The latest changes and updates from the administration for this exam.
Latest Update: Jun 20 2026
All questions are working fine.
Correct AnswerC
A is incorrect: The generator in a GAN-based malware engine does not reverse-engineer or extract the internal rules of the target detection model. In a black-box evasion scenario, the GAN uses the discriminator as an internal proxy for the target detector and optimizes adversarial samples through iterative feedback from this proxy. This approach does not require direct access to or understanding of the target model's internal classification logic or decision boundaries.
B is incorrect: Replacing a detection model's training data would constitute a data poisoning attack, which is a fundamentally different attack vector than GAN-based evasion. The GAN generates adversarial malware variants designed to evade detection without requiring access to or modification of the target system's training data pipeline. GAN-based evasion and data poisoning operate through entirely different mechanisms and attack surfaces. Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/behavioral-blocking-containment
C is correct: This is correct. In a GAN-based malware evasion framework, the generator learns to produce malware variants whose features appear benign to detection classifiers. The discriminator acts as a substitute for the targeted ML-based detection model, providing iterative feedback that helps the generator progressively refine its output. Through this adversarial training loop, the generator creates increasingly evasive malware samples that retain malicious functionality while successfully fooling endpoint detection classifiers.
D is incorrect: The discriminator in a GAN does not inject noise into external detection models. The discriminator serves as an internal component of the GAN architecture that evaluates the generator's output against real samples. It functions as a proxy for the target detection system, providing feedback within the GAN training loop. The GAN operates independently from the target detection model and does not directly modify the target model's internal parameters or weights. Reference: https://attack.mitre.org/techniques/T1027/014/
Correct AnswerD
A is incorrect: Encrypting model artifacts at each pipeline stage protects model confidentiality and integrity during storage and transmission. However, encryption does not resolve the access control discrepancy between tools. A user with elevated CI/CD access could still manipulate deployment configurations and promote unauthorized models regardless of artifact encryption.
B is incorrect: Differential privacy adds controlled noise to training data or model outputs to protect individual data points from being re-identified. While valuable for data privacy, differential privacy does not address the access control inconsistency between MLOps tools that enables unauthorized manipulation of model deployments through elevated CI/CD platform permissions.
C is incorrect: Adversarial robustness testing validates that models behave correctly when subjected to adversarial inputs during the model evaluation phase. It addresses model security against input manipulation attacks, not the organizational access control vulnerability of inconsistent permissions across interconnected MLOps tools that the scenario describes.
D is correct: Cross-tool access exploitation occurs when insiders leverage inconsistent permissions across multiple MLOps tools to perform unauthorized actions. Enforcing consistent role-based access controls across all integrated tools, including data versioning systems, CI/CD platforms, model registries, and deployment systems, closes these gaps by ensuring that permissions are uniform and a user cannot circumvent restrictions in one tool by exploiting elevated access in another.
Correct AnswerD
A is incorrect: Applying network encryption protects data confidentiality during transit but does not prevent adversarial evasion attacks at the inference layer. The attacker crafts perturbations to the feature representation of traffic data that the model processes, not the raw network packets. Encryption does not change how the model interprets its input features and therefore cannot address decision boundary fragility against adversarial perturbations. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
B is incorrect: Restricting API query access reduces the attack surface by limiting who can interact with the model and can slow down black-box attack techniques. However, it does not harden the model itself against adversarial perturbations. A determined attacker who gains access or uses transferable adversarial examples crafted on a substitute model can still exploit the undefended decision boundaries. Access restrictions are complementary controls, not a substitute for model hardening. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
C is incorrect: Increasing training data volume with clean samples can improve overall model accuracy and generalization but does not specifically address adversarial robustness. Clean samples do not teach the model to handle intentionally crafted perturbations. The model may still have fragile decision boundaries that can be exploited by small input modifications, because it has never been exposed to adversarial examples during training. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
D is correct: Performing adversarial training with representative attack samples is the most effective proactive defense. Adversarial training involves augmenting the training process with adversarial examples—inputs intentionally crafted to fool the model—so the model learns to correctly classify both clean and perturbed inputs. This technique directly strengthens the model's decision boundaries, making it resilient against evasion attacks that use small perturbations at inference time. As noted in NIST AI 100-2, evasion attacks modify testing samples to alter model predictions, and adversarial training is among the most established defenses. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
Correct AnswerC
A is incorrect: Manual quarterly rotation reduces the exposure window if a key is compromised but still relies on a long-lived static credential between rotations. Manual processes are error-prone and may cause service outages if not executed correctly. Automated short-lived credentials provided by managed identities are more secure and operationally efficient than periodic manual rotation of static keys.
B is incorrect: IP-based allowlisting limits which network locations can use the API key, adding a layer of network-based access control. However, the credential itself remains a long-lived static key that can be stolen and potentially used from an allowed network. IP restrictions also become difficult to maintain in dynamic cloud environments where IP addresses change frequently due to autoscaling and redeployment.
