AIGP Artificial Intelligence Governance Professional Questions and Answers

The correct answer is A because of the fundamental bias-variance tradeoff in machine learning. When model complexity is reduced, the model becomes simpler and less flexible, which decreases variance because it is less sensitive to fluctuations in the training data. However, this simplification comes at the cost of increased bias, meaning the model may oversimplify relationships and fail to capture underlying patterns accurately. This tradeoff is a core concept in AI fundamentals and directly impacts model per formance, reliability, and governance decisions. From an AI governance perspective, understanding this balance is critical when evaluating model risk, as high bias can lead to systematic errors and fairness issues, while high variance can result in instability and unpredictability in outputs. Proper model tuning aims to balance both for optimal and responsible performance.

Third-party risk management for AI systems should beproportional and risk-based, involvinginitial due diligenceandongoing monitoringthat reflects thelevel of risk posedby the third party ' s AI system.

From theAI Governance in Practice Report 2025:

“Third-party due diligence assessments to identify possible external risk and inform selection.” (p. 11)

“Legal due diligence may include verification of the personal data ' s lawful collection by the data broker, review of contractual obligations…” (p. 19)

Afocuses too narrowly on financial stability.

Cis excessive and not scalable or aligned with best practices.

Dinappropriately separates ethical and technical risks; both must be evaluated holistically.

The NIST AI Risk Management Framework’s Govern function emphasizes the importance of establishing accountability structures that empower and train cross-functional teams. This is crucial because cross-functional teams bring diverse perspectives and expertise, which are essential for effective AI governance and risk management. Training these teams ensures that they are well-equipped to handle their responsibilities and can make informed decisions that align with the organization’s AI principles and ethical standards. Reference: NIST AI Risk Management Framework documentation, Govern function section.

The most comprehensive way to identify a full range of risks — legal, ethical, operational, and societal — for a new AI model is through aformal impact assessment, such as aData Protection Impact Assessment (DPIA)orAlgorithmic Impact Assessment.

From theAI Governance in Practice Report 2025:

“Risk-based approaches are often distilled into organizational risk management efforts, which put impact assessments at the heart of deciding whether harm can be reduced.” (p. 29)

“DPIAs… help organizations identify, analyze and minimize data-related risks and demonstrate accountability.” (p. 30)

A. Environmental scanis too general.

B. Red teamingis useful for adversarial risk but not broad.

C. Integration testingfocuses on technical/system compatibility, not overall risk.

The correct answer is C because simply publishing a general AI policy or code of conduct does not satisfy specific transparency obligations required by AI regulations. Transparency requirements focus on providing clear, context-specific disclosures to affected individuals about how AI is being used, particularly when it directly impacts them. For example, notifying users when they are interacting with an AI system or labeling AI-generated content are explicit transparency measures aligned with regulatory expectations. The AI Governance in Practice Report highlights that transparency includes informing users when they interact with AI systems and providing meaningful information about outputs and system behavior . Model cards and labels support system-level and output-level transparency, while real-time notices ensure user awareness. In contrast, a general policy link lacks immediacy, specificity, and user relevance, making it insufficient for mandatory transparency compliance.

TheEU AI Actapplies extraterritorially, meaning it affects entitiesoutside the EUwhen their AI systemsimpact individuals within the EU. However, it doesnotapply to systems that are developed, sold, or usedentirely outside of the EU—such as in theUK, unless they affect the EU market or individuals.

From theAI Governance in Practice Report 2025:

“The act imposes regulatory obligations… depending on their capabilities, reach and computing power, certain GPAI systems are considered to present systemic risk and attract broadly similar obligations to those applicable to high-risk AI systems.” (p. 7)

“The EU AI Act is the world’s first comprehensive AI regulation… requirements apply to providers, deployers, importers, and distributors of AI systems when such systems are placed on the EU market.” (p. 7–8)

Thus:

A. Open source releasedoes not exclude applicability if deployed in the EU.

B. Deployment at an EU borderclearly invokes jurisdiction.

D. Training by an EU companycreates jurisdictional links.

C. Deployment only at UK checkpoints, withno EU use or impact, isoutside scope.

During the first month of monitoring the model for bias, it is most important to continue disparity testing. Disparity testing involves regularly evaluating the model ' s decisions to identify and address any biases, ensuring that the model operates fairly across different demographic groups.

