IAPP AIGP Artificial Intelligence Governance Professional Exam Practice Test

The NIST AI Risk Management Framework’s Govern function emphasizes the importance of establishing accountability structures that empower and train cross-functional teams. This is crucial because cross-functional teams bring diverse perspectives and expertise, which are essential for effective AI governance and risk management. Training these teams ensures that they are well-equipped to handle their responsibilities and can make informed decisions that align with the organization’s AI principles and ethical standards. Reference: NIST AI Risk Management Framework documentation, Govern function section.

The most challenging aspect of managing a data access request in this scenario is dealing with unstructured data that cannot be easily disentangled from other data, including information about other individuals. Unstructured data, such as free-text inputs or social media posts, often lacks a clear structure and may be intermingled with data from multiple individuals, making it difficult to isolate the specific data related to the requester. This complexity poses significant challenges in complying with data access requests under privacy laws. Reference: AIGP Body of Knowledge on Data Subject Rights and Data Management.

Post-deployment AI maintenance typically includes ensuring that all model components are subject to a control framework, dedicating experts to continually monitor the model output, and evaluating the need for audits under certain standards. However, defining thresholds to conduct new impact assessments is usually part of the initial deployment and ongoing governance processes rather than a maintenance activity. Maintenance focuses more on the operational aspects of the AI system rather than setting new thresholds for impact assessments.

Third-party risk management for AI systems should beproportional and risk-based, involvinginitial due diligenceandongoing monitoringthat reflects thelevel of risk posedby the third party's AI system.

From theAI Governance in Practice Report2025:

“Third-party due diligence assessments to identify possible external risk and inform selection.” (p. 11)

“Legal due diligence may include verification of the personal data's lawful collection by the data broker, review of contractual obligations…” (p. 19)

Afocuses too narrowly on financial stability.

Cis excessive and not scalable or aligned with best practices.

Dinappropriately separates ethical and technical risks; both must be evaluated holistically.

When the accuracy of a model deteriorates, the best first step is to conduct champion/challenger testing. This involves deploying a new model (challenger) alongside the current model (champion) to compare their performance. This method helps identify if the new model can perform better under current conditions without immediately discarding the existing model. It provides a controlled environment to test improvements and understand the reasons behind the deterioration. This approach is preferable to directly replacing the model, performing audits, or running red-teaming exercises, which may be subsequent steps based on the findings from the champion/challenger testing.

AI governance frameworks consistently define the“unique characteristics”of AI that create novel governance challenges.

Across the OECD AI Principles, NIST AI RMF, ISO/IEC 42001, and the EU AI Act, the key characteristics requiring governance are:

Autonomy– AI systems act without direct human intervention and take context-dependent decisions.

Adaptability– AI systems learn, evolve, and update their behavior over time, making outputs non-deterministic.

These traits fundamentally distinguish AI from traditional software and shape all major governance activities (risk assessment, monitoring, assurance, accountability, alignment, etc.).

Below is why each option is correct or incorrect:

A. Autonomy — NOT selected

Reason:

Autonomy is repeatedly cited as one of the defining characteristics that necessitates governance.

NIST AI RMF references the risks ofautonomous behavior.

ISO/IEC 42001 emphasizes governance controls for “systems operating with varying levels of autonomy.”

Thus,Autonomy IS a unique characteristic, so it isnotan answer.

B. Automation — SELECTED

Reason:

“Automation” is not a unique AI property. Automation predates AI and applies to robotics, scripts, business process automation, etc.

AI governance literature doesnotclassify automation as a unique AI-specific characteristic.

Automation is aresultof AI, but not adistinguishing property.

Therefore,Automation is correctly selected as NOT a unique AI characteristic.

C. Adaptability — NOT selected

Reason:

Adaptability (systems that update, learn, or change behavior) is recognized universally as a core distinctive trait of AI.

EU AI Act emphasizes governance requirements for “adaptive systems.”

NIST AI RMF highlights “learning and emergent behavior.”

Thus,Adaptability IS a unique characteristic, so it shouldnotbe chosen as an exception.

D. Speed and scale — SELECTED

Reason:

While AI can operate at high speed and scale,these are not unique characteristics of AI.

