IAPP AIGP Artificial Intelligence Governance Professional Exam Practice Test

Private LLMs offer advantages likecustomizability,reduced hallucination,confidentiality, andalignment with enterprise-specific tasks, but theydo not inherently reduce the time or effortneeded fordata validation or verification— which remains an essential step regardless of model privacy.

From the AI risk and quality sections:

“Ensuring the quality of the data… is highly contextual and must be validated regardless of the model’s deployment environment.” (p. 17)

B, C, Dare legitimate benefits of private LLMs.

Ais incorrect — validation still requires time and resources.

The correct answer isD.Emotion recognition in the workplaceis flagged asunacceptable or highly restrictedunder the EU AI Act due to its intrusive nature and potential for misuse.

From the AIGP ILT Guide – EU AI Act Training Module:

“AI systems that monitor individuals’ emotions in the workplace or educational settings are listed among prohibited or strictly limited practices under Article 5.”

AI Governance in Practice Report 2025 supports this interpretation:

“Emotion recognition systems, especially in sensitive contexts such as employment or education, raise significant concerns under EU fundamental rights law and are likely to be restricted.”

Other uses listed—such as emergency response or emotion detection in healthcare—may fall underlawful and beneficial uses, especially whenjustified by public interest.

===========

The primary purpose of conducting ethical red-teaming on an AI system is to simulate model risk scenarios. Ethical red-teaming involves rigorously testing the AI system to identify potential weaknesses, biases, and vulnerabilities by simulating real-world attack or failure scenarios. This helps in proactively addressing issues that could compromise the system ' s reliability, fairness, and security. Reference: AIGP Body of Knowledge on AI Risk Management and Ethical AI Practices.

The correct answer isA. While TEVV is important inlater lifecycle phases, it isnot the primary considerationwhen evaluating and prioritizinguse cases.

From the AIGP Body of Knowledge – Use Case Assessment Module:

“Use case evaluation focuses on value, impact, fairness, and accessibility—technical testing considerations come later.”

ILT Guide confirms:

“Organizations should first assess whether the AI system provides equitable outcomes and aligns with stakeholder expectations. TEVV is part of implementation, not initial prioritization.”

Thus,Ais not a top-level consideration during use caseselection.

In the context of AI, particularly generative models, " hallucination " refers to the generation of outputs that are not based on the training data and are factually incorrect or non-existent. The scenario described involves the generative AI tool providing incorrect and non-existent information about restaurants, which fits the definition of hallucination. Reference: AIGP BODY OF KNOWLEDGE and various AI literature discussing the limitations and challenges of generative AI models.

Respecting intellectual property rights means adhering to licensing terms and ensuring that generated content complies with these terms. A system that categorizes and applies filters based on licensing terms ensures that content is used legally and ethically, respecting the rights of content creators. While providing attribution is important, categorization and application of filters based on licensing terms are more directly tied to compliance with intellectual property laws. This principle is elaborated in the IAPP AIGP Body of Knowledge sections on intellectual property and compliance.

Biometric data in the U.S. refers to data that relates to measurable biological and behavioral characteristics that can be used to identify an individual. Examples include fingerprints, facial recognition, iris scans, and behavior-based data like gait or keystrokes.

According to definitions and discussions from theAI Governance in Practice Report 2025and U.S. privacy frameworks:

“Biometric data includes physical and behavioral human characteristics that can be used to digitally identify a person to grant access to systems, devices, or data. Examples include facial images, iris patterns, gait analysis, and voice recognition.” (Report context based on common frameworks in U.S. AI law and the use of biometrics in AI governance.)

Here’s how the options relate:

A. Iris scans– These are physical biometric identifiers.

B. Walking gait– Behavioral biometric used increasingly in surveillance and identification.

C. Keystroke dynamics– Behavioral biometric based on typing patterns.

D. GPS location of a user ' s fitness watch– This isnotbiometric data. It islocation data, which may be sensitive or personal, but not biometric.

The most critical reason for documenting AI-related risks is toreduce exposure to legal, regulatory, and reputational liabilities. Clear documentation demonstrates thatrisks were identified, assessed, and addressed, which is essential for accountability and defensibility in the face of audits, litigation, or enforcement actions.

