IAPP AIGP Dumps

In the selection and implementation of the AI hiring tool, involving Finance and Legal is crucial. The Finance team is essential for assessing cost implications, budget considerations, and financial risks. The Legal team is necessary to ensure compliance with applicable laws and regulations, including those related to data privacy, employment, and anti-discrimination. Involving these stakeholders ensures a comprehensive evaluation of both the financial viability and legal compliance of the AI tool, mitigating potential risks and aligning with organizational objectives and regulatory requirements.

Random forest algorithms are classified as discriminative models. Discriminative models are used to classify data by learning the boundaries between classes, which is the core functionality of random forest algorithms. They are used for classification and regression tasks by aggregating the results of multiple decision trees to make accurate predictions.

The IEEE Ethical System Design Risk Management Framework (IEEE 7000-21) would be most appropriate for XYZ Corp's governance needs in addition to the NIST AI RiskManagement Framework. The IEEE framework specifically addresses ethical concerns during system design, which is crucial for ensuring the responsible use of AI in hiring. It complements the NIST framework by focusing on ethical risk management, aligning well with XYZ Corp's goals of deploying AI responsibly and mitigating associated risks​​​​.

Under the EU AI Act, organizations that develop and deploy high-risk AI systems are required to provide several key disclosures to ensure transparency and accountability. These include the human oversight measures employed, how individuals can contest decisions made by the AI system, and informing individuals that an AI system is being used. However, there is no specific requirement to disclose the exact locations where data is stored. The focus of the Act is on the transparency of the AI system's operation and its impact on individuals, rather than on the technical details of data storage locations.

The correct answer isD.Keystroke dynamics, used to identify individuals, fallunder biometricdata, which isa specialcategory of personaldata underthe GDPR and other frameworks.

From the AI Governance in Practice Report2025:

“Keystroke dynamics may constitute biometric data if used to uniquely identify an individual… Biometric data is classified as special category personal data and requires higher protection standards.”

Also reflected in ILT Participant Guide:

“Biometric data, such as facial images, voiceprints, iris scans or keystroke patterns, are treated as special category data when they are used for the purpose of uniquely identifying individuals.”

Retraining the model with data that reflects demographic parity is the best strategy to mitigate the bias uncovered in the loan applications. This approach addresses the root cause of the bias by ensuring that the training data is representative and balanced, leading to more equitable decision-making by the AI model.

The correct answer isB. The EU AI Act assigns atiered penalty systembased on the severity of the violation. A breach ofobligations related to high-risk AI systemsfalls into the mid-tier category, triggering fines of €15 million or 3% of annual global turnover.

From the AIGP ILT Guide – EU AI Act Module:

“Providers of high-risk AI systems must comply with strict documentation, testing, monitoring, and registration obligations. Breaches of these result in significant fines of up to €15 million or 3% of turnover.”

AI Governance in Practice Report2025supports this:

“Non-compliance with obligations under Title III (high-risk systems) leads to financial penalties under Article 71(3) of the EU AI Act.”

Note: Thehighest penalty (€35 million or 7%)applies toprohibited AI uses, not to obligations for high-risk systems.

===========

The correct answer isA. While educating technical staff is important, expectingall technical employees to be retooled as AI developersis unrealistic and not aligned with scalable governance practices.

From the AIGP ILT Guide:

"Training approaches should berole-specificand align with the individual's function and responsibilities... Organizations typically do not expect every technical role to participate in model development."

The AI Governance in Practice Report2025supports tailored approaches:

“Cross-functional training should be specific to the individual's role and exposure to AI risk... Role-based education supports scalability and comprehension.”

Thus,broad development training for all technical employeesis the least practical and least likely approach.

===========

The correct answeris.CThis action ties directly into principlesof dataminimization, purpose limitation,and lawfulnessof processing, which are central to privacy and AI governance.

From the AIGP Body of Knowledge, Section on Privacy Considerations:

“Personal data must only be processed for specified and lawful purposes. Organizations must consider whether they have a legal basis for processing such data under data protection laws like the GDPR or CCPA.”