Developing a social media presence for a non-profit is best served by non-AI solutions. This task primarily involves content creation, community engagement, and strategic planning, which are effectively managed by human expertise and traditional marketing tools. AI is more suitable for tasks requiring automation, large-scale data analysis, and personalized recommendations, such as e-commerce personalization, forecasting cost overruns, or automating customer service responses. Reference: AIGP Body of Knowledge on AI Use Cases and Applications.

The correct answer is C because understanding algorithmic methodology is primarily a design, development, and model evaluation activity rather than part of a deactivation or sunset risk strategy. A deactivating risk strategy focuses on safely retiring or discontinuing an AI system, ensuring that operational, legal, and business risks are properly managed. This includes evaluating regulatory requirements such as data retention and deletion obligations, assessing business continuity and financial implications, and understanding dependencies with upstream and downstream systems to avoid disruption. These steps ensure a controlled and compliant system shutdown. In contrast, analyzing algorithmic methodology is relevant during system development, validation, and explainability efforts, not during the decommissioning phase of the AI lifecycle.

Anonymization is a privacy-enhancing technique that involves removing or permanently altering personal data elements to prevent the identification of individuals. In this case, the company obfuscated all personal data elements before training the model, which aligns with the definition of anonymization. This ensures that the data cannot be traced back to individuals, thereby protecting their privacy while still allowing the company to derive value from the dataset. Reference: AIGP Body of Knowledge, privacy-enhancing techniques section.

The highest concern for individual teachers using generative AI to ensure students learn the course material is model accuracy. Ensuring that the AI-generated content is accurate and relevant to the curriculum is crucial for effective learning. If the AI model produces inaccurate or irrelevant content, it can mislead students and hinder their understanding of the subject matter.

The correct answer is D because conformity requirements are primarily intended to ensure that AI systems meet applicable legal, regulatory, and safety standards before deployment. AI governance frameworks, including the EU AI Act and international standards, require conformity assessments to verify that systems are safe, reliable, and compliant with risk management, documentation, and performance obligations. These assessments help identify and mitigate risks prior to market release, particularly for high-risk AI systems that may impact individuals’ rights, health, or safety. Conformity ensures accountability, transparency, and trustworthiness, which are central principles of responsible AI governance. The other options relate to usability or technical considerations, but they do not address the pri mary purpose of conformity assessments, which is regulatory compliance and risk mitigation prior to deployment.

The White House Executive Order from November 2023 requires companies developing dual-use foundation models to report on their current training or development activities, the results of red-team testing, and the physical and cybersecurity protection measures. However, it does not mandate reports on environmental impact studies for each dual-use foundation model. While environmental considerations are important, they are not specified in this context as a reporting requirement under this Executive Order.

If it is possible to provide a rationale for a specific output of an AI system, that system can best be described as explainable. Explainability in AI refers to the ability to interpret and understand the decision-making process of the AI system. This involves being able to articulate the factors and logic that led to a particular output or decision. Explainability is critical for building trust, enabling users to understand and validate the AI system ' s actions, and ensuring compliance with ethical and regulatory standards. It also facilitates debugging and improving the system by providing insights into its behavior.

In the selection and implementation of the AI hiring tool, involving Finance and Legal is crucial. The Finance team is essential for assessing cost implications, budget considerations, and financial risks. The Legal team is necessary to ensure compliance with applicable laws and regulations, including those related to data privacy, employment, and anti-discrimination. Involving these stakeholders ensures a comprehensive evaluation of both the financial viability and legal compliance of the AI tool, mitigating potential risks and aligning with organizational objectives and regulatory requirements.

Performing an impact assessment is the best step to mitigate the possibility of discrimination before training and testing the AI solution. An impact assessment, such as a Data Protection Impact Assessment (DPIA) or Algorithmic Impact Assessment (AIA), helps identify potential biases and discriminatory outcomes that could arise from the AI system. This process involves evaluating the data and the algorithm for fairness, accountability, and transparency. It ensures that any biases in the data are detected and addressed, thus preventing discriminatory practices and promoting ethical AI deployment. Reference: AIGP Body of Knowledge on Ethical AI and Impact Assessments.