From theAI Governance in Practice Report 2025:

“An effective AI governance model is about collective responsibility… which should encompass oversight mechanisms such as privacy, accountability, compliance.” (p. 13)

“Accountability… is based on the idea that there should be a person or entity that is ultimately responsible for any harm resulting from the use of the data, algorithm and AI system ' s underlying processes.” (p. 28)

While transparency, alignment with standards, and knowledge sharing are all secondary benefits,risk documentation’s primary role is liability mitigation.

The planning phase of the AI life cycle typically includes defining the objective of the model, choosing the appropriate architecture, and understanding the context in which the model will operate. However, the approach to governance is usually established as part of the overall AI governance framework, not specifically within the planning phase. Governance encompasses broader organizational policies and procedures that ensure AI development and deployment align with legal, ethical, and operational standards. Reference: AIGP Body of Knowledge, AI lifecycle planning phase section.

Theinitial deployment phaseof an AI model is critical forpost-deployment monitoring. When tracking forbias, the most important task is tocontinue disparity testingto determine whether outputs differ across protected groups.

From theAI Governance in Practice Report 2025:

“Performance monitoring protocols… should include mechanisms to assess and measure disparities in outcomes across different demographic groups.” (p. 12)

“Bias may not be evident during pre-deployment testing but can emerge in real-world use.” (p. 41)

B. Awareness trainingis helpful, but not a technical bias mitigation activity.

C. Analyzing training datais apre-deploymenttask.

D. Documenting human decisionsmay support auditability but doesn’t detect bias in AI outputs.

The White House Executive Order of November 2023 designates the National Institute of Standards and Technology (NIST) as the responsible body for creating guidelines to conduct red-teaming tests of AI systems. NIST is tasked with developing and providing standards and frameworks to ensure the security, reliability, and ethical deployment of AI systems, including conducting rigorous red-teaming exercises to identify vulnerabilities and assess risks in AI systems.

The correct answer is C because understanding algorithmic methodology is primarily a design, development, and model evaluation activity rather than part of a deactivation or sunset risk strategy. A deactivating risk strategy focuses on safely retiring or discontinuing an AI system, ensuring that operational, legal, and business risks are properly managed. This includes evaluating regulatory requirements such as data retention and deletion obligations, assessing business continuity and financial implications, and understanding dependencies with upstream and downstream systems to avoid disruption. These steps ensure a controlled and compliant system shutdown. In contrast, analyzing algorithmic methodology is relevant during system development, validation, and explainability efforts, not during the decommissioning phase of the AI lifecycle.

The correct answer is B because ISO/IEC 42005 emphasizes integrating AI risk management into existing enterprise risk management frameworks rather than creating siloed or duplicative processes. Effective AI governance requires embedding AI-specific risks into established governance structures such as risk registers, controls, and monitoring systems. This ensures consistency, scalability, and alignment with organizational risk practices. Options C and D introduce parallel or fragmented processes, which contradict the principle of integrated governance and may create inefficiencies or gaps. Option A focuses only on data collection and does not address governance integration. The AI Governance in Practice Report highlights that organizations should incorporate AI risks into broader enterprise risk management and maintain unified risk registers to ensure visibility, accountability, and coordinated mitigation across the organization.

Providing the loan applicants with information about the model capabilities and limitations would not directly support fairness testing by the compliance team. Fairness testing focuses on evaluating the model ' s decisions for biases and ensuring equitable treatment across different demographic groups, rather than informing applicants about the model.

The GDPR requires that individuals have the right to not be subject to decisions based solely on automated processing, including profiling, unless specific exceptions apply. One effective control is to establish a human-in-the-loop procedure (D), ensuring human oversight and the ability to contest decisions. This goes beyond just-in-time notices (A), data safeguarding (B), or review rights (C), providing a more robust mechanism to protect individuals ' rights.

The primary concern for a company adopting a policy prohibiting the use of generative AI is the risk of accidental disclosure of confidential and proprietary information. Generative AI tools can inadvertently leak sensitive data during the creation process or through data sharing. This risk outweighs the other reasons listed, as protecting sensitive information is critical to maintaining the company’s competitive edge and legal compliance. This rationale is discussed in the sections on risk management and data privacy in the IAPP AIGP Body of Knowledge.