Additionally, AI Governance in Practice Report2025emphasizes:

“One of the most significant challenges when designing and developing AI systems is ensuring the data used is appropriate for the intended purpose… Managing unnecessary data, especially data that may contain sensitive attributes, can increase risk.”

===========

The primary purpose of an AI impact assessment is to anticipate and manage the potential risks and harms of an AI system. This includes identifying the possible negative outcomes and implementing measures to mitigate these risks. This process helps ensure that AI systems are developed and deployed in a manner that is ethically and socially responsible, addressing concerns such as bias, fairness, transparency, and accountability. The assessment often involves a thorough evaluation of the AI system's design, data inputs, outputs, and the potential impact on various stakeholders. This approach is crucial for maintaining public trust and adherence to regulatory requirements.

An AI system that maintains its level of performance within defined acceptable limits despite real-world or adversarial conditions is described as resilient. Resilience in AI refers to the system's ability to withstand and recover from unexpected challenges, such as cyber-attacks, hardware failures, or unusual input data. This characteristic ensures that the AI system can continue to function effectively and reliably in various conditions, maintaining performance and integrity. Robustness, on the other hand, focuses on the system's strength against errors, while reliability ensures consistent performance over time. Resilience combines these aspects with the capacity to adapt and recover.

Note:This is the same scenario and question as Question 21 and thus has thesame correct answer: A. It's possible this was duplicated in your original input.

Repeated for clarity:

“Testing AI tools pre- and post-deployment helps ensure they perform as expected and do not introduce bias, privacy issues, or fairness concerns. This mitigates reputational and legal risk.”

TheAI Governance in Practice Report2025further reinforces:

“Ongoing monitoring and testing post-deployment allows organizations to catch and correct unintended impacts... especially important in HR and hiring contexts.”

The correct answer isD. Personalized content and advertisements, as long as properly disclosed and non-deceptive, arenot generally a consumer protection issueunder current legal regimes.

From the AI Governance in Practice Report2025(Consumer Protection Section):

“Standard practices like targeted advertising and recommendations are widely accepted provided they comply with transparency and consent requirements.”

Meanwhile, credit decision-making and misleading AI performance claims (Answers A and B) havealready led to regulatory enforcement.

The AIGP ILT Guide highlights:

“Deceptive claims, biased financial decisions, and unauthorized data use may violate consumer protection and privacy laws. Advertising personalization is routine but must be disclosed appropriately.”

The correct answer isD. While modernization through software may support efficiency, it isnot a foundational or essential componentof designing an integrated strategy.

From the AI Governance in Practice Report2025:

“Integrated strategies rely on senior management support, ethical reviews, and stakeholder engagement... The use of tools and platforms may come later as an operational enhancement.”

Also confirmed in AIGP Body of Knowledge:

“Key components of a governance framework include leadership buy-in, ethical analysis, and stakeholder input. Tools are supporting elements—not strategic drivers.”

===========

GPUs (Graphical Processing Units) are well-suited to running AI applications due to their ability to run many tasks concurrently, which significantly enhances processing speed. This parallel processing capability makes GPUs ideal for handling the large-scale computations required in AI and deep learning tasks. Reference: AIGP BODY OF KNOWLEDGE, which explains the importance of compute infrastructure in AI applications​​.

The correct answer isD. AI Impact Assessments are primarily used to identify and managerisks and harmsassociated with AI systems.

From the AIGP Body of Knowledge:

“The goal of an AI impact assessment is to ensure that risks are identified, evaluated, and mitigated prior to or during development and deployment.”

As further confirmed in the AI Governance in Practice Report2025(Part III):

“Risk-based tools like DPIAs and Algorithmic Impact Assessments help identify potential risks to individuals and society, enabling organizations to implement mitigation plans and safeguards.”

While benefits may be noted in such assessments, thecore objectiveis to manage risks andpromote responsible AI.

===========

The correct answer isD – Privacy impact assessments (PIAs). These aredirectly adaptablefor identifying risks in AI systems, particularly around data usage, bias, and individual impacts.

From the AIGP ILT Guide – Risk Management Module:

“PIAs and DPIAs are existing tools used in privacy compliance that can be extended to evaluate the risks of AI, including fairness, explainability, and legality.”