Traditional computing systems, cloud workloads, and automation pipelines operate at similar scale.

AI governance documents mention speed/scale as arisk amplifier, not a defining characteristic.

Therefore,Speed and scaleshould be selected.

E. Superintelligence — SELECTED

Reason:

“Superintelligence” is not a characteristic of current AI systems and isnot referenced as a governance-relevant attributein mainstream policy documents (OECD, NIST, ISO, EU AI Act).

It is speculative rather than a defining feature.

Therefore, it is correctly chosen as NOT a unique characteristic requiring governance today.

The White House Executive Order of November 2023 designates the National Institute of Standards and Technology (NIST) as the responsible body for creating guidelines to conduct red-teaming tests of AI systems. NIST is tasked with developing and providing standards and frameworks to ensure the security, reliability, and ethical deployment of AI systems, including conducting rigorous red-teaming exercises to identify vulnerabilities and assess risks in AI systems.

The most comprehensive way to identify a full range of risks — legal, ethical, operational, and societal — for a new AI model is through aformal impact assessment, such as aData Protection Impact Assessment (DPIA)orAlgorithmic Impact Assessment.

From theAI Governance in Practice Report2025:

“Risk-based approaches are often distilled into organizational risk management efforts, which put impact assessments at the heart of deciding whether harm can be reduced.” (p. 29)

“DPIAs… help organizations identify, analyze and minimize data-related risks and demonstrate accountability.” (p. 30)

A. Environmental scanis too general.

B. Red teamingis useful for adversarial risk but not broad.

C. Integration testingfocuses on technical/system compatibility, not overall risk.

Differential privacy is a technique used to ensure that the inclusion or exclusion of a single data point does not significantly affect the outcome of any analysis, providing a way to mathematically prove that no specific piece of training data has more than a negligible effect on the model or its output. This is achieved by introducing randomness into the data or the algorithms processing the data. In the context of training large language models (LLMs), differential privacy helps in protecting individual data points while still enabling the model to learn effectively. By adding noise to the training process, differential privacy provides strong guarantees about the privacy of the training data.

Importers of high-risk AI systems into the EU havespecific responsibilitiesunder the EU AI Act. They arenotthe parties responsible for affixing the CE marking or providing technical documentation—but they must verify that these have been done by the provider.

From theAI Governance in Practice Report2025:

“Importers must verify that the appropriate conformity assessment has been carried out, the technical documentation is available, and the CE marking has been affixed.” (p. 34–35)

Thus:

A. Provide technical documentation– done by theprovider.

B. Affix the CE marking–provider'sresponsibility.

C. Verify the Declaration of Conformity–importer obligation.

D. Conduct a DPIA– relevant under data protection laws,not requiredunder the EU AI Act forimporters.

The most critical reason for documenting AI-related risks is toreduce exposure to legal, regulatory, and reputational liabilities. Clear documentation demonstrates thatrisks were identified, assessed, and addressed, which is essential for accountability and defensibility in the face of audits, litigation, or enforcement actions.

From theAI Governance in Practice Report2025:

“An effective AI governance model is about collective responsibility… which should encompass oversight mechanisms such as privacy, accountability, compliance.” (p. 13)

“Accountability… is based on the idea that there should be a person or entity that is ultimately responsible for any harm resulting from the use of the data, algorithm and AI system's underlying processes.” (p. 28)

While transparency, alignment with standards, and knowledge sharing are all secondary benefits,risk documentation’s primary role is liability mitigation.

Offeringloan products based on current offerings and rulesrequires a system that can followexplicit business logic, not generate open-ended content. Anexpert system, which is a rules-based AI that uses “if-then” logic, is ideal here.

From the AI governance context:

“Rule-based AI systems are often preferred when decisions must adhere to precise regulatory or financial criteria.” (aligned with AI best practices in regulated sectors)

A. RAGis used to integrate external knowledge—not suitable for structured, rule-based logic.

B. Multimodal modelshandle varied input types—not needed here.

D. Quantum computingis not yet practical or relevant for this business use case.

Minimizing human involvement to the extent practicable is not a best practice during the testing of an ML model. Human oversight is crucial during testing to ensure that the model performs correctly and ethically, and to interpret any anomalies or issues that arise. Best practices include using representative test data, anonymizing data to the extent practicable, and performing testing specific to the intended uses of the model. Reference: AIGP Body of Knowledge on AI Model Testing and Human Oversight.