The correct answer is Explainable Ai because it specifically refers to the ability of a system to describe the logic behind its decisions or output in a way that is understandable to humans. This is a key part of regulatory and ethical frameworks and is directly related to addressing the black-box problem in AI.

From the AIGP ILT Participant Guide (Module on Transparency and Explainability):

“Explainability refers to the understanding of how a black-box model works. The black-box problem exists because some models are too complex for human interpretation. Explainability methods aim to provide meaningful insight into the logic and decision-making of AI systems.”

Also, according to the AI Governance in Practice Report 2025:

“Explainability refers to the representation of the underlying mechanisms of the AI system’s operation... a key tenet of AI governance due to the desire to understand how AI systems are built, managed and maintained.”

Thus, while Trustworthy and Responsible AI are broader concepts,explainabilityspecifically targets the regulatory concern about understanding outputs.

===========

Training an AI model is time-consuming primarily due tomodel complexity,large data volumes, and the need forhigh-quality, well-prepared data.

From theAI Governance in Practice Report 2025:

“Most AI requires sizeable amounts of high-quality data… to ensure desired and accurate output.” (p. 15)

“The accuracy of AI model outputs depends significantly on the quality of their inputs.” (p. 24)

“Complex AI systems… with many parameters… result in long development and training phases.” (p. 32)

B. Maturity of governanceaffects oversight, not training time.

D. Number of stakeholdersaffects alignment, not direct training duration.

Offeringloan products based on current offerings and rulesrequires a system that can followexplicit business logic, not generate open-ended content. Anexpert system, which is a rules-based AI that uses “if-then” logic, is ideal here.

From the AI governance context:

“Rule-based AI systems are often preferred when decisions must adhere to precise regulatory or financial criteria.” (aligned with AI best practices in regulated sectors)

A. RAGis used to integrate external knowledge—not suitable for structured, rule-based logic.

B. Multimodal modelshandle varied input types—not needed here.

D. Quantum computingis not yet practical or relevant for this business use case.

In the design phase of integrating data from different sources, identifying fits and gaps is crucial. This process involves understanding how well the data from the clinical research partner aligns with the healthcare network ' s existing data. It ensures that the combined data set is coherent and can be effectively used for training the AI algorithm. This step helps in spotting any discrepancies, inconsistencies, or missing data that might affect the performance and accuracy of the AI model. It directly addresses the integrity and compatibility of the data, which is foundational before applying any privacy-enhancing technologies, labeling, or evaluating the origin of the data. Reference: AIGP Body of Knowledge on Data Integration and Quality.

The correct answers are A, C, and E because they reflect the shared but distinct responsibilities between AI developers and deployers in governance frameworks. Developers are responsible for designing systems that minimize bias and ensuring fairness during development. They are also required to provide clear documentation, including instructions for use, system capabilities, and limitations, to support transparency and proper operation. Deployers, on the other hand, are responsible for overseeing the system once it is in use, including continuous monitoring, auditing, and ensuring it performs as intended in real-world conditions. Option B is incorrect because liability is typically shared and depends on roles and context, not solely on developers. Option D is incorrect because independent bias assessments are not always strictly required of deployers before release.

The correct answer isB. AllowingPIIto be freely entered into prompts without safeguards is considered amajor privacy and security riskand is not a responsible governance practice.

From the AIGP ILT Guide – Generative AI & Third-Party Risk Management:

“Use of personal or sensitive information in AI prompts can result in unintended exposure, regulatory breaches, and downstream liability.”

The AI Governance in Practice Report 2025 highlights:

“PII should be minimized or protected by design. Prompt engineering should prevent entry of personally identifiable data unless legally and technically safeguarded.”

A, C, and D are established best practices under responsible AI procurement and use.

===========

The correct answer isA. While location of processors may have implications (such as for data transfers under GDPR), there is no absolute requirement that third-party processors be based in the same country.