AI Governance in Practice Report2025further explains:

“Organizations can adapt privacy impact assessments to evaluate the ethical, legal, and technical risks posed by AI systems. They provide a structured and recognized method.”

PIAs are preferable over general security practices (like pen testing) which do not address algorithmic bias or legal compliance directly.

===========

Before offering an AI solution in the EU market, a Canadian company must take several steps to comply with the EU AI Act. These steps include establishing a risk and quality management system (B), engaging a third-party auditor to perform a bias audit (C), and drawing up technical documentation and instructions for use (D). However, there is no requirement to register the AI solution in a public EU database (A). This registration step is not specified as part of the compliance requirements under the EU AI Act for such solutions​​​​.

The GDPR's transparency principle requires that when personal data is processed for automated decision-making, including profiling, data subjects must be informed about the existence of such automated decision-making. Additionally, they must be provided with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for them. This requirement ensures that data subjects are fully aware of how their personal data is being used and the potential impacts, thereby promoting transparency and trust in the processing activities.

Under the EU regulations, particularly the GDPR, banks using AI for decision-making must inform users about the use of AI and provide mechanisms for users to contest decisions. This is part of ensuring transparency and accountability in automated processing. Explicit consent under the privacy directive (A) and disclosing under the Digital Services Act (B) are not specifically required in this context. An adequacy decision is related to data transfers outside the EU (C).

The correct answer isB. AllowingPIIto be freely entered into prompts without safeguards is considered amajor privacy and security riskand is not a responsible governance practice.

From the AIGP ILT Guide – Generative AI & Third-Party Risk Management:

“Use of personal or sensitive information in AI prompts can result in unintended exposure, regulatory breaches, and downstream liability.”

The AI Governance in Practice Report2025highlights:

“PII should be minimized or protected by design. Prompt engineering should prevent entry of personally identifiable data unless legally and technically safeguarded.”

A, C, and D are established best practices under responsible AI procurement and use.

===========

The correct answer isA. Only GPAI modelswith systemic riskmustpublish a detailed summary of training datato meet transparency and accountability standards under the EU AI Act.

From the AI Governance in Practice Report2025(EU AI Act Section):

“For GPAI systems with systemic risk, providers must publish sufficiently detailed summaries of the content used to train the model.”

Also, the AIGP ILT Guide confirms:

“The obligation to disclose summaries of training data applies only to systemic-risk GPAI models, not all general-purpose models or high-risk systems.”

This unique requirement is part of the Act’s effort to increasetransparency and auditabilityfor powerful foundational models.

===========

Typically, actors involved in the AI development life cycle include data architects (who design the data frameworks), socio-cultural and technical experts (who ensure the AI system is socio-culturally aware and technically sound), and legal and privacy governance experts (who handle the legal and privacy aspects). Government regulators, while important, are not directly engaged in the development process but rather oversee and regulate the industry. Reference: AIGP BODY OF KNOWLEDGE and AI development frameworks.

The correct answer isA. TheAcceptable Use Policy (AUP)sets the primary terms and conditions under which the AI model can be used, including limitations, prohibited uses, and operational constraints.

From the AIGP ILT Guide:

“The AUP is the most critical document to assess what you can and cannot do with the AI system. It governs use cases, outlines forbidden uses (e.g., disinformation), and supports responsible AI practices.”

Also confirmed in the AI Governance in Practice Report2025(Third-Party AI Assurance section):

“Reviewing and adhering to the acceptable use policy ensures that the model is being used in a manner that aligns with both provider expectations and ethical AI practices.”

===========

Under the EU AI Act, high-risk AI systems likeCrime Buster9619 would require a detailed conformity assessment before being deployed in the EU market. This assessment ensures that the AI system complies with all relevant regulations and standards, addressing potential risks related to privacy, security, and discrimination. The company would not need to register the tool with the EU database (A), seek approval from an EU authority (B), or face a ban (D) as long as it meets the necessary conformity requirements​​​​.

When assessing whether users should be given the right to opt out from an AI system, the primary considerations are feasibility, risk to users, and industry practice. Feasibility addresses whether the opt-out mechanism can be practically implemented. Risk to users assesses the potential harm or benefits users might face if they cannot opt out. Industry practice considers the norms and standards within the industry. However, the cost of alternative mechanisms, while important in the broader context of implementation, is not directly relevant to the ethical consideration of whether users should have the right to opt out. The focus should be on protecting user rights and ensuring ethical AI practices.

