Questions

Question 1

Fiona leads the data science team at a media company. She is developing a new machine learning model to
improve its recommender systems. She has a large volume of input data around user preferences, but not
all users actively confirmed their likes and dislikes. What would be the most suitable ML approach for Fiona
to use?
A. Supervised learning.
B. Unsupervised learning.
C. Reinforcement learning.
D. Semi-supervised learning.

Answer 1

1. The correct answer is D. The use of semi-supervised learning is the most suitable approach in this situation
   given the combination of labelled and unlabeled data in the full dataset.
   Body of Knowledge Domain I, Competency B

Question 2

2. Which of the following is a method that helps to ensure AI integrity and that data is representative,
   accurate and unbiased?
   A. Tracking data lineage.
   B. Assuming the data is accurate.
   C. Purchasing data from a vendor.
   D. Reversioning the data internally.

Answer 2

2. The correct answer is A. Data lineage tracks data over time from the source to any other intervening
   programs or uses, and ultimately to the AI program or process utilizing it. Knowing where and how data has
   been used and manipulated before it is incorporated into an AI program or process helps ensure the data
   being used is accurate and appropriate.
   Body of Knowledge Domain VI, Competency D

Question 3

3. You are tasked with designing an AI system to predict customer attrition for a telecommunications
   company. During the design phase, you are focusing on developing the data strategy. Which of the
   following statements best describes the critical importance of data gathering in this phase?
   A. It primarily aims to reduce data storage costs, prioritizing low-cost repositories over data quality or
   relevance.
   B. It ensures the AI system has access to high-quality and relevant data, which is the fuel for training
   effective models.
   C. It focuses on designing attractive user interfaces for data input, catering to user experience over data
   completeness or accuracy.
   D. It is only important for regulatory complianc

Answer 3

3. The correct answer is B. Implementing a data strategy during the AI system design phase is crucial because
   it ensures access to high-quality and relevant data, which is fundamental for training effective AI models.
   The quality and relevance of data directly impacts the performance and accuracy of AI systems. The other
   options are irrelevant aspects of an AI system’s design phase.
   Body of Knowledge Domain V, Competency B

Question 4

4. Which of the following is included in the Canadian Artificial Intelligence and Data Act’’s risk-based approach?
   A. Source of the artificial intelligence technology.
   B. Elimination of data privacy impact assessments.
   C. Consideration of the nature and severity of harms.
   D. Equal application to companies operating in and outside of Canada.

Answer 4

4. The correct answer is C. Bill C-27 bases the risk evaluation on:
   a. Nature and severity of harms.
   b. Scale of use of the system.
   c. Extent to which individuals can opt out or control interactions.
   d. Imbalance of economic and social status of the individual interacting with the system.
   Body of Knowledge Domain IV, Competency B

Question 5

5. In the context of workforce readiness for AI, what is an essential consideration for businesses to fully
   leverage AI benefits responsibly?
   A. Focusing on training a select IT task force in advanced AI techniques.
   B. Avoiding employee training on AI to prevent over-reliance on technology.
   C. Implementing comprehensive training programs across various departments.
   D. Outsourcing AI-related tasks to third-party specialists to reduce training needs.

Answer 5

5. The correct answer is C. To maximize the benefits of AI, businesses should implement comprehensive
   training programs that encompass not just technical AI skills but also ethical considerations of AI usage. This
   approach ensures a broad-based understanding of AI across the organization, enabling more effective and
   responsible use of AI technologies.
   Body of Knowledge Domain VII, Competency B

Question 6

6. The Human Rights, Democracy and Rule of Law Impact Assessment builds on a history of impact
   assessments used extensively in other domains; such as, for example, data protection regulation. What is
   one of the main objectives of this type of impact assessment?
   A. To produce a document with mandatory requirements and enforcement mechanisms for harmful
   design choices.
   B. To provide a process for assessing and grading the likelihood of risks associated with potentially
   harmful outcomes.
   C. To expand on the proposals and guidelines for specific sectors and AI applications decided solely by the
   Council of Europe.
   D. To voluntarily endorse business practices, technology or policies after they have been deployed or
   when most convenient to developers.

Answer 6

6. The correct answer is B. The Human Rights, Democracy and the Rule of Law Impact Assessment provides an
   opportunity for project teams and engaged stakeholders to come together to produce detailed evaluations
   of the potential and actual harmful impacts that the design, development and use of an AI system could
   have on human rights, fundamental freedoms, elements of democracy and the rule of law.
   Body of Knowledge Domain IV, Competency C

Question 7

7. The manager of a call center decides to use an AI system to record and conduct sentiment analysis on
   interactions between customers and call center agents. Prior to using this data to evaluate the
   performance of the agents, what step should be implemented to minimize error in the evaluations?
   A. A security review of the AI system.
   B. A manual review of the recordings.
   C. An estimate of call rates to the center.
   D. A retention policy for aggregate reports.

Answer 7

7. The correct answer is B. Human review or supervision of the recorded call should be done to ensure the
   sentiment analysis of the AI system is accurate prior to using the data to evaluate the agent’s performance.
   Retention of data is important, but aggregate report data will not create risk for an individual. An estimate of
   call rates may help in staffing or workforce planning but won’t directly affect an individual’s performance
   rating. A security review of the AI will ensure security of the system, but also does not directly affect the
   individual or how their performance is evaluated.
   Body of Knowledge Domain III, Competency B

Question 8

12. Consider you are a privacy consultant with a tech company developing an AI-driven health-monitoring
    application. The application collects user data to provide personalized health insights. The company is
    dedicated to ensuring user privacy and seeks your advice. In the context of developing a privacy-enhanced
    AI health-monitoring application, which of the following measures would be most effective in aligning with
    privacy standards?
    A. Implementing user consent mechanisms and anonymizing collected data to protect user identities.
    B. Utilizing social media integration to enrich user profiles with additional lifestyle information and offers.
    C. Sharing raw user data with various pharmaceutical companies to facilitate targeted drug development.
    D. Storing user health data on a publicly accessible server for easy collaboration with health care
    researchers.

Answer 8

12. The correct answer is A. Obtaining consent from users empowers individuals to make informed decisions
    about the use of their health data. Furthermore, anonymizing involves removing personally identifiable
    information from the collected data, such as names, addresses and contact details.
    Body of Knowledge Domain II, Competency B

Question 9

13. Which of the following is an important consideration for mitigating AI system errors?
    A. Excluding a review of previous incidents.
    B. Focusing exclusively on legal compliance.
    C. Adopting a uniform approach for all errors.
    D. Understanding the AI use case and the data type.

Answer 9

13. The correct answer is D. The AI use case and the data type involved in system errors will guide the method
    of mitigation needed. This allows for an appropriate response and helps to guide any updates or changes
    needed to avoid similar issues in the future.
    Body of Knowledge Domain VI, Competency E

Question 10

14. Large language models are considered massive neural networks that can generate human-like text (e.g.,
    emails, poetry, stories, etc.). These models also have the ability to predict the text that is likely to come
    next. How is machine learning related to LLMs?
    A. LLMs do not use ML but rely on a fixed answer database.
    B. ML and LLMs are unrelated; LLMs use manual programming, not ML.
    C. LLMs learn from text data and use ML algorithms to generate responses.
    D. ML and LLMs are separate; ML is for numerical analysis, and LLMs are for graphics.

Answer 10

14. The correct answer is C. Large language models cannot be designed without the training of the datasets
    required for the model to learn, make decisions and predict. LLMs are built using a machine learning
    algorithm trained to make classifications or predictions.
    Body of Knowledge Domain I, Competency A

Question 11

15. In the design phase of AI development, privacy-enhancing technologies play a critical role in addressing
    data privacy concerns. Among these technologies, differential privacy and federated learning are
    significant. Given this context, which of the following best illustrates the application of differential privacy in
    the AI design phase?
    A. An AI model is trained in a centralized dataset in which individual data points are anonymized before
    being added to the dataset.
    B. An AI system enables multiple models to learn from separate datasets, then combines them to improve
    the overall model without sharing individual data points.
    C. An AI application uses encryption to secure data in transit between the client and server, ensuring that
    intercepted data cannot be read by unauthorized parties.
    D. An AI system adds random noise to the raw data it collects, ensuring that any output reflects general
    trends in the dataset but does not compromise individual data privacy.

