The latest changes and updates from the administration for this exam.
Latest Update: Jun 20 2026
All questions are working fine.
Correct Answer: C
A is incorrect: National market surveillance authorities are responsible for monitoring AI systems that are already on the market and enforcing ongoing compliance. They do not conduct mandatory pre-market reviews or approvals of individual high-risk AI systems. The provider independently completes the conformity assessment, applies CE marking, and registers in the EU AI database. Reference: https://artificialintelligenceact.eu/article/49/
B is incorrect: The European Artificial Intelligence Board provides guidance, advice, and coordination among national competent authorities but does not approve individual high-risk AI systems for market placement. The conformity assessment, CE marking, and database registration are provider responsibilities under the EU AI Act and do not require direct authorization from the Board. Reference: https://artificialintelligenceact.eu/article/49/
C is correct: Under the EU AI Act, high-risk AI systems that meet conformity assessment requirements receive CE marking signifying compliance with the Act. Additionally, Article 49 requires providers to register the system in the EU AI database before market placement, including details about the system's identity, intended purpose, and affected populations in each Member State. Reference: https://artificialintelligenceact.eu/article/49/
D is incorrect: ISO/IEC 42001 provides an international AI management system framework that supports governance and can complement EU AI Act compliance efforts. However, obtaining ISO/IEC 42001 certification is not a mandatory legal prerequisite under the EU AI Act for placing a high-risk AI system on the market. The Act requires conformity assessment, CE marking, and EU AI database registration as mandatory steps. Reference: https://artificialintelligenceact.eu/article/49/
Correct Answer: B
A is incorrect: Testing only with clean data evaluates standard model accuracy but does not assess robustness against adversarial inputs. A model may achieve very high accuracy on clean data while remaining highly vulnerable to adversarial perturbations that cause misclassifications. Robustness evaluation specifically requires generating and testing adversarial examples to determine how the model responds to crafted inputs designed to exploit its decision boundaries. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
B is correct: Testing against multiple adversarial attack methods such as FGSM, PGD, and other perturbation techniques with varying perturbation budgets is the most appropriate robustness evaluation approach. This comprehensive testing identifies weaknesses in the model's decision boundaries under diverse attack conditions. Best practices for robustness evaluation emphasize using a range of attack types and strengths rather than a single method, as different attacks exploit different model vulnerabilities. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
C is incorrect: Static code review identifies software vulnerabilities and coding errors in the training pipeline implementation but does not evaluate the model's robustness to adversarial perturbations. Model robustness is a learned property of how the trained model responds to crafted inputs, requiring active adversarial testing rather than code inspection. Software security and model robustness are separate security concerns. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
D is incorrect: Infrastructure vulnerability scanning identifies traditional security weaknesses such as missing patches in the deployment environment. While important for system security, this does not evaluate the AI model's ability to withstand adversarial perturbations in its inputs. Model robustness evaluation focuses specifically on the model's resilience to adversarial manipulation of input data at inference time. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
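The robustness evaluation described in option B, as an added worked example (not part of the original explanation and not from NIST AI 100-2): a small logistic-regression classifier is trained on a constructed, linearly separable 2-D dataset with no ML library, then attacked with FGSM and an iterated PGD variant at several L-infinity perturbation budgets. The data points, the learning rate, the number of PGD steps and the budget values are all assumptions chosen for the example; the point it shows is that clean accuracy stays at 100% while accuracy under attack falls as the budget grows, which is exactly what clean-data testing (option A) would never reveal.

```python
import math

Point = tuple[float, float]

# Constructed toy data (an assumption of this example): two linearly separable
# classes in 2-D, small enough to train a logistic-regression model by hand.
TRAIN: list[tuple[Point, int]] = [
    ((1.0, 1.0), 1), ((2.0, 1.0), 1), ((1.0, 3.0), 1), ((3.0, 2.0), 1),
    ((-1.0, -1.0), 0), ((-2.0, -1.0), 0), ((-1.0, -3.0), 0), ((-3.0, -2.0), 0),
]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def sign(v: float) -> int:
    return (v > 0) - (v < 0)


class LogisticModel:
    """Minimal binary classifier: p(y=1|x) = sigmoid(w.x + b)."""

    def __init__(self) -> None:
        self.w = [0.0, 0.0]
        self.b = 0.0

    def logit(self, x: Point) -> float:
        return self.w[0] * x[0] + self.w[1] * x[1] + self.b

    def predict(self, x: Point) -> int:
        return 1 if self.logit(x) > 0 else 0

    def input_gradient(self, x: Point, y: int) -> list[float]:
        # d(cross-entropy loss)/dx for a linear model is (p - y) * w.
        p = sigmoid(self.logit(x))
        return [(p - y) * wi for wi in self.w]

    def fit(self, data, lr: float = 0.1, epochs: int = 300) -> "LogisticModel":
        n = len(data)
        for _ in range(epochs):
            gw = [0.0, 0.0]
            gb = 0.0
            for x, y in data:
                err = sigmoid(self.logit(x)) - y
                gw[0] += err * x[0] / n
                gw[1] += err * x[1] / n
                gb += err / n
            self.w[0] -= lr * gw[0]
            self.w[1] -= lr * gw[1]
            self.b -= lr * gb
        return self


def fgsm(model: LogisticModel, x: Point, y: int, eps: float) -> Point:
    """Fast Gradient Sign Method: one step of size eps along the sign of the loss gradient."""
    g = model.input_gradient(x, y)
    return (x[0] + eps * sign(g[0]), x[1] + eps * sign(g[1]))


def pgd(model: LogisticModel, x: Point, y: int, eps: float, steps: int = 10) -> Point:
    """Projected Gradient Descent inside the L-infinity ball of radius eps around x."""
    alpha = 2.5 * eps / steps
    adv = x
    for _ in range(steps):
        g = model.input_gradient(adv, y)
        moved = (adv[0] + alpha * sign(g[0]), adv[1] + alpha * sign(g[1]))
        # Project back into the allowed perturbation budget.
        adv = (min(max(moved[0], x[0] - eps), x[0] + eps),
               min(max(moved[1], x[1] - eps), x[1] + eps))
    return adv


def accuracy_under_attack(model: LogisticModel, data, attack) -> float:
    correct = sum(model.predict(attack(x, y)) == y for x, y in data)
    return correct / len(data)


def robustness_curve(model: LogisticModel, data, budgets, pgd_steps: int = 10) -> dict:
    """Accuracy under FGSM and PGD for each perturbation budget; eps=0 is the clean baseline."""
    curve = {}
    for eps in budgets:
        curve[eps] = {
            "fgsm": accuracy_under_attack(model, data, lambda x, y: fgsm(model, x, y, eps)),
            "pgd": accuracy_under_attack(model, data, lambda x, y: pgd(model, x, y, eps, pgd_steps)),
        }
    return curve


def train_model() -> LogisticModel:
    return LogisticModel().fit(TRAIN)


if __name__ == "__main__":
    m = train_model()
    for eps, acc in robustness_curve(m, TRAIN, [0.0, 0.25, 0.5, 1.5, 3.0]).items():
        print(f"eps={eps:<5} FGSM acc={acc['fgsm']:.2f}  PGD acc={acc['pgd']:.2f}")
```

For a linear model FGSM already finds the worst point in the budget, so PGD matches it; on a deep network PGD is normally stronger, which is why the evaluation runs both rather than a single method.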
Correct Answer: A
A is correct: Deploying an XDR platform is correct. XDR extends detection beyond endpoints by ingesting signals from a wide range of sources including endpoints, cloud workloads, email systems, identity platforms, and networks. Unlike EDR, which is limited to endpoint devices, XDR uses a cross-domain correlation engine that connects alerts across these layers to reveal complete attack chains. This directly addresses the inability to trace attacks that move across multiple security domains.
B is incorrect: Adding a standalone NIDS introduces another siloed monitoring tool. While it may detect some network-level anomalies in cloud traffic, it does not correlate those findings with endpoint telemetry or email signals. The detection gap in this scenario requires unified cross-domain correlation, not additional disconnected monitoring tools that create separate alert streams for analysts to manually investigate.
C is incorrect: Increasing the EDR agent polling frequency would generate more granular endpoint data but does not solve the fundamental limitation. EDR is focused solely on protecting endpoints and does not provide visibility into cloud workloads, email systems, or identity platforms. Regardless of polling frequency, the EDR solution cannot correlate signals from non-endpoint domains where the attack has pivoted.
D is incorrect: Forwarding endpoint logs to a centralized syslog server consolidates data storage but does not add cross-domain detection capabilities. The syslog server receives only endpoint telemetry already collected by the EDR agent. Without ingestion and AI-driven correlation of cloud workload and email telemetry, the security team still cannot trace attacks that move beyond the endpoint layer.
Correct Answer: C
A is incorrect: Storing model weights on a shared network file system accessible from the corporate network violates the principle of least privilege and aggressive isolation. This approach exposes proprietary model weights to a broad range of corporate users and systems, significantly increasing the risk of unauthorized access, theft, or modification. Model weight storage must be isolated from general corporate network resources. Reference: https://media.defense.gov/2024/Apr/15/2003439257/-1/-1/0/CSI-DEPLOYING-AI-SYSTEMS-SECURELY.PDF
B is incorrect: Distributing encrypted weight fragments across multiple GPU nodes complicates management without providing the level of protection that network isolation delivers. While encryption adds a security layer, spreading weight data across multiple nodes increases the number of systems that must be individually secured and monitored. Centralized, isolated storage in a highly restricted zone with strict access controls is the recommended approach. Reference: https://media.defense.gov/2024/Apr/15/2003439257/-1/-1/0/CSI-DEPLOYING-AI-SYSTEMS-SECURELY.PDF
C is correct: Isolating model weight storage in a highly restricted zone (HRZ) on a separate, dedicated network segment is a best practice recommended by NSA/CISA guidance for securing AI deployments. This approach aggressively isolates the most sensitive AI assets by limiting network accessibility to only specifically authorized systems and personnel. Combined with strict access controls, this significantly reduces the attack surface for model theft or tampering. Reference: https://media.defense.gov/2024/Apr/15/2003439257/-1/-1/0/CSI-DEPLOYING-AI-SYSTEMS-SECURELY.PDF
D is incorrect: Replicating model weights across multiple network segments increases the attack surface rather than protecting the weights from theft. Distributing copies of proprietary model weights to additional network locations creates more potential access points for an attacker to exploit. Best practices recommend minimizing the number of locations where weights are stored and isolating them in a restricted zone, not spreading them across the network. Reference: https://media.defense.gov/2024/Apr/15/2003439257/-1/-1/0/CSI-DEPLOYING-AI-SYSTEMS-SECURELY.PDF
Correct Answer: C
A is incorrect: Deploying under voluntary minimal-risk codes of conduct is incorrect for this scenario. Minimal-risk AI systems such as spam filters are subject only to voluntary best practices and codes of conduct under the EU AI Act. The described system assigns scores based on individuals' social behavior, which constitutes a prohibited social scoring practice under Article 5 that must be blocked from deployment entirely rather than managed through voluntary measures.
B is incorrect: Proceeding with a conformity assessment is incorrect because the described system falls under prohibited practices, not the high-risk category. While high-risk AI systems listed in Annex III may be placed on the EU market after satisfying conformity assessment requirements under Article 43, systems that perform social scoring are outright banned under Article 5 of the EU AI Act and no conformity assessment can make a prohibited system compliant.
C is correct: Prohibiting deployment is the correct governance decision. Under Article 5 of the EU AI Act, AI systems that evaluate or classify individuals based on social behavior or personal characteristics to assign trustworthiness scores constitute social scoring, which is an explicitly prohibited practice. This system falls under the unacceptable risk category, meaning it cannot be placed on the EU market or deployed in the EU regardless of any safeguards that may be implemented.
D is incorrect: Meeting transparency obligations alone is insufficient because the system is classified as unacceptable risk under the EU AI Act, not limited risk. Limited-risk AI systems such as chatbots and recommendation engines must primarily meet transparency and disclosure requirements. A system that assigns trustworthiness scores based on social behavior is a prohibited social scoring practice that cannot be remedied by implementing transparency measures alone.
Correct Answer: A
A is correct: Decreasing the epsilon value is correct. In differential privacy, the epsilon parameter (also called the privacy budget) controls the strength of the privacy guarantee. A lower epsilon value means more noise is added to mask individual data contributions, resulting in stronger privacy protection. NIST guidance confirms that the lower the value of the epsilon parameter, the more indistinguishable the results, and therefore the more each individual's data is protected. While this tradeoff may reduce model accuracy, it provides mathematically rigorous privacy guarantees for individuals in the training data. Reference: https://www.nist.gov/blogs/cybersecurity-insights/differential-privacy-privacy-preserving-data-analysis-introduction-our
B is incorrect: Increasing the epsilon value would weaken, not strengthen, privacy protection. A higher epsilon allows more information about individual data points to be revealed through the model's outputs. The inverse relationship between epsilon and privacy means that larger epsilon values result in less noise and weaker privacy guarantees. To increase protection, the epsilon value should be decreased, not increased. Reference: https://www.nist.gov/blogs/cybersecurity-insights/differential-privacy-privacy-preserving-data-analysis-introduction-our
C is incorrect: Increasing the number of permitted queries would deplete the privacy budget faster, reducing rather than increasing privacy protection. Each query consumes a portion of the privacy budget, and when the budget is exhausted, no further queries should be allowed. Allowing more queries increases the cumulative information revealed about individuals in the dataset, weakening the overall privacy guarantee. Reference: https://www.nist.gov/blogs/cybersecurity-insights/differential-privacy-future-work-open-challenges
D is incorrect: Removing noise injection would eliminate the differential privacy protection entirely. Statistical noise is the core mechanism that enables differential privacy to protect individual records in the training data. Without noise, the model could memorize and later reveal specific patient information from the training set. Removing this step is the opposite of increasing the privacy protection level. Reference: https://www.nist.gov/blogs/cybersecurity-insights/protecting-trained-models-privacy-preserving-federated-learning
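The epsilon/noise relationship from option A and the per-query budget depletion from option C, as an added worked example (not part of the original explanation and not NIST's code): the Laplace mechanism adds noise with scale sensitivity/epsilon to a counting query, so halving epsilon doubles the expected noise, and a simple sequential-composition accountant refuses a query once cumulative epsilon would exceed the allowed total. The cohort size of 142, the budget of 1.0 and the per-query epsilon of 0.4 are constructed values.

```python
import math
import random


class BudgetExhausted(Exception):
    """Raised when a query would push cumulative epsilon past the allowed total."""


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Laplace mechanism: noise scale b = sensitivity / epsilon.
    Smaller epsilon -> larger b -> more noise -> stronger privacy."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def sample_laplace(scale: float, rng: random.Random) -> float:
    """Inverse-CDF sampling of Laplace(0, scale)."""
    u = rng.random() - 0.5          # uniform on [-0.5, 0.5)
    while abs(u) >= 0.5:            # guard against the log(0) corner case
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class PrivacyBudget:
    """Tracks cumulative epsilon across queries (basic sequential composition)."""

    def __init__(self, total_epsilon: float) -> None:
        self.total = total_epsilon
        self.spent = 0.0

    @property
    def remaining(self) -> float:
        return self.total - self.spent

    def spend(self, epsilon: float) -> None:
        if self.spent + epsilon > self.total + 1e-12:
            raise BudgetExhausted(
                f"query needs eps={epsilon}, only {self.remaining:.3f} left")
        self.spent += epsilon


def private_count(true_count: int, epsilon: float, budget: PrivacyBudget,
                  rng: random.Random) -> float:
    """Counting query (sensitivity 1): charge the budget first, then add Laplace noise."""
    budget.spend(epsilon)
    return true_count + sample_laplace(laplace_scale(1.0, epsilon), rng)


def mean_abs_noise(epsilon: float, n: int = 2000, seed: int = 7) -> float:
    """Average magnitude of the noise added at a given epsilon (expected value 1/epsilon)."""
    rng = random.Random(seed)
    scale = laplace_scale(1.0, epsilon)
    return sum(abs(sample_laplace(scale, rng)) for _ in range(n)) / n


if __name__ == "__main__":
    # Constructed scenario: a cohort of 142 patients; compare noise at two epsilons.
    for eps in (1.0, 0.1):
        print(f"eps={eps}: mean |noise| ~ {mean_abs_noise(eps):.2f}")
    budget = PrivacyBudget(total_epsilon=1.0)
    rng = random.Random(1)
    for _ in range(3):   # third query exceeds the budget and is refused
        try:
            print("noisy count:", round(private_count(142, 0.4, budget, rng), 1))
        except BudgetExhausted as e:
            print("refused:", e)
```

The accountant uses basic composition (epsilons simply add); advanced composition or Rényi accounting gives tighter totals, but the enforcement point is the same: the query is rejected before any result is released.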
Correct Answer: B
A is incorrect: Network-layer DLP sensors monitor data flowing across the network for sensitive content, but they are not designed to parse and understand the structure of AI inference API responses. Output filtering implemented at the application or API gateway layer operates with awareness of the model's response format, enabling more precise detection and redaction of PII patterns within generated text before it reaches the end user. Reference: https://genai.owasp.org/llmrisk/llm022025-sensitive-information-disclosure/
B is correct: Output filtering is the correct control. The AI assistant is generating responses that contain sensitive PII retrieved from internal documents. Implementing output filtering at the API layer provides a runtime mechanism to scan model responses for sensitive data patterns such as Social Security numbers and credit card numbers, and redact or mask them before the response is delivered to the user. This is a recommended mitigation for sensitive information disclosure in LLM applications. Reference: https://genai.owasp.org/llmrisk/llm022025-sensitive-information-disclosure/
C is incorrect: Retraining or fine-tuning the model on anonymized data could reduce the risk of PII appearing in outputs over time, but it is a long-term remediation that requires significant time, resources, and data preparation. It does not address the immediate problem of the currently deployed model returning sensitive data. Output filtering provides an immediate, runtime safeguard that can be deployed without modifying the model itself. Reference: https://genai.owasp.org/llmrisk/llm022025-sensitive-information-disclosure/
D is incorrect: Encrypting documents at rest protects them from unauthorized access to the storage layer, ensuring confidentiality if the storage medium is compromised. However, encryption does not prevent an authorized AI system from reading and including sensitive data in its generated responses. The model decrypts and processes the documents as part of normal operation, so encryption alone does not address the leakage of PII in model outputs. Reference: https://genai.owasp.org/llmrisk/llm022025-sensitive-information-disclosure/
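The API-layer output filter from option B, as an added worked example (not part of the original explanation and not OWASP's code): model text is scanned for the two PII types named in the scenario, a Luhn checksum keeps order and ticket numbers from being mistaken for payment cards, and the gateway records only the finding types (never the values) so leakage can be alerted on without the log itself becoming a PII store. The response shape `{"output": ...}` and the sample text are assumptions constructed for the example.

```python
import re

# Patterns for the two PII types named in the scenario. Other detectors
# (names, addresses, API keys) would be added the same way.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pii(text: str) -> tuple[str, list[str]]:
    """Return (redacted_text, findings). Findings are type labels only, never the values."""
    findings: list[str] = []

    def card_sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append("credit_card")
            return "[REDACTED-CARD]"
        return m.group(0)  # fails Luhn: leave it, most likely an order or ticket number

    def ssn_sub(m: re.Match) -> str:
        findings.append("ssn")
        return "[REDACTED-SSN]"

    text = CARD_RE.sub(card_sub, text)
    text = SSN_RE.sub(ssn_sub, text)
    return text, findings


def filter_model_response(response: dict) -> dict:
    """Gateway hook. Assumes (our assumption) a response shaped {"output": str, ...};
    adds 'pii_findings' so the gateway can alert on leakage without logging the PII."""
    redacted, findings = redact_pii(response.get("output", ""))
    out = dict(response)
    out["output"] = redacted
    out["pii_findings"] = findings
    return out


# Constructed sample of what a retrieval-augmented assistant might emit.
SAMPLE_RESPONSE = {
    "output": ("The claimant's SSN on file is 123-45-6789 and the payment card "
               "4111 1111 1111 1111 was charged; see order ref 1234 5678 9012 3456."),
}

if __name__ == "__main__":
    print(filter_model_response(SAMPLE_RESPONSE))
```

In production the same function sits in the streaming path as well, buffering enough tokens to complete a pattern before anything is flushed to the client.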
Correct Answer: D
A is incorrect: A one-time pre-deployment assessment does not satisfy Article 9 requirements. The EU AI Act explicitly states that risk management is not a one-time assessment. The risk management system must remain active and be continuously updated, incorporating post-market monitoring data and giving particular attention to vulnerable populations including minors. Reference: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
B is incorrect: While periodic reviews contribute to risk management, Article 9 requires continuous risk management that responds to emerging risks from post-market data rather than only during scheduled annual reviews. AI systems can evolve after deployment, and the risk management process must be responsive and iterative throughout the entire lifecycle. Reference: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
C is incorrect: Conducting risk assessment only during the initial design phase fails to meet Article 9 requirements. Because AI systems can evolve after market placement and usage patterns may change, the EU AI Act mandates that risk management span the entire lifecycle, continuing well beyond the pre-market design and development phase. Reference: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
D is correct: Article 9 of the EU AI Act requires that risk management for high-risk AI systems be an iterative, lifecycle-spanning process. It must identify known and foreseeable risks, estimate risk exposure during intended use and foreseeable misuse, evaluate emerging risks from post-market data, and implement targeted mitigations on an ongoing basis throughout the system's operational life. Reference: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
Correct Answer: D
A is incorrect: Backdoor attacks involve specific triggers embedded during the training phase that cause the model to produce predetermined malicious outputs when the trigger pattern appears in an input. The described behavior involves systematically probing the model with varied inputs to learn about sensitive data attributes, which is an inference-time privacy attack, not an attempt to activate a hidden trigger embedded in the model. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
B is incorrect: Data poisoning attacks target the training stage by injecting malicious or corrupted data into the training pipeline to alter the model's learned behavior. The scenario describes queries submitted to a deployed model during inference, not modifications to training data. Inference-time query activity cannot poison the model's already-trained parameters. Data poisoning requires control of training data, which is a different attack surface than the inference API. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
C is incorrect: Adversarial evasion attacks create carefully perturbed inputs designed to cause the model to make incorrect predictions, such as classifying a malicious input as benign. The described pattern focuses on analyzing predictions to infer sensitive demographic attributes from partial records, not on causing misclassification. The attacker's goal is information extraction about training data, not manipulation of the prediction outcomes. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
D is correct: An attribute inference attack involves an adversary who has partial knowledge of a training record and uses the model's predictions to infer the unknown sensitive attributes. The pattern of submitting partial records with systematically varied demographic fields and analyzing resulting predictions to deduce missing values is characteristic of attribute inference. As defined by NIST AI 100-2, these attacks infer sensitive attributes of training data records given partial knowledge about the record. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
Correct Answer: D
A is incorrect: Suppressing low-confidence alerts without performing cross-entity correlation could result in missing genuine multi-stage attacks where each individual step produces only subtle anomalies. Advanced persistent threats deliberately use techniques that generate low-confidence signals at each stage to avoid detection. The purpose of UEBA behavioral analytics is to correlate these weak signals across entities, not to suppress them, which would undermine the platform's ability to detect sophisticated attack chains.
B is incorrect: Waiting for alerts to reach a static count threshold is a rule-based approach that ignores the contextual relationships between entities and the sequential nature of the attack chain. A static count threshold does not consider whether anomalies are connected across entities or represent stages of a single attack. UEBA is designed to correlate behavioral anomalies based on entity relationships and temporal proximity, not simply to count the total number of independent alerts.
C is incorrect: Escalating each low-confidence alert independently to separate analysts fails to leverage the cross-entity correlation that makes UEBA effective at detecting multi-stage attacks. Without seeing the connected pattern across all three entities, individual analysts would likely dismiss each low-confidence alert in isolation. The strength of UEBA lies in its ability to automatically link related anomalies across entities, providing analysts with the full attack context rather than fragmented individual alerts.
D is correct: Cross-entity alert correlation is the correct approach. UEBA platforms aggregate related security events across multiple data sources and entities to detect multi-stage attack patterns like lateral movement. While a single anomaly is not a strong signal of malicious behavior, a combination of several anomalies at different points on the kill chain provides a much clearer indication of a potential attack. By correlating the user login anomaly, the unusual server session, and the abnormal database queries, the platform can identify a coherent lateral movement pattern that individual alerts could not reveal.
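The cross-entity correlation from option D here, which is also the cross-domain correlation that distinguishes XDR from EDR in the earlier XDR question, as an added worked example (not part of either explanation and not any vendor's platform code): alerts from identity, endpoint and database telemetry are linked when they share an entity and fall within a time window, connected groups are found with union-find, and a group of several low-confidence alerts spanning more than one telemetry domain is escalated as one incident with a noisy-OR combined score, while an isolated low-confidence alert stays low. The alert records, the one-hour window, the chain length of 3 and the 0.8 single-alert threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Alert:
    ts: int                   # seconds since epoch (constructed values below)
    source: str               # telemetry domain: identity, endpoint, database, email, cloud
    entities: frozenset[str]  # "type:name" identifiers the alert is about
    description: str
    confidence: float         # 0..1, as scored by the source's own analytics


@dataclass
class Incident:
    alerts: list[Alert]       # ordered by time, i.e. the reconstructed chain
    entities: set[str]
    sources: set[str]
    score: float


def correlate(alerts: list[Alert], window_s: int = 3600,
              min_chain: int = 3, escalate_single: float = 0.8) -> list[Incident]:
    """Link alerts that share an entity within window_s of each other, then escalate
    connected groups that span several alerts and more than one telemetry domain."""
    parent = list(range(len(alerts)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    for i, j in combinations(range(len(alerts)), 2):
        a, b = alerts[i], alerts[j]
        if a.entities & b.entities and abs(a.ts - b.ts) <= window_s:
            parent[find(i)] = find(j)

    groups: dict[int, list[Alert]] = defaultdict(list)
    for i, a in enumerate(alerts):
        groups[find(i)].append(a)

    incidents: list[Incident] = []
    for members in groups.values():
        members.sort(key=lambda a: a.ts)
        sources = {a.source for a in members}
        entities = set().union(*(a.entities for a in members))
        # Noisy-OR: several weak, independent signals combine into a strong one.
        miss = 1.0
        for a in members:
            miss *= 1.0 - a.confidence
        score = 1.0 - miss
        strong_single = max(a.confidence for a in members) >= escalate_single
        chain = len(members) >= min_chain and len(sources) >= 2
        if strong_single or chain:
            incidents.append(Incident(members, entities, sources, score))
    incidents.sort(key=lambda inc: inc.alerts[0].ts)
    return incidents


# Constructed alert stream: the three-step chain from the scenario plus two decoys.
SAMPLE_ALERTS = [
    Alert(1_700_000_000, "identity", frozenset({"user:alice"}),
          "login from new geolocation", 0.30),
    Alert(1_700_000_600, "endpoint", frozenset({"user:alice", "host:srv-fin-01"}),
          "first-ever interactive session on host", 0.35),
    Alert(1_700_001_500, "database", frozenset({"host:srv-fin-01", "db:finance"}),
          "query volume 8x above baseline", 0.40),
    Alert(1_700_000_300, "identity", frozenset({"user:bob"}),
          "login outside usual hours", 0.30),      # isolated: stays low-confidence
    Alert(1_700_100_000, "identity", frozenset({"user:alice"}),
          "self-service password reset", 0.20),    # same user, but outside the window
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"incident score={inc.score:.3f} sources={sorted(inc.sources)}")
        for a in inc.alerts:
            print(f"  t+{a.ts - inc.alerts[0].ts:>5}s [{a.source}] {a.description}")
```

The pairwise window check is O(n²), fine for a demonstration; a real engine keys the union by entity and keeps a sliding time index instead. The important design point is that suppression (option A) and global counting (option B) both discard the entity links that make the chain visible.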