C is correct: Managed identities eliminate the need for static credentials by providing automatically issued and rotated short-lived tokens for cloud service authentication. This approach removes the risk of long-lived API key exposure, eliminates manual credential management, and follows the security best practice of using temporary credentials for workload authentication. Cloud providers recommend managed identities or IAM roles with temporary credentials as the preferred authentication method for service-to-service communication.
D is incorrect: Moving the API key to a restricted configuration file improves access controls at the file system level but does not address the fundamental risk of using a long-lived static credential. The key remains static and can be exposed through configuration backups, container image inspection, or host compromise. This approach reduces the likelihood of accidental exposure but does not eliminate the inherent risk of static credentials.
Correct AnswerB
A is incorrect: Comparing clean accuracy before and after adversarial training only measures the impact on standard performance with unperturbed inputs and does not evaluate robustness against adversarial inputs. A model could maintain high clean accuracy while still being vulnerable to adversarial perturbations if adversarial robustness was not specifically tested using crafted adversarial examples. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
B is correct: Comprehensive robustness evaluation requires testing against multiple adversarial attack methods such as FGSM, PGD, and C&W at different perturbation levels. This reveals how well the model maintains accuracy as attack intensity increases and identifies weaknesses against specific attack types. A model that only withstands one attack method at a single perturbation level may still be vulnerable to other techniques used by adversaries in production environments. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
C is incorrect: Training loss convergence indicates that the model optimization process completed successfully during retraining, but it does not validate whether the model is actually robust against adversarial attacks in deployment. A converged model may still have vulnerabilities that are only exposed through dedicated adversarial testing with multiple attack techniques at varying strengths. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
D is incorrect: Inference latency and throughput measure operational performance characteristics such as response time, which are important for production deployments but entirely unrelated to adversarial robustness. A model may perform efficiently under normal workloads yet remain highly vulnerable to adversarial perturbations that exploit its decision boundaries during classification. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
Correct AnswerA
A is correct: Reviewing playbook run analytics and retraining the AI model with current threat data is the best corrective approach. SOAR platforms provide detailed metrics on playbook execution, including false positive rates and action outcomes. By analyzing these metrics and updating the AI model with recent threat intelligence, the team can iteratively improve detection accuracy while maintaining the benefits of automated continuous monitoring.
B is incorrect: Increasing the number of automated containment actions to offset false positives compounds the original problem rather than resolving it. Adding more automated actions without addressing the underlying model accuracy issue generates additional false positive containment events, causing greater business disruption and rapidly eroding analyst trust in the automation. The correct approach is to improve the model that drives playbook decisions.
C is incorrect: Removing SIEM data source connectors reduces visibility into the threat landscape and significantly degrades the organization's overall security posture. While fewer alerts would enter the SOAR platform, this approach creates dangerous monitoring blind spots by eliminating coverage for data sources that may contain legitimate threats. The issue is the AI model's classification accuracy, not the volume of data sources feeding the platform.
D is incorrect: Disabling all automated playbooks and reverting to manual handling abandons the efficiency and speed advantages of SOAR automation. Rather than eliminating automation entirely, the correct approach is to identify the root cause of false positives through run analytics and refine the AI model accordingly. Manual-only incident response operations cannot scale to meet the demands of continuous monitoring across modern enterprise threat environments.