Answer 11

15. The correct answer is D. This option directly aligns with the principles of differential privacy. Differential
    privacy is a technique used to ensure the privacy of individual data points in a dataset by adding statistical
    noise. This method allows the dataset to be used for analysis or AI model training while maintaining the
    confidentiality of individual data entries. The key aspect of differential privacy is that it provides insights into
    the general patterns or trends of the data without revealing sensitive information about any specific
    individual.
    Body of Knowledge Domain V, Competency B

Question 12

16. When implementing responsible AI governance and risk management, what is a critical consideration for
    testing and evaluation in alignment with a specific use case?
    A. Include potentially malicious data in the test.
    B. There is no need for repeatability assessments for novel cases.
    C. Use the same testing and evaluation approach for all algorithms.
    D. Exclude cases that the AI has not encountered during its training.

Answer 12

16. The correct answer is A. Incorporating potentially malicious data into the testing process would enable the
    assessment of the AI’s robustness and resilience against adversarial inputs and ensure that it behaves safely
    in real-world scenarios. The other options are not aligned with the best practices for responsible AI testing.
    Body of Knowledge Domain VI, Competency E

Question 13

17. The Digital Services Act aims to regulate the digital marketplace in the EU. Which of the following best
    describes how the DSA will empower users?
    A. Online marketplaces will have to comply with special obligations to combat the sale of illegal products
    and services.
    B. Very large online search engines will be held accountable for their role in disseminating illegal and
    harmful content.
    C. Very large online platforms will have to be more transparent in how they select the companies allowed
    to advertise on their platform.
    D. Platforms will have to provide clear information on why content is shown and give users the right to opt
    out of profiling-based recommendations.

Answer 13

17. The correct answer is D. Platforms will be required to disclose to users why the user is being shown specific
    content, as well as provide users with the right to opt out of being shown content that was derived through
    profiling. This is the only option that provides users with control over their content.
    Body of Knowledge Domain III, Competency A

Question 14

21. When assessing the success of an AI system meeting its objectives, which of the following approaches best
    aligns with the requirement to ensure a comprehensive evaluation while avoiding automation bias?
    A. Evaluate and align predefined benchmarks that will provide evidence of having achieved your system
    goals.
    B. Rely on the AI system’s output to determine if the goals were achieved, as this will provide a reliable
    and objective measure.
    C. Conduct a review that includes the AI system’s output, human interpretation, and potential secondary
    or unintended outputs.
    D. Focus on user feedback about the AI system’s performance to directly measure the system’s
    effectiveness in meeting the objectives

Answer 14

21. The correct answer is C. This is a comprehensive approach as it includes different testing initiatives. By
    integrating the AI system’s output, human interpretation and potential secondary or unintended outputs,
    you will avoid automation bias (when only relying on the output), as well as the limitation of having only
    human feedback that might not fully capture AI specificities. Additionally, this process avoids a narrow
    focus, which would be the result of using only a benchmark as a comparison item.
    Body of Knowledge Domain VI, Competency E

Question 15

22. Which of the following pairs provides examples of potential group harms associated with AI technologies?
    A. Safety and deep fakes.
    B. Acceleration and reputational.
    C. Mass surveillance and facial recognition.
    D. Carbon dioxide emission and agricultural.

Answer 15

22. The correct answer is C. Mass surveillance and facial recognition can lead to group harm given the potential
    use of AI technology to target and/or discriminate against specific groups/demographics. Safety and deep
    fakes are examples of societal harm, which is different than group harms in that they are not targeted
    against a specific group or demographic. Acceleration refers to the potential harm caused by AI advancing
    beyond the ability to safeguard it properly. Reputational harm refers to the potential risk to organizations or
    individuals from poorly managed AI or competitors creating deep fakes. Carbon dioxide emissions and
    agricultural harm refer to the possibility of increased computer reliance affecting the environment.
    Body of Knowledge Domain II, Competency A

Question 16

23. What are the initial steps in the AI system planning phase?
    A. (1). Plan the team; (2). Determine specific use cases the organization wants the AI system to solve; (3).
    Identify gaps to achieve the use cases; (4). Identify necessary data for the AI system.
    B. (1). Gain stakeholder buy in; (2). Determine specific use cases the organization wants the AI system to
    solve; (3). Identify gaps to achieve the use cases; (4). Identify necessary data for the AI system.
    C. (1). Determine the budget; (2). Determine specific use cases the organization wants the AI system to
    solve; (3). Identify gaps to achieve the use cases; (4). Identify necessary data for the AI system.
    D. (1). Determine the business problem to be solved by the AI system; (2). Determine the specific use
    cases; (3). Identify gaps to achieve the use cases; (4). Identify necessary data for the AI system.

Answer 16

23. The correct answer is D. Identifying the business problem to be solved is always the first step in any
    significant technology investment. The steps listed in other answers may be relevant but are not initial
    considerations.
    Body of Knowledge Domain V, Competency A

Question 17

24. During the AI winter of the 1970s, funding declined partially due to?
    A. Failing to meet expectations from initial hype and promises.
    B. Government agencies reallocating budgets to other sciences.
    C. Hardware restrictions on complex neural network simulations.
    D. Mathematical proofs showing capabilities were overestimated.

Answer 17

24. The correct answer is A. Disillusion set in when early hopes did not match the actual capability delivered.
    Mathematical theories did not yet fully characterize limitations.
    Body of Knowledge Domain I, Competency D

Question 18

25. Which of the following is NOT true about the relationship of explainability and transparency as they relate
    to AI?
    A. They are synonymous.
    B. They support trustworthy AI.
    C. They are distinct characteristics that support each other.
    D. They enable users of the system to understand the outcomes.

Answer 18

25. The correct answer is A. Both are types of documentation that help users understand how the system
    produces its outputs. Both support trustworthy AI as defined by NIST, OECD and others. “Explainability and
    transparency are distinct characteristics that support each other. Transparency can answer the question of ‘what happened’ in the system. Explainability can answer the question of ‘how’ a decision was made in the
    system” (NIST AI RMF, 3.5 Explainable and Interpretable). They are not synonymous. The words do not have
    nearly the same meaning but can be presented in ways that may make this appear to be the case.
    Body of Knowledge Domain II, Competency B

Question 19

26. A regulator has ruled that the AI model used by some features of your product should not be used in its
    jurisdiction. What is the most robust way of reacting to this situation?
    A. Shut down the service in the jurisdiction to pressure the regulator to change its position.
    B. Create a second, separate version of the application and deploy it to users in the jurisdiction.
    C. Implement a feature flag to enable or disable the features based on a user’s country of origin.
    D. Retrain and deploy your AI model immediately to prove you can react quickly to regulatory demands.

Answer 19

26. The correct answer is C. Feature flags can be toggled without major engineering efforts, and keeping the
    model offline during regulatory negotiations avoids unnecessary confrontations, such as requiring a
    redeploy.
    Body of Knowledge Domain VI, Competency F

Question 20

27. Which of the following is often used as a defense to a claim for copyright infringement with respect to AI?
    A. Fair use.
    B. Ethical use.
    C. Patentability of AI models.
    D. AI models made by the government.

Answer 20

27. The correct answer is A. The fair use doctrine states that excerpts of copyright material may, under certain
    circumstances, be copied verbatim for purposes such as criticism, news reporting, teaching and research
    without the need for permission from or payment to the copyright holder. Many AI manufacturers rely on
    fair use as a copyright infringement defense, alleging that the use of copyrighted material for training an AI
    model is ”transformative” (does not merely replicate the material) and does not harm the commercial
    market for the copyright holder’s works.
    Body of Knowledge Domain III, Competency A

Question 21

31. What does the term “generalization” mean regarding an AI model?
    A. The model is a good data classifier.
    B. The model is effective with new data.
    C. The model can solve a variety of business problems.
    D. The model can produce good outputs from few inputs.

Answer 21

31. The correct answer is B. A model’s generalization is its ability to perform well on new data, in addition to
    training and initial test data.
    Body of Knowledge Domain V, Competency C

Question 22

32. How should an organization allocate resources to effectively address AI risks?
    A. Allocate resources to highest risk areas.
    B. Allocate resources to highest risk factors.
    C. Allocate resources to highest risk tolerance.
    D. Allocate resources to highest risk outcomes.