From the AI Governance in Practice Report 2025 and ILT Guide:

“Data controllers are responsible for ensuring that third-party processors have adequate protections, but not necessarily that they reside in the same jurisdiction. What is required is legal safeguards (e.g., SCCs) for international transfers, not same-country location.”

In contrast, DPIAs, DSARs, and implementation of technical/organizational safeguards are explicitly required under GDPR and responsible AI frameworks.

===========

Under the EU regulations, particularly the GDPR, banks using AI for decision-making must inform users about the use of AI and provide mechanisms for users to contest decisions. This is part of ensuring transparency and accountability in automated processing. Explicit consent under the privacy directive (A) and disclosing under the Digital Services Act (B) are not specifically required in this context. An adequacy decision is related to data transfers outside the EU (C).

The correct answer is A because developing a social media presence typically does not require AI and can be effectively achieved through traditional digital marketing strategies, content planning, and manual engagement. AI governance principles emphasize that organizations should first determine whether AI is necessary or proportionate to the problem being solved. Using AI where simpler, deterministic, or human-driven solutions suffice can introduce unnecessary complexity, cost, and risk. In contrast, options B, C, and D involve tasks such as campaign optimization, personalization, and automation, which benefit significantly from AI capabilities like pattern recognition, predictive analytics, and natural language processing. Responsible AI governance encourages a “fit-for-purpose” approach, ensuring AI is only deployed when it provides clear added value over non-AI alternatives.

The correct answer isD – Privacy impact assessments (PIAs). These aredirectly adaptablefor identifying risks in AI systems, particularly around data usage, bias, and individual impacts.

From the AIGP ILT Guide – Risk Management Module:

“PIAs and DPIAs are existing tools used in privacy compliance that can be extended to evaluate the risks of AI, including fairness, explainability, and legality.”

AI Governance in Practice Report 2025 further explains:

“Organizations can adapt privacy impact assessments to evaluate the ethical, legal, and technical risks posed by AI systems. They provide a structured and recognized method.”

PIAs are preferable over general security practices (like pen testing) which do not address algorithmic bias or legal compliance directly.

===========

The potential negative consequences of using an AI tool in hiring include reputational harm (A), civil rights violations (B), and discriminatory treatment (C). These issues stem from biases in the AI system or its misuse, which can lead to unfair hiring practices and legal liabilities. Intellectual property infringement (D) is not a typical consequence of using AI in hiring, as it relates to the unauthorized use of protected intellectual property, which is not directly relevant to the hiring process or the potential biases within AI tools​​​​.

In the machine learning context, feature engineering is the process of extracting attributes and variables from raw data to make it suitable for training an AI model. This step is crucial as it transforms raw data into meaningful features that can improve the model ' s accuracy and performance. Feature engineering involves selecting, modifying, and creating new features that help the model learn more effectively. Reference: AIGP Body of Knowledge on AI Model Development and Feature Engineering.

The IEEE 7000-2021 Standard focuses on a value-based engineering methodology for addressing ethical concerns during system design. This standard guides engineers and organizations in integrating ethical considerations into the design and development processes of AI systems, ensuring that these technologies are developed responsibly and align with human values. Reference: AIGP Study Material, section on risk management frameworks and standards.

To protect the company ' s intellectual property, the most pertinent contractual provision is ensuring that the AI provider will defend and indemnify the company against infringement claims. This clause means the provider will take responsibility for any intellectual property disputes that arise, thereby safeguarding the company from potential legal and financial repercussions related to the use of the tool. Other options, while beneficial, do not directly address the protection of intellectual property. This concept is detailed in the contractual best practices section of the IAPP AIGP Body of Knowledge.

The correct answer is A because the most immediate governance step when a significant AI issue is identified is to formally log the incident within the organization’s incident management system. AI governance frameworks emphasize structured incident response processes to ensure issues are properly documented, tracked, escalated, and addressed in a controlled manner. Logging the incident triggers established workflows, including investigation, stakeholder notification, and remediation planning. While notifying stakeholders, auditing the system, or retraining the model are important follow-up actions, they should occur after the issue is formally recorded and managed through governance channels. This ensures accountability, traceability, and consistent handling of risks, particularly in cases involving bias and potential discrimination.