The planning phase of the AI life cycle typically includes defining the objective of the model, choosing the appropriate architecture, and understanding the context in which the model will operate. However, the approach to governance is usually established as part of the overall AI governance framework, not specifically within the planning phase. Governance encompasses broader organizational policies and procedures that ensure AI development and deployment align with legal, ethical, and operational standards. Reference: AIGP Body of Knowledge, AI lifecycle planning phase section.

When assessing whether users should be given the right to opt out from an AI system, the primary considerations are feasibility, risk to users, and industry practice. Feasibility addresses whether the opt-out mechanism can be practically implemented. Risk to users assesses the potential harm or benefits users might face if they cannot opt out. Industry practice considers the norms and standards within the industry. However, the cost of alternative mechanisms, while important in the broader context of implementation, is not directly relevant to the ethical consideration of whether users should have the right to opt out. The focus should be on protecting user rights and ensuring ethical AI practices.

Establishing a global AI governance infrastructure involves several key elements, including providing training to foster a culture that promotes ethical behavior, creating policies and procedures to manage third-party risk, and understanding differences in norms across countries. While publicly disclosing ethical principles can enhance transparency and trust, it is not a core element necessary for the establishment of a governance infrastructure. The focus is more on internal processes and structures rather than public disclosure. Reference: AIGP Body of Knowledge on AI Governance and Infrastructure.

The greatest risk from AI systems generatingrealistic synthetic mediaisdownstream harm, such asdeepfakes, misinformation, reputational damage, and erosion of trust.

From theAI Governance in Practice Report2025:

“With generative AI, downstream harms such as deception, reputational damage, misinformation, and manipulation can emerge even if original use was lawful.” (p. 55–56)

Bias in AI can be reduced during the planning and design phases through stakeholder involvement, human oversight, and careful data collection. While feature selection is critical in the development phase, it does not specifically occur during planning and design. Ensuring diverse stakeholder involvement and human oversight helps identify and mitigate potential biases early, and data collection ensures a representative dataset. Reference: AIGP Body of Knowledge on AI Development Lifecycle and Bias Mitigation.

Forcustomizable, interpretable modelsthat allow organizations toretain control and avoid vendor lock-in,classic ML models(e.g., regression, decision trees, random forests) are optimal.

From theAI Governance in Practice Report2025:

“Organizations seeking transparency, customizability, and control often prefer classic ML models due to their flexibility and ease of governance.” (p. 33)

AandCmay have limited transparency and are often tied to specific providers.

Dinvolves ongoing costs and limited model control.

Retraining an LLM (Large Language Model) is primarily done to improve or maintain its performance as data changes over time, to fine-tune it for specific use cases, and to incorporate new data interpretations to enhance accuracy and relevance. However, ensuring interpretability of the model's predictions is not typically a reason for retraining. Interpretability relates to how easily the outputs of the model can be understood and explained, which is generally addressed through different techniques or methods rather than through the retraining process itself. References to this can be found in the IAPP AIGP Body of Knowledge discussing model retraining and interpretability as separate concepts.

An AI system’sfunction,industry, anddeployment locationdefine itsrisk profile, which directly influences theinternal governance structuresan organization must put in place.

From theAI Governance in Practice Report2025:

“There are many challenges and potential solutions for AI governance, each with unique proximityand significance based on an organization’s role, footprint, broader risk-governance profile and maturity.” (p. 4)

“AI governance starts with defining the corporate strategy for AI… and formulating policy standards and operational procedures to reflect industry, use case, and location.” (p. 11)

A– Organizational accountability is broader and not directly scoped by industry or function.

C– Diversity of data sources is tied to data strategy.

D– Explainability is more influenced by model type, not use context.

Training an AI model is time-consuming primarily due tomodel complexity,large data volumes, and the need forhigh-quality, well-prepared data.