Answer 22

32. The correct answer is A. After performing a risk assessment to determine where AI risk resides in an
    organization, priority should be given to the highest risk areas in terms of resources allocated. Risk
    tolerance relates to organizational risk appetite, risk factors are inputs to determining a risk level and risk
    outcomes relate to adverse scenarios that might transpire. They are related concepts, but when it comes to
    prioritizing and allocating resources, best practice suggests it is done by risk area.
    Body of Knowledge Domain VI, Competency A

Question 23

33. Why should an AI developer separate data into training and test sets?
    A. To create models that can be trained quickly.
    B. To reduce the inherent biases in stochastic gradient descent.
    C. To avoid overfitting to the specific characteristics of the training data.
    D. To improve the test validation scores by presenting multiple datasets.

Answer 23

33. The correct answer is C. It is best practice to separate training and test sets to ensure any random biases in
    the training set do not carry over into the final model. In machine learning, overfitting occurs when an
    algorithm fits too closely or even exactly to its training data, resulting in a model that can’t make accurate
    predictions or conclusions from any data other than the training data.
    Body of Knowledge Domain VI, Competency F

Question 24

34. When considering the implementation of AI systems, how should companies educate users to best address
    their concerns?
    A. Abort the AI system to avoid addressing user concerns.
    B. Assume that users will self-educate through online resources.
    C. Provide highly technical details relevant only to AI professionals.
    D. Offer comprehensive information on AI functionalities and limitations.

Answer 24

34. The correct answer is D. To effectively address user concerns, companies should provide comprehensive
    and accessible information regarding the AI system. This includes educating users on the capabilities and
    limitations of AI to ensure that they have a balanced and realistic understanding of the AI technology in
    place.
    Body of Knowledge Domain VII, Competency B

Question 25

35. Which of the following is TRUE of a “weak” AI system?
    A. It closely mimics the operation of the human brain.
    B. It boosts productivity by enabling smarter decision-making.
    C. It outperforms humans across a comprehensive range of tasks.
    D. It can perform complex tasks and achieve goals in different contexts.

Answer 25

35. The correct answer is B. Weak AI systems boost productivity by enabling smarter decision making. The other
    responses are examples of strong AI systems. “Strong” AI refers to artificial general intelligence, which does
    not yet exist. All current AI systems today are considered to be “weak” AI that is suitable for supporting
    human decision-making and automating repetitive tasks but does not meet the standard of being
    equivalent to human intelligence in terms of understanding context and meaning.
    Body of Knowledge Domain I, Competency B

Question 26

36. Alex is working for a public transit agency that is building out its AI program. He is collaborating with a local
    university to work on an AI project that involves what the NIST AI Risk Management Framework defines as
    social responsibility. Which proposal below best aligns with the concepts of social responsibility?
    A. Using AI-assisted software to analyze anonymized ridership data to fulfill government reporting
    requirements.
    B. Attaching sensors on buses to determine and assess heavy traffic periods on specific routes to provide
    accurate travel time to passengers.
    C. Analyzing video from station surveillance cameras to determine when office trash cans need to be
    emptied to save staff from unnecessary trips.
    D. Developing an AI-based mobile application that provides pseudonymized assistance to disabled
    customers booking point-to-point ride services.

Answer 26

36. The correct answer is D. NIST refers to the organization’s social responsibility as considering the “impacts of
    its decisions and activities on society and the environment through transparent and ethical behavior.” While
    each of these are important or useful in one way or another, providing ride assistance to disabled customers meets the goal of ethical social behavior. By pseudonymizing the information and the service
    itself, the company is providing a socially responsible service that protects the individual.
    Body of Knowledge Domain IV, Competency C

Question 27

37. The engineering team is working on training an AI model with a large, new dataset culled from social
    media. The team has built out the model to predict trends in car buying for the coming year based on social
    media posts. The AI model has a clear bias toward one particular automotive model. It turns out the recent
    data input was pulled when the car was featured in a blockbuster Hollywood movie. This is an example of
    which type of AI bias?
    A. Human-cognitive.
    B. Systemic and directed.
    C. Computational and statistical.
    D. Psychological and sociological.

Answer 27

37. The correct answer is C. Computational and statistical biases may stem from errors due to non-
    representative samples. In this example, the data is skewed based on the movie release.
    Body of Knowledge Domain VI, Competency E

Question 28

41. What is the AI Liability Directive proposed by the European Commission?
    A. A directive that will regulate organizations’ implementation of AI systems.
    B. A directive that will provide for legal responsibility by organizations using AI systems.
    C. A directive that will minimize and regulate the development and adoption of AI systems.
    D. A directive that will reduce organizational legal risks and costs associated with AI systems.

Answer 28

41. The correct answer is B. The AI liability directive is a proposal by the European Commission for a directive on
    civil liability for AI systems that complements and modernizes the EU liability framework to introduce new
    rules specific to damages caused by AI systems.
    Body of Knowledge Domain III, Competency C

Question 29

42. George is developing an advertising campaign for Splendide Company’s new product. George wants to
    incorporate colorful, eye-catching modern art as the backdrop for the product in print and digital ads. He
    uses a generative AI application to create the campaign and plans to use the prompt, “colorful abstract
    paintings in the style of contemporary artist Alexandra Artiste.” George determines that, because he wants
    to reference a specific artist, he should obtain a copyright license from the artist. To protect Splendide from
    liability, he wants to include terms in the license that provide exceptions to copyright infringement
    indemnification, as is commonly done with copyright infringement licensing contracts. Which of the
    following is a common exception to copyright infringement indemnification that does NOT work well in an
    AI model?
    A. Identifying the licensee as the owner of the resulting work.
    B. Requiring the licensee to use the artwork to train the model.
    C. Identifying the output from the AI model as an original work.
    D. Combining the licensed artwork with other artwork in the AI model.

Answer 29

42. The correct answer is D. Typical exceptions to intellectual property infringement indemnification in IP
    license agreements include exceptions for modifications to the licensed work, unauthorized combinations of
    the licensed work and other works, and use of the licensed work beyond the scope authorized in the license
    agreement. Because AI models modify, combine and use the works on which they are trained in other
    contexts, these exceptions to infringement indemnification do not work.
    Body of Knowledge Domain VII, Competency A

Question 30

43. Nolan is in the IT procurement department of Happy Customer Inc., a provider of call center solutions.
    Other companies are using Happy Customer Inc. services to help their clients with easy, first-level support
    requests. Happy Customer Inc. wants to offer its B2B clients a new text-based chatbot solution that offers
    the right answers to a given set of questions. What type of AI model should Nolan look for?
    A. A robotics model.
    B. A statistical model.
    C. A decision tree model.
    D. A speech recognition model.

Answer 30

43. The correct answer is C. A decision tree model predicts an outcome based on a flowchart of questions and
    answers. A statistical model is used to model the relationships between two variables. A speech recognition
    model is used to analyze speech; e.g., for voice assistants. A robotics model is based on a multidisciplinary
    field that encompasses the design, construction, operation and programming of robots and allows AI
    systems and software to interact with the physical world without human intervention.
    Body of Knowledge Domain I, Competency C

Question 31

44. Which of the following best describes feature engineering?
    A. Transforming or manipulating features to enhance the performance of the model.
    B. Consulting with subject matter experts about features to include in the training data.
    C. Anonymizing raw data so personal information is not included in the features for the model.
    D. Annotating the raw data to create features with categorical labels that align with internal terminology.

Answer 31

44. The correct answer is A. While the other options are all actions that are performed in the AI development life
    cycle, feature engineering refers specifically to the transformation of “features” used as inputs for the
    model.
    Body of Knowledge Domain V, Competency C

Question 32

45. A company uses automated decision-making via an AI system to evaluate and subsequently accept or deny
    loan applications from potential customers. A customer (data subject) who is denied might use the process
    of redress because of the denial. Which of the following is a component of the right to redress?
    A. Review the privacy notice.
    B. Register a formal complaint.
    C. Sign a contract with the company.
    D. Provide consent for data processing.

Answer 32

45. The correct answer is B. The data subject would use the process of redress to make a formal complaint or
    request a review of the automated decision.
    Body of Knowledge Domain III, Competency B

Question 33

46. Which of the following is an important reason to continuously improve and maintain deployed models by
    tuning and retraining them with new data and human feedback?
    A. To comply with various legal and regulatory requirements.
    B. To maintain the system’s relevance and effectiveness over time.
    C. To reduce the initial cost of training the model by adding new data iteratively.
    D. To ensure perfect accuracy and eliminate any possibility of errors in the model.

