal governance and human-centric AI principles; AI Verify toolkit for assessment
AI Strategies, Policies & Procedures
Core AI Policy Portfolio
| Policy | Scope | Key Elements | Risk Addressed |
|---|---|---|---|
| AI Security Policy | All AI systems in scope | Principles, roles, controls, enforcement, review cycle | Unauthorized access, model theft, adversarial attacks |
| Acceptable Use Policy (AUP) | Employee AI tool usage | Approved tools list, shadow AI prohibition, data classification in prompts | Shadow AI, data leakage to external LLMs |
| AI Procurement Policy | Vendor AI tool acquisition | Security review checklist, due diligence criteria, contract requirements | Unvetted AI introducing supply chain risk |
| AI Ethics Policy | AI development lifecycle | Bias testing requirements, fairness metrics, non-discrimination standards | Discriminatory AI outcomes, regulatory sanctions |
| AI Transparency Policy | AI interactions with external parties | Disclosure obligations, explainability requirements, audit trail | Regulatory non-compliance, trust erosion |
Shadow AI Risk
Shadow AI refers to employees using unauthorized AI tools (e.g., personal ChatGPT accounts, consumer AI assistants) for work tasks without organizational knowledge or approval. Risks include:
- Confidential data submitted to external LLM providers, potentially used for training
- Compliance violations when regulated data (PII, PHI, financial data) is processed externally
- Inconsistent output quality and unvetted AI decisions influencing business processes
- Bypassing data loss prevention (DLP) and access controls
Aligning Policy with Risk Appetite
AI policies must reflect the organization's documented risk appetite. A conservative risk appetite requires more restrictive AI policies (e.g., prohibiting generative AI in customer-facing contexts), while an innovation-focused appetite may permit broader AI use with compensating controls. The AI steering committee formally approves risk appetite statements for AI.
Stakeholder Considerations
Internal Stakeholder Map
| Stakeholder | Primary AI Concern | Communication Need |
|---|---|---|
| Board of Directors | Strategic risk, fiduciary duty, reputation | Quarterly AI risk dashboard; material AI incidents |
| C-Suite (CEO, CFO, CISO) | Business impact, regulatory exposure, cost | Monthly AI program health metrics |
| Legal & Compliance | Regulatory obligations, liability | Regulatory change alerts; audit readiness status |
| HR | Workforce impact, AI in hiring, employee rights | AI use in HR processes; bias testing results |
| Business Units | Efficiency gains, competitive advantage | Approved AI tools; approved use cases |
| IT / Security | Integration security, data flows, access control | Technical AI security standards; incident response |
Building AI Security Culture
- Tone from the top: Board and C-suite visibly champion responsible AI, setting behavioral norms
- Role-based AI training: Tailored awareness programs for developers, business users, and executives
- Clear escalation paths: Employees know how to report AI concerns without fear of retaliation
- Incentive alignment: Performance reviews reward responsible AI use, not just AI-driven results
- Transparency reports: External AI transparency reports build public trust and demonstrate accountability
Six proven mnemonics to lock in the most testable AAISM governance concepts.
NIST AI RMF — "Good Maps Measure Margins"
The four functions of the NIST AI Risk Management Framework in order: Govern, Map, Measure, Manage. Think of a project manager who first sets the rules (Govern), then surveys the terrain (Map), takes measurements (Measure), then manages the project (Manage). The phrase "Good Maps Measure Margins" captures all four words.
Govern · Map · Measure · Manage
EU AI Act Risk Tiers — "Uncle Henry Loves Mondays"
The four EU AI Act risk tiers from most to least severe: Unacceptable, High, Limited, Minimal. Unacceptable AI is flat-out banned; High-risk requires conformity assessments and CE marking; Limited requires transparency disclosure; Minimal has no specific obligations. "Uncle Henry Loves Mondays" = Unacceptable, High, Limited, Minimal.
Unacceptable · High · Limited · Minimal
OECD AI Principles — "I Have Three Really Accountable Friends"
The five OECD AI Principles: Inclusive growth, Human-centered values, Transparency, Robustness, Accountability. In "I Have Three Really Accountable Friends", "Three" stands in for Transparency (the T) and "Friends" is filler; the initials IHTRA give the order. Alternatively, just remember the letters IHTRA.
Inclusive · Human-centered · Transparency · Robustness · Accountability
RACI Roles — "Really Accountable? Consult Informants"
RACI stands for Responsible (does the work), Accountable (owns the outcome — only one per task), Consulted (provides input before decisions), Informed (notified of outcomes). The phrase "Really Accountable? Consult Informants" walks through all four roles and emphasizes the key exam point: there is only ONE accountable party per task.