A greedy algorithm is one that makes the best choice at each step to achieve an immediate objective, without considering the longer-term consequences. It focuses on local optimization at each decision point with the hope that these local solutions will lead to an optimal global solution. However, greedy algorithms do not always produce the best overall solution for certain problems, but they are useful when an immediate, locally optimal solution is desired. Reference: AIGP Body of Knowledge, algorithm types section.

After completing model testing and validation, the most important step prior to deploying the model into production is to perform a readiness assessment. This assessment ensures that the model is fully prepared for deployment, addressing any potential issues related to infrastructure, performance, security, and compliance. It verifies that the model meets all necessary criteria for a successful launch. Other steps, such as defining a model-validation methodology, documenting maintenance teams and processes, and identifying known edge cases, are also important but come secondary to confirming overall readiness. Reference: AIGP Body of Knowledge on Deployment Readiness.

According to the Canadian Artificial Intelligence and Data Act, high-impact AI systems must notify the Minister of Innovation, Science and Industry upon initial deployment. This requirement ensures that the authorities are aware of the deployment of significant AI systems and can monitor their impacts and compliance with regulatory standards from the outset. This initial notification is crucial for maintaining oversight and ensuring the responsible use of AI technologies. Reference: AIGP Body of Knowledge, domain on AI laws and standards.

An AI system that maintains its level of performance within defined acceptable limits despite real-world or adversarial conditions is described as resilient. Resilience in AI refers to the system ' s ability to withstand and recover from unexpected challenges, such as cyber-attacks, hardware failures, or unusual input data. This characteristic ensures that the AI system can continue to function effectively and reliably in various conditions, maintaining performance and integrity. Robustness, on the other hand, focuses on the system ' s strength against errors, while reliability ensures consistent performance over time. Resilience combines these aspects with the capacity to adapt and recover.

The EU AI Act explicitly prohibits the use of AI systems for social scoring by public authorities, as it can lead to discrimination and unfair treatment of individuals based on their social behavior or perceived trustworthiness. While AI can be used to promote equitable distribution of welfare benefits, manage border control, and even detect an individual ' s intent for law enforcement purposes (within strict regulatory and ethical boundaries), implementing social scoring systems is not permissible under the Act due to the significant risks to fundamental rights and freedoms.

The most challenging aspect of managing a data access request in this scenario is dealing with unstructured data that cannot be easily disentangled from other data, including information about other individuals. Unstructured data, such as free-text inputs or social media posts, often lacks a clear structure and may be intermingled with data from multiple individuals, making it difficult to isolate the specific data related to the requester. This complexity poses significant challenges in complying with data access requests under privacy laws. Reference: AIGP Body of Knowledge on Data Subject Rights and Data Management.

The correct answer is C because performing an impact assessment is the most effective proactive measure to identify and mitigate discrimination risks before model training and testing. AI governance frameworks emphasize early-stage risk identification, particularly for high-stakes domains like healthcare, where bias can lead to harmful or inequitable outcomes. Impact assessments, such as algorithmic or data protection impact assessments, evaluate potential harms, affected populations, and fairness risks prior to development. This enables organizations to design appropriate safeguards, adjust data selection, and implement mitigation strategies before biases become embedded in the model. Options like audits and bias bounty programs are reactive or post-development controls, while simply acquiring more data does not guarantee reduced bias without proper analysis. A structured impact assessment aligns with risk-based governance and supports fairness, accountability, and regulatory compliance.

Before offering an AI solution in the EU market, a Canadian company must take several steps to comply with the EU AI Act. These steps include establishing a risk and quality management system (B), engaging a third-party auditor to perform a bias audit (C), and drawing up technical documentation and instructions for use (D). However, there is no requirement to register the AI solution in a public EU database (A). This registration step is not specified as part of the compliance requirements under the EU AI Act for such solutions​​​​.

The EU AI Act outlines what must be included intechnical documentationfor high-risk systems. These requirements are designed to supportconformity assessment, transparency, and traceability.