From theAI Governance in Practice Report2025:

“Most AI requires sizeable amounts of high-quality data… to ensure desired and accurate output.” (p. 15)

“The accuracy of AI model outputs depends significantly on the quality of their inputs.” (p. 24)

“Complex AI systems… with many parameters… result in long development and training phases.” (p. 32)

B. Maturity of governanceaffects oversight, not training time.

D. Number of stakeholdersaffects alignment, not direct training duration.

Theinitial deployment phaseof an AI model is critical forpost-deployment monitoring. When tracking forbias, the most important task is tocontinue disparity testingto determine whether outputs differ across protected groups.

From theAI Governance in Practice Report2025:

“Performance monitoring protocols… should include mechanisms to assess and measure disparities in outcomes across different demographic groups.” (p. 12)

“Bias may not be evident during pre-deployment testing but can emerge in real-world use.” (p. 41)

B. Awareness trainingis helpful, but not a technical bias mitigation activity.

C. Analyzing training datais apre-deploymenttask.

D. Documenting human decisionsmay support auditability but doesn’t detect bias in AI outputs.

The best reason for the police department to continue performing investigations even if the AI system scores an individual's likelihood of criminal activity at or above 90% is that AI systems affecting fundamental civil rights should not be fully automated. Human oversight is essential to ensure that decisions impacting civil liberties are made with due consideration of context and mitigating factors that an AI might not fully appreciate. This approach ensures fairness, accountability, and adherence to legal standards. Reference: AIGP Body of Knowledge on AI Ethics and Human Oversight.

Under theEU AI Act, serious incidents involvinghigh-risk AI systemsmust be reported. The deployer is required topromptly inform the provider and relevant authoritiesabout the issue.

From theAI Governance in Practice Report2025:

“Serious incidents involving high-risk systems… must be reported to the provider and relevant market surveillance authority.” (p. 35)

“Timely reporting is required when AI systems result in or may result in violations of fundamental rights.” (p. 35)

According to the EU AI Act, providers of high-risk AI systems are required to register with an EU oversight agency before these systems can be placed on the market. This requirement is part of the Act's framework to ensure that high-risk AI systems comply with stringent safety, transparency,and accountabilitystandards. High-risk systems are those that pose significant risks to health, safety, or fundamental rights. Registration with oversight agencies helps facilitate ongoing monitoring and enforcement of compliance with the Act's provisions. Systems categorized under other criteria, such as those trained on sensitive personal data or exhibiting "strong" general intelligence, also fall under scrutiny but are primarily covered under different regulatory requirements or classifications.

The correct answer isD. GPS location data isnot biometric data—it is consideredgeolocation data, which is personal data butnot biometricunder most U.S. laws.

From the AIGP ILT Guide (Data Privacy Module):

“Biometric data includes measurable biological or behavioral characteristics such as iris scans, facial recognition, voice prints, and keystroke patterns when used for identification.”

AI Governance in Practice Report2025(Privacy and Data Protection section):

“Location data, while sensitive, is not considered biometric unless it’s tied to a uniquely identifyingbiological trait.”

Thus,GPS location data, while potentially sensitive, is not classified as biometric.

The correct answer isD. Forming adedicated governance committeeensures continuous oversight, role clarity, and accountability throughout the AI lifecycle.

From the AIGP ILT Guide – Governance Structures:

“Organizations using AI in high-impact scenarios should establish a governance body responsible for oversight of risk, compliance, and ethical alignment.”

Also reflected in AI Governance in Practice Report2025:

“Committees support cross-functional decision-making, provide guidance for updates, and maintain accountability. This is especially critical for high-stakes applications like marketing to diverse audiences.”

Options A, B, and C are valid supplementary actions, butDoffers a long-term and systematic governance mechanism.

The NIST AI Risk Management Framework outlines several characteristics of trustworthy AI, including being secure and resilient, explainable and interpretable, and accountable and transparent. While being tested and effective is important, it is not explicitly listed as a characteristic of trustworthy AI in the NIST framework. The focus is more on the system's ability to function safely, securely, and transparently in a way that stakeholders can understand and trust. Reference: AIGP Body of Knowledge, NIST AI RMF section.

The correct answer isC.Registration in the EU databaseis an obligation ofprovidersof high-risk AI systems—not distributors.