Answer 33

46. The correct answer is B. This option best captures one of the key objectives of continuously improving and
    maintaining models. Other reasons include adapting the model to evolving data and addressing potential
    bias. No model can achieve perfect accuracy, and continuous improvement aims to minimize errors, not
    eliminate them entirely. While continuous training can improve model performance over time, it is not
    primarily a cost-saving measure. Laws and regulations might necessitate responsible AI practices that are
    aided by training on new data, but the concept of continuous improvement focuses more on enhancing the
    model’s real-world effectiveness and fairness.
    Body of Knowledge Domain VI, Competency F

Question 34

47. Olive is on a team of governance, risk and compliance professionals building out an AI policy for her
    company, which sells customizable baby strollers. She has been assigned to review the ISO/IEC Guide 51,
    “Safety aspects — Guidelines for their inclusion in standards,” to incorporate areas of safety for its main
    product line. Which item below is NOT one of the four areas of safety to consider?
    A. Basic safety.
    B. Group safety.
    C. Product safety.
    D. Development safety.

Answer 34

47. The correct answer is D. The four safety standards set forth in ISO/IEC Guide 51 are: basic safety, group
    safety, product safety and standards containing safety aspects. Development safety is not one of the four
    standards.
    Body of Knowledge Domain IV, Competency C

Question 35

48. Olive presents her work to the GRC AI policy group and receives positive feedback from the team. The
    group asks Olive to build out a questionnaire for departments with potential AI projects using the ISO/IEC
    Guide 51 questions around “the purpose of the standard.” With that as a starting point, which question
    below should be removed from the survey?
    A. Will AI impact any safety aspects of your project?
    B. Will large AI-processed datasets be used as part of the project?
    C. Will AI be used as a basis for conformity assessments as part of the project?
    D. Will AI be used during any of the phases of product testing or model building?

Answer 35

48. The correct answer is B. The other options are all questions that should be asked to determine how the use
    of AI could introduce or increase existing risk to safety. While understanding what datasets may be used is
    important for privacy, it is not part of the ISO/IEC Guide 51 safety aspects.
    Body of Knowledge Domain IV, Competency C

Question 36

52. The Turing test was introduced by mathematician and cryptographer Alan Turing in 1950. What did the test
    originally attempt to identify?
    A. A human can often demonstrate unintelligent behavior.
    B. A machine can be built that is as intelligent as a human.
    C. A machine can demonstrate behavior indistinguishable from a human.
    D. A machine can be built that is able to converse intelligently with a human.

Answer 36

52. The correct answer is C. When Turing proposes the question, “Can machines think?” he formulates a
    situation where a human evaluator would try to distinguish between a computer and human text response.
    Body of Knowledge Domain I, Competency A

Question 37

53. A newly developed AI system in your organization is almost ready to deploy. The engineers who
    collaborated on the project are the most appropriate personnel to ensure which of the following is in place
    before the system is deployed?
    A. A change management plan to support widespread internal adoption.
    B. A new company policy to address AI developer, deployer and user risks.
    C. A method for continuous monitoring for issues that affect performance.
    D. A set of documented roles and responsibilities for an AI governance program.

Answer 37

53. The correct answer is C. This is the only option that describes one of the four key steps in the
    implementation phase: monitoring. The prompt states the actors involved are engineers who worked
    directly on the project. These engineers can be assumed to have the technical and project knowledge
    necessary to establish continuous monitoring for deviations in accuracy or irregular decisions made by the
    model. The other options listed should also be in place before the system is deployed but are best
    addressed by the chief privacy officer, AI governance committee, office for responsible AI, ethics board or
    other steering groups.
    Body of Knowledge Domain V, Competency D

Question 38

54. Morgan has just started their position as an AI governance lead for a pharmaceutical company, Pharma Co.
    They have been tasked with ensuring AI governance principles are integrated across the company. What is
    one of the principles that should be applied consistently at Pharma Co.?
    A. Adopt a dissenting viewpoint.
    B. Select a team that is process focused.
    C. Ensure planning and design is consensus-driven.
    D. Prioritize the financial considerations of the program.

Answer 38

54. The correct answer is C. Core objectives to ensure AI governance principles apply an integrated focus
    include adopting a pro-innovation mindset, ensuring the AI ethics framework is law, remaining industry and
    technology agnostic, focusing the team on outcomes and ensuring there is consensus in planning and
    design. Financial considerations are important, but they should not be the primary consideration. Adopting
    a dissenting viewpoint will likely only silo AI governance rather than integrate it into the company. Finally,
    while the team can follow a process, it should focus on the outcomes. There may be many pathways to
    integrate AI governance into the company to achieve successful outcomes.
    Body of Knowledge Domain VI, Competency B

Question 39

55. WonderTemp, a temporary staffing company, terminated most of its employees after implementing a
    virtual assistant to help write emails, policies, marketing materials and responses to client questions. Three
    months later, WonderTemp learns that four of its biggest clients are not renewing their contracts because
    the work product from WonderTemp is full of inaccuracies. Based on these facts, what types of harm has
    WonderTemp suffered because of its reliance on the virtual assistant?
    A. Legal and regulatory harm.
    B. Individual and societal harm.
    C. Economic and reputational harm.
    D. Disinformation and reportable harm.

Answer 39

55. The correct answer is C. The company suffers economic harm when the four companies choose not to
    renew, and they suffer reputational harm because their clients found their work to be full of inaccuracies.
    Legal and regulatory do not apply here as WonderTemp has not been sued, there are no assertions that the
    company violated laws or regulations, and it is not in a highly regulated industry. Social harm is also
    incorrect, as this type of harm is not experienced by WonderTemp. Disinformation is incorrect, as
    disinformation is false information that is deliberately intended to mislead — intentionally misstating the
    facts, and that is not what is happening here.
    Body of Knowledge Domain II, Competency A

Question 40

You work for a large online retailer and the engineering team comes to you with a proposal to implement an AI
system for matching customers with products they might want to buy.
For the next two items, identify the type of use case described in the situation.

56. Use Case 1: A customer inputs a picture of the product they are looking for and receives a link to the page
    where they can purchase the product.
    A. Detection.
    B. Recognition.
    C. Optimization.
    D. Personalization.
57. Use Case 2: A marketer predicts and displays items a known customer might want to buy on the landing
    page based on the customer’s profile.
    A. Detection.
    B. Recognition.
    C. Optimization.
    D. Personalization.

Answer 40

56. The correct answer is B. The system needs to recognize and identify the item shown in the customer’s
    picture to match it with products in the company catalog. Recognition models are also used for tasks like
    facial recognition, identification of defects in manufacturing, and deepfake detection.
    Body of Knowledge Domain I, Competency A
57. The correct answer is D. When a company is developing a customer profile, it is using information about the
    customer’s previous behavior to predict future purchasing behavior. Personalization models aim to create a
    unique experience based on the needs and preference of each customer.
    Body of Knowledge Domain I, Competency A

Question 41

58. How do you ensure your AI system does not develop bias over time?
    A. You train a specialized customer service representative to handle any complaints about bias.
    B. You implement an automated test suite to check for bias and monitor the results continuously.
    C. You provide users with a survey every quarter asking if the respondents have observed any bias.
    D. You personally test the system every week to ensure your recommendations remain the same or
    improve.

Answer 41

58. The correct answer is B. Automated testing is the only method that ensures full coverage of the user base.
    Not all users respond to surveys or contact customer service. Checking the system yourself does not cover
    all corner cases.
    Body of Knowledge Domain VI, Competency F

Question 42

59. The recruiting department for Company X wants to use AI to help it identify the best external candidates
    and fast-track the hiring process for open positions. It trains the AI program using the resumes of top-
    performing software engineers across the company. The AI determines that men between the ages of 25
    and 35 are the best candidates. This is an example of what type of bias in the AI system?
    A. Sampling bias.
    B. Temporal bias.
    C. Projection bias.
    D. Confirmation bias.