Responsible · Accountable · Consulted · Informed
ISO 42001 vs ISO 23894 — "42 Manages, 23 Guides"
ISO/IEC 42001 is the AI Management System standard — it tells you how to build and certify an AIMS (like ISO 27001 for security). ISO/IEC 23894 provides Risk Management Guidance — it's advisory, not certifiable. "42 Manages, 23 Guides": the higher number manages the system; the lower number guides your risk thinking. Both published in 2023.
42001 = Management System · 23894 = Risk Guidance
Shadow AI — "Unseen Tools, Unseen Risks"
Shadow AI = employees using unauthorized AI tools outside organizational controls. The exam loves testing the AUP (Acceptable Use Policy) as the primary control. Key risks: data leakage to external LLMs, compliance violations (GDPR, HIPAA), bypassing DLP controls. The fix is a clear AUP + approved tools list + monitoring — not outright prohibition alone, as that drives shadow AI underground.
Shadow AI → AUP + Approved Tools + Monitoring
AI Steering Committee: Sets AI strategy and portfolio priorities; chaired by CAIO or CTO; focuses on business value, investment, and cross-functional coordination. The Ethics Board has a normative role; the Steering Committee has a strategic/operational role.
- Watermarking (US EO on AI): AI-generated content must carry authentication watermarks to enable identification.
- NIST standards (US EO on AI): NIST was directed to develop AI red-teaming and safety evaluation standards for frontier models.
🏛️ Governance Structures — Study Tips
Master the RACI Rule First
The most common exam trap is assigning multiple "Accountable" parties. Drill this: only ONE person can be accountable per task. Responsible parties do the work; Accountable owns the outcome. Consulted are SMEs who provide input; Informed are notified but not involved in decisions.
Know Which Body Does What
The exam will present governance scenarios and ask which body acts. Ethics Board = ethical disputes + external members. Steering Committee = strategy + portfolio. CISO/AI Security Officer = technical risk + security controls. Board = risk appetite + fiduciary oversight. Don't mix these up.
Understand the Charter's Purpose
The AI governance charter is the why and who document, not the how. It establishes scope, authority, and accountability — it does not contain technical procedures or model specifications. Questions asking "what belongs in a governance charter" should focus on authority grants and accountability assignments, not technical details.
Link CAIO to the US EO
The Chief AI Officer (CAIO) role gained formal recognition through the US Executive Order on AI (Oct 2023), which mandated federal agencies designate a CAIO. Expect questions that test whether you know the CAIO is the strategic AI accountability role, not just a technical role.
📋 Frameworks & Standards — Study Tips
Memorize NIST AI RMF in Order
The four functions — Govern, Map, Measure, Manage — appear in exam questions testing which function applies to a given scenario. "Govern" sets context; "Map" identifies AI risks in a specific context; "Measure" quantifies them; "Manage" treats them. Use "Good Maps Measure Margins" to anchor the sequence.
ISO 42001 vs 23894 — Never Confuse These
42001 = certifiable management system (like ISO 27001 structure). 23894 = guidance only, not certifiable. The exam will offer both as plausible answers. Key distinguisher: can you get certified against it? Only 42001. Both were published in 2023, so year won't help you differentiate.
OECD Principles as Ethics Baseline
The five OECD AI Principles (Inclusive growth, Human-centered, Transparency, Robustness, Accountability) represent the international political baseline that many national AI regulations reference. They are not legally binding but signal direction. Questions may ask which principle covers a specific AI requirement (e.g., explainability = Transparency; resilience = Robustness).
Understand Framework Alignment
The NIST AI RMF is designed to align with the EU AI Act — the Govern function maps to EU AI Act governance requirements. NIST CSF 2.0 added "Govern" as its new sixth function specifically to handle AI and supply chain governance. Questions may test cross-framework alignment rather than individual frameworks in isolation.
⚖️ Regulatory Compliance — Study Tips
Know the EU AI Act Tier Examples Cold
Memorize examples for each tier: Unacceptable = social scoring, real-time biometric ID in public, subliminal manipulation; High = hiring AI, credit scoring, medical devices, critical infrastructure; Limited = chatbots, deepfakes; Minimal = spam filters, AI games. Wrong tier assignment = wrong answer every time.
GDPR Art. 22 Is About Automated Decisions
Article 22 is often tested with AI scenarios. The key trigger: a decision is (1) solely automated, (2) produces legal or similarly significant effects. When both are true, the data subject has the right to human review, explanation, and contest. Don't confuse Art. 22 with general data processing consent rules.