From theAI Governance in Practice Report 2025:

“It mandates drawing up technical documentation… must include a general description of the AI system, the intended purpose, and a detailed description of the elements and development process.” (p. 34)

“Documentation… includes training, testing, evaluation procedures, andappropriateness of performance metrics.” (p. 34–35)

Therisk management systemis addressed separately through arisk management plan, not within the technical documentation itself.

Thus:

A, C, and Dare explicitly required in thetechnical documentation.

B, while important, is part of therisk management process, not a required section oftechnical documentation.

Minimizing human involvement to the extent practicable is not a best practice during the testing of an ML model. Human oversight is crucial during testing to ensure that the model performs correctly and ethically, and to interpret any anomalies or issues that arise. Best practices include using representative test data, anonymizing data to the extent practicable, and performing testing specific to the intended uses of the model. Reference: AIGP Body of Knowledge on AI Model Testing and Human Oversight.

The primary reason the EU is considering updates to its Product Liability Directive is to address digital services and connected products. The current directive does not adequately cover the complexities and challenges posed by modern digital and connected technologies. By updating the directive, the EU aims to ensure that it remains relevant and effective in addressing the liabilities associated with these advanced products, ensuring consumer protection and fair market practices in the digital age.

Developing a social media presence for a non-profit is best served by non-AI solutions. This task primarily involves content creation, community engagement, and strategic planning, which are effectively managed by human expertise and traditional marketing tools. AI is more suitable for tasks requiring automation, large-scale data analysis, and personalized recommendations, such as e-commerce personalization, forecasting cost overruns, or automating customer service responses. Reference: AIGP Body of Knowledge on AI Use Cases and Applications.

The White House Blueprint for an AI Bill of Rights focuses on protecting civil rights, privacy, and ensuring AI systems are safe and effective. It includes principles like data privacy (D), human alternatives (A), and safe and effective systems (C). However, it does not specifically address high-risk mitigation standards as a distinct category (B).

The third-party consultant asked each vendor for information about the diversity of their datasets to assist in ensuring the fairness of the AI system. Diverse datasets help prevent biases and ensure that the AI system performs equitably across different demographic groups. This is crucial for a law enforcement application, where fairness and avoiding discriminatory practices are of paramount importance. Ensuring diversity in training data helps in building a more just and unbiased AI system. Reference: AIGP Body of Knowledge on Ethical AI and Fairness.

In the selection and implementation of the AI hiring tool, involving Finance and Legal is crucial. The Finance team is essential for assessing cost implications, budget considerations, and financial risks. The Legal team is necessary to ensure compliance with applicable laws and regulations, including those related to data privacy, employment, and anti-discrimination. Involving these stakeholders ensures a comprehensive evaluation of both the financial viability and legal compliance of the AI tool, mitigating potential risks and aligning with organizational objectives and regulatory requirements.

The correct answer isB – The tech company. The party thatdevelops and trains the foundational modelis responsible for ensuring thelawful collection of training data.

From the AIGP ILT Guide – Foundational Models & Data Governance:

“Responsibility for the lawfulness of data collection typically lies with the party that trains the model—usually the provider or developer of the foundational model.”

AI Governance in Practice Report 2025 confirms:

“General Purpose AI providers are required to ensure that training data is lawfully acquired, including compliance with intellectual property and privacy requirements.”

The marketing agency is only auserordownstream integrator, not responsible for original data collection.

Supervised learning is a subcategory of AI and machine learning where labeled datasets are used to train algorithms. This process involves feeding the algorithm a dataset where the input-output pairs are known, allowing the algorithm to learn and make predictions or decisions based on new, unseen data. Reference: AIGP BODY OF KNOWLEDGE, which describes supervised learning as a model trained on labeled data (e.g., text recognition, detecting spam in emails)​​.

Defining the roles and responsibilities of AI stakeholders is crucial for encouraging accountability over AI systems. Clear delineation of who is responsible for different aspects of the AI lifecycle ensures that there is a person or team accountable for monitoring, maintaining, and addressing issues that arise. This accountability framework helps in ensuring that ethical standards and regulatory requirements are met, and it facilitates transparency and traceability in AI operations. By assigning specific roles, organizations can better manage and mitigate risks associated with AI deployment and use.

