Exam AAIR Topic 1 Question 69 Discussion
Actual exam question for ISACA's AAIR exam
Question #: 69
Topic #: 1
An organization has deployed an AI system to automate critical data analysis functions. Which of the following is the MOST appropriate way for the risk practitioner to assess the multiple sources of risk associated with this situation?
Suggested Answer: A
When multiple risk sources are present in a critical AI deployment, the risk practitioner must apply a prioritization framework that focuses resources on the risks with the greatest potential for organizational harm. This risk-based prioritization is more effective than comprehensive but undifferentiated risk cataloging.
Why A is Correct: The ISACA AAIR risk assessment methodology prioritizes risk factors based on potential harm severity as the most appropriate approach for critical AI systems. Focusing on risks most likely to generate substantial harm ensures that the organization's risk management resources are directed toward the exposures that matter most: protecting the critical functions that the AI system supports and preventing the most consequential adverse outcomes.
Why B is Wrong: Quantifying competitors' risk events provides external benchmarking data but cannot accurately characterize the organization's specific risk profile. Competitor risk events may involve different AI architectures, use cases, and organizational contexts that make direct comparison unreliable.
Why C is Wrong: Rating each risk factor independently without integration produces a fragmented view that misses risk correlations, cascade effects, and the compounding nature of multiple simultaneous risk factors.
Independent ratings also do not inherently lead to the harm-based prioritization needed for critical systems.
Why D is Wrong: Documenting technical limitations is a useful input to risk identification but represents a technical inventory activity rather than a comprehensive risk assessment methodology. Technical limitations are one category of risk factor among many; operational, governance, data quality, and third-party risks also require assessment.
by Arlene at Jun 19, 2026, 01:17 PM