Latest Update: Jun 20 2026
Correct Answer: A
A is correct: Under ISO/IEC 42001, organizations must produce a Statement of Applicability (SoA) that documents which Annex A controls have been selected, the justification for their inclusion, and the rationale for excluding any controls. The SoA provides the certification body with auditable evidence that the organization has systematically evaluated and justified its control selections in relation to its identified AI risks. This is a critical documentation requirement for demonstrating conformance with the standard's risk treatment obligations under Clause 6.1.3. Reference: https://www.iso.org/standard/81230.html
B is incorrect: Defining AI risk acceptance criteria is part of Clause 6's planning requirements, where organizations establish thresholds for distinguishing acceptable from unacceptable risks. While risk acceptance criteria are documented as part of the broader risk assessment process, this document addresses risk tolerance boundaries rather than justifying which specific Annex A controls were selected or excluded for the AIMS during certification. Reference: https://www.iso.org/standard/81230.html
C is incorrect: Annex B of ISO/IEC 42001 provides implementation guidance for the 38 controls listed in Annex A and serves as a helpful reference for organizations implementing those controls. However, Annex B is an informative annex within the published standard itself and is not a document that organizations produce as an audit deliverable. The document specifically required to justify control selections is the Statement of Applicability. Reference: https://www.iso.org/standard/81230.html
D is incorrect: An AI system impact assessment (AIIA) is a required document under Clause 6 of ISO/IEC 42001, particularly for AI systems that pose high potential impact to individuals, groups, or society. However, the AIIA documents identified risks and potential negative outcomes of AI activities. It does not serve as the document that justifies which specific Annex A controls were selected or excluded for the AIMS. The AIIA is an input to the risk assessment, not a control justification artifact. Reference: https://www.iso.org/standard/81230.html
Correct Answer: D
A is incorrect: Unconstrained AI autonomy directly amplifies the inconsistency concern raised by the security architect. Without workflow boundaries, AI agents may produce unpredictable and unauditable results, increasing operational risk rather than addressing it. Effective AI integration in SOAR requires defined guardrails and human oversight at critical decision points within the workflow.
B is incorrect: Suppressing low-confidence alerts creates dangerous coverage gaps where novel or sophisticated threats could go undetected. The appropriate approach is to route low-confidence AI classifications to human analysts for manual review rather than discarding them, which preserves both response consistency and threat detection coverage across the environment.
C is incorrect: Completely removing AI capabilities eliminates the ability to handle novel alert types that prompted the AI integration. This overly drastic approach abandons the benefits of AI-assisted automation rather than addressing the consistency concern through proper workflow architecture that balances AI reasoning with deterministic process controls and human oversight.
D is correct: The recommended approach for integrating AI agents into SOAR playbooks is to create hybrid workflows that combine deterministic automation for the overall process flow with AI reasoning in specific bounded steps. This maintains the auditability and consistency of the overall workflow while leveraging AI flexibility to handle novel scenarios within defined boundaries, directly addressing the concern about inconsistent outcomes.
Correct Answer: D
A is incorrect: Encrypting notebooks at rest using full-disk encryption protects stored data from unauthorized physical or logical access to the storage media. However, full-disk encryption does not address credentials being hardcoded in the notebook code itself. When notebooks are accessed and decrypted during normal operations, the embedded credentials remain visible in plaintext within the code, leaving them exposed through screen sharing, version control, or collaboration workflows. Reference: https://cheatsheetseries.owasp.org/cheatsheets/Secure_AI_Model_Ops_Cheat_Sheet.html
B is incorrect: Restricting notebook access through multifactor authentication strengthens identity verification for users accessing the notebooks. However, MFA controls who can access the notebooks, not how credentials are managed within them. The hardcoded API keys and database credentials remain embedded in the code, and any authorized user who gains legitimate access will still see those credentials in plaintext, potentially leading to credential misuse or inadvertent sharing. Reference: https://cheatsheetseries.owasp.org/cheatsheets/Secure_AI_Model_Ops_Cheat_Sheet.html
C is incorrect: Moving notebooks to a private Git repository with branch protection improves source code access control and change management. However, this approach does not remediate hardcoded credentials because version control systems retain historical versions of committed files. Even if credentials are removed in a later commit, they persist in the repository commit history and can be recovered by anyone with repository access, making this an insufficient remediation. Reference: https://cheatsheetseries.owasp.org/cheatsheets/Secure_AI_Model_Ops_Cheat_Sheet.html
D is correct: Implementing a secrets manager is the best remediation. Secrets managers such as HashiCorp Vault or AWS Secrets Manager enable organizations to replace hardcoded credentials in notebook code with programmatic API calls that retrieve secrets at runtime. By injecting credentials through environment variables or CI secrets injection, sensitive values are never stored in notebooks or source code, eliminating the risk of credential exposure through version control history or shared notebook environments. Reference: https://cheatsheetseries.owasp.org/cheatsheets/Secure_AI_Model_Ops_Cheat_Sheet.html