Correct AnswerA
A is correct: Under GDPR Article 35, a Data Protection Impact Assessment (DPIA) is required prior to processing that is likely to result in a high risk to the rights and freedoms of data subjects. AI-powered behavioral profiling at scale involving personal data meets this threshold. The DPIA must include a description of processing operations, an assessment of necessity and proportionality, a risk evaluation, and measures to mitigate identified risks. Reference: https://gdpr.eu/article-35-impact-assessment/
B is incorrect: GDPR does not require formal registration of AI models with national data protection authorities prior to deployment. While organizations may need to consult their supervisory authority under Article 36 if a DPIA reveals high residual risks that cannot be sufficiently mitigated, there is no blanket registration requirement for AI systems or data processing operations under GDPR. Reference: https://gdpr.eu/article-36-prior-consultation/
C is incorrect: While penetration testing is a valuable security practice, GDPR does not specifically mandate third-party penetration testing as a prerequisite for deploying AI systems. GDPR Article 35 requires a DPIA for high-risk processing, which evaluates privacy risks to individual data subjects. Testing for model accuracy and bias, while important for responsible AI, is not the specific pre-deployment obligation established by GDPR for this scenario. Reference: https://gdpr.eu/article-32-security-of-processing/
D is incorrect: Adequacy decisions under GDPR Article 45 relate to the European Commission's assessment of whether a third country provides adequate data protection for cross-border personal data transfers. They do not apply to evaluating whether individual AI systems meet deployment standards within the EU. No such system-level adequacy approval process exists under GDPR for authorizing AI system deployments. Reference: https://gdpr.eu/article-45-transfers-on-the-basis-of-an-adequacy-decision/
Correct AnswerC
A is incorrect: The unacceptable risk tier applies to AI practices banned by the EU AI Act, such as social scoring, subliminal manipulation, and certain biometric identification uses in public spaces. A customer service chatbot answering product questions does not engage in any prohibited AI practices. It falls under the limited-risk tier with transparency obligations for user disclosure. Reference: https://artificialintelligenceact.eu/article/50/
B is incorrect: High-risk AI systems are those listed under Annex III that pose significant risk to health, safety, or fundamental rights, such as AI used in employment, credit scoring, or critical infrastructure management. A standard customer service chatbot answering product questions does not fall into these high-risk categories and does not require a conformity assessment or technical documentation. Reference: https://artificialintelligenceact.eu/article/50/
C is correct: Under the EU AI Act, chatbots that interact directly with users are classified as limited-risk AI systems. The primary obligation for limited-risk systems is transparency: providers must ensure that people interacting with the AI system are notified they are not communicating with a human. This disclosure enables users to make informed decisions about continuing the interaction. Reference: https://artificialintelligenceact.eu/article/50/
D is incorrect: Minimal-risk AI systems such as spam filters and AI-enabled video games face no additional regulatory requirements under the EU AI Act. However, a customer-facing chatbot that directly interacts with users carries specific transparency obligations because users must be informed they are communicating with AI, which places it above minimal-risk in the limited-risk tier. Reference: https://artificialintelligenceact.eu/article/50/
Correct AnswerA
A is correct: The most urgent priority for any organization with potential EU market exposure is completing an AI system inventory and conducting preliminary risk classification for each system. The inventory should capture each system's intended purpose, data processed, decisions affected, and populations touched. Each system should then be mapped against the Annex III categories to determine whether high-risk obligations apply before any other compliance activity begins. Reference: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
B is incorrect: Post-market monitoring is a requirement for high-risk AI systems, but deploying monitoring tools across all systems before completing the inventory and risk classification is premature. The organization must first determine which systems are in scope and what level of monitoring obligations apply before investing in monitoring infrastructure. Reference: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
C is incorrect: Engaging a notified body is premature and potentially unnecessary before completing inventory and classification. Most Annex III high-risk AI systems can use internal self-assessment per Annex VI, so notified body involvement may not be required. The organization must first determine risk classification to identify the correct conformity assessment path. Reference: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
D is incorrect: While data governance is an important obligation under Article 10 of the EU AI Act for high-risk systems, implementing encryption before determining which systems are in scope skips the critical governance step of inventory and classification. An organization must first identify which AI systems qualify as high-risk before prioritizing specific technical controls. Reference: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
Correct AnswerD
A is incorrect: Adversarial evasion attacks involve crafting inputs specifically designed to cause an AI model to misclassify or produce incorrect predictions, typically by introducing imperceptible perturbations to input data. This attack type targets model accuracy and decision boundaries. In the described scenario, the attacker's goal was not to cause a misclassification but to hijack the model's actions by embedding hidden instructions that redirect AI behavior, which is characteristic of prompt injection rather than evasion. Reference: https://genai.owasp.org/llmrisk/llm01-prompt-injection/
B is incorrect: Training data poisoning involves corrupting the data used to train an AI model, causing it to learn incorrect patterns or embed backdoors that can be exploited later. This attack targets the training phase of the AI lifecycle, not the inference phase. In the described scenario, the model's training data was not compromised. Instead, the attacker exploited the model's runtime behavior by embedding malicious instructions in an external document that was processed during inference. Reference: https://genai.owasp.org/llmrisk/llm01-prompt-injection/
C is incorrect: Direct prompt injection occurs when a user explicitly crafts malicious input in their own prompt to manipulate the model's behavior, such as typing 'ignore all previous instructions' directly into the chat interface. In this scenario, the employee submitted a legitimate summarization request and was not the source of the malicious instructions. The attack originated from hidden text embedded in an external document rather than from the user's own prompt, making this an indirect rather than direct prompt injection attack. Reference: https://genai.owasp.org/llmrisk/llm01-prompt-injection/
D is correct: Indirect prompt injection is the correct answer. This attack occurs when malicious instructions are embedded in external content, such as documents, web pages, or emails, that the LLM processes as part of its input context. Unlike direct prompt injection where the attacker inputs malicious prompts directly into the chat interface, indirect injection exploits the model's processing of third-party content to hijack its behavior. In this scenario, the hidden instructions in the external document represent attacker-controlled content that the AI misinterprets as legitimate commands, potentially leading to unauthorized data exfiltration. Reference: https://genai.owasp.org/llmrisk/llm01-prompt-injection/