Deployers of proprietary models arenot responsible for design, but they are accountable for how the system performsin their context of use, including ensuring ethical behavior, performance, and legal compliance.

From theAI Governance in Practice Report 2025:

“Deployers of AI systems must take reasonable steps to ensure that systems are used ethically, perform safely, and align with applicable laws and standards.” (p. 11–12)

“Operational governance… includes performance monitoring protocols, incident management plans, and regulatory oversight.” (p. 12)

Thus:

✅A. Ethical testing– Required to mitigate misuse and unintended harms.

❌B. Ethical design– Belongs todevelopers/providers, not deployers.

✅C. Technical performance– Deployers must ensure that AI performs as expected.

❌D. System documentation– This is theprovider’sobligation.

✅E. Regulatory compliance– Deployers must ensure system use complies with applicable laws.

To maintain fairness in a deployed system, it is crucial to monitor for data drift that may affect performance and accuracy. Data drift occurs when the statistical properties of the input data change over time, which can lead to a decline in model performance. Continuous monitoring and updating of the model with new data ensure that it remains fair and accurate, adapting to any changes in the data distribution. Reference: AIGP Body of Knowledge on Post-Deployment Monitoring and Model Maintenance.

Under the EU AI Act, organizations that develop and deploy high-risk AI systems are required to provide several key disclosures to ensure transparency and accountability. These include the human oversight measures employed, how individuals can contest decisions made by the AI system, and informing individuals that an AI system is being used. However, there is no specific requirement to disclose the exact locations where data is stored. The focus of the Act is on the transparency of the AI system ' s operation and its impact on individuals, rather than on the technical details of data storage locations.

Risk impact estimation occurs in the design phase of the AI life cycle. This step involves evaluatingpotential risks associated with the AI system and estimating their impacts to ensure that appropriate mitigation strategies are in place. It helps in identifying and addressing potential issues early in the design process, ensuring the development of a robust and reliable AI system. Reference: AIGP Body of Knowledge on AI Design and Risk Management.

In selecting the specific type of algorithm for the AI solution, the healthcare network ' s data science team is most important. This team possesses the technical expertise and understanding of the data, the clinical context, and the performance requirements needed to make an informed decision about which algorithm is most suitable. While the cloud provider and consulting firm can offer support and infrastructure, and the AI governance committee provides oversight, the data science team’s specialized knowledge is crucial for selecting and implementing the appropriate algorithm. Reference: AIGP Body of Knowledge, AI governance and team roles section.

Machine learning (ML) is a subset of artificial intelligence (AI) where systems use data to learn and improve over time without being explicitly programmed. Option B accurately describes machine learning by stating that systems can automatically improve from experience through predictive patterns. This aligns with the fundamental concept of ML where algorithms analyze data, recognize patterns, and make decisions with minimal human intervention. Reference: AIGP BODY OF KNOWLEDGE, which covers the basics of AI and machine learning concepts.

The NIST AI Risk Management Framework outlines several characteristics of trustworthy AI, including being secure and resilient, explainable and interpretable, and accountable and transparent. While being tested and effective is important, it is not explicitly listed as a characteristic of trustworthy AI in the NIST framework. The focus is more on the system ' s ability to function safely, securely, and transparently in a way that stakeholders can understand and trust. Reference: AIGP Body of Knowledge, NIST AI RMF section.

The planning phase of the AI life cycle typically includes defining the objective of the model, choosing the appropriate architecture, and understanding the context in which the model will operate. However, the approach to governance is usually established as part of the overall AI governance framework, not specifically within the planning phase. Governance encompasses broader organizational policies and procedures that ensure AI development and deployment align with legal, ethical, and operational standards. Reference: AIGP Body of Knowledge, AI lifecycle planning phase section.

Training underwriters on the model prior to deployment is crucial so they can apply their own judgment to the initial assessment. While AI models can streamline the process, human judgment is still essential to catch nuances that the model might miss or to account for any biases or errors in the model ' s decision-making process.

