The latest changes and updates from the administration for this exam.
Latest Update: Jun 20 2026
All questions are working fine.
Correct Answer: D
A is incorrect: Encrypting training datasets at rest protects data confidentiality by preventing unauthorized access to data while stored. However, encryption does not address data integrity or the quality of the data content itself. Encrypted poisoned data remains poisoned after decryption, and an adversary who submits malicious data through legitimate channels would bypass encryption-based controls entirely. The attack described involves malicious content within the data, not unauthorized access to storage. Reference: https://genai.owasp.org/llmrisk/llm042025-data-and-model-poisoning/
B is incorrect: Rate limiting on inference endpoints is a runtime control that restricts the number of queries users can make against the deployed model. While useful for preventing model extraction attacks and denial-of-service, rate limiting operates at the inference layer and does not affect the training pipeline. It cannot prevent the injection of adversarial data into training datasets and would have had no impact on preventing the poisoning attack described in this scenario. Reference: https://genai.owasp.org/llmrisk/llm042025-data-and-model-poisoning/
C is incorrect: Output filtering on the production model is a post-deployment control that monitors and filters model responses to prevent harmful outputs from reaching users. While output filtering can mitigate the effects of a poisoned model by blocking inaccurate results, it does not address the root cause at the training pipeline level. The question asks which control would have prevented the poisoning attack, which requires data sanitization controls at the data ingestion stage of the pipeline. Reference: https://genai.owasp.org/llmrisk/llm042025-data-and-model-poisoning/
D is correct: Applying statistical outlier detection and anomaly detection is the correct answer. These data sanitization techniques are specifically designed to detect and remove adversarial data from training pipelines before it can corrupt the model. According to OWASP guidance on data and model poisoning, data sanitization with techniques such as statistical outlier detection and anomaly detection methods can detect and remove adversarial data from potentially being fed into the training process. This directly addresses the root cause of the poisoning attack. Reference: https://genai.owasp.org/llmrisk/llm042025-data-and-model-poisoning/
Correct Answer: A
A is correct: HSMs are tamper-responsive devices designed to detect physical intrusion attempts. When a tamper event is detected, the HSM automatically zeroizes all stored cryptographic key material, rendering the keys unrecoverable and preventing an attacker from extracting sensitive information. This is a critical safeguard for protecting encryption keys that secure AI model weights and inference data on on-premises servers. Reference: https://csrc.nist.gov/glossary/term/hardware_security_module_hsm
B is incorrect: HSMs do not respond to tamper events by failing over to a backup device. A failover response could potentially allow the compromised HSM to transmit key material over the network during the transition, creating an exposure window. Instead, the HSM immediately destroys all stored keys through automatic zeroization to ensure no key material remains available for extraction. Reference: https://csrc.nist.gov/glossary/term/hardware_security_module_hsm
C is incorrect: HSMs do not respond to tamper events by re-encrypting key material with a secondary key. The purpose of tamper response is to permanently destroy the key material so it cannot be extracted under any circumstances. Re-encrypting keys would still leave the data potentially recoverable if the secondary key were compromised, defeating the security purpose of tamper-responsive design. Reference: https://csrc.nist.gov/glossary/term/hardware_security_module_hsm
D is incorrect: While session locking is a valid security response for logical access violations, it is not the HSM's response to a physical tamper event. Physical tampering requires a more aggressive defense because the attacker has direct access to the hardware. HSMs respond by permanently destroying key material through zeroization, ensuring no cryptographic secrets survive in the compromised device. Reference: https://csrc.nist.gov/glossary/term/hardware_security_module_hsm
Correct Answer: A
A is correct: Applying differential privacy noise to the output confidence scores is correct. Membership inference attacks exploit the statistical differences in confidence scores between training data members and non-members. By applying a differential privacy mechanism to modify and normalize confidence score vectors at inference time, the model's outputs become indistinguishable between members and non-members. This directly neutralizes the attack vector while maintaining the model's primary classification utility with minimal accuracy degradation. Reference: https://owasp.org/www-project-machine-learning-security-top-10/ and https://csrc.nist.gov/pubs/ai/100/2/e2025/final
B is incorrect: Encrypting confidence scores in transit between the model and all API consumers is incorrect. Transport layer encryption using TLS protects data from eavesdropping during network transmission but does not alter the information content of the model's outputs. An authorized API consumer conducting a membership inference attack receives the same detailed confidence scores after decryption, meaning the vulnerability remains fully exploitable despite encryption being applied to API communications. Reference: https://owasp.org/www-project-machine-learning-security-top-10/ and https://csrc.nist.gov/pubs/ai/100/2/e2025/final
C is incorrect: Logging all inference requests to a centralized security information and event management system is incorrect. While logging and SIEM integration are important detection controls that can help identify suspicious query patterns after the fact, they do not mitigate the underlying vulnerability. Logging enables forensic investigation and alerting but does not prevent the model from returning exploitable confidence scores to users performing membership inference queries at runtime. Reference: https://owasp.org/www-project-machine-learning-security-top-10/ and https://csrc.nist.gov/pubs/ai/100/2/e2025/final
D is incorrect: Implementing role-based access control policies on the prediction API endpoint is incorrect. Access controls determine which users are authorized to query the model but do not reduce the information content of the responses provided to authorized users. A legitimate authenticated user with proper RBAC credentials can still perform membership inference attacks using the detailed confidence scores the model returns within its normal prediction responses. Reference: https://owasp.org/www-project-machine-learning-security-top-10/ and https://csrc.nist.gov/pubs/ai/100/2/e2025/final
Correct Answer: C
A is incorrect: Minimal-risk AI systems under the EU AI Act include applications such as spam filters or AI-enabled video games that pose negligible risk and are subject only to voluntary codes of conduct and best practices. The described system performs social scoring based on personal behaviors, which represents the highest risk level under the Act. It is classified as unacceptable risk and is fully prohibited from deployment. Reference: https://artificialintelligenceact.eu/article/5/
B is incorrect: While the EU AI Act permits high-risk AI systems in areas such as employment and worker management with strict requirements including conformity assessments, AI-based social scoring goes beyond the high-risk classification. Systems that evaluate individuals based on social behavior and personal characteristics to determine access to benefits fall into the unacceptable risk category and are completely prohibited rather than regulated with additional safeguards. Reference: https://artificialintelligenceact.eu/article/5/
C is correct: Under the EU AI Act, AI systems that perform social scoring based on social behavior or personal characteristics are classified as unacceptable risk and are explicitly prohibited under Article 5. The Act bans AI practices that threaten fundamental rights, including systems that evaluate and classify individuals based on inferred personality traits or social behavior to determine access to resources, as these practices cause discrimination and exclusion. The prohibition on social scoring practices took effect on February 2, 2025, as part of the first enforcement wave. Reference: https://artificialintelligenceact.eu/article/5/
D is incorrect: Limited-risk AI systems under the EU AI Act are subject to transparency obligations such as informing users they are interacting with AI. However, the described system constitutes social scoring, which is classified as unacceptable risk and prohibited entirely under Article 5. Transparency disclosures alone are wholly insufficient for a system that fundamentally violates the Act's prohibition on social scoring practices. Reference: https://artificialintelligenceact.eu/article/5/
Correct Answer: C
A is incorrect: Deep learning models typically require significantly more computational resources than traditional signature-based lookups, particularly during training and complex inference operations. Signature matching is a comparatively lightweight process. The primary advantage of deep learning lies in its superior detection capability against unknown variants, not in reduced computational requirements.
B is incorrect: Deep learning models require substantial amounts of labeled training data to learn meaningful patterns for accurate classification. The training process is essential to how deep learning functions, as the model extracts features and builds predictions based on patterns observed during training. Deep learning leverages large datasets more effectively but does not eliminate the need for training data.
C is correct: Deep learning models learn underlying behavioral and structural patterns from training data, enabling them to generalize and detect previously unseen malware variants including polymorphic and zero-day threats. Unlike signature-based systems that require exact matches to known signatures, deep learning classifiers can recognize similarities to known malware families even when code has been modified or obfuscated.
D is incorrect: Deep learning models produce probabilistic outputs based on learned patterns, assigning confidence scores to their classification decisions. Unlike signature-based systems that provide deterministic matches against known indicators, deep learning classifiers may produce varying confidence levels and can occasionally generate false positives or negatives requiring analyst review.
Correct Answer: C
A is incorrect: Granting unrestricted access to security tools does not solve the non-determinism challenge and introduces significant security risks. Broad access permissions could allow AI agents to take unintended actions or access sensitive data unnecessarily. The concern in the scenario is about consistency of AI outputs, which is addressed through structured workflow design and bounded reasoning, not through expanded tool access permissions.
B is incorrect: Removing human oversight does not address the non-determinism of AI agents and instead eliminates a critical safety mechanism. Human oversight provides validation of AI-generated conclusions and ensures accountability for response actions. The variability in AI outputs is inherent to probabilistic reasoning and cannot be eliminated by removing human review from the process. Proper governance requires maintaining oversight for high-impact decisions.
C is correct: The best approach combines deterministic pipeline steps with bounded AI reasoning. In this model, the overall workflow remains deterministic and auditable while AI agents perform reasoning only within defined nodes where interpretation is needed. This maintains the predictability and auditability of traditional SOAR playbooks while leveraging AI flexibility for tasks requiring judgment such as alert classification and risk assessment within controlled boundaries.
D is incorrect: Replacing AI agents entirely with static rule-based playbooks eliminates the benefits of AI-driven analysis, including the ability to handle novel threats and interpret ambiguous scenarios. While this would restore full determinism, it sacrifices the adaptive intelligence AI provides for triage and investigation. The better approach is to bound AI reasoning within a deterministic structure rather than removing AI capabilities from the platform entirely.
Correct Answer: C
A is incorrect: Large-scale data exfiltration typically involves transferring significant volumes of data out of a network, often characterized by large or variable-sized payloads and sustained high-bandwidth connections. The scenario describes small, consistent payload sizes at regular intervals, which is inconsistent with bulk data transfer. While exfiltration can occur over C2 channels, the small uniform payloads point specifically to beaconing behavior.
B is incorrect: DDoS reconnaissance involves scanning and probing target systems to identify vulnerabilities before launching a volumetric attack. This activity typically generates varied probe patterns, port scanning, and service enumeration traffic rather than regular periodic communication with consistent intervals and uniform payload sizes. The behavioral pattern described in the scenario is characteristic of C2 beaconing, not DDoS preparation activities.
C is correct: Command-and-control beaconing is the correct answer. C2 beaconing is characterized by regular, periodic communications between a compromised host and an attacker-controlled server, often using small, uniform payloads to check for new instructions. AI-driven NDR platforms detect this behavior by analyzing intra-request time delta patterns in network traffic. The combination of consistent timing intervals, off-hours activity, and small uniform payloads is a strong indicator of automated C2 communication rather than legitimate user activity.
D is incorrect: Brute-force credential spraying involves rapidly attempting authentication requests against multiple accounts using common passwords. This generates traffic directed at authentication endpoints with varying response codes and burst connection patterns. The scenario describes periodic outbound communication to a single external IP with uniform payloads, which does not match the traffic profile of a credential spraying attack.
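Added example (not part of the original answer key): a small detector that applies the intra-request time-delta analysis described above to constructed connection log lines. It groups events per source/destination pair and flags a pair as beaconing when inter-request intervals and payload sizes are both highly uniform (low coefficient of variation); the thresholds, log format and off-hours window are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not from any real capture):
# "<UTC timestamp> <src_ip> <dst_ip> <bytes_sent>"
SAMPLE_LOG = """\
2025-03-02T02:00:00Z 10.0.0.5 203.0.113.10 412
2025-03-02T02:05:01Z 10.0.0.5 203.0.113.10 410
2025-03-02T02:10:00Z 10.0.0.5 203.0.113.10 413
2025-03-02T02:15:02Z 10.0.0.5 203.0.113.10 411
2025-03-02T02:20:00Z 10.0.0.5 203.0.113.10 412
2025-03-02T02:25:01Z 10.0.0.5 203.0.113.10 410
2025-03-02T09:14:07Z 10.0.0.7 198.51.100.20 1532
2025-03-02T09:14:09Z 10.0.0.7 198.51.100.20 88210
2025-03-02T09:31:44Z 10.0.0.7 198.51.100.20 2043
2025-03-02T10:02:19Z 10.0.0.7 198.51.100.20 512
2025-03-02T10:02:20Z 10.0.0.7 198.51.100.20 19877
2025-03-02T11:47:03Z 10.0.0.7 198.51.100.20 6001
"""


def parse_log(text):
    """Group events by (src, dst); each event is (timestamp, bytes_sent), sorted by time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(src, dst)].append((when, int(nbytes)))
    for events in flows.values():
        events.sort()
    return flows


def _cv(values):
    """Coefficient of variation: stdev / mean. Near 0 means highly regular."""
    mean = statistics.fmean(values)
    return statistics.stdev(values) / mean if mean else float("inf")


def score_flows(flows, min_events=5, max_delta_cv=0.15, max_bytes_cv=0.15,
                off_hours=range(0, 6)):
    """Return per-pair beaconing metrics. Thresholds are assumed tuning values."""
    results = {}
    for pair, events in flows.items():
        if len(events) < min_events:  # too few samples to judge regularity
            results[pair] = {"events": len(events), "beaconing": False}
            continue
        times = [t for t, _ in events]
        sizes = [b for _, b in events]
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        delta_cv, bytes_cv = _cv(deltas), _cv(sizes)
        off_hours_frac = sum(t.hour in off_hours for t in times) / len(times)
        results[pair] = {
            "events": len(events),
            "mean_interval_s": round(statistics.fmean(deltas), 1),
            "delta_cv": round(delta_cv, 4),        # timing regularity
            "bytes_cv": round(bytes_cv, 4),        # payload uniformity
            "off_hours_fraction": round(off_hours_frac, 2),  # context for the analyst
            "beaconing": delta_cv <= max_delta_cv and bytes_cv <= max_bytes_cv,
        }
    return results
```

Running `score_flows(parse_log(SAMPLE_LOG))` flags the 10.0.0.5 pair (roughly 300-second intervals, ~411-byte payloads, all at 02:xx) and leaves the bursty, variable-size 10.0.0.7 traffic unflagged.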
Correct Answer: D
A is incorrect: Data poisoning involves an attacker deliberately introducing malicious data into the training set to corrupt the model's behavior. Adversarial training is a legitimate defense technique that intentionally includes adversarial examples to improve robustness, not a poisoning attack. The decrease in clean accuracy is an expected side effect of the robustness-accuracy tradeoff inherent in adversarial training, not evidence that the model has been poisoned or that its feature representations have been maliciously corrupted. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
B is incorrect: Adversarial training is applicable across a wide range of model architectures including convolutional neural networks, deep neural networks, and other deep learning architectures commonly used in threat detection. The decrease in clean accuracy is not caused by architectural incompatibility but by the inherent tradeoff between adversarial robustness and standard accuracy. The model architecture does not need to be changed because the accuracy decrease is a recognized and expected characteristic of adversarial training. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
C is incorrect: Data leakage occurs when information from outside the training dataset inadvertently influences the model, typically inflating performance metrics rather than reducing them. The observed decrease in clean accuracy is not consistent with data leakage, which would more likely cause artificially high accuracy results. The accuracy drop is attributable to the well-known robustness-accuracy tradeoff that occurs when models are optimized to handle both clean and adversarially perturbed inputs simultaneously during training. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
D is correct: Adversarial robustness introduces a recognized tradeoff between robustness and clean accuracy. When a model is trained to correctly classify both clean and adversarially perturbed inputs, its decision boundaries shift to accommodate worst-case perturbations, which can reduce performance on standard unperturbed data. This accuracy-robustness tradeoff is a well-documented phenomenon in adversarial machine learning and is an expected outcome that security teams must balance when hardening AI models. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
Correct Answer: B
A is incorrect: OAuth 2.0 with role-based access scopes controls who can access the API and what permissions they hold. While essential for access management, it does not limit the volume or pattern of queries an authorized consumer can submit within their permitted scope. An authenticated user with valid credentials and appropriate scopes could still perform model extraction through high-volume, systematic querying of the inference endpoint without violating their access permissions. Reference: https://genai.owasp.org/llmrisk/llm102025-unbounded-consumption/
B is correct: Rate limiting with query pattern monitoring is the correct answer. Model extraction attacks depend on sending a high volume of systematically structured queries to an AI inference API and using the outputs to replicate the model's behavior. Rate limiting restricts the volume of queries a consumer can submit, while query pattern monitoring detects the systematic querying patterns characteristic of extraction attempts. OWASP identifies rate limiting of API calls and detection techniques such as DLP as key controls to reduce the risk of data exfiltration from LLM applications, directly addressing the model theft threat vector. Reference: https://genai.owasp.org/llmrisk/llm102025-unbounded-consumption/
C is incorrect: Input schema validation ensures that API requests conform to expected data structures and formats, rejecting malformed or non-conforming inputs. However, model extraction attacks typically use well-formed, legitimate queries that would pass schema validation checks. The extraction relies on the volume and systematic variation of valid queries rather than on exploiting malformed request structures, making schema validation alone insufficient for preventing this attack. Reference: https://genai.owasp.org/llmrisk/llm102025-unbounded-consumption/
D is incorrect: TLS encryption and certificate pinning protect data in transit between the client and the server, ensuring confidentiality and integrity of communications. However, these controls do not prevent an authenticated consumer from sending a high volume of queries to replicate the model's behavior. Model extraction attacks operate through legitimate, properly encrypted API calls rather than through eavesdropping on network traffic, making transport-level encryption insufficient for this specific threat. Reference: https://genai.owasp.org/llmrisk/llm102025-unbounded-consumption/
Correct Answer: A
A is correct: Analyzing disparity metrics across protected demographic attributes is the correct first step. When a bias assessment reveals statistically significant differences in AI outcomes across racial demographics, the organization must quantify the extent and nature of the disparity using established fairness metrics such as disparate impact ratios and equalized odds. This systematic assessment follows NIST SP 1270 guidance on identifying and managing bias and fulfills the AUP's requirement for periodic bias evaluations. Implementing remediation without first understanding the specific disparity patterns could introduce new issues or fail to address the root cause. Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1270.pdf
B is incorrect: Replacing the AI model with a rule-based system is an overly drastic response that abandons the benefits of AI-driven analysis without first understanding the nature of the bias. Rule-based systems can also encode bias through their defined rules and thresholds. The appropriate first step under the AUP is to assess and quantify the identified bias using disparity metrics, not to eliminate the AI system entirely. Bias assessment should precede any decision about model replacement or remediation strategy. Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1270.pdf
C is incorrect: Differential privacy is a mathematical technique designed to protect individual data points from being identified in outputs or queries. While valuable for data privacy, it does not address the underlying bias in the model's decision-making process. Obscuring demographic patterns in outputs does not resolve the discriminatory approval rate differences detected by the audit. The AUP's bias assessment requirement focuses on identifying and correcting unfair outcomes rather than masking them with privacy-preserving techniques. Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1270.pdf
D is incorrect: Removing demographic data from training datasets is a common misconception about bias mitigation. AI models can still learn discriminatory patterns through proxy features that correlate with protected attributes, such as geographic location correlating with race. Additionally, removing demographic features without first analyzing the disparity makes it impossible to measure whether bias has been effectively addressed. The AUP requires a thorough understanding of the bias before implementing corrective measures. Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1270.pdf
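Added example (not part of the original answer key): computing the two disparity metrics named above, the disparate impact ratio and the equalized odds gaps, over a constructed audit table of approval decisions. The four-fifths threshold and the 0.1 gap tolerance are assumed policy values; the group labels and counts are made up for illustration.

```python
from collections import defaultdict

# Constructed audit data, not a real dataset:
# (group, actual_outcome, model_decision, count)
# actual_outcome 1 = applicant later proved creditworthy; model_decision 1 = approved.
SAMPLE_COUNTS = [
    ("group_a", 1, 1, 5), ("group_a", 1, 0, 1), ("group_a", 0, 1, 1), ("group_a", 0, 0, 3),
    ("group_b", 1, 1, 3), ("group_b", 1, 0, 3), ("group_b", 0, 1, 0), ("group_b", 0, 0, 4),
]


def expand(counts):
    """Turn (group, actual, decision, count) rows into one record per individual."""
    return [(g, y, p) for g, y, p, n in counts for _ in range(n)]


def _rate(num, den):
    # An undefined rate (no members in the denominator) is reported as 0.0.
    return num / den if den else 0.0


def selection_rates(records):
    """Fraction approved per group: the input to the disparate impact ratio."""
    approved, total = defaultdict(int), defaultdict(int)
    for g, _, p in records:
        total[g] += 1
        approved[g] += p
    return {g: _rate(approved[g], total[g]) for g in total}


def disparate_impact_ratio(rates):
    """Lowest group selection rate divided by the highest (four-fifths rule input)."""
    return _rate(min(rates.values()), max(rates.values()))


def group_error_rates(records):
    """Per-group true positive rate and false positive rate, which equalized odds compares."""
    tally = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    for g, y, p in records:
        key = ("tp" if p else "fn") if y else ("fp" if p else "tn")
        tally[g][key] += 1
    return {g: {"tpr": _rate(c["tp"], c["tp"] + c["fn"]),
                "fpr": _rate(c["fp"], c["fp"] + c["tn"])} for g, c in tally.items()}


def assess(counts, four_fifths=0.8, max_gap=0.1):
    """Summarise disparity across groups; thresholds are assumed policy settings."""
    records = expand(counts)
    rates = selection_rates(records)
    di = disparate_impact_ratio(rates)
    errs = group_error_rates(records)
    tprs = [e["tpr"] for e in errs.values()]
    fprs = [e["fpr"] for e in errs.values()]
    tpr_gap, fpr_gap = max(tprs) - min(tprs), max(fprs) - min(fprs)
    return {
        "selection_rates": rates,
        "disparate_impact_ratio": di,
        "four_fifths_pass": di >= four_fifths,
        "tpr_gap": tpr_gap,
        "fpr_gap": fpr_gap,
        "equalized_odds_pass": tpr_gap <= max_gap and fpr_gap <= max_gap,
    }
```

On the constructed table, group_b is approved at half the rate of group_a (ratio 0.5, failing the four-fifths rule) and its true positive rate is a third lower, so both metrics point to a disparity worth investigating before any remediation is chosen.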