Answer 42

59. The correct answer is A. The data is skewed toward a subset of individuals due to the limited group selected
    (internal employees) to train the program — the sample. The sample data should be broader than just those
    individuals currently employed by the company. The larger the sample, the more diverse the results will be.
    Temporal bias does not apply because the biased outcome is not due to unbalanced data sampling over
    time. Confirmation bias does not apply because the recruiters did not seek out information to confirm
    existing beliefs, but trained the AI using performance statistics. Projection bias does not apply as this type of
    bias is based on assuming others share our preferences, beliefs and attitudes, and there is no indication
    that this is the case.
    Body of Knowledge Domain II, Competency B

Question 43

60. Which of the following is the best reason why it is important to conduct red team reviews of models before
    deployment?
    A. To uncover potential biases in the models before they are deployed to external users.
    B. To eliminate all flaws and weaknesses in the model before they impact real-world users.
    C. To avoid the need to conduct formal risk assessments for various models before deployment.
    D. To improve traditional security testing methods that are not effective when testing AI models.

Answer 43

60. The correct answer is A. This option effectively captures a key purpose of red teaming; i.e., proactively
    identifying biases. B is incorrect as red teaming should complement, not replace, formal risk assessments. C
    is incorrect as red teaming is not a guarantee that a model will perform perfectly, as real-world deployment
    can present new flaws or issues. D is incorrect — red teaming should complement, not replace, traditional
    security testing methods, which remain important for broader system security.
    Body of Knowledge Domain VI, Competency F

Question 44

61. What is the role of U.S. federal agencies in regulating and overseeing the development and use of AI
    systems?
    A. To discourage the development and adoption of AI systems, including private use.
    B. To regulate the development and use of AI systems, including various liability issues.
    C. To reduce the legal risks and costs associated with AI systems, including copyright issues.
    D. To change the accountability of parties who cause damage with AI systems, including social media
    companies.

Answer 44

61. The correct answer is B. The role of U.S. federal agencies is to regulate and oversee the development and
    use of AI systems and to address the liability issues and challenges arising from AI systems. U.S. federal
    agencies have been involved in various initiatives and activities related to AI, such as issuing guidance,
    standards and best practices; conducting research and analysis; providing funding and support; and
    enforcing laws and regulations. For example, the National Artificial Intelligence Initiative Office, created in
    January 2021, is responsible for coordinating and advancing the federal government’s efforts and
    investments in AI research, development, innovation and education.
    Body of Knowledge Domain III, Competency C

Question 45

65. Which of the following is an example of societal harm in AI?
    A. Reputational harm to an organization.
    B. Housing discrimination against a family.
    C. Spread of disinformation over the internet.
    D. Insurance discrimination against a demographic.

Answer 45

65. The correct answer is C. The spread of disinformation causes harm to a society by making it difficult or
    impossible for individuals to verify whether the information they are accessing is accurate or not. This
    undermines the individual’s faith in their societal structure, causing social polarization, unrest and mistrust
    in the decision-making process of policy makers. The internet has made the ability to spread disinformation
    a much more rapid process, complicating these issues further. Reputational harm to an organization is an
    example of organization harm; housing discrimination is an example of individual harm; and insurance
    discrimination is an example of AI bias that causes individual harm.
    Body of Knowledge Domain II, Competency A

Question 46

66. AbleSoft developed an AI-based screening system to identify potential insider trading. As part of adopting
    Singapore’s Model AI Governance Framework, AbleSoft took which of these steps?
    A. Contracted with outside experts to audit algorithms for bias risks.
    B. Set up IT security policies limiting access to source code and data.
    C. Joined industry groups defining standards for financial AI systems.
    D. Established an approval process for AI systems based on their risk level.

Answer 46

66. The correct answer is D. The Singapore Framework has guidance on implementing policies and processes
    for accountable and ethical AI development aligned to risk levels.
    Body of Knowledge Domain I, Competency C

Question 47

67. Starnet Ltd. is a multinational company that provides a virtual assistant. Patrick, a user from the EU,
    decides to generate an image of himself. To his surprise, the assistant generates an image that is clearly
    derived from his private social media profile. Patrick believes that Starnet Ltd. has performed untargeted
    scraping of the internet to obtain facial images for the dataset used by its LLM. To which authority should
    Patrick report this incident, and, if Starnet Ltd. is liable under the EU AI Act, what would be the threshold of
    the penalty to be imposed?
    A. The incident should be reported to the EDPS. The penalty would be a fine of up to 15 million euros or
    three percent of the total worldwide turnover.
    B. The incident should be reported to the EU AI office. The penalty would be a fine of up to 15 million
    euros or three percent of the total worldwide turnover.
    C. The incident should be reported to the data protection regulator. The penalty would be a fine of up to
    7.5 million euros or 1.5 percent of the total worldwide turnover.
    D. The incident should be reported to the designated national authority. The penalty would be a fine of up
    to 35 million euros or seven percent of the total worldwide turnover.

Answer 47

67. The correct answer is D. According to the latest release by the European Commission on the EU AI Act,
    Member States must designate a national authority to serve as a point of contact for the complaints of
    citizens. Furthermore, the use of AI for untargeted scraping of the internet for facial images to build up or
    expand databases is classified as a prohibited use case of AI and, as such, any AI system used for this
    purpose will be banned. Therefore, if Starnet Ltd. has used an AI system for this purpose, Starnet Ltd., as a
    multinational company, would face an applicable threshold of penalty of a fine of up to 35 million euros or
    seven percent of the total worldwide turnover.
    Body of Knowledge Domain IV, Competency A

Question 48

68. Your company is developing an AI system for global markets. This system involves personal data processing
    and some decision-making that may affect rights of the individuals. Part of your role as an AI governance
    professional is to ensure that the AI system complies with various international regulatory requirements.
    Which of the following approaches best aligns with a comprehensive understanding of and compliance
    with AI regulatory requirements in this situation?
    A. Focus on the EU AI Act, as it is the most comprehensive regulation, since compliance with it will ensure
    compliance with all other international regulations that apply to AI.
    B. Develop a compliance strategy based on the strictest requirements in various regulations, including the
    EU AI Act, GDPR and HIPAA, then harmonize it into a unified compliance framework.
    C. Consider that if the AI system complies with local regulations of the country where the company is
    based, it is not necessary to comply with international regulations, as AI is adaptable globally.
    D. Adopt a region-specific compliance strategy where the AI is modified to meet regulatory requirements
    of each region independently, disregarding commonalities or overlaps in international regulations.

Answer 48

68. The correct answer is B. This option represents a balanced and comprehensive approach to AI regulatory
    compliance by acknowledging the need to understand and integrate multiple international requirements,
    ensuring adherence to the highest standards of AI compliance, data privacy and other regulatory
    considerations.
    Body of Knowledge Domain VI, Competency C

Question 49

69. As technology continues to advance, companies, scientists and technologists are adopting a human-centric
    approach to develop AI. What specifically characterizes an AI system as “human-centric”?
    A. It prioritizes technical advancement without considering human input, needs or experiences.
    B. It is designed with a focus on human input, providing an approach that addresses human needs and
    experiences.
    C. It disregards technological advancements and societal technological needs and rely entirely on human
    input.
    D. It is developed internally by companies without review of existing technologies and without
    collaboration with external technologists.

Answer 49

69. The correct answer is B. Human-centric AI is AI designed to put humans before the machine by
    acknowledging human abilities and ingenuity. HCAI is AI that enhances and augments human abilities rather
    than displacing them. HCAI aims to preserve human control to ensure that AI meets human needs.
    “Human centeredness asserts firstly, that we must always put people before machines, however complex or
    elegant that machine might be, and, secondly, it marvels and delights at the ability and ingenuity of human
    beings. In the Human Centered System, there exists a symbiotic relation between the human and the
    machine, in which the human being would handle the qualitative subjective judgements and the machine
    the quantitative elements. It involves a radical redesign of the interface technologies and at a philosophical
    level, the objective is to provide tools (in the Heidegger sense) which would support human skill and
    ingenuity rather than machines which would objectivize that knowledge.” Mike Cooley, On Human-Machine
    Symbiosis, 2008.
    Body of Knowledge Domain II, Competency B

Question 50

70. A financial institution aims to develop a model for detecting fraudulent credit card transactions. It
    possesses a history of transaction data in which instances of fraud and non-fraud are clearly labeled and
    explicitly identified. What is the appropriate machine learning technique the financial institution should
    adopt?
    A. Supervised.
    B. Unsupervised.
    C. Reinforcement.
    D. Semi-supervised.