The correct answer isB. The EU AI Act assigns atiered penalty systembased on the severity of the violation. A breach ofobligations related to high-risk AI systemsfalls into the mid-tier category, triggering fines of €15 million or 3% of annual global turnover.

From the AIGP ILT Guide – EU AI Act Module:

“Providers of high-risk AI systems must comply with strict documentation, testing, monitoring, and registration obligations. Breaches of these result in significant fines of up to €15 million or 3% of turnover.”

AI Governance in Practice Report 2025 supports this:

“Non-compliance with obligations under Title III (high-risk systems) leads to financial penalties under Article 71(3) of the EU AI Act.”

Note: Thehighest penalty (€35 million or 7%)applies toprohibited AI uses, not to obligations for high-risk systems.

===========

The correct answer is A because having a well-defined incident management process enables organizations to respond quickly and effectively when AI-related issues arise. AI governance frameworks emphasize incident management plans as a key component of operational governance, ensuring that risks such as system failures, harmful outputs, or security breaches are promptly identified, escalated, and resolved. A structured process reduces delays by clearly defining roles, responsibilities, and response procedures, thereby minimizing potential harm and operational disruption. While incident processes may also indirectly support compliance and reduce the impact of failures, their primary benefit is improving responsiveness and coordination. Efficient response times are critical in maintaining trust, ensuring safety, and limiting negative consequences in real-world AI deployments.

The common types of machine learning include supervised learning, unsupervised learning, reinforcement learning, and deep learning. Cognitive learning is not a type of machine learning; rather, it is a term often associated with the broader field of cognitive science and psychology. Reference: AIGP BODY OF KNOWLEDGE and standard AI/ML literature.

According to the GDPR, individuals have the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them. However, there are exceptions to this right, one of which is when the decision is based on the data subject ' s explicit consent. This means that if an individual explicitly consents to the automated decision-making process, there is no requirement for human intervention to confirm or replace the decision. This exception ensures that individuals can have control over automated decisions that affect them, provided they have given clear and informed consent.

The highest concern for individual teachers using generative AI to ensure students learn the course material is model accuracy. Ensuring that the AI-generated content is accurate and relevant to the curriculum is crucial for effective learning. If the AI model produces inaccurate or irrelevant content, it can mislead students and hinder their understanding of the subject matter.

Testing results need to bedocumented thoroughlyto ensuretraceability, accountability, and compliance. This is central to enabling audits, investigations, or regulatory inquiries into the system’s development and performance.

From theAI Governance in Practice Report 2025:

“Documentation and recordkeeping are essential components… to demonstrate AI system compliance, trace system behavior, and support audits and conformity assessments.” (p. 34–35)

“Maintaining audit trails across development and deployment enables transparency and accountability.” (p. 12)

AandBare benefits, but not theprimary governance justification.

D– Limiting future testing is not a recommended goal.

The correct answer isB – Procedural. TheOECD Framework for Classifying AI Systemscategorizescodes of conduct and collective agreementsasprocedural toolsbecause they guide internal governance and decision-making processes.

From the AIGP ILT Participant Guide – Global Governance Models:

“Procedural tools include internal codes of conduct, collective agreements, and procedural audits that guide governance without necessarily involving technical measurement.”

AI Governance in Practice Report 2025 elaborates:

“These procedural tools support internal accountability mechanisms and ethics compliance frameworks… they are part of soft governance.”

These toolsdo not measure or analyze technical performance, hence they arenot technical or analytic.

===========

Machine learning (ML) is a subset of artificial intelligence (AI) where systems use data to learn and improve over time without being explicitly programmed. Option B accurately describes machine learning by stating that systems can automatically improve from experience through predictive patterns. This aligns with the fundamental concept of ML where algorithms analyze data, recognize patterns, and make decisions with minimal human intervention. Reference: AIGP BODY OF KNOWLEDGE, which covers the basics of AI and machine learning concepts.

Training underwriters on the model prior to deployment is crucial so they can apply their own judgment to the initial assessment. While AI models can streamline the process, human judgment is still essential to catch nuances that the model might miss or to account for any biases or errors in the model ' s decision-making process.