The correct answer isD. Forming adedicated governance committeeensures continuous oversight, role clarity, and accountability throughout the AI lifecycle.

From the AIGP ILT Guide – Governance Structures:

“Organizations using AI in high-impact scenarios should establish a governance body responsible for oversight of risk, compliance, and ethical alignment.”

Also reflected in AI Governance in Practice Report 2025:

“Committees support cross-functional decision-making, provide guidance for updates, and maintain accountability. This is especially critical for high-stakes applications like marketing to diverse audiences.”

Options A, B, and C are valid supplementary actions, butDoffers a long-term and systematic governance mechanism.

The correct answer is D because one of the most significant risks associated with generative AI is the potential leakage of sensitive, confidential, or proprietary information. AI governance frameworks emphasize data protection, confidentiality, and secure data handling as critical organizational responsibilities. When employees input sensitive data into generative AI tools, especially external or third-party systems, that information may be stored, reused, or exposed unintentionally. This creates legal, regulatory, and reputational risks. As a result, organizations may restrict or prohibit generative AI use to prevent unauthorized data disclosure. The other options relate to operational or business considerations, which are not primary governance drivers. Protecting sensitive information aligns with core AI governance principles such as privacy, security, and risk mitigation, making it the strongest justification for such a policy.

The correct answer isD. AI Impact Assessments are primarily used to identify and managerisks and harmsassociated with AI systems.

From the AIGP Body of Knowledge:

“The goal of an AI impact assessment is to ensure that risks are identified, evaluated, and mitigated prior to or during development and deployment.”

As further confirmed in the AI Governance in Practice Report 2025 (Part III):

“Risk-based tools like DPIAs and Algorithmic Impact Assessments help identify potential risks to individuals and society, enabling organizations to implement mitigation plans and safeguards.”

While benefits may be noted in such assessments, thecore objectiveis to manage risks andpromote responsible AI.

===========

The correct answer is C. This option concerns consent, which is generally a privacy, transparency, or institutional governance issue rather than a copyright issue. Copyright risk in AI governance usually relates to whether protected third party works were used in model training, whether generated outputs may reproduce copyrighted expression, and whether content is created without proper attribution or clear ownership boundaries. That makes options A, B, and D directly relevant to copyright and intellectual property concerns. In contrast, whether students must expressly consent deals with notice, fairness, and lawful or ethical use in an educational environment. For AIGP exam purposes, it is important to separate intellectual property risks from privacy and data protection obligations, even when both appear in the same classroom or organizational AI use case.

The IEEE 7000-2021 Standard focuses on a value-based engineering methodology for addressing ethical concerns during system design. This standard guides engineers and organizations in integrating ethical considerations into the design and development processes of AI systems, ensuring that these technologies are developed responsibly and align with human values. Reference: AIGP Study Material, section on risk management frameworks and standards.

Deploying a challenger AI model alongside a champion model is a strategy used to compare the performance of different models in a real-world environment. This approach helps in providing a framework to consider alternatives to the champion model, automating real-time monitoring of the champion model, and performing testing on the champion model. However, retraining the champion model is not a reason to deploy a challenger model. Retraining is a separate process that involves updating the champion model with new data or techniques, which is not related to the use of a challenger model.

The correct answer is C because differential privacy is specifically designed to ensure that the inclusion or exclusion of any single data point does not significantly affect the output of a model. This provides strong mathematical guarantees that individual training data cannot be reverse-engineered or identified from model outputs. Differential privacy works by introducing controlled noise into the data or model outputs, thereby protecting individual-level information while preserving overall statistical patterns. In AI governance, it is widely recognized as a key privacy-enhancing technology for mitigating risks such as data leakage, membership inference attacks, and re-identification. Other options, such as homomorphic encryption, focus on secure computation, while data sharding and compartmentalization address data management but do not provide formal privacy guarantees at the model output level.

Business A is integrating a generative AI model licensed from a third party (Business B) and is primarily concerned with the risk of toxic or obscene outputs being delivered to users. In this scenario,testing and validationof the AI model for such content risks is the most direct and effective governance strategy.