Correct Answer: B
A is incorrect: The EU AI Act does not require high-risk AI systems to be deployed exclusively in EU-based data centers or mandate Cyber Resilience Act certification for hosting infrastructure. While the Cyber Resilience Act addresses digital product cybersecurity and may apply to AI-enabled products, the EU AI Act focuses on system-level cybersecurity measures and conformity assessment rather than data center residency requirements. Reference: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
B is correct: The EU AI Act explicitly includes cybersecurity as an essential requirement for high-risk AI systems under Article 15. The Act mandates appropriate technical solutions to ensure cybersecurity, specifically requiring measures to prevent, detect, respond to, and control data poisoning, model poisoning, model evasion, and adversarial attacks. Under the Act, a high-risk AI system that is not cybersecure is by definition not considered safe. Reference: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
C is incorrect: The EU AI Act does not prescribe specific cryptographic algorithms or mandate government-approved encryption for all training datasets. The Act's cybersecurity requirements focus on resilience against AI-specific attack vectors such as data poisoning and adversarial attacks rather than imposing prescriptive encryption standards. Data governance under Article 10 addresses data quality and representativeness. Reference: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
D is incorrect: The EU AI Act does not mandate a specific annual penetration testing cadence by EU-accredited third parties as a requirement for high-risk AI systems. While cybersecurity is an essential requirement, the Act requires proportionate technical measures to address AI-specific threats rather than prescribing specific testing frequencies or mandating external testing bodies for cybersecurity validation. Reference: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
Correct Answer: B
A is incorrect: This option incorrectly states that a lower epsilon value provides weaker privacy. In differential privacy, the relationship between epsilon and privacy is inverse: lower epsilon values correspond to stronger privacy protection. While this option correctly associates lower epsilon with more noise, it draws the wrong conclusion about the resulting privacy strength. More noise means more privacy, not less. Reference: https://www.nist.gov/blogs/cybersecurity-insights/differential-privacy-privacy-preserving-data-analysis-introduction-our
B is correct: In differential privacy, the epsilon parameter controls the privacy-utility tradeoff. A lower epsilon value provides stronger privacy by adding more statistical noise to the training process, making it harder for attackers to extract information about individual data points. As NIST describes, 'the lower the value of the epsilon parameter, the more indistinguishable the results, and therefore the more each individual's data is protected.' This inverse relationship between epsilon and privacy strength is a fundamental principle of differential privacy applied to machine learning training pipelines. Reference: https://www.nist.gov/blogs/cybersecurity-insights/differential-privacy-privacy-preserving-data-analysis-introduction-our
C is incorrect: While a lower epsilon value does provide stronger privacy, it achieves this by adding more statistical noise during training, not by reducing the volume of training data. Differential privacy works by adding calibrated noise to mask individual contributions within the data. Reducing data volume would degrade model performance without providing the mathematically provable privacy guarantees that differential privacy offers through its noise-based mechanism. Reference: https://www.nist.gov/blogs/cybersecurity-insights/differential-privacy-privacy-preserving-data-analysis-introduction-our
D is incorrect: This option is wrong on both counts. A lower epsilon value provides stronger privacy protection, not weaker, and it increases the amount of noise added to the training process rather than decreasing it. This option actually describes the effect of increasing the epsilon parameter. Higher epsilon values result in less noise and weaker privacy guarantees for the training pipeline. Reference: https://www.nist.gov/blogs/cybersecurity-insights/differential-privacy-privacy-preserving-data-analysis-introduction-our
Correct Answer: B
A is incorrect: Automating repetitive, well-defined tasks is precisely what traditional rule-based SOAR playbooks excel at. Playbooks are designed to automatically run predefined workflows when triggered by a rule or incident, efficiently handling tasks like ticket creation, alert logging, priority escalation, and notification routing.
B is correct: Traditional rule-based SOAR playbooks rely on deterministic, hard-coded logic where every step and outcome is fixed and predefined. This means they struggle to handle new use cases, manage scenarios where parts of the automation fail, or adapt when confronted with missing information. AI-driven automation addresses this gap by enabling agents to reason through unplanned variables dynamically.
C is incorrect: Traditional rule-based SOAR playbooks are designed to reliably execute predefined response steps when triggered by matching conditions. Their strength lies in consistent, deterministic execution of known workflows. Their limitation is the inability to adapt beyond those predefined steps when facing novel or unexpected situations.
D is incorrect: Integration with third-party tools through APIs is a core strength of traditional SOAR platforms. Orchestration, a fundamental SOAR component, specifically enables connections to a wide variety of internal and external tools and integrations so that information can be centralized, shared, and acted upon across the security environment.