From the AIGP ILT Guide – Roles & Obligations Module:

“Distributors must verify CE marking, ensure instructions for use are provided, inform authorities of risks, and take corrective action when necessary. However, registration duties in the EU database lie with the provider.”

Also from the AI Governance in Practice Report2025:

“The AI Act differentiates responsibilities for developers, providers, importers, and distributors. Only providers of high-risk systems are obligated to register their systems in the EU AI Database.”

Distributors focus onverification and communication, not formal registration.

The IEEE Ethical System Design Risk Management Framework (IEEE 7000-21) would be most appropriate for XYZ Corp's governance needs in addition to the NIST AI RiskManagement Framework. The IEEE framework specifically addresses ethical concerns during system design, which is crucial for ensuring the responsible use of AI in hiring. It complements the NIST framework by focusing on ethical risk management, aligning well with XYZ Corp's goals of deploying AI responsibly and mitigating associated risks​​​​.

Supervised learning is a subcategory of AI and machine learning where labeled datasets are used to train algorithms. This process involves feeding the algorithm a dataset where the input-output pairs are known, allowing the algorithm to learn and make predictions or decisions based on new, unseen data. Reference: AIGP BODY OF KNOWLEDGE, which describes supervised learning as a model trained on labeled data (e.g., text recognition, detecting spam in emails)​​.

In the selection and implementation of the AI hiring tool, involving Finance and Legal is crucial. The Finance team is essential for assessing cost implications, budget considerations, and financial risks. The Legal team is necessary to ensure compliance with applicable laws and regulations, including those related to data privacy, employment, and anti-discrimination. Involving these stakeholders ensures a comprehensive evaluation of both the financial viability and legal compliance of the AI tool, mitigating potential risks and aligning with organizational objectives and regulatory requirements.

The correct answeris.CThis action ties directly into principlesof dataminimization, purpose limitation,and lawfulnessof processing, which are central to privacy and AI governance.

From the AIGP Body of Knowledge, Section on Privacy Considerations:

“Personal data must only be processed for specified and lawful purposes. Organizations must consider whether they have a legal basis for processing such data under data protection laws like the GDPR or CCPA.”

Additionally, AI Governance in Practice Report2025emphasizes:

“One of the most significant challenges when designing and developing AI systems is ensuring the data used is appropriate for the intended purpose… Managing unnecessary data, especially data that may contain sensitive attributes, can increase risk.”

===========

According to the Canadian Artificial Intelligence and Data Act, high-impact AI systems must notify the Minister of Innovation, Science and Industry upon initial deployment. This requirement ensures that the authorities are aware of the deployment of significant AI systems and can monitor their impacts and compliance with regulatory standards from the outset. This initial notification is crucial for maintaining oversight and ensuring the responsible use of AI technologies. Reference: AIGP Body of Knowledge, domain on AI laws and standards.

An AI model is best defined as a program that has been trained on a set of data to find patterns within that data. This definition captures the essence of machine learning, where the model learns from the data to make predictions or decisions. Reference: AIGP BODY OF KNOWLEDGE, which provides a detailed explanation of AI models and their training processes​​.

The potential negative consequences of using an AI tool in hiring include reputational harm (A), civil rights violations (B), and discriminatory treatment (C). These issues stem from biases in the AI system or its misuse, which can lead to unfair hiring practices and legal liabilities. Intellectual property infringement (D) is not a typical consequence of using AI in hiring, as it relates to the unauthorized use of protected intellectual property, which is not directly relevant to the hiring process or the potential biases within AI tools​​​​.

Note:This is the same scenario and question as Question 21 and thus has thesame correct answer: A. It's possible this was duplicated in your original input.

Repeated for clarity:

“Testing AI tools pre- and post-deployment helps ensure they perform as expected and do not introduce bias, privacy issues, or fairness concerns. This mitigates reputational and legal risk.”

TheAI Governance in Practice Report2025further reinforces:

“Ongoing monitoring and testing post-deployment allows organizations to catch and correct unintended impacts... especially important in HR and hiring contexts.”

The correct answer isD. AI Impact Assessments are primarily used to identify and managerisks and harmsassociated with AI systems.