US EO on AI — Three Core Mandates
Safety test reporting to government; AI-generated content watermarking; NIST directed to build red-teaming standards. Also: federal agencies must designate a CAIO. Exam questions may present these mandates and ask which applies to frontier model developers specifically (safety reporting + watermarking).
Sector Regulations — Focus on FDA and Finance
For FDA: know the "locked vs. adaptive" AI distinction — adaptive AI that changes after deployment requires new premarket submissions. For SEC/FINRA: suitability obligations mean AI recommendations must match customer risk profiles, and explainability is required for algorithmic trading patterns. These details appear in domain-specific compliance questions.
📝 AI Policies — Study Tips
Know Each Policy's Primary Risk Target
Policy questions often describe a scenario and ask which policy applies. AI Security Policy → unauthorized access/model theft. AUP → shadow AI/data leakage. Procurement Policy → unvetted third-party AI risk. Ethics Policy → bias/fairness. Transparency Policy → disclosure obligations. Match scenario symptoms to the right policy.
AUP Is the Answer for Shadow AI Questions
Whenever a question describes an employee using an unauthorized AI tool, the primary control answer is the Acceptable Use Policy (AUP) — not a firewall, not a training program, not an ethics policy. The AUP explicitly prohibits unauthorized tools. Monitoring and DLP are compensating controls, but AUP is the governance foundation.
Policy Must Align with Risk Appetite
A key exam principle: AI policies are not one-size-fits-all. A conservative organization's AI policy will restrict generative AI in customer communications; an innovation-focused company may permit it with compensating controls. Risk appetite, documented by the AI steering committee, drives policy permissiveness — not technical capability alone.
AI Procurement Policy vs. Security Policy
Procurement Policy applies before adoption — it governs the security review and due diligence process before an AI tool is approved for use. Security Policy applies after adoption — it governs ongoing controls over approved AI systems. Questions about "vetting a new AI vendor" point to Procurement Policy, not Security Policy.
👥 Stakeholder Management — Study Tips
Match Stakeholder to Their AI Concern
The board cares about strategic risk and reputation, not technical details. Legal cares about regulatory exposure and liability. HR cares about AI in employment decisions and workforce impact. Business units care about efficiency and competitive advantage. Questions will describe a stakeholder's concern and ask the right communication approach — match the concern to the stakeholder type.
"Tone from the Top" Is Always Correct for Culture
Questions about building an AI security culture almost always involve "tone from the top" — board and C-suite visibly championing responsible AI. This is the AAISM-endorsed starting point for culture change. Technical controls and training programs are secondary if leadership doesn't model the behavior first.
External Stakeholders Include Regulators
Don't limit "stakeholders" to internal roles. Regulators (EU AI Office, FDA, SEC), customers, business partners, and the general public are all external AI stakeholders. AI impact disclosures and transparency reports are primary communication mechanisms for external stakeholders. These are mandatory for High-risk AI under the EU AI Act.
Innovation vs. Risk Tension Is a Governance Test
Exam scenarios often present business pressure to deploy AI quickly against security/compliance risk. The governance answer is structured stakeholder dialogue: escalate to the AI steering committee, document the risk acceptance decision, and obtain formal approval from the accountable executive — not a unilateral decision by the business unit or by IT security alone.
Authoritative sources for AAISM Domain 1 exam preparation — frameworks, regulations, and practice.
NIST AI Risk Management Framework (AI RMF 1.0)
The authoritative NIST publication covering all four functions — Govern, Map, Measure, Manage — with the AI RMF Playbook for practical implementation guidance.
airc.nist.gov
ISO/IEC 42001:2023 — AI Management Systems
The first international certifiable AI management system standard. Available via ISO.org. Understanding the clause structure (4–10) is sufficient for exam purposes; full text purchase is optional.
iso.org
EU AI Act — Official Text & EU AI Office
The complete EU AI Act text and guidance from the EU AI Office. Focus on the risk classification annexes and Articles 6–15 covering high-risk AI system obligations and conformity assessment procedures.
European Commission
ISACA AAISM Exam Candidate Guide
The official ISACA exam guide for AAISM covering the job practice areas, domain weights, and recommended study resources. Required reading before sitting the exam.
isaca.org
OECD AI Principles & AI Policy Observatory
The OECD AI Principles and the OECD AI Policy Observatory tracking global AI regulatory developments. Useful for understanding the international policy landscape tested in Domain 1.
oecd.ai
FlashGenius AAISM Practice Exams
Full-length AAISM practice exams with 90 questions covering all 5 domains. Domain-filtered practice, detailed answer explanations, and performance analytics to target weak areas.