Correct Answer: B
A is incorrect: Encrypted network propagation relates to network-layer evasion and does not explain why a locally installed antivirus failed to detect the malware already present on the endpoint. The scenario describes a code mutation technique that defeats signature-based file scanning, which operates on the file system level independently of how the malware was delivered to the system. Reference: https://attack.mitre.org/techniques/T1027/014/
B is correct: AI-powered polymorphic malware uses mutation engines to rewrite code on each execution, resulting in a different binary structure and file hash every time. Since signature-based detection relies on matching known patterns or file hashes, the continuously changing code ensures no variant matches the original stored signature. This fundamental limitation of static signature matching is the core reason why AI-driven polymorphic malware evades traditional antivirus solutions. Reference: https://attack.mitre.org/techniques/T1027/014/
C is incorrect: Code-signing certificate abuse is a separate evasion technique that targets trust-based verification controls rather than signature-based pattern detection. The scenario specifically describes AI-driven code mutation that produces structurally different binaries, which defeats hash and pattern-matching signatures rather than certificate-based allowlisting mechanisms used by some security solutions. Reference: https://attack.mitre.org/techniques/T1027/014/
D is incorrect: While some malware uses rootkit techniques to intercept system calls or tamper with security tools, this describes a fundamentally different evasion mechanism than code mutation. The scenario specifically identifies the malware as using an AI-powered mutation engine to rewrite its code, which evades signature matching by changing the binary itself rather than by manipulating the scanning process. Reference: https://attack.mitre.org/techniques/T1027/014/
Correct Answer: A
A is correct: Adversarial training with perturbation-augmented examples is the best defensive measure. The scenario describes an evasion attack where attackers craft small modifications to inputs at deployment time to cause misclassification. Adversarial training specifically counters evasion attacks by including adversarially perturbed examples during the training process, teaching the model to correctly classify inputs even when small perturbations are present. This hardens the model's decision boundaries against the type of input manipulation described. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
B is incorrect: Implementing strict input validation on the training data pipeline addresses training-time data poisoning attacks, not deployment-time evasion attacks. In this scenario, the attacker is modifying inputs at inference time rather than corrupting training data. While data pipeline validation is important for preventing poisoning, it does not strengthen the model's resilience against adversarial perturbations applied to inputs during deployment. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
C is incorrect: Encrypting the model's parameters and inference endpoints protects the confidentiality of the model and its communications but does not address the model's vulnerability to adversarial perturbations. The attack described involves carefully modified inputs that exploit weaknesses in the model's decision boundaries, which encryption cannot mitigate. Encryption defends against model theft and data interception, not evasion attacks targeting classification logic. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
D is incorrect: Increasing the training dataset with additional clean samples may improve general model accuracy but does not specifically address vulnerability to adversarial perturbations. Standard clean data does not teach the model how to handle deliberately crafted adversarial modifications. Without including adversarial examples during training, the model's decision boundaries remain vulnerable to the same perturbation-based evasion techniques. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
Correct Answer: B
A is incorrect: Deploying the model in a load-balanced cluster addresses availability and performance requirements for production workloads but has no bearing on the security integrity of the model. Deploying an unverified or compromised model across multiple instances would scale the security risk across the entire cluster without addressing the underlying supply chain vulnerability.
B is correct: Verifying a pre-trained model's integrity using digital signatures and file hashes ensures the model has not been tampered with or replaced with a backdoored version. OWASP recommends using models only from verifiable sources and performing third-party model integrity checks with signing and file hashes to compensate for the lack of strong model provenance commonly found in public repositories.
C is incorrect: Fine-tuning the model with proprietary data adapts its behavior for the organization's specific use case, but it does not verify the model's integrity or detect hidden backdoors. Research has demonstrated that adversarial modifications such as backdoors can persist through the fine-tuning process, meaning a compromised base model may retain its malicious behavior after fine-tuning.
D is incorrect: Configuring rate limiting and authentication on inference endpoints controls access volume and prevents unauthorized use, which are important operational security measures. However, these controls protect the serving layer and do not validate the integrity of the model binary itself. A tampered model would serve backdoored predictions regardless of the endpoint security controls applied.
Correct Answer: B
A is incorrect: UEBA does not restrict its monitoring to privileged administrator accounts. It monitors all users and entities within the environment, including standard users, service accounts, servers, applications, and devices. The advantage of UEBA over UBA is its broader entity scope encompassing non-human entities, not a narrower focus on a specific subset of user accounts. Limiting monitoring to privileged accounts alone would create significant detection gaps.
B is correct: The key differentiator between UBA and UEBA is that UEBA extends behavioral analysis beyond human users to include non-human entities such as servers, applications, IP addresses, and devices. By monitoring the behavior of both users and these entities, UEBA provides broader threat detection coverage, enabling the identification of compromised assets, anomalous device behavior, and application-level threats that UBA's user-only monitoring scope would miss.
C is incorrect: Signature-based malware detection is a function of antivirus and endpoint protection platforms, not UEBA. UEBA's expanded capability over UBA is its ability to analyze the behavior of non-human entities, not its use of malware signatures. Both UBA and UEBA rely on behavioral analysis and machine learning to detect anomalies rather than signature matching, making this an incorrect characterization of the additional detection capability that UEBA provides.
D is incorrect: UEBA does not replace security information and event management (SIEM) solutions. UEBA is designed to complement SIEM by adding behavioral analytics and anomaly detection capabilities on top of the data that SIEM collects. Many organizations integrate UEBA into their existing SIEM infrastructure to enhance threat detection. The distinction between UBA and UEBA is the expanded entity monitoring scope, not a replacement of existing security log management platforms.