From the AIGP Body of Knowledge:

“The goal of an AI impact assessment is to ensure that risks are identified, evaluated, and mitigated prior to or during development and deployment.”

As further confirmed in the AI Governance in Practice Report2025(Part III):

“Risk-based tools like DPIAs and Algorithmic Impact Assessments help identify potential risks to individuals and society, enabling organizations to implement mitigation plans and safeguards.”

While benefits may be noted in such assessments, thecore objectiveis to manage risks andpromote responsible AI.

===========

If it is possible to provide a rationale for a specific output of an AI system, that system can best be described as explainable. Explainability in AI refers to the ability to interpret and understand the decision-making process of the AI system. This involves being able to articulate the factors and logic that led to a particular output or decision. Explainability is critical for building trust, enabling users to understand and validate the AI system's actions, and ensuring compliance with ethical and regulatory standards. It also facilitates debugging and improving the system by providing insights into its behavior.

Under the EU regulations, particularly the GDPR, banks using AI for decision-making must inform users about the use of AI and provide mechanisms for users to contest decisions. This is part of ensuring transparency and accountability in automated processing. Explicit consent under the privacy directive (A) and disclosing under the Digital Services Act (B) are not specifically required in this context. An adequacy decision is related to data transfers outside the EU (C).

The correct answer isC. Thechoice of architecture(e.g., neural networks vs. decision trees) is typically part of thedesign and developmentphase, not the initial planning.

From the AIGP Body of Knowledge – AI Lifecycle Module:

“Planning involves scoping, context definition, stakeholder identification, governance planning, and assumptions—not yet model selection.”

Confirmed in the ILT Participant Guide:

“Design decisions such as architecture or algorithm type come after planning—usually during development based on technical feasibility and data availability.”

AI's resource-intensive computing demands pose significant environmental risks. High-performance computing required for training and deploying AI models often leads to substantial energy consumption, which can result in increased carbon emissions and other environmental impacts. This is particularly relevant given the growing concern over climate change and the environmental footprint of technology. Organizations need to consider these environmental risks when developing AI systems, potentially exploring more energy-efficient methods and renewable energy sources to mitigate the environmental impact.

The GDPR requires that individuals have the right to not be subject to decisions based solely on automated processing, including profiling, unless specific exceptions apply. One effective control is to establish a human-in-the-loop procedure (D), ensuring human oversight and the ability to contest decisions. This goes beyond just-in-time notices (A), data safeguarding (B), or review rights (C), providing a more robust mechanism to protect individuals' rights.

The U.S. mortgage company's AI platform relates to housing and credit, making the Fair Housing Act (A), Fair Credit Reporting Act (B), and Equal Credit Opportunity Act (C) relevant. Title VII of the Civil Rights Act of 1964 deals with employment discrimination and is not directly relevant to the mortgage application context (D).

In the context of AI, particularly generative models, "hallucination" refers to the generation of outputs that are not based on the training data and are factually incorrect or non-existent. The scenario described involves the generative AI tool providing incorrect and non-existent information about restaurants, which fits the definition of hallucination. Reference: AIGP BODY OF KNOWLEDGE and various AI literature discussing the limitations and challenges of generativeAI models.

Under the EU AI Act, organizations that develop and deploy high-risk AI systems are required to provide several key disclosures to ensure transparency and accountability. These include the human oversight measures employed, how individuals can contest decisions made by the AI system, and informing individuals that an AI system is being used. However, there is no specific requirement to disclose the exact locations where data is stored. The focus of the Act is on the transparency of the AI system's operation and its impact on individuals, rather than on the technical details of data storage locations.

The primary reason the EU is considering updates to its Product Liability Directive is to address digital services and connected products. The current directive does not adequately cover the complexities and challenges posed by modern digital and connected technologies. By updating the directive, the EU aims to ensure that it remains relevant and effective in addressing the liabilities associated with these advanced products, ensuring consumer protection and fair market practices in the digital age.

All of the options listed may pose copyright risks when teachers use generative AI to create course content, except for students must expressly consent to this use of generative AI. While obtaining student consent is essential for ethical and privacy reasons, it does not directly relate to copyright risks associated with the creation and use of AI-generated content.