A privacy impact assessment (PIA) can be effectively leveraged to create an AI impact assessment. A PIA evaluates the potential privacy risks associated with the use of personal data and helps in implementing measures to mitigate those risks. Since AI systems often involve processing large amounts of personal data, the principles and methodologies of a PIA are highly applicable and can be extended to assess broader impacts, including ethical, social, and legal implications of AI. Reference: AIGP Body of Knowledge on Impact Assessments.

The AI risk that would not have been identified during the procurement process based on the categories of information requested by the third-party consultant is security. The consultant focused on accuracy rates, diversity of training data, and system functionality, which pertain to performance and fairness but do not directly address the security aspects of the AI system. Security risks involve ensuring that the system is protected against unauthorized access, data breaches, and other vulnerabilities that could compromise its integrity. Reference: AIGP Body of Knowledge on AI Security and Risk Management.

Training an AI model is time-consuming primarily due tomodel complexity,large data volumes, and the need forhigh-quality, well-prepared data.

From theAI Governance in Practice Report2025:

“Most AI requires sizeable amounts of high-quality data… to ensure desired and accurate output.” (p. 15)

“The accuracy of AI model outputs depends significantly on the quality of their inputs.” (p. 24)

“Complex AI systems… with many parameters… result in long development and training phases.” (p. 32)

B. Maturity of governanceaffects oversight, not training time.

D. Number of stakeholdersaffects alignment, not direct training duration.

Theprimary considerationin selecting any AI system, especially aproprietary model, is itsfit for business purpose. Whether it serves the intended goals is foundational before evaluating technical or governance features.

From theAI Governance in Practice Report2025:

“AI governance starts with defining the corporate strategy for AI… and aligning systems with business purpose and operational context.” (p. 11)

B, C, Dare relevant for evaluation, but onlyafterconfirming business applicability.

The planning phase of the AI life cycle typically includes defining the objective of the model, choosing the appropriate architecture, and understanding the context in which the model will operate. However, the approach to governance is usually established as part of the overall AI governance framework, not specifically within the planning phase. Governance encompasses broader organizational policies and procedures that ensure AI development and deployment align with legal, ethical, and operational standards. Reference: AIGP Body of Knowledge, AI lifecycle planning phase section.

The White House Executive Order from November 2023 requires companies developing dual-use foundation models to report on their current training or development activities, the results of red-team testing, and the physical and cybersecurity protection measures. However, it does not mandate reports on environmental impact studies for each dual-use foundation model. While environmental considerations are important, they are not specified in this context as a reporting requirement under this Executive Order.

The failures in semi-autonomous vehicles due to sensors misinterpreting environmental surroundings, such as sunlight, are examples of brittleness. Brittleness in AI systems refers to their inability to handle variations in input data or unexpected conditions, leading to failures when the system encounters situations that were not adequately covered during training. These systems perform well under specific conditions but fail when those conditions change. Reference: AIGP Body of Knowledge on AI System Robustness and Failures.

Third-party risk management for AI systems should beproportional and risk-based, involvinginitial due diligenceandongoing monitoringthat reflects thelevel of risk posedby the third party's AI system.

From theAI Governance in Practice Report2025:

“Third-party due diligence assessments to identify possible external risk and inform selection.” (p. 11)

“Legal due diligence may include verification of the personal data's lawful collection by the data broker, review of contractual obligations…” (p. 19)

Afocuses too narrowly on financial stability.

Cis excessive and not scalable or aligned with best practices.

Dinappropriately separates ethical and technical risks; both must be evaluated holistically.

Under theEU AI Act, serious incidents involvinghigh-risk AI systemsmust be reported. The deployer is required topromptly inform the provider and relevant authoritiesabout the issue.

From theAI Governance in Practice Report2025:

“Serious incidents involving high-risk systems… must be reported to the provider and relevant market surveillance authority.” (p. 35)

“Timely reporting is required when AI systems result in or may result in violations of fundamental rights.” (p. 35)

An AI system’sfunction,industry, anddeployment locationdefine itsrisk profile, which directly influences theinternal governance structuresan organization must put in place.