According to theAI Governance in Practice Report 2025, organizations thatdeployAI must engage inperformance monitoring protocolsand ensure systems perform adequately for theirintended purposes, including filtering harmful content:

“Operational governance… development of: →Performance monitoring protocols to ensure systems perform adequately for their intended purposes.” (p. 12)

“Product governance... includes: →System impact assessments to identify and address risk prior to product development or deployment.” (p. 11)

Furthermore, under theEU AI Act, which sets the global standard many organizations aim to align with, there is a clear obligation to test and monitor systems for potential harmful behavior:

“The act imposes regulatory obligations… such as establishing appropriate accountability structures,assessing system impact, providing technical documentation,establishing risk management protocols and monitoring performance...” (p. 7)

Option B directly reflects this best practice ofpre-deployment testing and validationto ensure that the model aligns with Business A’s minimum content safety requirements.

Let’s now evaluate the incorrect options:

A. Fine-tuning on verified user-generated textmay improve model alignment but does not guarantee that the model will generalize correctly, especially if Business A lacks access to model internals (common in third-party licensing scenarios). Fine-tuning also introduces its own risks and may be contractually restricted.

C. A user reporting featureisreactive, not preventive. While helpful for long-term monitoring and mitigation, it does not prevent the initial harm of toxic outputs, which isBusiness A ' s primary concern.

D. Requesting documentation from Business Bis useful for transparency and risk management, but it does not replaceindependent verificationthat the model meets Business A’s content safety standards.

Thus,testing the model ' s behavior for unacceptable outputs before deploymentis the most aligned approach with AI governance best practices and obligations.

The correct answer isD. While modernization through software may support efficiency, it isnot a foundational or essential componentof designing an integrated strategy.

From the AI Governance in Practice Report 2025:

“Integrated strategies rely on senior management support, ethical reviews, and stakeholder engagement... The use of tools and platforms may come later as an operational enhancement.”

Also confirmed in AIGP Body of Knowledge:

“Key components of a governance framework include leadership buy-in, ethical analysis, and stakeholder input. Tools are supporting elements—not strategic drivers.”

===========

Retraining an LLM (Large Language Model) is primarily done to improve or maintain its performance as data changes over time, to fine-tune it for specific use cases, and to incorporate new data interpretations to enhance accuracy and relevance. However, ensuring interpretability of the model ' s predictions is not typically a reason for retraining. Interpretability relates to how easily the outputs of the model can be understood and explained, which is generally addressed through different techniques or methods rather than through the retraining process itself. References to this can be found in the IAPP AIGP Body of Knowledge discussing model retraining and interpretability as separate concepts.

Private LLMs offer advantages likecustomizability,reduced hallucination,confidentiality, andalignment with enterprise-specific tasks, but theydo not inherently reduce the time or effortneeded fordata validation or verification— which remains an essential step regardless of model privacy.

From the AI risk and quality sections:

“Ensuring the quality of the data… is highly contextual and must be validated regardless of the model’s deployment environment.” (p. 17)

B, C, Dare legitimate benefits of private LLMs.

Ais incorrect — validation still requires time and resources.

The correct answer is B because continuous monitoring is a core component of AI governance that ensures systems remain effective, reliable, and aligned with their intended objectives over time. AI systems can degrade due to data drift, model drift, or changing real-world conditions, making ongoing performance tracking essential. Monitoring allows organizations to detect anomalies, biases, or performance issues and take corrective actions such as retraining or recalibration. Governance frameworks emphasize post-deployment oversight to ensure systems continue to operate safely and within acceptable risk thresholds. Option A incorrectly suggests fully autonomous evolution without oversight, which contradicts governance principles. Options C and D address specific operational concerns but do not capture the primary purpose of continuous monitoring, which is maintaining performance, accountability, and alignment with defined goals.

The GDPR ' s transparency principle requires that when personal data is processed for automated decision-making, including profiling, data subjects must be informed about the existence of such automated decision-making. Additionally, they must be provided with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for them. This requirement ensures that data subjects are fully aware of how their personal data is being used and the potential impacts, thereby promoting transparency and trust in the processing activities.