Answer 50

70. The correct answer is A. In this situation, where the financial institution has a labeled dataset with instances
    of fraud and non-fraud clearly identified, the appropriate machine learning technique is supervised learning.
    In supervised learning, the model is trained on labeled data, and it learns to make predictions or
    classifications based on the provided labels. The goal is to identify patterns in the labeled data that can be
    used to accurately predict the labels for new, unseen instances.
    Body of Knowledge Domain I, Competency B

Question 51

71. BankC has created an artificial intelligence algorithm that filters loan applications based on criteria, such as
    current zip code, applicant job industry and name, in addition to the expected criteria. One staff person
    noticed that several loan applicants who passed through the filter were white, as compared with a
    distribution that was representative of the community’s distribution prior to use of the algorithm. If BankC
    proceeds with using this algorithm in the U.S., which of the below federal laws must its compliance
    department be aware of (in addition to others not listed)?
    A. The Dodd-Frank Act.
    B. Fair Credit Reporting Act.
    C. Equal Credit Opportunity Act.
    D. Americans with Disabilities Act.

Answer 51

71. The correct answer is C. The Equal Credit Opportunity Act prohibits discrimination against credit applicants
    based on race, color, national origin, sex, marital status, age, existing income from a public assistance
    program, or because an applicant has, in good faith, exercised any right under the Consumer Credit
    Protection Act. Another relevant law, which is broader, is section 5 of the Federal Trade Commission Act,
    which provides that “unfair or deceptive acts or practices in or affecting commerce … are … declared
    unlawful.” 15. U.S.C. Sec. 45(a)(1).
    Body of Knowledge Domain III, Competency A

Question 52

74. When initiating an AI governance program, which of the following statements best reflects a strategic
    approach to effectively engaging leadership?
    A. Identify leaders already using AI who see opportunities for differentiation through improved
    governance.
    B. Postpone leadership engagement until the AI program is fully implemented to avoid an overly
    complicated journey.
    C. Prioritize leaders with extensive business experience to help minimize discussions about responsible AI
    and simplify your decision-making process.
    D. Get buy-in from leaders whose primary interest centers around the ability of AI to allow the
    organization to get ahead of its competition.

Answer 52

74. The correct answer is A. In the context of AI governance, it is crucial to engage leaders who not only have
    experience with AI, but also recognize the potential for differentiation through responsible practices. This
    approach ensures leadership alignment with the AI governance program goals and helps in understanding
    the value it brings.
    Body of Knowledge Domain VI, Competency C

Question 53

75. The EU AI Act and NIST AI Risk Management Framework are both pursuing the dual purposes of promoting
    the uptake of AI and addressing the risks associated with its use. Which of the following is one of the main
    differences between the EU AI Act and NIST AI RMF?
    A. The EU AI Act is underpinned by a risk-based approach, while the NIST AI RMF is a horizontal regulation.
    B. The EU AI Act is applicable to EU-based companies only, while the NIST AI RMF has an extraterritorial
    effect.
    C. The EU AI Act is relevant to large- and medium-sized companies, while NIST AI RMF applies to
    companies of all sizes.
    D. The EU AI Act imposes mandatory compliance requirements, while NIST AI RMF is a voluntary AI
    governance framework.

Answer 53

75. The correct answer is D. The NIST AI Risk Management Framework is intended for voluntary use and to
    improve the ability to incorporate trustworthiness considerations into the design, development, use and
    evaluation of AI products, services and systems. The EU AI Act imposes comprehensive mandatory
    compliance requirements on high-risk AI with respect to, among other things, risk mitigation, data
    governance, detailed documentation, human oversight, transparency, robustness, accuracy and
    cybersecurity. The EU AI Act requires mandatory conformity assessments and fundamental rights impact
    assessments. It also provides a right for citizens to launch complaints about AI systems and receive
    explanations about decisions based on high-risk AI systems that impact their rights.
    Body of Knowledge Domain IV, Competency A

Question 54

76. Robotic processing automation is an emerging type of artificial intelligence. Which of the following does
    NOT describe RPA?
    A. Machines that mimic human actions on digital systems.
    B. Software robots that are used to automate rule-based tasks.
    C. Machines designed to perform tasks relying on human intervention.
    D. Software robots that are augmented by other types of artificial intelligence.

Answer 54

76. The correct answer is C. The intent of robotic processing automation is to “mimic” human behavior by
    leveraging intelligent systems. The goal of this is to decrease human intervention by automating tasks to
    increase efficiency of business processes, and not rely on humans to complete tasks.
    Body of Knowledge Domain I, Competency B

Question 55

77. A retailer plans to implement facial recognition in physical stores. Which of the following measures should
    the retailer take to comply with regulatory requirements?
    A. Disclose the practice of facial recognition to consumers.
    B. Train the employees not to reveal the use of facial recognition technology.
    C. Ensure as many images as possible are placed into the facial-matching system.
    D. Consult with a trusted privacy professional network to source a facial-recognition vendor.

Answer 55

77. The correct answer is A. Transparency is a key value in privacy and responsible AI. Failure to disclose risks of
    harm to consumers can also lead to violations of the FTC Act section 5, as well as existing privacy laws such
    as the GDPR, and potentially to violations of emerging laws. Companies that use facial recognition in
    physical stores should, at a minimum, consider disclosing the practice to consumers.
    Body of Knowledge Domain III, Competency A

Question 56

78. Company N works in the field of disability benefits and wants to use AI to determine who is most likely to
    benefit from its services by filtering applications. Company N’s privacy officer is concerned about
    unintended serious impacts of filtering applications. What is a negative impact the privacy officer should
    consider when analyzing the proposed project?
    A. Impacting an employee’s job.
    B. Making individuals uncomfortable.
    C. Discriminating against a particular group.
    D. Creating a false sense of security for applicants.

Answer 56

78. The correct answer is C. The privacy officer should examine the project carefully to determine if there will be
    an unintended result of discrimination against a particular group of individuals who may share a trait that
    will accidentally cause the AI to filter out their applications for disability benefits, even though they would
    normally qualify.
    Body of Knowledge Domain II, Competency A

Question 57

79. A new generative AI (GenAI) service will be launched in China and may be used by minors. Developers will
    manually tag the data used to train and develop the AI models. Before the launch of the GenAI service,
    which of the following actions will the GenAI service NOT need to take to be compliant with China’s Interim
    Measures for the Management of Generative Artificial Intelligence?
    A. Carry out assessments to assess the quality of the tagging.
    B. Provide training to personnel on how to properly tag the data.
    C. Provide notices to parents of minors identifying risks of addiction.
    D. Employ measures to prevent minors from being addicted to the GenAI Service.

Answer 57

79. The correct answer is C. The Interim Measures require that preventative measures be taken to prevent
    minors from being addicted to the generative AI services. No notice to parents of minors is required.
    Body of Knowledge Domain IV, Competency B

Question 58

80. Kim is expanding their governance, risk and compliance role at their organization to include the NIST AI Risk
    Management Framework. Kim is using the four core functions to lay out their project to present to
    management. Which of the following is the step for the measure function?
    A. Risk management is cultivated and present.
    B. Identified risks are assessed, analyzed or tracked.
    C. Risk is prioritized and acted upon based on projected impact.
    D. Context is recognized and risks related to context are identified.

Answer 58

80. The correct answer is B. The measure function involves quantifying risks and their related impacts, including
    tracking trustworthiness and social impacts. Through this stage, organizations can balance any trade-offs
    necessary and ensure the risks are mitigated where possible.
    Body of Knowledge Domain IV, Competency C

Question 59

81. A meat processing facility and warehouse in the U.S. is planning to use automated, driverless forklifts to
    supplement its work force to increase efficiencies and reduce operating costs. Which agency guidelines and
    regulations should the facility review and analyze to maximize employee safety in connection with
    implementing this program?
    A. The Food and Drug Administration.
    B. The Consumer Product Safety Commission.
    C. The Equal Opportunity Employment Commission.
    D. The Occupational Safety and Health Administration.