From theAI Governance in Practice Report2025:

“There are many challenges and potential solutions for AI governance, each with unique proximityand significance based on an organization’s role, footprint, broader risk-governance profile and maturity.” (p. 4)

“AI governance starts with defining the corporate strategy for AI… and formulating policy standards and operational procedures to reflect industry, use case, and location.” (p. 11)

A– Organizational accountability is broader and not directly scoped by industry or function.

C– Diversity of data sources is tied to data strategy.

D– Explainability is more influenced by model type, not use context.

Forcustomizable, interpretable modelsthat allow organizations toretain control and avoid vendor lock-in,classic ML models(e.g., regression, decision trees, random forests) are optimal.

From theAI Governance in Practice Report2025:

“Organizations seeking transparency, customizability, and control often prefer classic ML models due to their flexibility and ease of governance.” (p. 33)

AandCmay have limited transparency and are often tied to specific providers.

Dinvolves ongoing costs and limited model control.

Small language models (SLMs)arelightweight, requireless compute, and arebetter suited to low-resource or edge environments, making them ideal for agility and efficiency.

From general AI best practices:

“SLMs can be deployed in environments with limited computing power, ensuring lower cost and faster integration in constrained contexts.” (aligned with industry-wide AI deployment strategies)

Testing data is a subset of data used to provide a robust evaluation of a final model. After training the model on training data, it is essential to test its performance on unseen data (testing data) to ensure it generalizes well to new, real-world scenarios. This step helps in assessing the model's accuracy, reliability, and ability to handle various data inputs. Reference: AIGP Body of Knowledge on Model Validation and Testing.

Utilizing synthetic data to offset the lack of patient data is an efficient solution that balances privacy concerns with the need for sufficient data to train the model. Synthetic data can be generated to simulate real patient data while avoiding the privacy issues associated with using actual patient data. This approach allows for the development and testing of the AI algorithm without compromising patient privacy, and it can be refined with real data as it becomes available. Reference: AIGP Body of Knowledge on Data Privacy and AI Model Training.

When monitoring the functional performance of a model deployed into production, concerns typically include feature drift, model drift, and data loss. Feature drift refers to changes in the input features that can affect the model's predictions. Model drift is when the model's performance degrades over time due to changes in the data or environment. Data loss can impact the accuracy and reliability of the model. However, system cost, while important for budgeting and financial planning, is not a direct concern when monitoring the functional performance of a deployed model. Reference: AIGP Body of Knowledge on Model Monitoring and Maintenance.

The most comprehensive way to identify a full range of risks — legal, ethical, operational, and societal — for a new AI model is through aformal impact assessment, such as aData Protection Impact Assessment (DPIA)orAlgorithmic Impact Assessment.

From theAI Governance in Practice Report2025:

“Risk-based approaches are often distilled into organizational risk management efforts, which put impact assessments at the heart of deciding whether harm can be reduced.” (p. 29)

“DPIAs… help organizations identify, analyze and minimize data-related risks and demonstrate accountability.” (p. 30)

A. Environmental scanis too general.

B. Red teamingis useful for adversarial risk but not broad.

C. Integration testingfocuses on technical/system compatibility, not overall risk.

The NIST AI Risk Management Framework’s Govern function emphasizes the importance of establishing accountability structures that empower and train cross-functional teams. This is crucial because cross-functional teams bring diverse perspectives and expertise, which are essential for effective AI governance and risk management. Training these teams ensures that they are well-equipped to handle their responsibilities and can make informed decisions that align with the organization’s AI principles and ethical standards. Reference: NIST AI Risk Management Framework documentation, Govern function section.

Minimizing human involvement to the extent practicable is not a best practice during the testing of an ML model. Human oversight is crucial during testing to ensure that the model performs correctly and ethically, and to interpret any anomalies or issues that arise. Best practices include using representative test data, anonymizing data to the extent practicable, and performing testing specific to the intended uses of the model. Reference: AIGP Body of Knowledge on AI Model Testing and Human Oversight.