Biasis a common risk acrossboth proprietary and open-source models, andnot uniqueto proprietary deployments. All AI systems — regardless of origin — require evaluation for fairness, accuracy, and representativeness.

From theAI Governance in Practice Report 2025:

“Bias, discrimination and fairness challenges are present in both open and closed models, regardless of how the model is sourced.” (p. 41)

In the machine learning context, feature engineering is the process of extracting attributes and variables from raw data to make it suitable for training an AI model. This step is crucial as it transforms raw data into meaningful features that can improve the model ' s accuracy and performance. Feature engineering involves selecting, modifying, and creating new features that help the model learn more effectively. Reference: AIGP Body of Knowledge on AI Model Development and Feature Engineering.

The primary concern for a company adopting a policy prohibiting the use of generative AI is the risk of accidental disclosure of confidential and proprietary information. Generative AI tools can inadvertently leak sensitive data during the creation process or through data sharing. This risk outweighs the other reasons listed, as protecting sensitive information is critical to maintaining the company’s competitive edge and legal compliance. This rationale is discussed in the sections on risk management and data privacy in the IAPP AIGP Body of Knowledge.

Training an AI model is time-consuming primarily due tomodel complexity,large data volumes, and the need forhigh-quality, well-prepared data.

From theAI Governance in Practice Report 2025:

“Most AI requires sizeable amounts of high-quality data… to ensure desired and accurate output.” (p. 15)

“The accuracy of AI model outputs depends significantly on the quality of their inputs.” (p. 24)

“Complex AI systems… with many parameters… result in long development and training phases.” (p. 32)

B. Maturity of governanceaffects oversight, not training time.

D. Number of stakeholdersaffects alignment, not direct training duration.

Reviewing the terms of use is essential when gathering data from a clinical research partner. This step ensures that the healthcare network complies with all legal and contractual obligations related to data usage. It addresses data ownership, usage limitations, consent requirements, and privacy obligations, which are critical to maintaining ethical standards and avoiding legal repercussions. This review helps ensure that the data is used in a manner consistent with the agreements made and the regulatory environment, which is fundamental for lawful and ethical AI development. Reference: AIGP Body of Knowledge on Legal and Regulatory Considerations.

In the United States, the use of AI hiring tools must comply with anti-discrimination laws, accessibility laws, and privacy laws to avoid increasing liability. Anti-discrimination laws (A) ensure that hiring practices do not unlawfully discriminate against protected classes. Accessibility laws (C) require that hiring tools are accessible to all applicants, including those with disabilities. Privacy laws (D) govern the handling of personal data during the hiring process. Product liability laws (B), however, typically apply to the safety and reliability of physical products and would not generally increase liability specifically related to the responsible use of AI hiring tools in the employment context​​​​.

The correct answer is A because developing a social media presence typically does not require AI and can be effectively achieved through traditional digital marketing strategies, content planning, and manual engagement. AI governance principles emphasize that organizations should first determine whether AI is necessary or proportionate to the problem being solved. Using AI where simpler, deterministic, or human-driven solutions suffice can introduce unnecessary complexity, cost, and risk. In contrast, options B, C, and D involve tasks such as campaign optimization, personalization, and automation, which benefit significantly from AI capabilities like pattern recognition, predictive analytics, and natural language processing. Responsible AI governance encourages a “fit-for-purpose” approach, ensuring AI is only deployed when it provides clear added value over non-AI alternatives.

The IEEE Ethical System Design Risk Management Framework (IEEE 7000-21) would be most appropriate for XYZ Corp ' s governance needs in addition to the NIST AI Risk Management Framework. The IEEE framework specifically addresses ethical concerns during system design, which is crucial for ensuring the responsible use of AI in hiring. It complements the NIST framework by focusing on ethical risk management, aligning well with XYZ Corp ' s goals of deploying AI responsibly and mitigating associated risks​​​​.