Answer 59

81. The correct answer is D. The Occupational Safety and Health Administration establishes the relevant
    regulations and guidelines for safety and acceptable potential hazards in the workplace.
    The other agencies have also issued guidelines relevant to developing and implementing AI systems, but
    those guidelines and regulations are not focused on product safety in the workplace.
    Body of Knowledge Domain III, Competency A

Question 60

82. Which of the following outline some of the necessary components of creating an AI governance structure?
    A. (1). Promote the IT organization with full AI governance responsibility; (2). Document AI governance
    decisions; (3). Identify an executive champion.
    B. (1). Federate all governance responsibility throughout the organization; (2). Document AI governance
    decisions; (3). Identify an executive champion.
    C. (1). Promote the compliance organization with full AI governance responsibility; (2). Document AI
    governance decisions; (3). Identify an executive champion.
    D. (1). Determine whether there is an AI governance structure; (2). Identify and document who will
    maintain and implement AI governance structure; (3). Identify an executive champion.

Answer 60

82. The correct answer is D. These components provide a foundational approach to establishing an effective AI
    governance structure. Neither a specific organizational unit, such as the compliance department or IT, nor a
    federated approach to governance is sufficient to support the complex organizational and governance
    needs of an AI system.
    Body of Knowledge Domain V, Competency A

Question 61

83. SOS Soft, an EU-based company, has created an AI system for classifying calls made to emergency services.
    The user only needs to select which emergency service they require before the AI system routes them to
    the appropriate service nearest to their location. As the intended purpose of this system is only to route the
    caller to the appropriate emergency service location, recordings of emergency calls were not collected to
    train the system. During the development phase, it was decided that synthetic data should be used in the
    validation dataset to detect negative bias and correct it. Prior to the system’s release, it was tested during a
    two-day trial, with the permission of a local municipality, using real citizens. Would the EU AI Act apply to
    SOS Soft, and, if yes, would the company be in compliance with the procedures for testing AI systems under
    the EU AI Act?
    A. The EU AI Act will apply to SOS Soft, and the company is in full compliance with the procedures for
    testing AI systems.
    B. The EU AI Act will apply to SOS Soft, and the company is not in compliance with the procedures for
    testing AI systems under the EU AI Act.
    C. SOS Soft would not be regulated under the EU AI Act because the system was tested with the
    permission of the municipality, meaning it was trialed in a simulated environment.
    D. The EU AI Act will not apply to SOS Soft, as it was trialed in a simulated environment; however, if this
    system is released on the market, it would not be in compliance with the procedures for testing AI
    systems under the EU AI Act.

Answer 61

83. The correct answer is A. Per the EU AI Act, the regulation shall not apply to research, testing and
    development activities, but testing in real world conditions is NOT included in this exemption. The
    definitions include in the Act refer to real-world conditions outside of a laboratory or otherwise simulated
    environment. In this case, since the testing took place in a manner where real citizens made use of the AI
    system for the purpose of contacting emergency services, the testing is “real-world testing,
    ” so the EU AI Act
    does apply to SOS Soft. Furthermore, per the testing procedures mandated by the EU AI Act in Article 10(5)
    in relation to bias testing, clause (a) states that bias detection and correlation cannot be effectively fulfilled
    by processing synthetic data.
    Body of Knowledge Domain IV, Competency A

Question 62

84. What is the purpose of a risk assessment in AI Governance?
    A. Test and validate the AI system.
    B. Establish priorities and allocate resources.
    C. Compile feedback from impacted AI actors.
    D. Establish appropriate roles and responsibilities.

Answer 62

84. The correct answer is B. The purpose of a risk assessment is to identify the areas of greatest risk in an AI
    system so risk mitigation resources can be allocated appropriately. Risk assessments can also be used to
    generate metrics for tracking and managing priorities throughout the model development life cycle.
    Body of Knowledge Domain VI, Competency D

Question 63

85. The use of deidentification or anonymization within AI systems will mitigate or remove risks to individuals
    under the GDPR. However, what is a challenge likely created by using these methods?
    A. They reduce the utility of data.
    B. They produce security concerns.
    C. They restrict access to information.
    D. They generate a lack of transparency.

Answer 63

85. The correct answer is A. Deidentifying or anonymizing data reduces its utility within AI systems and is
    difficult to do with large datasets. Using these methods will not create additional concerns related
    to security and transparency or restrict access to the data.
    Body of Knowledge Domain III, Competency B

Question 64

86. John is the AI governance lead for his EU-based company, XYZ. XYZ provides users with a virtual assistant.
    When exiting the system, users receive a notice which informs them they have interacted with an AI system
    and its responses may include hallucinations that should be reviewed by the user. John informs XYZ of his
    approval of this notice along with the way it is presented to him. Based on the information provided, why is
    XYZ not in compliance with the transparency requirements set out by the EU AI Act?
    A. The notice is not GDPR compliant.
    B. The notice was not displayed in a timely manner.
    C. The notice is not accessible to vulnerable persons.
    D. The notice is not adequate in terms of the information provided.

Answer 64

86. The correct answer is B. As per the transparency obligations set forth in the EU AI Act, the notice that
    informs users they are using an AI system shall be provided, at the latest, at the time of first interaction or
    exposure to the AI system in question. In this case, the notice was provided as a response to the first
    prompt rather than being displayed to users at the time of the first interaction or exposure, before they
    enter a prompt.
    Body of Knowledge Domain IV, Competency A

Question 65

87. Which of the following most directly led to renewed interest and funding in AI research in the 1980s?
    A. Early successes of neural networks.
    B. Academic conferences bringing together AI researchers.
    C. The development of expert systems and natural language processing.
    D. Advances in computer processing power and availability of large datasets.

Answer 65

87. The correct answer is D. Increased computing power and data availability enabled more complex AI systems
    to be developed, renewing interest in the field.
    Body of Knowledge Domain I, Competency D

Question 66

88. DPIAs and AI conformity assessments are both important tools in evaluating privacy risk. Which of the
    following is a key component of both?
    A. A targeted mitigation plan.
    B. An effective consent model.
    C. A strategy to anonymize data.
    D. A policy for personal data use.

Answer 66

88. The correct answer is A. Both assessments should involve an assessment of risks, as well as a plan to
    mitigate such risks. Consent and anonymization may be needed depending on the process or system
    involved. While personal data is a component of a DPIA, it may or may not be for an AI conformity
    assessment.
    Body of Knowledge Domain III, Competency B

Question 67

89. How can human oversight influence the reduction of bias or discrimination in AI/ML models (algorithmic
    bias) in the initial stages of selecting data and defining goals?
    A. Using only data scientists to handle data selection in AI/ML models ensures success in meeting set
    goals.
    B. Working with a variety of social experts ensures inclusive and unbiased data during the AI/ML model
    design.
    C. Having software engineers manage AI/ML bias reduction without social science input provides clarity in
    data selection.
    D. Allowing government regulators to provide the sole definition of AI/ML model data will remove all bias
    and discrimination.

Answer 67

89. The correct answer is B. Collaboration with social experts, such as psychologists, linguists and sociologists,
    provides diverse insights into human behavior and societal dynamics essential for identifying potential
    biases that may not be obvious to data scientists or software engineers.
    Body of Knowledge Domain I, Competency A

Question 68

90. What is the purpose of liability reform regarding liability for AI systems?
    A. To discourage the development and adoption of AI systems.
    B. To increase the legal risks and costs associated with AI systems.
    C. To reduce the legal certainty for developers and users of AI systems.
    D. To change the rules governing accountability for damages caused by AI systems.

Answer 68

90. The correct answer is D. Liability reform is the process of changing the legal rules and principles that govern
    the responsibility and accountability of parties who cause or contribute to damage or harm through AI
    systems.
    Body of Knowledge Domain III, Competency C

Question 69

91. When building an AI model, which of the following is a best practice for feature selection?
    A. Raw data is preferred to processed data.
    B. The more features used, the better the model performs.
    C. Personal information should never be used as a feature.
    D. The same features must be used for training and testing.

Answer 69

91. The correct answer is D. Training and testing data must use the same features to ensure accuracy. There are
    trade-offs to adding model features in performance, and adding too many features can cause overfitting to the training data. Raw data needs to be processed before being added to the model, at the very least, for
    data cleaning purposes. Finally, personal information can be used as a feature, but only where necessary.
    Body of Knowledge Domain V, Competency C

Question 70

92. Company XBR is developing an AI system for a virtual assistant to be used in households. How would the
    development team incorporate the principles of human-centric design throughout the entire process, from
    conception to deployment?
    A. Ignoring privacy concerns to maximize data collection for refining the AI algorithms.
    B. Designing the virtual assistant to operate independently, without requiring user input.
    C. Prioritizing user feedback and involving potential users in the early stages of development.
    D. Focusing on technical advancements and automation to streamline the virtual assistant’s capabilities.