AI governance frameworks consistently define the“unique characteristics”of AI that create novel governance challenges.

Across the OECD AI Principles, NIST AI RMF, ISO/IEC 42001, and the EU AI Act, the key characteristics requiring governance are:

Autonomy– AI systems act without direct human intervention and take context-dependent decisions.

Adaptability– AI systems learn, evolve, and update their behavior over time, making outputs non-deterministic.

These traits fundamentally distinguish AI from traditional software and shape all major governance activities (risk assessment, monitoring, assurance, accountability, alignment, etc.).

Below is why each option is correct or incorrect:

A. Autonomy — NOT selected

Reason:

Autonomy is repeatedly cited as one of the defining characteristics that necessitates governance.

NIST AI RMF references the risks ofautonomous behavior.

ISO/IEC 42001 emphasizes governance controls for “systems operating with varying levels of autonomy.”

Thus,Autonomy IS a unique characteristic, so it isnotan answer.

B. Automation — SELECTED

Reason:

“Automation” is not a unique AI property. Automation predates AI and applies to robotics, scripts, business process automation, etc.

AI governance literature doesnotclassify automation as a unique AI-specific characteristic.

Automation is aresultof AI, but not adistinguishing property.

Therefore,Automation is correctly selected as NOT a unique AI characteristic.

C. Adaptability — NOT selected

Reason:

Adaptability (systems that update, learn, or change behavior) is recognized universally as a core distinctive trait of AI.

EU AI Act emphasizes governance requirements for “adaptive systems.”

NIST AI RMF highlights “learning and emergent behavior.”

Thus,Adaptability IS a unique characteristic, so it shouldnotbe chosen as an exception.

D. Speed and scale — SELECTED

Reason:

While AI can operate at high speed and scale,these are not unique characteristics of AI.

Traditional computing systems, cloud workloads, and automation pipelines operate at similar scale.

AI governance documents mention speed/scale as arisk amplifier, not a defining characteristic.

Therefore,Speed and scaleshould be selected.

E. Superintelligence — SELECTED

Reason:

“Superintelligence” is not a characteristic of current AI systems and isnot referenced as a governance-relevant attributein mainstream policy documents (OECD, NIST, ISO, EU AI Act).

It is speculative rather than a defining feature.

Therefore, it is correctly chosen as NOT a unique characteristic requiring governance today.

Establishing a global AI governance infrastructure involves several key elements, including providing training to foster a culture that promotes ethical behavior, creating policies and procedures to manage third-party risk, and understanding differences in norms across countries. While publicly disclosing ethical principles can enhance transparency and trust, it is not a core element necessary for the establishment of a governance infrastructure. The focus is more on internal processes and structures rather than public disclosure. Reference: AIGP Body of Knowledge on AI Governance and Infrastructure.

Differential privacy is a technique used to ensure that the inclusion or exclusion of a single data point does not significantly affect the outcome of any analysis, providing a way to mathematically prove that no specific piece of training data has more than a negligible effect on the model or its output. This is achieved by introducing randomness into the data or the algorithms processing the data. In the context of training large language models (LLMs), differential privacy helps in protecting individual data points while still enabling the model to learn effectively. By adding noise to the training process, differential privacy provides strong guarantees about the privacy of the training data.

Offeringloan products based on current offerings and rulesrequires a system that can followexplicit business logic, not generate open-ended content. Anexpert system, which is a rules-based AI that uses “if-then” logic, is ideal here.

From the AI governance context:

“Rule-based AI systems are often preferred when decisions must adhere to precise regulatory or financial criteria.” (aligned with AI best practices in regulated sectors)

A. RAGis used to integrate external knowledge—not suitable for structured, rule-based logic.

B. Multimodal modelshandle varied input types—not needed here.

D. Quantum computingis not yet practical or relevant for this business use case.

Risk impact estimation occurs in the design phase of the AI life cycle. This step involves evaluatingpotential risks associated with the AI system and estimating their impacts to ensure that appropriate mitigation strategies are in place. It helps in identifying and addressing potential issues early in the design process, ensuring the development of a robust and reliable AI system. Reference: AIGP Body of Knowledge on AI Design and Risk Management.