
Data Controls, Privacy, Ethics & Security Monitoring

AAISM · Domain 3: AI Technologies & Controls · 38% of Exam

Data Governance · Differential Privacy · Fairness · Explainability · AI Monitoring · Bias Controls · GDPR Art. 22


Domain 3C–E: Data Controls, Privacy, Ethics & Security Monitoring

This page completes Domain 3 of the AAISM exam — the largest domain at 38% of all questions. You will master the controls that protect AI training data (data governance, encryption, provenance), the privacy-engineering techniques that embed rights into AI (differential privacy, federated learning, GDPR Art. 22), the ethical frameworks that ensure fairness and explainability, and the operational controls and monitoring pipelines that detect adversarial inputs, concept drift, and model misbehavior in production. These topics appear heavily on the ISACA AAISM exam and require both conceptual understanding and the ability to choose the right control for a given scenario.


Training Data Governance

Establishes quality standards, validation pipelines, and data lineage for AI training datasets. RBAC limits dataset access to authorized data scientists; cryptographic hashing verifies integrity before and after each pipeline stage.


Differential Privacy & Federated Learning

Differential privacy adds calibrated Laplace or Gaussian noise so that individual records cannot be inferred from model outputs or aggregate statistics. Federated learning trains on distributed data without raw records ever leaving the source device or silo.


AI Fairness Metrics

Demographic parity, equalized odds, and calibration are mathematically incompatible objectives when base rates differ across groups — you cannot simultaneously satisfy all three. AAISM candidates must understand the trade-off and choose the appropriate metric for each business context.


Explainability Controls

SHAP (SHapley Additive exPlanations) decomposes model predictions into per-feature contributions. LIME generates locally faithful linear approximations. Both support the GDPR Art. 22 right to explanation for automated decisions affecting individuals.


AI Security Monitoring

Production AI systems require continuous monitoring for concept drift, distribution shift, performance degradation, and adversarial inputs. SIEM integration, immutable audit trails, and automated circuit breakers enable rapid detection and response.


Safety & Hallucination Controls

LLM safety controls include output filtering, toxicity classifiers, and RAG-based grounding to reduce hallucinations. Human-in-the-loop review is mandatory for high-stakes decisions. Confidence thresholds gate low-certainty outputs for human escalation.

Privacy-Preserving ML Techniques — Comparison

Technique | How It Works | Raw Data Shared? | Computation Overhead | Best Use Case
Differential Privacy | Adds calibrated statistical noise to outputs or gradients | No (aggregates only) | Low–Medium | Census-style queries, model training
Federated Learning | Model gradients aggregated; raw data stays local | No (gradients only) | Medium | Mobile devices, hospital networks
SMPC | Parties compute jointly on encrypted shares | No | Very High | Joint analytics between competitors
Homomorphic Encryption | Arithmetic on ciphertext without decrypting | No | Extremely High | Cloud inference on private inputs
Synthetic Data | GAN/VAE generates statistically similar artificial records | No | Medium (training) | Testing, de-identification pipelines
k-Anonymity | Each record matches ≥ k−1 others on quasi-identifiers | Transformed records | Low | Publishing anonymised training sets

AI Bias Types — At a Glance

Bias Type | Origin | Example | Mitigation
Data Bias | Training data under/over-represents groups | Facial recognition trained mostly on lighter skin tones | Re-sample, augment, curate balanced datasets
Algorithmic Bias | Model objective or architecture amplifies disparity | Loss function penalizes minority errors less | Fairness-aware loss functions, regularization
Societal Bias | Historical inequity encoded in labels | Hiring dataset reflects past discriminatory decisions | Counterfactual fairness, proxy removal
Measurement Bias | Different error rates for different groups in ground truth | Medical device less accurate for some demographics | Stratified validation, equalized error analysis

Data Management Controls (Domain 3C)

Training Data Governance

Governance for AI training data extends traditional data management to cover the full lifecycle of dataset creation, curation, and deprecation. Organisations must establish data quality standards that specify acceptable completeness, accuracy, and representativeness thresholds before a dataset is approved for training. Automated validation pipelines run statistical checks (null rate, outlier distribution, class imbalance) at each ingestion stage.

Data Lineage and Provenance

Data lineage tracks the chain of transformations a dataset has undergone from source to model. Data provenance documents the original origin, collection method, consent basis, and legal authority for each dataset. Together they enable forensic investigation when model outputs are challenged and support right-to-erasure requests under GDPR.

Exam tip: Lineage = the transformation path; Provenance = the origin story. Both are required for regulatory compliance audit trails.

Access Controls for Training Data

Role-based access control (RBAC) restricts training dataset access to authorised roles (data scientists, ML engineers). Least privilege means data scientists receive read access to only the specific dataset partitions needed for their current experiment — not the entire data lake. Access logs must be retained and reviewed regularly.

Data Minimization for AI

Organisations should collect only the data attributes necessary for the intended model objective. Excess collection increases privacy risk, regulatory exposure, and breach impact. Data minimization reviews should occur at system design time (Privacy by Design) rather than retroactively.

Anonymisation, Pseudonymisation, and Synthetic Data

  • Anonymisation irreversibly removes identifying information so re-identification is not reasonably possible — GDPR no longer applies to truly anonymised data.
  • Pseudonymisation replaces direct identifiers with tokens; re-identification is possible with the key. GDPR still applies.
  • Synthetic data uses GANs or VAEs to generate statistically representative artificial records with no correspondence to real individuals — useful for testing and sharing without privacy risk.

Data Integrity Controls

Cryptographic hash functions (SHA-256) applied to dataset files detect tampering or corruption. Checksums should be recorded in the data registry at ingestion and re-verified before each training run. Hash mismatch triggers an incident response workflow.

Data Labeling Security

Outsourced annotation introduces label poisoning risk — a malicious annotator intentionally mislabels samples to degrade model accuracy or embed backdoors. Controls include: inter-annotator agreement thresholds, randomised quality audits, honey-pot samples with known correct labels, and restricting annotator access to the full dataset.

Encryption of Training Data and Model Weights

Training datasets and serialised model weights must be encrypted at rest (AES-256) and in transit (TLS 1.3). Key management should follow a FIPS 140-2 validated HSM strategy. Model weights are sensitive intellectual property and should be treated equivalently to source code.


Privacy Controls for AI (Domain 3D — Part 1)

Privacy by Design for AI Systems

Privacy by Design (PbD) embeds privacy protections into AI system architecture from the earliest design phase. The seven foundational principles include: proactive not reactive, privacy as the default setting, privacy embedded into design, full functionality (positive-sum not zero-sum), end-to-end security, visibility and transparency, and respect for user privacy.

GDPR Article 22 — Automated Decision-Making

Art. 22 grants EU data subjects the right not to be subject to decisions based solely on automated processing when those decisions produce legal or similarly significant effects. Organisations must provide:

  • Right to explanation: meaningful information about the logic involved
  • Right to human review: ability to request human oversight
  • Right to contest: ability to challenge the automated decision

Exam trap: Art. 22 applies to decisions based solely on automated processing. A decision with any meaningful human review may fall outside its scope — though DPAs interpret "solely" narrowly.

Data Protection Impact Assessment (DPIA)

A DPIA is mandatory under GDPR Art. 35 when processing is likely to result in high risk to individuals. AI systems that make automated profiling, process special category data, or involve large-scale systematic monitoring typically require a DPIA. The DPIA must: describe the processing, assess necessity and proportionality, identify and mitigate risks, and be conducted prior to deployment.

Differential Privacy

Differential privacy provides a mathematical guarantee: adding or removing any one individual's record changes the probability of any given algorithm output by at most a factor of e^ε. The privacy budget (ε) controls the privacy–utility trade-off: smaller ε means stronger privacy, more noise, and less accurate results. Mechanisms include Laplace (for numeric queries) and Gaussian (for approximate DP).
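The Laplace mechanism and the e^ε bound, as an added worked example (not from the AAISM material): a counting query over a constructed patient-age list, the realised privacy loss between two neighbouring datasets, and a simple sequential-composition budget tracker. The `PrivacyBudget` class and the sample data are assumptions made for the illustration.

```python
import math
import random

# Constructed sample: ages of 12 patients (not real data).
AGES = [34, 71, 29, 66, 80, 45, 52, 68, 39, 73, 61, 25]


def count_over(ages, threshold=65):
    """Counting query. Adding or removing one person changes the answer by at
    most 1, so the query's (L1) sensitivity is 1."""
    return sum(1 for a in ages if a > threshold)


def laplace_noise(scale, rng):
    """Laplace(0, scale) sample using only the stdlib: the difference of two
    i.i.d. exponentials with mean `scale` is Laplace-distributed."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def laplace_mechanism(true_answer, sensitivity, epsilon, rng=None):
    """epsilon-DP release of a numeric answer: noise scale b = sensitivity / epsilon,
    so a smaller epsilon means a wider noise distribution and a less accurate answer."""
    rng = rng if rng is not None else random.Random()
    return true_answer + laplace_noise(sensitivity / epsilon, rng)


def privacy_loss(output, answer_d1, answer_d2, sensitivity, epsilon):
    """Realised privacy loss |ln p1(output) - ln p2(output)| for the Laplace densities
    centred on the true answers of two neighbouring datasets. For Laplace(b) this is
    | |x - mu2| - |x - mu1| | / b, which never exceeds sensitivity / b = epsilon:
    the two output probabilities differ by at most a factor of e^epsilon."""
    b = sensitivity / epsilon
    return abs(abs(output - answer_d2) - abs(output - answer_d1)) / b


def empirical_noise_scale(scale, n=20000, seed=0):
    """Mean |noise| over n draws; for Laplace(0, b) this converges to b, which shows
    how the expected error grows as epsilon shrinks (b = sensitivity / epsilon)."""
    rng = random.Random(seed)
    return sum(abs(laplace_noise(scale, rng)) for _ in range(n)) / n


class PrivacyBudget:
    """Tracks total epsilon spent across releases (basic sequential composition):
    k answers at epsilon_i each consume epsilon_1 + ... + epsilon_k of the budget."""

    def __init__(self, total_epsilon):
        self.total = total_epsilon
        self.spent = 0.0

    def release(self, true_answer, sensitivity, epsilon, rng=None):
        if self.spent + epsilon > self.total + 1e-12:
            raise ValueError("privacy budget exhausted")
        self.spent += epsilon
        return laplace_mechanism(true_answer, sensitivity, epsilon, rng)


if __name__ == "__main__":
    d1 = AGES
    d2 = [a for a in AGES if a != 71]  # neighbouring dataset: one patient removed
    eps = 0.5
    budget = PrivacyBudget(total_epsilon=1.0)
    print("true counts:", count_over(d1), count_over(d2))
    print("noisy count (eps=0.5):",
          round(budget.release(count_over(d1), 1, eps, random.Random(7)), 2))
    # The worst-case realised privacy loss is exactly epsilon, whatever the output.
    print("max privacy loss:", max(privacy_loss(x, count_over(d1), count_over(d2), 1, eps)
                                   for x in range(-20, 30)))
    print("mean |noise| for eps=0.5 vs eps=0.1:",
          round(empirical_noise_scale(1 / 0.5), 2), round(empirical_noise_scale(1 / 0.1), 2))
```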

Federated Learning

In federated learning, a central server distributes a model to edge devices or data silos. Each participant trains locally and sends only gradient updates to the server, which aggregates them (e.g., FedAvg). Raw training data never leaves the local environment. Remaining risks include gradient inversion attacks — mitigated by combining federated learning with differential privacy.

Secure Multi-Party Computation (SMPC)

SMPC enables multiple parties to jointly compute a function over their private inputs without revealing those inputs to each other. Applications include joint fraud scoring across competing banks. Computation overhead is very high; current practice restricts SMPC to small-scale, high-value analytics.

Homomorphic Encryption

Homomorphic encryption allows arithmetic operations directly on ciphertext, producing encrypted results that — when decrypted — equal the result of the same operations on plaintext. Fully homomorphic encryption (FHE) supports arbitrary computation but carries extremely high computational overhead (100–10,000× slower). Practical deployments today are limited to partial or somewhat homomorphic schemes for inference on private inputs.

AI Output Privacy — Memorisation Risk

Large language models and generative models can memorise and regurgitate verbatim training data in outputs — a phenomenon known as training data extraction. Controls include: deduplication of training data, differential privacy during training, membership inference testing before deployment, and output screening for PII patterns.

Cross-Border Data Transfers for AI Training

Transferring personal data outside the EEA for AI training requires a legal transfer mechanism: adequacy decision (e.g., UK, Canada), Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or a derogation. The Schrems II ruling invalidated Privacy Shield and requires organisations to assess whether the destination country's surveillance laws undermine SCC protections.


Ethical, Trust & Safety Controls (Domain 3D — Part 2)

AI Bias and Fairness

Bias in AI systems emerges from three primary sources: the training data, the model objective/algorithm, and the societal context in which labels were created. Disparate impact occurs when a model's outcomes disproportionately harm a protected class, even without explicit use of protected attributes — because proxy variables (zip code, name, browsing history) can encode protected characteristics.

Fairness Metrics — The Impossibility Theorem

Metric | Definition | Mathematical Focus | When to Use
Demographic Parity | Equal positive prediction rates across groups | P(Ŷ=1|A=0) = P(Ŷ=1|A=1) | Allocation decisions (loans, hiring)
Equalized Odds | Equal TPR and FPR across groups | TPR and FPR equal across A | Classification with known labels
Individual Fairness | Similar individuals get similar outcomes | d(x,x') small → d(f(x),f(x')) small | Personalised scoring
Counterfactual Fairness | Outcome unchanged if protected attribute flipped | Causal inference framework | Causal audit of sensitive decisions

Key insight: Chouldechova's impossibility theorem proves that demographic parity, equalized odds, and calibration cannot all be satisfied simultaneously when base rates differ across groups. Organisations must choose which fairness criterion aligns with their legal and ethical obligations.
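The fairness-metric table and the impossibility result above, as an added worked example (not part of the study material): constructed loan decisions for two groups whose base rates of creditworthiness differ, scored for demographic parity, equalized odds and predictive parity (the calibration-style criterion the DEC-I mnemonic below calls "equal precision per score"). The decisions are built so that demographic parity holds exactly, which then forces the other two criteria to fail; the 0.05 audit tolerance is an assumed policy value.

```python
# Constructed loan-decision records: (group, creditworthy, approved). The base rate
# of creditworthiness is deliberately different (80% in A, 40% in B). Sample data only.
RECORDS = (
    [("A", 1, 1)] * 5 + [("A", 1, 0)] * 3 + [("A", 0, 0)] * 2   # A: 5 of 10 approved
    + [("B", 1, 1)] * 4 + [("B", 0, 1)] * 1 + [("B", 0, 0)] * 5  # B: 5 of 10 approved
)


def _ratio(num, den):
    return num / den if den else float("nan")


def group_rates(records, group):
    """Confusion-matrix rates for one value of the protected attribute A."""
    rows = [(y, yhat) for g, y, yhat in records if g == group]
    tp = sum(1 for y, yhat in rows if y == 1 and yhat == 1)
    fp = sum(1 for y, yhat in rows if y == 0 and yhat == 1)
    fn = sum(1 for y, yhat in rows if y == 1 and yhat == 0)
    tn = sum(1 for y, yhat in rows if y == 0 and yhat == 0)
    return {
        "base_rate": _ratio(tp + fn, len(rows)),      # P(Y=1 | A)
        "positive_rate": _ratio(tp + fp, len(rows)),  # P(Ŷ=1 | A)        -> demographic parity
        "tpr": _ratio(tp, tp + fn),                   # P(Ŷ=1 | Y=1, A)  -> equalized odds
        "fpr": _ratio(fp, fp + tn),                   # P(Ŷ=1 | Y=0, A)  -> equalized odds
        "ppv": _ratio(tp, tp + fp),                   # P(Y=1 | Ŷ=1, A)  -> predictive parity
    }


def fairness_gaps(records, group_a="A", group_b="B"):
    """Absolute between-group gaps for the three criteria, plus the base-rate gap
    that drives the impossibility result when it is non-zero."""
    ra, rb = group_rates(records, group_a), group_rates(records, group_b)
    return {
        "demographic_parity": abs(ra["positive_rate"] - rb["positive_rate"]),
        "equalized_odds": max(abs(ra["tpr"] - rb["tpr"]), abs(ra["fpr"] - rb["fpr"])),
        "predictive_parity": abs(ra["ppv"] - rb["ppv"]),
        "base_rate": abs(ra["base_rate"] - rb["base_rate"]),
    }


def fairness_audit(records, tolerance=0.05):
    """Which criteria hold within the tolerance. With differing base rates at most
    one of the three can be made to pass; the organisation must pick and justify it."""
    gaps = fairness_gaps(records)
    criteria = ("demographic_parity", "equalized_odds", "predictive_parity")
    return {name: gaps[name] <= tolerance for name in criteria}


if __name__ == "__main__":
    for g in ("A", "B"):
        print(g, {k: round(v, 3) for k, v in group_rates(RECORDS, g).items()})
    print("gaps ", {k: round(v, 3) for k, v in fairness_gaps(RECORDS).items()})
    print("audit", fairness_audit(RECORDS))
```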

Explainability and Interpretability Controls

  • SHAP (SHapley Additive exPlanations): assigns each feature a contribution value based on cooperative game theory. Consistent, globally applicable. Computationally expensive for large feature sets.
  • LIME (Local Interpretable Model-Agnostic Explanations): generates a locally faithful linear proxy model around a specific prediction. Fast, but local explanations may not generalise.
  • Attention visualisation: shows which input tokens influenced an LLM's output — useful for auditing but does not constitute a causal explanation.
  • Model cards: standardised documentation of a model's intended uses, performance metrics, and fairness evaluation results — required for transparency disclosure.

Human Oversight and Human-in-the-Loop

High-stakes AI decisions (parole, credit denial, medical triage) must include mandatory human review before the decision takes effect. Human-in-the-loop (HITL) means a human approves each decision. Human-on-the-loop (HOTL) means a human monitors and can intervene but decisions are auto-executed — a weaker control appropriate for lower-stakes contexts.

LLM Safety Controls — Hallucination Reduction

  • Retrieval-Augmented Generation (RAG): grounds LLM outputs in verified documents retrieved at inference time, reducing hallucinations on factual questions.
  • Confidence thresholds: outputs below a calibrated confidence score are flagged for human review rather than displayed to end users.
  • Output filtering: post-generation classifiers screen outputs for toxicity, PII, harmful content, and jailbreak artefacts.
  • Constitutional AI / RLHF: reinforcement learning from human feedback aligns model behaviour with safety preferences during training.

Responsible AI Frameworks

  • EU AI Act: risk-based classification (unacceptable, high-risk, limited, minimal). High-risk AI requires conformity assessment, registration in EU database, and human oversight mechanisms.
  • Microsoft Responsible AI: six principles — fairness, reliability & safety, privacy & security, inclusiveness, transparency, accountability.
  • Google PAIR: People + AI Research guidelines emphasising user-centred design, mental model alignment, and error recovery in AI products.
  • NIST AI RMF: four functions — Govern, Map, Measure, Manage — for organisational AI risk management.

AI Ethics Review Boards

An AI ethics review board (or responsible AI committee) provides governance oversight for high-risk AI initiatives. Composition should include technical, legal, ethics, and business representatives. The board reviews DPIAs, fairness audits, and high-risk system approvals, and provides escalation authority to halt deployments that fail ethical criteria.


Security Controls & Monitoring for AI (Domain 3E)

AI-Specific Input/Output Security Controls

  • Input validation: schema enforcement, type checking, and anomaly scoring on inference requests to detect adversarial or malformed inputs.
  • Output sanitisation: stripping sensitive data patterns (PII, credentials) from model outputs before delivery to users.
  • Rate limiting: caps on API inference requests prevent model extraction attacks where adversaries repeatedly query to reconstruct the model.
  • Prompt injection defences: input scanning and instruction hierarchy enforcement for LLMs to prevent user prompts from overriding system instructions.

Model Behaviour Monitoring

Concept drift occurs when the statistical relationship between features and labels changes over time in production, degrading model accuracy. Data distribution shift (covariate shift) occurs when input feature distributions change even if the label relationship is stable. Both require continuous monitoring of prediction distributions, error rates, and feature statistics compared to training baselines.

Adversarial Attack Detection

Adversarial inputs are crafted samples — imperceptible to humans — that cause misclassification. Production monitoring detects adversarial attacks by watching for: unusual input statistics (pixel intensity histograms, token frequency distributions), abnormal confidence scores (very high or very low), and known adversarial pattern signatures. Certified defences include adversarial training and input smoothing.

AI Security Dashboards — Key Metrics

Metric | What It Signals | Alert Threshold Example
Mean prediction confidence | Sudden drop: concept drift or adversarial inputs | >10% drop vs. 7-day baseline
Error rate by subgroup | Fairness degradation or targeted poisoning | >15% disparity vs. baseline
Data quality score | Pipeline corruption or feature engineering errors | Below 95% completeness threshold
Inference latency p99 | Overload attacks or model bloat | >2× baseline latency
Out-of-distribution score | Distribution shift in production inputs | KL divergence > 0.2 vs. training distribution
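The drift and dashboard signals above, as an added worked example (not code from the page): KL divergence and PSI between a training-time feature histogram and a production window, the confidence-drop check against a 7-day baseline, and an evaluator that applies the table's example thresholds to two constructed end-of-day snapshots. The histograms, confidence values and snapshot fields are constructed sample data; the alert names are assumed labels for playbook entries.

```python
import math
from statistics import mean

# Constructed baseline (training) and production histograms of one binned input
# feature, as counts over the same 5 bins. Sample data, not from a real system.
TRAIN_HIST = [400, 300, 150, 100, 50]
PROD_HIST_STABLE = [210, 145, 80, 45, 20]     # roughly the training shape
PROD_HIST_SHIFTED = [90, 120, 150, 160, 180]  # mass has moved to the upper bins

# Constructed daily mean prediction confidence for the previous 7 days.
CONF_BASELINE_7D = [0.91, 0.90, 0.92, 0.89, 0.91, 0.90, 0.90]

# Two constructed end-of-day dashboard snapshots.
HEALTHY_DAY = {
    "conf_baseline_7d": CONF_BASELINE_7D, "conf_today": 0.88,
    "train_hist": TRAIN_HIST, "prod_hist": PROD_HIST_STABLE,
    "err_rate_by_group": {"A": 0.08, "B": 0.10}, "baseline_disparity": 0.02,
    "completeness": 0.98, "latency_p99_ms": 160, "baseline_latency_p99_ms": 150,
}
SUSPECT_DAY = {
    "conf_baseline_7d": CONF_BASELINE_7D, "conf_today": 0.78,
    "train_hist": TRAIN_HIST, "prod_hist": PROD_HIST_SHIFTED,
    "err_rate_by_group": {"A": 0.08, "B": 0.30}, "baseline_disparity": 0.02,
    "completeness": 0.93, "latency_p99_ms": 280, "baseline_latency_p99_ms": 150,
}


def normalise(hist, floor=1e-6):
    """Turn bin counts into probabilities; the floor avoids log(0) for empty bins."""
    total = sum(hist)
    return [max(c / total, floor) for c in hist]


def kl_divergence(train_hist, prod_hist):
    """KL(P_train || Q_prod) in nats: how surprising the production inputs are
    under the training distribution. This is the dashboard's OOD score."""
    p, q = normalise(train_hist), normalise(prod_hist)
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))


def psi(expected_hist, actual_hist):
    """Population Stability Index, a symmetric alternative often used for
    covariate-shift monitoring (common rule of thumb: > 0.25 is a significant shift)."""
    e, a = normalise(expected_hist), normalise(actual_hist)
    return sum((ai - ei) * math.log(ai / ei) for ei, ai in zip(e, a))


def confidence_drop(baseline_7d, today):
    """Relative drop of today's mean confidence against the 7-day baseline mean."""
    base = mean(baseline_7d)
    return (base - today) / base


def evaluate(day):
    """Apply the example alert thresholds from the dashboard table and return the
    names of the signals that fired, in a fixed order, for routing to a playbook."""
    alerts = []
    if confidence_drop(day["conf_baseline_7d"], day["conf_today"]) > 0.10:
        alerts.append("confidence")      # concept drift or adversarial inputs
    errs = day["err_rate_by_group"].values()
    if (max(errs) - min(errs)) - day["baseline_disparity"] > 0.15:
        alerts.append("subgroup_error")  # fairness degradation or targeted poisoning
    if day["completeness"] < 0.95:
        alerts.append("data_quality")    # pipeline corruption or feature engineering error
    if day["latency_p99_ms"] > 2 * day["baseline_latency_p99_ms"]:
        alerts.append("latency")         # overload attack or model bloat
    if kl_divergence(day["train_hist"], day["prod_hist"]) > 0.2:
        alerts.append("ood")             # distribution shift in production inputs
    return alerts


if __name__ == "__main__":
    for name, day in (("healthy", HEALTHY_DAY), ("suspect", SUSPECT_DAY)):
        print(name, "KL=%.3f PSI=%.3f alerts=%s" % (
            kl_divergence(day["train_hist"], day["prod_hist"]),
            psi(day["train_hist"], day["prod_hist"]), evaluate(day)))
```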

AI Audit Trails and Logging

AI systems must log: each inference request (timestamp, user/system ID, input hash, model version), data sources consulted (for RAG systems), and output delivered. Logs must be immutable (write-once, tamper-evident) to support forensic investigation and regulatory compliance. Retention periods should align with data protection law requirements.

SIEM Integration for AI

AI behavioural signals — prediction confidence anomalies, error rate spikes, adversarial input detections — should be fed as structured events into the organisation's SIEM. This enables correlation with other security signals (network anomalies, authentication events) to detect multi-stage attacks and enables SOC analysts to respond to AI-specific incidents through existing playbooks.

Model Watermarking and Intellectual Property Protection

Model watermarking embeds a proprietary identifier (a backdoor trigger that produces a specific output, or statistical fingerprinting of weights) into a trained model. If the model is stolen and re-deployed, the watermark can be activated to prove ownership. This is the AI equivalent of software licence enforcement.

Canary Deployments and Continual Validation

AI canary deployments route a small percentage of production traffic (1–5%) to a new model version while monitoring security properties alongside performance metrics. If anomalies appear, traffic is automatically rerouted to the stable version. Challenger models run in shadow mode alongside the champion model, enabling A/B comparison of security behaviour without user-facing risk.

Automated Response — Circuit Breakers and Rollback

When monitoring detects a defined anomaly threshold breach, automated circuit breakers pause or reroute inference requests, preventing a degraded model from serving harmful outputs at scale. Rollback procedures restore the last known-good model version. Rollback triggers should be pre-defined in an AI incident response playbook and tested during tabletop exercises.

Memory Hooks

Six mnemonics to anchor the most complex AAISM concepts under exam pressure.


Data Governance Controls

PRIMED

Remember the six pillars of training data governance:

Provenance (origin and chain of custody)
RBAC (role-based access for datasets)
Integrity (hash verification / checksums)
Minimization (collect only what's needed)
Encryption (at rest and in transit)
Deletion (secure disposal of sensitive data)

Privacy-Preserving ML Spectrum

D·F·S·H·S·K

Order the techniques as they appear in the comparison table (the first four run from lowest to highest computation overhead; the order is not about how much raw data is shared):

Differential Privacy — add noise
Federated Learning — share gradients only
SMPC — encrypted joint compute
Homomorphic Encryption — arithmetic on ciphertext
Synthetic Data — generate artificial records
K-anonymity — generalise quasi-identifiers
Think: "Data Flows Safely, Homomorphically Synthesised & K-masked"

Fairness Metrics Impossibility

DEC-I

The three incompatible fairness criteria, plus the solution:

Demographic parity — equal positive rates
Equalized odds — equal TPR and FPR
Calibration — equal precision per score
Impossible — all three at once when base rates differ
"You can't DEC-I-de to have all three — pick one and justify it."

GDPR Art. 22 Automated Decisions

EHC

Three rights data subjects have against automated decisions with significant effects:

Explanation — right to meaningful logic information
Human review — right to obtain human intervention
Contest — right to challenge the decision
"Every Human Can contest a robot's ruling."

Also remember: applies to decisions based solely on automated processing with legal or similarly significant effects.

AI Monitoring Signals

CADFE

Five key monitoring signals for production AI security:

Confidence — mean prediction confidence drops
Adversarial — unusual input statistics / OOD scores
Drift — concept drift detected in feature distributions
Fairness — subgroup error rate disparity grows
Error rate — overall accuracy degrades vs. baseline
"CADFE sounds like 'café' — your monitoring dashboard is your morning check."

LLM Safety Controls Stack

GROC

Four layers of hallucination and safety control for generative AI:

Grounding — RAG retrieves verified documents
RLHF — reinforcement learning from human feedback aligns outputs
Output filtering — post-generation toxicity/PII screening
Confidence gating — low-certainty outputs held for human review
"GROC: What you stock the pantry with — what you stock the LLM with."

Practice Quiz

10 exam-style questions covering Domain 3C–E.
Question 1 of 10
A data scientist team wants to build an AI model using patient records from three hospitals. Each hospital's legal team prohibits sharing raw patient data with external parties. Which privacy-preserving technique allows model training without raw data ever leaving each hospital?
Question 2 of 10
Under GDPR Article 22, when must an organisation provide a data subject with the right to obtain human intervention regarding an automated decision?
Question 3 of 10
An organisation discovers that its loan approval AI model has a 30% approval rate for Group A but only an 18% approval rate for Group B, even though both groups have similar creditworthiness. Which fairness metric is being violated?
Question 4 of 10
A security team detects that an adversary has been repeatedly querying an organisation's ML API with slightly perturbed inputs and recording the outputs. What type of attack does this pattern most likely represent?
Question 5 of 10
When is a Data Protection Impact Assessment (DPIA) mandatory under GDPR for an AI system?
Question 6 of 10
An AI model was highly accurate at launch but its performance has gradually degraded over 8 months as real-world data patterns shifted. What monitoring concept describes this phenomenon?
Question 7 of 10
A compliance officer needs to identify which training data features most influenced a specific high-stakes credit denial. Which explainability technique provides feature-level contribution scores grounded in cooperative game theory?
Question 8 of 10
An organisation suspects that its proprietary AI model has been stolen and re-deployed by a competitor. Which technique would allow the organisation to prove ownership of the model in a legal dispute?
Question 9 of 10
During a security assessment, an analyst discovers that repeated queries to an LLM cause it to output verbatim passages from its training data including personal names and contact details. Which vulnerability does this illustrate?
Question 10 of 10
A data governance team is designing a new AI training pipeline for a healthcare system. At what stage should Privacy by Design controls, including data minimization and access restrictions, be implemented?

Flashcards


Flashcard 1 of 8 · Privacy Controls

What is the privacy budget (ε) in differential privacy, and how does its value affect the privacy–utility trade-off?

Answer

The privacy budget ε (epsilon) bounds the maximum log-ratio by which any single record can change the probability of any output. A smaller ε means stronger privacy (more noise added, individual records harder to infer) but lower utility (less accurate results). A larger ε means better accuracy but weaker privacy guarantees. Organisations set ε based on their risk tolerance — typical values range from 0.1 (strong) to 10 (weak).

Flashcard 2 of 8 · GDPR & AI

Under GDPR Art. 22, what three rights must an organisation provide when making automated decisions with significant effects?

Answer

(1) Right to explanation — meaningful information about the logic, significance, and likely consequences of the processing. (2) Right to human review — ability to obtain human intervention to reconsider the decision. (3) Right to contest — ability to challenge the automated decision and have it reconsidered. Art. 22 is triggered when decisions are based solely on automated processing and produce legal or similarly significant effects.

Flashcard 3 of 8 · Fairness

Why is it mathematically impossible to simultaneously satisfy demographic parity, equalized odds, and calibration when base rates differ across groups?

Answer

This is Chouldechova's impossibility theorem. When the base rate (prevalence) of the outcome differs across groups, satisfying all three constraints simultaneously would require the model to produce different probability scores for the same true outcome probability — a mathematical contradiction. Organisations must therefore choose one fairness criterion based on their legal obligations and the harm profile of their use case (e.g., equalized odds for criminal justice, demographic parity for hiring allocation).

Flashcard 4 of 8 · Data Controls

What is data provenance in the context of AI training pipelines, and why is it critical for regulatory compliance?

Answer

Data provenance documents the origin, collection method, consent basis, and legal authority for each training dataset — the "chain of custody" story. It is critical because: (1) GDPR right-to-erasure requires knowing which records trained which models; (2) regulatory audits require proof that data was lawfully obtained; (3) bias investigations need to trace whether protected class data was improperly included; and (4) IP disputes require demonstrating dataset ownership. Contrast with lineage (the transformation path), which documents what happened to the data after ingestion.

Flashcard 5 of 8 · Monitoring

What is concept drift in AI systems, and what monitoring controls detect it in production?

Answer

Concept drift occurs when the statistical relationship between input features and the target label changes over time in production — the model's learned mapping becomes stale. Controls to detect it include: continuous monitoring of prediction confidence distributions and error rates against training baselines; KL divergence or PSI (Population Stability Index) on feature distributions; shadow challenger models that flag when a retrained model outperforms the live champion; and automated alerts when error rate exceeds a threshold (e.g., +15% vs. baseline).

Flashcard 6 of 8 · Security Controls

How does model watermarking work, and what threat does it mitigate?

Answer

Model watermarking embeds a proprietary signature into a trained model — either as a backdoor trigger (a specific input pattern produces a predictable, unusual output) or as statistical fingerprinting of the weight distribution. The signature is secret and does not affect normal model performance. It mitigates model theft/IP theft: if an adversary steals and re-deploys the model, the watermark can be activated by the owner to prove ownership in legal proceedings. It is the AI equivalent of a software licence key embedded in the binary.

Flashcard 7 of 8 · LLM Safety

What is Retrieval-Augmented Generation (RAG), and how does it reduce LLM hallucinations?

Answer

RAG (Retrieval-Augmented Generation) is an architecture that grounds LLM outputs by retrieving relevant documents from a verified knowledge base at inference time and inserting them into the prompt context before generation. The LLM then synthesises answers based on the retrieved evidence rather than relying solely on parametric memory. This reduces hallucinations because the model can cite verifiable source documents rather than generating plausible-sounding but fabricated facts. RAG is a primary control for factual accuracy in enterprise LLM deployments.

Flashcard 8 of 8 · Ethics & Labeling

What is label poisoning in data labeling, and what controls prevent it?

Answer

Label poisoning is a data integrity attack where a malicious annotator intentionally assigns incorrect labels to training samples — either to degrade overall model accuracy or to embed a backdoor trigger that causes the model to misclassify specific targeted inputs. Controls include: inter-annotator agreement (IAA) thresholds (labels must match across multiple independent annotators); honey-pot samples (known-correct samples mixed in to test annotator reliability); randomised quality audits of completed annotation batches; and least-privilege access to prevent annotators from seeing the full dataset or model feedback loops.

Study Advisor


🗄️ Data Controls — Study Strategy

  • Know the provenance vs. lineage distinction cold. Provenance = origin story (where the data came from, consent basis, legal authority). Lineage = transformation path (every processing step applied). Exam scenarios will test whether you can apply the right term to a compliance or audit scenario.
  • RBAC for training data is not optional. Data scientists follow least privilege — they access only the dataset partition needed for their current experiment. Questions often present overly permissive access as a correct-sounding but wrong answer.
  • Understand the three anonymisation tiers. True anonymisation (GDPR does not apply), pseudonymisation (GDPR still applies, but reduced risk), and synthetic data (no correspondence to real individuals). The exam tests whether you can identify when GDPR obligations remain active.
  • Hash verification is an integrity control, not a privacy control. SHA-256 checksums on training dataset files detect tampering or corruption — they do not protect confidentiality. Questions may conflate the two; be precise.
  • Label poisoning is a supply chain attack. The threat model: malicious annotator → corrupted label → backdoor embedded in model. The control chain: IAA thresholds → honey-pot audits → annotator least-privilege. Memorise this chain for scenario-based questions.
  • Encryption in transit AND at rest. Training datasets and model weights need both. The exam may ask which is more important — the correct answer is that both are required; the risk profile is different (transit = interception, at rest = breach).

🔒 Privacy Controls — Study Strategy

  • Master the privacy-preserving ML spectrum. For each technique (DP, FL, SMPC, HE, synthetic data, k-anonymity), know: what data leaves the organisation, computational overhead, and primary use case. Exam questions present scenarios and ask you to select the most appropriate technique.
  • Differential privacy ε is the privacy budget. Smaller ε = stronger privacy = more noise = less accuracy. This is a trade-off, not a configuration error. Questions test whether you understand that setting ε too small may make the model unusable.
  • Federated learning is not perfectly private by itself. Gradient inversion attacks can reconstruct training samples from shared gradients. The exam may test that federated learning + differential privacy together provide stronger guarantees than either alone.
  • GDPR Art. 22 applies only to decisions based solely on automated processing. Any meaningful human involvement may take a decision outside Art. 22 scope — but regulators interpret "solely" narrowly. Know both sides of this argument for the exam.
  • DPIA triggers for AI: automated profiling of individuals, large-scale processing of special category data, systematic monitoring of public areas, or high-risk innovative technology. When in doubt, a DPIA is required — the exam favours risk-averse answers on DPIA necessity.
  • Schrems II and cross-border AI training. Privacy Shield is dead. Standard Contractual Clauses require a Transfer Impact Assessment to confirm destination country surveillance laws do not undermine the SCCs. This is a frequently tested EU data transfer scenario.
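The ε trade-off in the privacy bullets above is easiest to see with the Laplace mechanism and a budget accountant: the noise scale is sensitivity / ε, so a smaller ε means wider noise, and under basic sequential composition each query's ε is deducted from a fixed total until further queries must be refused. This is an added example, not code from the page or from any DP library; the record set, the 1.0 budget and the query epsilons are constructed for illustration:

```python
import math
import random
from dataclasses import dataclass, field


class PrivacyBudgetExhausted(Exception):
    """Raised when answering a query would exceed the total ε budget."""


@dataclass
class LaplaceAccountant:
    """Answers counting queries with the Laplace mechanism and tracks ε spent.
    Basic sequential composition is assumed: the epsilons of all answered
    queries add up, and a query that would push the sum past the budget is
    refused instead of answered."""
    total_budget: float
    spent: float = 0.0
    rng: random.Random = field(default_factory=lambda: random.Random(2024))

    def remaining(self):
        return self.total_budget - self.spent

    @staticmethod
    def noise_scale(sensitivity, epsilon):
        # Laplace(b) with b = sensitivity / ε gives ε-DP for a query whose
        # L1 sensitivity (max change from one record) is `sensitivity`.
        return sensitivity / epsilon

    def _laplace(self, scale):
        # Inverse-CDF sampling of Laplace(0, scale).
        u = self.rng.random() - 0.5
        return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

    def private_count(self, records, predicate, epsilon, sensitivity=1.0):
        """Noisy count of records matching `predicate`; a count has sensitivity 1."""
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total_budget + 1e-12:
            raise PrivacyBudgetExhausted(
                f"query needs eps={epsilon}, only {self.remaining():.3f} left")
        true_count = sum(1 for r in records if predicate(r))
        noisy = true_count + self._laplace(self.noise_scale(sensitivity, epsilon))
        self.spent += epsilon          # charge the budget only for answered queries
        return noisy


# Constructed records (not real people): a flag we want to count privately.
RECORDS = [{"id": i, "flagged": i % 5 != 0} for i in range(1, 21)]   # 16 flagged


def demo_budget(total_budget=1.0, per_query_eps=0.5):
    """Answer queries until the budget is exhausted; returns the number answered."""
    acct = LaplaceAccountant(total_budget)
    answered = 0
    while True:
        try:
            acct.private_count(RECORDS, lambda r: r["flagged"], per_query_eps)
            answered += 1
        except PrivacyBudgetExhausted:
            return answered
```

With a total budget of 1.0 and ε = 0.5 per query, exactly two counts are released; the third is refused. Comparing `noise_scale(1, 0.1)` with `noise_scale(1, 1.0)` shows the ten-fold increase in noise that the "stronger privacy, less accuracy" bullet describes.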

⚖️ Ethics & Fairness — Study Strategy

  • The impossibility theorem is a guaranteed exam topic. You cannot simultaneously satisfy demographic parity, equalized odds, and calibration when base rates differ (Chouldechova, 2017). Know the theorem name and be able to explain why it creates a necessary trade-off.
  • Know when to use each fairness metric. Demographic parity for allocation decisions (hiring, loans). Equalized odds when error rates matter equally (recidivism prediction). Individual fairness for personalised scoring. Counterfactual fairness for causal audit. Map metric to use case.
  • SHAP vs LIME distinction matters. SHAP = global, game theory-based, consistent but slow. LIME = local, linear proxy, fast but may not generalise. For a single high-stakes decision requiring audit trail → SHAP. For quick interactive explanation → LIME.
  • Disparate impact ≠ intentional discrimination. An AI system can produce discriminatory outcomes without any protected attribute in its inputs — via proxy variables. The exam tests whether you can identify proxies (zip code → race, name → gender) and appropriate controls (proxy removal, counterfactual testing).
  • EU AI Act risk tiers. Unacceptable risk (banned) → biometric mass surveillance, social scoring. High risk → credit, hiring, healthcare, law enforcement. Limited risk → chatbots (disclosure required). Minimal risk → spam filters. Know which tier triggers conformity assessment and mandatory human oversight.
  • Ethics review boards need cross-functional composition. Technical + legal + ethics + business. The board's authority must include the power to halt deployment — advisory-only boards without real authority are a governance failure the exam may ask you to identify.

👁️ AI Monitoring — Study Strategy

  • Know the five monitoring signals by heart. Prediction confidence drops, adversarial input OOD scores, concept drift in feature distributions, fairness degradation (subgroup error rate disparity), and overall error rate increase. CADFE mnemonic from Memory Hooks will save you under pressure.
  • Concept drift vs. covariate shift — know both. Concept drift = the P(Y|X) relationship changes. Covariate shift = the P(X) distribution changes. Both degrade model performance but require different monitoring approaches. Covariate shift is detected earlier by input distribution monitoring; concept drift requires output monitoring.
  • SIEM integration for AI is a security control, not a DevOps tool. AI anomaly signals (confidence drops, adversarial input spikes) become security events when fed to the SIEM. This enables correlation with network anomalies to detect multi-stage attacks. The exam tests SIEM integration as a security monitoring control.
  • Immutable audit logs are a compliance requirement. Write-once, tamper-evident storage for inference request logs (timestamp, user, input hash, model version, output). Required for forensic investigation and regulatory compliance. Mutable logs fail audit requirements.
  • Circuit breakers are automated response controls. Pre-defined thresholds trigger automatic model rollback or traffic rerouting. This prevents a degraded model from serving harmful outputs at scale while human review occurs. The exam may ask what should happen automatically vs. what requires human decision.
  • Canary deployments and shadow challenger models. Canary = small % of live traffic routed to new model. Shadow = challenger runs in parallel, predictions logged but not served to users. Both enable safe evaluation of new model versions. Shadow mode is lower risk and preferred for security property testing.
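The monitoring bullets above describe a pipeline that turns model signals (a confidence drop, a covariate shift in an input feature) into a SIEM event and, past a pre-defined threshold, an automatic circuit-breaker rollback. The following is an added example of one such monitoring tick, not code from the page or from any monitoring product; the request-language feature, the traffic windows, the PSI and confidence thresholds and the SIEM event schema are all constructed assumptions:

```python
import math
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class MonitorDecision:
    psi: float
    mean_confidence: float
    action: str                 # "serve", "alert" or "rollback"
    siem_event: Optional[dict]  # emitted for "alert"/"rollback", None when healthy


def psi(reference, current, eps=1e-4):
    """Population Stability Index between two categorical samples (covariate shift).
    A category absent from one side gets probability `eps` so the log stays finite."""
    ref_c, cur_c = Counter(reference), Counter(current)
    score = 0.0
    for cat in set(ref_c) | set(cur_c):
        p = max(ref_c[cat] / len(reference), eps)
        q = max(cur_c[cat] / len(current), eps)
        score += (q - p) * math.log(q / p)
    return score


def evaluate_window(reference_feature, window_feature, window_confidence, *,
                    model_version, psi_alert=0.10, psi_rollback=0.25,
                    min_confidence=0.60):
    """One monitoring tick: a covariate-shift check on an input feature plus a
    confidence-drop check on the model's own outputs. Thresholds are assumed."""
    shift = psi(reference_feature, window_feature)
    conf = sum(window_confidence) / len(window_confidence)
    reasons = []
    if shift >= psi_rollback:
        reasons.append(f"covariate_shift psi={shift:.3f} >= {psi_rollback}")
    if conf < min_confidence:
        reasons.append(f"confidence_drop mean={conf:.3f} < {min_confidence}")
    if reasons:
        action = "rollback"     # circuit breaker: automatic, human review follows
    elif shift >= psi_alert:
        action = "alert"        # below the breaker threshold: humans decide
        reasons = [f"covariate_shift psi={shift:.3f} >= {psi_alert}"]
    else:
        action = "serve"
    event = None
    if action != "serve":
        event = {   # assumed SIEM event schema; map it to your SIEM's own fields
            "source": "ai-model-monitor",
            "severity": "high" if action == "rollback" else "medium",
            "model_version": model_version,
            "signals": reasons,
            "automated_action": action,
        }
    return MonitorDecision(round(shift, 4), round(conf, 4), action, event)


# Constructed traffic samples (not real telemetry): a categorical input feature
# (request language tag) and the model's top-class confidence per request.
REFERENCE_LANG = ["en"] * 70 + ["de"] * 20 + ["fr"] * 10   # validation-set baseline
HEALTHY_LANG = ["en"] * 68 + ["de"] * 22 + ["fr"] * 10
MODERATE_LANG = ["en"] * 55 + ["de"] * 35 + ["fr"] * 10
SHIFTED_LANG = ["en"] * 30 + ["zz"] * 60 + ["fr"] * 10     # unseen tag floods the window
HEALTHY_CONF = [0.91, 0.88, 0.94, 0.90, 0.86, 0.93, 0.89, 0.92]
LOW_CONF = [0.55, 0.48, 0.61, 0.52, 0.44, 0.58, 0.50, 0.57]

if __name__ == "__main__":
    for name, feat, conf in [("healthy", HEALTHY_LANG, HEALTHY_CONF),
                             ("moderate shift", MODERATE_LANG, HEALTHY_CONF),
                             ("flooded", SHIFTED_LANG, HEALTHY_CONF),
                             ("low confidence", HEALTHY_LANG, LOW_CONF)]:
        print(name, evaluate_window(REFERENCE_LANG, feat, conf, model_version="v1"))
```

The split between "alert" and "rollback" is the automatic-versus-human boundary the circuit-breaker bullet refers to: a moderate shift raises a medium-severity SIEM event for analysts, while a window dominated by an unseen category, or one where mean confidence falls below the floor, trips the breaker without waiting for a human.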

🛡️ Safety Controls — Study Strategy

  • Input validation is the first line of LLM defence. Schema enforcement, token length limits, and anomaly scoring on incoming prompts before the LLM processes them. Prompt injection attacks embed adversarial instructions in user inputs — input validation and instruction hierarchy enforcement are the primary controls.
  • RAG reduces hallucinations but does not eliminate them. RAG grounds outputs in retrieved documents but the LLM can still misinterpret or contradict retrieved evidence. RAG + confidence thresholding + output filtering provides layered hallucination control. No single control is sufficient alone.
  • Output sanitisation is distinct from input validation. Output sanitisation screens model-generated text for PII, credentials, toxic content, and jailbreak artefacts — applied post-generation before delivery to users. The exam may present both as options; know which comes first in the pipeline.
  • Human-in-the-loop vs. human-on-the-loop. HITL = human approves each individual decision before execution (strongest control, appropriate for high-stakes: parole, credit, medical triage). HOTL = human monitors and can intervene but decisions are auto-executed (weaker, appropriate for lower-stakes or high-volume contexts). Know which context requires which.
  • Rate limiting prevents model extraction attacks. By capping API inference requests per user/IP, rate limiting makes it impractical for adversaries to reconstruct a model through repeated querying. The exam tests rate limiting as a security control, not just a performance management tool.
  • Adversarial training is both an attack mitigation and a robustness improvement. Including adversarial examples in training data causes the model to learn adversarially robust decision boundaries. It is the most widely validated defence against adversarial input attacks, though certified defences (randomised smoothing) provide formal guarantees.

Key Resources

Official references and authoritative sources for Domain 3C–E exam preparation.

Official Certification

ISACA AAISM Certification

Official ISACA page for the Advanced in AI Security Management credential — exam guide, ECM requirements, and candidate resources.

Visit ISACA →

AI Risk Framework

NIST AI Risk Management Framework (AI RMF 1.0)

NIST's four-function framework (Govern, Map, Measure, Manage) for trustworthy AI — the primary risk management reference for AAISM Domain 1 and Domain 3 monitoring controls.

Read the AI RMF →

Privacy Regulation

GDPR Article 22 — Automated Decision-Making

Full text of GDPR Art. 22 and Recital 71, which explain the scope of automated decision-making rights and the definition of "solely automated processing."

Read GDPR Art. 22 →

EU AI Regulation

EU AI Act — Official Text

The EU's risk-based AI regulation establishing unacceptable, high-risk, limited, and minimal risk categories with conformity assessment requirements for high-risk AI systems.

Explore the AI Act →

Explainability Research

SHAP — A Unified Approach to Model Interpretability

Lundberg & Lee's original SHAP paper and the open-source Python library documentation — the canonical reference for Shapley-value-based explainability used in AAISM exam scenarios.

SHAP Documentation →

Practice Tests

FlashGenius AAISM Practice Tests

Exam-style questions across all 5 AAISM domains — adaptive difficulty, detailed rationales for every answer, and performance analytics to focus your remaining study time.

Start Practicing →