Answer 70

92. The correct answer is C. The development team should rely on users’ participation and feedback to
    incorporate the principles of human-centric design through the process, from development to deployment
    of the AI system. Human-centered AI learns from human input and collaboration, and continuously
    improves based on human feedback.
    Prioritizing users’ feedback and involving users in the development of the AI system or otherwise is known
    as “human-centered design,” which is an approach to interactive systems development that aims to make
    systems usable and useful by focusing on the users, and their needs and requirements, and by applying
    human factors/ergonomics, usability knowledge and techniques. This approach enhances effectiveness and
    efficiency, improves human well-being, user satisfaction, accessibility and sustainability; and counteracts
    possible adverse effects of use on human health, safety and performance. See ISO 9241-210:2019(E)
    Body of Knowledge Domain II, Competency B

Question 71

93. Which one of the following options contains elements that should be considered when building an AI
    incident response plan?
    A. The security incident plan, which covers all requirements needed, includes required incident actions so
    the security team can oversee AI incident management.
    B. The third-party tools that are integrated into your system should be identified because, in the case of
    an incident, you might need to notify those third parties.
    C. An automated tool should be in place to guarantee the algorithm is shut down immediately, avoiding
    dependence on human action to avoid delays or human error.
    D. The existing privacy breach response tools in your organization need to be reused, as the data privacy
    team should be the reporting body overseeing all data-related incidents.

Answer 71

93. The correct answer is B. To understand third-party risk in the organization, it is necessary to identify all
    third-party tools that are integrated in the system. If there is an incident, the organization might need to
    notify the user of these third-party tools, as the incident might not only impact the tool owned by the
    organization.
    Body of Knowledge Domain VI, Competency F

Question 72

94. The HR department of the EU-based CompanyX purchases an AI-enabled tool to optimize efficiency and
    resource allocation. The tool collects personal data, including special categories of personal data under the
    GDPR, for an automated rating of workers’ performance and assignment of work. Given the context, the
    tool might be qualified as a high-risk AI system under the EU AI Act. Consequently, CompanyX must conduct
    tests against preliminarily defined metrics and probabilistic thresholds to identify risks and the most
    appropriate risk management measures. Since the tool will be used for automated decision-making
    affecting the privacy rights of employees, CompanyX must?
    A. Carry out a conformity assessment procedure after working with a representative in the EU.
    B. Draft the technical documentation and the required instructions for use once the tool is ready for use.
    C. Perform a data protection impact assessment to determine the impact to personal data before
    launching the tool.
    D. Inform appropriate national authorities of the Member States of all the risk mitigations taken as soon
    as the tool is in use.

Answer 72

94. The correct answer is C. CompanyX is an EU-based AI user and, therefore, it will need to comply with the
    requirements of the EU AI Act. The EU AI Act classifies AI systems used in employment and worker
    management as high risk and imposes rigorous obligations on the providers of high-risk AI systems. Users
    of high-risk AI tools must comply with less stringent requirements, such as using the product according to
    provider instructions; conducting impact assessments, including data protection impact assessments;
    monitoring the operation of the system; and notifying the provider or distributor of system malfunctions.
    Carrying out a data protection impact assessment in this context is a GDPR requirement since the type of
    processing activity described creates a likelihood of a high-risk outcome to the rights and freedoms of the
    employees.
    Body of Knowledge Domain IV, Competency A

Question 73

95. The U.S. Federal Trade Commission is urging what tort reform initiative?
    A. Encourage AI developers to limit contractual liability to AI users.
    B. Protect trade secrets by maintaining confidentiality of AI algorithms.
    C. Ensure robust, empirically sound, ethical, transparent and fair decisions.
    D. Favor agency enforcement of AI safety violations over private right of action.

Answer 73

95. The correct answer is C. The FTC guidance on “Using Artificial Intelligence and Algorithms” urges businesses
    to be transparent with consumers; ensure decisions are fair, robust and empirically sound; and hold
    themselves accountable for compliance, ethics, fairness and non-discrimination.
    Body of Knowledge Domain VII, Competency A

Question 74

96. CompanyZ is a U.S.-based hospital system with a clinic serving a particular community with a chronic
    disease that, long-term, is fatal. CompanyZ’s IT department wants to create an artificial intelligence tool that
    will ingest clinical data from electronic medical records, and then analyze progression of the disease to
    anticipate a patient’s significant clinical decline before it is a medical emergency. The IT department has
    asked for the privacy officer’s help in determining how to make the tool compliant. Which law below must
    the privacy officer consider?
    A. Colorado Privacy Act.
    B. Gramm-Leach-Bliley Act.
    C. Federal Trade Commission Health Breach Notification Rule.
    D. Health Insurance Portability and Accountability Act of 1996.

Answer 74

96. The correct answer is D. The Health Insurance Portability and Accountability Act of 1996 requires that
    protected health information be protected and not disclosed without a patient’s consent or knowledge, except in certain limited circumstances. The privacy officer must determine how to ensure that the
    proposed project protects patient information, if the project should allow for prior patient authorization of
    the use of artificial intelligence, and if it must allow patients to decline use of their data in the project
    without affecting their ability to obtain care.
    Body of Knowledge Domain III, Competency A

Question 75

97. A consulting company will be using a new recruiting platform that will prescreen candidates using an
    automated employment decision tool as part of its hiring process. The tool will score candidates based on
    their application submitted through the company’s website, and the recruiters will see the top candidates
    for open job roles. The consulting company will be hiring candidates from New York. Which of the following
    actions is the consulting company NOT required to take to comply with New York City’s Local Law 144?
    A. Publish the results of the bias audit on its public website.
    B. Provide a transparent notice to employees or candidates about the use of AEDT.
    C. Conduct a bias audit within one year prior to using it to screen candidates for employment.
    D. Notify the NYC Department of Consumer Worker Protection of the results of any bias audit.

Answer 75

97. The correct answer is D. Notification of bias audit results is not a requirement of Local Law 144. The result of
    the bias audit needs to be published on the public website.
    Body of Knowledge Domain IV, Competency B

Question 76

98. An organization wants to build a model to analyze content on social media by considering both textual
    content and associated images or videos. Which type of machine learning modeling technique is suitable in
    this scenario?
    A. Regression.
    B. Multi-modal.
    C. Reinforcement.
    D. Anomaly detection.

Answer 76

98. The correct answer is B. Multi-modal models are designed to process and integrate information from
    multiple modalities, making them well suited for tasks that involve diverse types of data, such as text,
    images and videos. In the given scenario, where the organization wants to analyze content on social media
    by developing a model that processes both textual content and associated images or videos, the resulting
    model would be regarded as multi-modal.
    Body of Knowledge Domain I, Competency B

Question 77

99. The engineering team within your company has been working on an AI tool for the past several months.
    After completion of planning, design and development, what is the next step?
    A. Perform a readiness assessment.
    B. Define the business requirements.
    C. Determine the governance structure.
    D. Verify the data used to test the system.

Answer 77

99. The correct answer is A. Although the other options reference some part of the AI development life cycle,
    these steps should be completed before commencement of the implementation phase and during system
    planning, design and development. After the completion of these activities, a readiness assessment will
    determine whether the technology is ready to deploy.
    Body of Knowledge Domain V, Competency D

Question 78

100. Which of the following activities is a best practice method to identify and mitigate predictable risks of
     secondary or unintended uses of AI models?
     A. Developing model cards for AI systems.
     B. Implementing an AI governance strategy.
     C. Conducting data protection impact assessments.
     D. Engaging in bug bashing and red teaming exercises.

Answer 78

100. The correct answer is A. Model cards are short summary documents explaining the purpose of an AI
     model and provide information regarding a model’s development and performance, as well as additional
     details for model transparency purposes. These cards are considered as a best practice method to identify
     and mitigate predictable risks associated with any secondary/unintended AI model use.
     Body of Knowledge Domain VI, Competency F