The correct answers are A, C, and D because multiple regulatory regimes apply based on jurisdiction, data use, and deceptive practices. The EU AI Act applies because the system is being developed and tested in cooperation with an EU-based university and involves behavioral influence, which may fall under prohibited or high-risk AI practices, especially where manipulation or deception is present. The General Data Protection Regulation applies due to the processing of personal data of EU-based participants, particularly given the misleading study protocol, which violates principles such as transparency and informed consent. The Federal Trade Commission Act applies to the US company because deceptive or unfair practices, such as misleading participants about the purpose of experiments, fall under FTC enforcement. The Digital Services Act and PCI standards are not relevant to this specific use case.

All of the options listed may pose copyright risks when teachers use generative AI to create course content, except for students must expressly consent to this use of generative AI. While obtaining student consent is essential for ethical and privacy reasons, it does not directly relate to copyright risks associated with the creation and use of AI-generated content.

The correct answer is A because having a well-defined incident management process enables organizations to respond quickly and effectively when AI-related issues arise. AI governance frameworks emphasize incident management plans as a key component of operational governance, ensuring that risks such as system failures, harmful outputs, or security breaches are promptly identified, escalated, and resolved. A structured process reduces delays by clearly defining roles, responsibilities, and response procedures, thereby minimizing potential harm and operational disruption. While incident processes may also indirectly support compliance and reduce the impact of failures, their primary benefit is improving responsiveness and coordination. Efficient response times are critical in maintaining trust, ensuring safety, and limiting negative consequences in real-world AI deployments.

The Singapore Model AI Governance Framework recommends several measures to promote the responsible use of AI, such as determining the level of human involvement in decision-making, adapting governance structures, and establishing communications and collaboration among stakeholders. However, employing human-over-the-loop protocols is not specifically mentioned in this framework. The focus is more on integrating human oversight appropriately within the decision-making process rather than exclusively employing such protocols. Reference: AIGP Body of Knowledge, section on AI governance frameworks.

The correct answer isA. While location of processors may have implications (such as for data transfers under GDPR), there is no absolute requirement that third-party processors be based in the same country.

From the AI Governance in Practice Report 2025 and ILT Guide:

“Data controllers are responsible for ensuring that third-party processors have adequate protections, but not necessarily that they reside in the same jurisdiction. What is required is legal safeguards (e.g., SCCs) for international transfers, not same-country location.”

In contrast, DPIAs, DSARs, and implementation of technical/organizational safeguards are explicitly required under GDPR and responsible AI frameworks.

===========

Before offering an AI solution in the EU market, a Canadian company must take several steps to comply with the EU AI Act. These steps include establishing a risk and quality management system (B), engaging a third-party auditor to perform a bias audit (C), and drawing up technical documentation and instructions for use (D). However, there is no requirement to register the AI solution in a public EU database (A). This registration step is not specified as part of the compliance requirements under the EU AI Act for such solutions​​​​.

Testing results need to bedocumented thoroughlyto ensuretraceability, accountability, and compliance. This is central to enabling audits, investigations, or regulatory inquiries into the system’s development and performance.

From theAI Governance in Practice Report 2025:

“Documentation and recordkeeping are essential components… to demonstrate AI system compliance, trace system behavior, and support audits and conformity assessments.” (p. 34–35)

“Maintaining audit trails across development and deployment enables transparency and accountability.” (p. 12)

AandBare benefits, but not theprimary governance justification.

D– Limiting future testing is not a recommended goal.

Model disgorgement is the technique used to remove the effects of improperly used data from an ML system. This process involves retraining or adjusting the model to eliminate any biases or inaccuracies introduced by the inappropriate data. It ensures that the model ' s outputs are not influenced by data that was not meant to be used or was used incorrectly. Reference: AIGP Body of Knowledge on Data Management and Model Integrity.

The correct answer isC. Thechoice of architecture(e.g., neural networks vs. decision trees) is typically part of thedesign and developmentphase, not the initial planning.

From the AIGP Body of Knowledge – AI Lifecycle Module:

“Planning involves scoping, context definition, stakeholder identification, governance planning, and assumptions—not yet model selection.”

Confirmed in the ILT Participant Guide:

“Design decisions such as architecture or algorithm type come after planning—usually during development based on technical feasibility and data availability.”