AI Governance, Risk & Compliance for CompTIA SecAI+

Sample Practice Questions

1. Question 1

   Which of the following should an auditor reference when reviewing a company’s human resources AI systems for legal non-compliance?
   1. A. Organization for Economic Cooperation and Development (OECD) standard
   2. B. National Institute of Standards and Technology (NIST) AI Risk Management Framework 9RMF)
   3. C. European Union (EU) AI Act
   4. D. International Organization for Standardization (ISO)
   Explanation

   The correct answer is: C. European Union (EU) AI Act.

   An auditor reviewing a human resources AI system for legal non-compliance should reference the EU AI Act, because Annex III of the Act explicitly classifies AI used in employment, worker management, and access to self-employment, including recruitment, candidate screening, and performance evaluation, as a high-risk category subject to mandatory legal obligations such as risk management, data governance, human oversight, logging, and conformity assessment. The OECD AI Principles are an influential but non-binding intergovernmental policy framework that cannot be cited to determine legal non-compliance. The NIST AI RMF (AI 100-1) is a voluntary risk management guideline that helps organizations operationalize trustworthy AI but does not itself impose legal requirements an auditor can hold the company against. The ISO option is too generic; ISO/IEC 42001 governs AI management systems and ISO/IEC 23894 covers AI risk, but conformance to these standards is voluntary certification rather than statutory law. Only the EU AI Act creates binding legal obligations specific to HR AI.

2. Question 2

   Which of the following is the most concerning risk for a company that allows corporate end users to use public-facing large language models (LLMs)?
   1. A. Inaccuracies due to hallucinations
   2. B. Out-of-date acceptable use policies
   3. C. Data security regulatory violations
   4. D. Malicious code generation
   Explanation

   The correct answer is: C. Data security regulatory violations.

   The most concerning risk when corporate end users send prompts to public-facing LLMs is data security regulatory violations, because employees routinely paste source code, customer records, contracts, or other regulated information into external chat interfaces, and that data can be retained, used for training, or otherwise exposed in ways that breach GDPR, HIPAA, PCI DSS, or contractual confidentiality obligations. This concern maps directly to OWASP LLM Top 10 risk LLM06 Sensitive Information Disclosure and to NIST AI RMF Manage function guidance on third-party AI services. Inaccuracies from hallucinations matter for output trust but are typically caught by the user reviewing the response and do not by themselves create legal liability the way a data leak does. An out-of-date acceptable use policy is a governance gap that should be fixed, yet it is the enabler of the underlying data exposure rather than the most serious risk on its own. Malicious code generation is a real concern but is mitigated by code review and is generally less material to a company than a regulator-reportable disclosure of protected data.

3. Question 3

   A healthcare organization plans to deploy a chatbot for appointment scheduling and patient records. Which of the following is the first step a security administrator should take?
   1. A. Implement prompt firewalls.
   2. B. Enable role-based access management
   3. C. Conduct a risk assessment.
   4. D. Use a secure data communication channel for chat.
   Explanation

   The correct answer is: C. Conduct a risk assessment..

   The first step a security administrator should take before deploying a healthcare chatbot that touches appointment scheduling and patient records is to conduct a risk assessment, because the use case involves protected health information and high-impact decisions and therefore demands that threats, data flows, regulatory obligations such as HIPAA and GDPR, and AI-specific risks like prompt injection and data leakage be identified and prioritized before any control is selected. This sequencing is exactly what the NIST AI RMF Map and Measure functions and ISO/IEC 23894 prescribe, and it is also the basis for an EU AI Act conformity assessment when the deployment falls under high-risk health categories. Implementing prompt firewalls, enabling role-based access management, and using a secure communication channel are all valid mitigations, but choosing controls before assessing risk inverts the process and can leave the most serious threats uncovered while spending effort on lower-priority defenses. The risk assessment is what tells the administrator which of those controls are actually needed and how strong they must be.

4. Question 4

   Which of the following helps in managing potential security issues related to model training?
   1. A. National Institute of Standards and Technology (NIST) AI Risk Management Framework (RMF)
   2. B. International Organization for Standardization (ISO) 27001
   3. C. Organization for Economic Co-operation and Development (OECD)
   4. D. General Data Protection Regulation (GDPR)
   Explanation

   The correct answer is: A. National Institute of Standards and Technology (NIST) AI Risk Management Framework (RMF).

   The NIST AI RMF is the most appropriate framework for managing security issues that arise specifically from model training, because its Measure and Manage functions address training-time risks such as data poisoning, biased or unrepresentative training data, model theft, supply chain weaknesses in foundation models, and the validation and monitoring needed to keep a model trustworthy across its lifecycle. ISO 27001 governs an information security management system and is essential for protecting the surrounding IT estate, but it is not AI-specific and does not prescribe controls for training data integrity, model evaluation, or bias measurement. The OECD AI Principles set non-binding international expectations for trustworthy AI but stop short of operational guidance for securing the training process. GDPR regulates personal data processing and lawful basis, which is relevant when training data includes personal information, yet it does not provide a methodology for the broader set of training-related security risks the question targets.

5. Question 5

   Which of the following responsible AI standards refers to a principle that clearly states the reasons behind the decisions for a particular conclusion?
   1. A. Accountability
   2. B. Auditability
   3. C. Transparency
   4. D. Explainability
   Explanation

   The correct answer is: D. Explainability.

   Explainability is the responsible AI principle that specifically requires a system to articulate the reasoning, features, or factors that drove a particular conclusion or prediction, allowing affected users and reviewers to understand why an output was produced. It is the property the NIST AI RMF places under the Explainable and Interpretable trustworthiness characteristic and that ISO/IEC 23894 ties to risk treatment for opaque models. Transparency is related but broader, referring to disclosure about the system as a whole, such as that an AI is in use, what data it was trained on, and what its known limitations are, rather than reasons for a single decision. Accountability is a governance principle that assigns ownership and answerability for outcomes to identifiable people and roles, not an explanation of the decision itself. Auditability is the capability to log, trace, and independently review the system over time so that an external party can verify behavior against policy, which supports explainability but does not on its own state the reasons behind a specific conclusion.

Other CompTIA SecAI+ domains

• AI-Assisted Security (13 questions)
• Basic AI Concepts Related to Cybersecurity (13 questions)
• Securing AI Systems (38 questions)