Latest Update: Jun 20 2026
Correct Answer: D
A is incorrect: Network-level rate limiting can slow an attacker by restricting query volume but does not eliminate the model inversion vulnerability. A determined attacker can operate within rate limits by spacing queries over time and still extract sensitive training data information from the detailed output probabilities. While rate limiting is a useful supplementary control, it does not address the root cause of the vulnerability in the model's output information. Reference: https://owasp.org/www-project-machine-learning-security-top-10/docs/ML03_2023-Model_Inversion_Attack
B is incorrect: Retraining the model from scratch is a long-term corrective action that does not provide an immediate response to an active attack. The retraining process requires significant time for data collection, curation, training, and validation. Meanwhile, the attacker continues to exploit the current model's detailed outputs to reconstruct sensitive information. An immediate response must disrupt the ongoing attack before undertaking longer-term model improvement efforts. Reference: https://owasp.org/www-project-machine-learning-security-top-10/docs/ML03_2023-Model_Inversion_Attack
C is incorrect: Migrating the inference endpoint to a different cloud region does not address the fundamental vulnerability being exploited. The model inversion attack targets the detailed output information provided by the model regardless of its hosting location. Moving the model to a different region without changing its output behavior would allow the attacker to resume the same attack pattern once the new endpoint is discovered or announced. Reference: https://owasp.org/www-project-machine-learning-security-top-10/docs/ML03_2023-Model_Inversion_Attack
D is correct: Reducing output granularity by returning only the predicted class label without detailed confidence scores directly addresses the attack vector of model inversion. These attacks rely on analyzing detailed probability distributions and confidence score vectors to reverse-engineer training data attributes. By limiting the information returned in API responses to only the top predicted label, the attacker loses the detailed output signals needed to reconstruct sensitive training data, effectively disrupting the active attack at the inference layer. Reference: https://owasp.org/www-project-machine-learning-security-top-10/docs/ML03_2023-Model_Inversion_Attack
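The output-granularity reduction described in D, as an added example (not from the exam page): a three-class classifier's softmax vectors are constructed sample data, and counting how many distinct responses a client observes for the same query set shows how much signal each response policy leaks.

```python
"""Reducing inference-API output granularity in response to model inversion.

Added example, not from the exam page. It models a 3-class classifier whose raw
outputs are softmax probability vectors (constructed sample data) and compares
three response policies. Fewer distinct responses over the same probe queries
means less output signal available for reconstruction.
"""
import json
from collections import Counter

CLASSES = ["benign", "condition_a", "condition_b"]  # hypothetical label set

# Constructed softmax outputs for six probe queries; in a real deployment these
# come from the model. Rows 0/1 and 2/3 share a top label but differ in confidence.
SAMPLE_PROBS = [
    [0.91, 0.06, 0.03],
    [0.62, 0.30, 0.08],
    [0.10, 0.85, 0.05],
    [0.20, 0.55, 0.25],
    [0.05, 0.15, 0.80],
    [0.33, 0.33, 0.34],
]


def full_response(probs):
    """Leaky policy: return the complete probability vector (what the attack exploits)."""
    return {"scores": dict(zip(CLASSES, probs))}


def rounded_topk_response(probs, k=2, ndigits=1):
    """Intermediate policy: top-k labels with coarsely rounded scores."""
    ranked = sorted(zip(CLASSES, probs), key=lambda kv: kv[1], reverse=True)[:k]
    return {"scores": {label: round(score, ndigits) for label, score in ranked}}


def label_only_response(probs):
    """Hardened policy: only the predicted class label, no confidence information."""
    top_index = max(range(len(probs)), key=lambda i: probs[i])
    return {"label": CLASSES[top_index]}


def distinct_responses(policy, prob_vectors):
    """Number of distinct API responses an observer collects for the given queries."""
    keys = [json.dumps(policy(p), sort_keys=True) for p in prob_vectors]
    return len(Counter(keys))


if __name__ == "__main__":
    for name, policy in [("full", full_response),
                         ("rounded_top2", rounded_topk_response),
                         ("label_only", label_only_response)]:
        print(name, distinct_responses(policy, SAMPLE_PROBS))
```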
Correct Answer: B
A is incorrect: Compliance reporting is not the primary function of this playbook. While SOAR platforms can track metrics to support compliance activities, the described playbook specifically automates the enrichment of individual phishing incidents with threat intelligence context. Compliance reporting aggregates historical data for audit purposes, which is a separate operational function from real-time alert enrichment and investigation.
B is correct: The described playbook automates alert enrichment by gathering contextual information about a suspicious email through threat intelligence lookups and sandbox detonation of attachments. These automated steps provide analysts with the enrichment data they need to make faster, more informed decisions when they begin their review. By performing initial investigation steps automatically, the playbook accelerates the triage process and reduces the manual effort required per reported phishing incident.
C is incorrect: Vulnerability scanning of email infrastructure is a separate security function from the playbook described. The playbook analyzes the content and indicators within a specific reported email by extracting and investigating its components against threat intelligence. Vulnerability management assesses infrastructure weaknesses, which is a distinct security process from incident-level alert enrichment.
D is incorrect: Encrypting email attachments is a data protection control that ensures confidentiality, not the function of the described playbook. The playbook's purpose is to enrich the incident with threat context by querying external feeds and detonating files in a sandbox environment. Encryption addresses data confidentiality concerns, whereas this playbook automates investigative analysis of reported phishing attempts.
Correct Answer: A
A is correct: The NIST AI RMF and NISTIR 8312 emphasize that explainability requirements should be calibrated to the risk level and potential impact of AI system decisions. AI systems making consequential decisions affecting health, safety, or fundamental rights require heightened explainability to support clinical validation, ensure patient trust, and meet regulatory obligations. The AI Acceptable Use Policy should mandate more rigorous explainability documentation for such high-stakes applications. Reference: https://doi.org/10.6028/NIST.IR.8312
B is incorrect: Integration with electronic health record systems through API connections is an architectural and interoperability concern that affects system design and security posture. While API security is important for protecting patient data, the number and type of system integrations do not determine explainability requirements. Heightened explainability is justified by the stakes of AI-driven decisions affecting individuals, not by the system's integration architecture. Reference: https://doi.org/10.6028/NIST.IR.8312
C is incorrect: While complex deep learning architectures can make explainability more technically challenging to implement, architectural complexity alone does not justify heightened explainability requirements in policy. The primary justification comes from the potential consequences of the AI system's decisions on individuals and society. A simple model making high-stakes medical decisions would still require elevated explainability controls under the organization's policy. Reference: https://doi.org/10.6028/NIST.IR.8312
D is incorrect: Processing large volumes of medical imaging data is a technical infrastructure concern related to computational capacity and system performance. The volume of data processed does not determine the level of explainability required under policy. Explainability requirements are driven by the potential consequences and impact of the AI system's decisions on individuals, not by the quantity of data processed or the computational resources the system consumes. Reference: https://doi.org/10.6028/NIST.IR.8312
Correct Answer: C
A is incorrect: An AI system impact assessment (AIIA) evaluates potential societal, ethical, and legal impacts of AI systems on individuals and groups. While ISO/IEC 42001 requires AIIAs for high-risk use cases and their results feed into the risk assessment process, the AIIA does not serve as the document that formally justifies which Annex A controls are applicable to the AIMS scope. Reference: https://www.iso.org/standard/81230.html
B is incorrect: A corrective action register tracks identified nonconformities and the actions taken to address them as part of the continual improvement process required under Clause 10. While essential for ongoing AIMS maintenance and audit readiness, it does not document which Annex A controls are applicable or provide justification for control selection decisions. Reference: https://www.iso.org/standard/81230.html
C is correct: Under ISO/IEC 42001, organizations must produce a Statement of Applicability (SoA) that documents which Annex A controls are applicable to their AIMS, justifies the selection of those controls based on risk assessment results, and explains any exclusions. The SoA serves as the formal link between identified AI risks and the implemented control measures, and it is verified during the certification audit. Reference: https://www.iso.org/standard/81230.html
D is incorrect: A risk treatment plan outlines how identified AI risks will be mitigated through selected controls and response strategies. While closely related to the SoA and informed by the risk assessment, the risk treatment plan describes mitigation strategies rather than formally mapping and justifying which specific Annex A controls are applicable and which are excluded. Reference: https://www.iso.org/standard/81230.html
Correct Answer: A
A is correct: Under GDPR Article 46, Standard Contractual Clauses are the most widely used mechanism for transferring personal data to third countries that lack an adequacy decision. SCCs are pre-approved contractual terms adopted by the European Commission that ensure the data recipient provides adequate safeguards for personal data protection. For AI model training with external cloud providers, SCCs establish binding data processing commitments. Reference: https://gdpr.eu/article-46-appropriate-safeguards/
B is incorrect: While encryption is an important supplementary security measure, it alone does not constitute a valid GDPR cross-border transfer mechanism. GDPR requires a specific legal basis for international transfers under Chapter V, such as adequacy decisions, SCCs, or binding corporate rules. Encryption combined with DPA notification does not replace these required mechanisms. Reference: https://gdpr.eu/article-46-appropriate-safeguards/
C is incorrect: GDPR does not require organizations to obtain individual processing authorizations from each member state supervisory authority for cross-border data transfers. The regulation provides uniform transfer mechanisms that apply consistently across all EU member states, eliminating the need for separate country-level authorizations for standard transfers. Reference: https://gdpr.eu/article-46-appropriate-safeguards/
D is incorrect: Restricting the timing of AI model training operations does not address the legal requirements for cross-border data transfers under GDPR. Transfer restrictions apply to the movement and processing of personal data in third countries regardless of when the processing occurs. Time-based processing restrictions are not a recognized GDPR transfer mechanism. Reference: https://gdpr.eu/article-46-appropriate-safeguards/
Correct Answer: D
A is incorrect: Model architecture and hyperparameters describe how the AI model is structured and tuned but do not provide human-readable explanations for specific escalation decisions. Auditors typically need to understand why a particular incident was escalated rather than examine the technical design details of the model's internal configuration and parameters.
B is incorrect: Providing the training dataset does not explain why any specific escalation decision was made. Training data reveals what the model learned from but does not document the rationale for individual decisions. Auditors require per-decision justification to verify that escalation criteria are being applied correctly and consistently to each incident.
C is incorrect: A secondary validation model adds a layer of verification but does not directly provide the rationale behind the original escalation decision. While dual-model validation can improve accuracy, auditors specifically require documentation explaining why the primary model made each decision, not an independent confirmation of the outcome from a separate model.
D is correct: Configuring per-decision explanations directly satisfies the audit requirement by providing documented rationale for each escalation decision. Explainable AI outputs allow auditors to review the specific factors such as alert severity, affected asset criticality, and threat intelligence matches that drove the AI model to escalate each incident, ensuring transparency and accountability.
Correct Answer: B
A is incorrect: Blocking outbound connections on non-standard ports is a prevention control, not a detection technique. Modern C2 frameworks commonly use standard ports such as HTTPS (443) and HTTP (80) to blend with legitimate traffic, so blocking non-standard ports alone would not detect C2 beaconing over allowed channels. Additionally, this approach does not use AI analysis and may disrupt legitimate business operations.
B is correct: AI-driven NDR platforms detect C2 beaconing by examining the inter-request time deltas between successive outbound connections from a host to the same destination. Beaconing traffic exhibits characteristic periodic patterns as compromised hosts communicate with C2 servers at regular intervals. Machine learning models identify these subtle timing regularities even when the intervals are slightly jittered to evade simple threshold-based detection, making this the most effective technique for stealthy C2 detection.
C is incorrect: Endpoint file scanning is an endpoint detection and response (EDR) capability, not a network detection and response technique. While file scanning can identify known malware on hosts, it does not analyze network traffic patterns to detect C2 beaconing behavior. NDR solutions operate at the network level, analyzing traffic flows and communication patterns rather than scanning individual files on endpoints.
D is incorrect: Static signature matching relies on known indicators of compromise such as specific IP addresses or domain names associated with C2 infrastructure. While useful for detecting known threats, this approach cannot identify novel or previously unseen C2 channels. The scenario specifically requires detecting stealthy beaconing that evades signature-based detection, making this approach insufficient for the stated requirement.
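The timing-regularity signal from B, as an added example (not from the exam page or any NDR product): constructed flow records for two hosts are grouped per source/destination pair, and a pair whose inter-connection deltas have a low coefficient of variation is flagged even though the beacon interval carries jitter. Thresholds and the addresses are assumptions for illustration.

```python
"""Detecting C2-style beaconing from the timing regularity of outbound connections.

Added example, not from the exam page or a vendor product. It takes constructed
flow records (src, dst, epoch seconds) and flags src->dst pairs whose inter-connection
deltas are nearly periodic, measured by a low coefficient of variation (CV), even
when the interval is jittered. Real NDR platforms combine this with many more
features; this shows the core timing signal.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log. Host 10.0.0.5 beacons to one destination every ~60 s with
# roughly +-3 s jitter; host 10.0.0.7 shows bursty, irregular browsing-like traffic.
FLOWS = [
    ("10.0.0.5", "198.51.100.20:443", 1000),
    ("10.0.0.5", "198.51.100.20:443", 1058),
    ("10.0.0.5", "198.51.100.20:443", 1121),
    ("10.0.0.5", "198.51.100.20:443", 1179),
    ("10.0.0.5", "198.51.100.20:443", 1242),
    ("10.0.0.5", "198.51.100.20:443", 1299),
    ("10.0.0.5", "198.51.100.20:443", 1361),
    ("10.0.0.7", "203.0.113.9:443", 1000),
    ("10.0.0.7", "203.0.113.9:443", 1004),
    ("10.0.0.7", "203.0.113.9:443", 1130),
    ("10.0.0.7", "203.0.113.9:443", 1131),
    ("10.0.0.7", "203.0.113.9:443", 1420),
    ("10.0.0.7", "203.0.113.9:443", 1421),
    ("10.0.0.7", "203.0.113.9:443", 1900),
]


def inter_arrival_deltas(flows):
    """Group flows per (src, dst) and return the time deltas between successive connections."""
    times = defaultdict(list)
    for src, dst, ts in flows:
        times[(src, dst)].append(ts)
    deltas = {}
    for pair, ts_list in times.items():
        ts_list.sort()
        deltas[pair] = [later - earlier for earlier, later in zip(ts_list, ts_list[1:])]
    return deltas


def timing_cv(deltas):
    """Coefficient of variation of the deltas; values near 0 mean near-perfect periodicity."""
    if len(deltas) < 2 or mean(deltas) == 0:
        return None
    return pstdev(deltas) / mean(deltas)


def find_beacons(flows, min_connections=5, max_cv=0.15):
    """Return (src, dst) pairs regular enough to flag, with their mean interval and CV.
    min_connections and max_cv are illustrative thresholds, not tuned values."""
    flagged = {}
    for pair, deltas in inter_arrival_deltas(flows).items():
        if len(deltas) + 1 < min_connections:
            continue  # too few observations to judge periodicity
        cv = timing_cv(deltas)
        if cv is not None and cv <= max_cv:
            flagged[pair] = {"interval": round(mean(deltas), 1), "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for pair, stats in find_beacons(FLOWS).items():
        print(pair, stats)
```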
Correct Answer: B
A is incorrect: Increasing training data volume and diversity may improve the model's general accuracy and robustness but does not directly prevent prompt injection attacks. Prompt injection exploits how models process instructions at inference time, not gaps in training data coverage. An attacker can craft malicious prompts regardless of training data quality, so this approach does not address the runtime input manipulation that characterizes prompt injection. Reference: https://genai.owasp.org/llmrisk/llm01-prompt-injection/
B is correct: Applying input sanitization with semantic filters that treat user prompts as data is the most effective approach to reduce direct prompt injection risk. This approach validates and cleans user inputs before they reach the model, scanning for known injection patterns, encoded instructions, and attempts to override system prompts. OWASP recommends treating user input as data rather than commands and applying semantic filters to scan for non-allowed content as core defense principles for preventing prompt injection in LLM applications. Reference: https://genai.owasp.org/llmrisk/llm01-prompt-injection/
C is incorrect: Network segmentation and private subnet deployment protect the model infrastructure from unauthorized network access and reduce the overall attack surface. However, prompt injection attacks are delivered through legitimate application interfaces by submitting crafted text inputs, not by exploiting network-layer vulnerabilities. Network controls do not inspect or validate the semantic content of user prompts submitted through the application layer. Reference: https://genai.owasp.org/llmrisk/llm01-prompt-injection/
D is incorrect: Multi-factor authentication verifies the identity of users before granting access but does not restrict what authenticated users can submit as prompts. A legitimate, authenticated user can still craft or inadvertently submit inputs that trigger prompt injection vulnerabilities. Authentication controls address the question of who can access the chatbot, not the content or nature of what they submit to the model. Reference: https://genai.owasp.org/llmrisk/llm01-prompt-injection/
Correct Answer: A
A is correct: Model inversion attacks occur when an attacker reverse-engineers a model by systematically querying it and analyzing its detailed outputs to extract sensitive training data information. The described pattern of high-volume iterative queries with varied inputs, combined with collection of full probability distributions, is the signature indicator of model inversion at the inference layer. Runtime monitoring systems should be configured to detect this type of systematic probing behavior by establishing normal query baselines and alerting on anomalous iterative patterns. Reference: https://owasp.org/www-project-machine-learning-security-top-10/docs/ML03_2023-Model_Inversion_Attack
B is incorrect: Prompt injection attacks involve crafting malicious inputs designed to override or manipulate the instructions given to a language model. The scenario describes systematic querying of a healthcare model's API to collect and analyze probability distributions, which is characteristic of a privacy-focused inference attack rather than prompt manipulation. Prompt injection targets natural language processing models, not classification APIs returning confidence vectors. Reference: https://owasp.org/www-project-machine-learning-security-top-10/docs/ML03_2023-Model_Inversion_Attack
C is incorrect: Data poisoning attacks involve corrupting or manipulating the model's training data to influence its behavior during the learning phase. The scenario describes suspicious activity occurring at the inference layer through API queries at runtime, not manipulation of training data. Data poisoning targets the data pipeline during model training, whereas the described query behavior is specifically an inference-time privacy attack exploiting the model's output responses. Reference: https://owasp.org/www-project-machine-learning-security-top-10/docs/ML03_2023-Model_Inversion_Attack
D is incorrect: Adversarial evasion attacks involve crafting inputs designed to cause the model to misclassify or produce incorrect outputs at inference time. While evasion attacks also occur during inference, their goal is to fool the model's predictions, not to extract sensitive information about training data. The scenario's focus on capturing full probability distributions indicates a data reconstruction objective rather than an attempt to bypass the model's classification capabilities. Reference: https://owasp.org/www-project-machine-learning-security-top-10/docs/ML03_2023-Model_Inversion_Attack
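The runtime-monitoring approach from A, as an added example (not from the exam page): constructed inference-API request records are aggregated per client, a volume baseline is taken across all clients, and a client combining unusually high volume, mostly unique inputs and a preference for full probability-vector output is flagged. The client names, feature thresholds and log layout are assumptions.

```python
"""Runtime monitoring for model-inversion-style probing of an inference API.

Added example, not from the exam page. It builds per-client features from
constructed request records, derives a volume baseline from all clients, and
flags clients that combine high query volume, highly varied inputs and a
preference for full probability-vector output. Thresholds are illustrative.
"""
from collections import defaultdict
from statistics import median

# Constructed request log: (client id, epoch seconds, hash of the submitted input,
# whether the client asked for the full probability vector instead of a label).
# Two ordinary clients reuse a small set of inputs; one client sends a long run of
# unique inputs and always requests full probabilities.
REQUESTS = (
    [("app-frontend", 1000 + 30 * i, "h%03d" % (i % 6), False) for i in range(20)]
    + [("batch-etl", 2000 + 60 * i, "h%03d" % (i % 3), False) for i in range(12)]
    + [("probe-client", 3000 + i, "q%04d" % i, True) for i in range(180)]
)


def per_client_features(requests):
    """Aggregate volume, input variety and output-format preference per client."""
    buckets = defaultdict(list)
    for client, ts, input_hash, wants_probs in requests:
        buckets[client].append((ts, input_hash, wants_probs))
    feats = {}
    for client, rows in buckets.items():
        n = len(rows)
        feats[client] = {
            "count": n,
            "distinct_input_ratio": len({h for _, h, _ in rows}) / n,
            "full_probs_ratio": sum(1 for _, _, w in rows if w) / n,
        }
    return feats


def flag_probing_clients(requests, volume_multiplier=5.0,
                         min_distinct=0.9, min_full_probs=0.8):
    """Flag clients whose volume exceeds volume_multiplier times the median client
    volume (the baseline) and whose inputs are mostly unique and mostly request
    full probabilities. Returns the flagged clients with their features."""
    feats = per_client_features(requests)
    baseline = median(f["count"] for f in feats.values())
    return {
        client: f for client, f in feats.items()
        if f["count"] > volume_multiplier * baseline
        and f["distinct_input_ratio"] >= min_distinct
        and f["full_probs_ratio"] >= min_full_probs
    }


if __name__ == "__main__":
    for client, feats in flag_probing_clients(REQUESTS).items():
        print("ALERT possible model inversion probing:", client, feats)
```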
Correct Answer: A
A is correct: The EU AI Act explicitly prohibits social scoring systems that evaluate or classify individuals based on social behavior or personal characteristics in ways that lead to detrimental or unfavorable treatment. Monitoring employee social media to assign trustworthiness scores that affect access to benefits constitutes social scoring that falls under the unacceptable risk tier. Such systems may not be placed on the market or used in the EU and must be decommissioned. Reference: https://artificialintelligenceact.eu/article/5/
B is incorrect: While high-risk AI systems in employment contexts are permitted with compliance controls, the specific practice of assigning trustworthiness scores based on social behavior goes beyond typical employment classification. The EU AI Act categorizes social scoring as an unacceptable risk that is outright prohibited, not a high-risk practice that can be mitigated through conformity assessments or oversight mechanisms. The system must be decommissioned rather than made compliant. Reference: https://artificialintelligenceact.eu/article/5/
C is incorrect: General-purpose AI models are a separate classification in the EU AI Act covering models trained on broad data that can perform a variety of tasks, such as large language models. The system described is a specific-purpose AI application designed for social scoring of employees, not a general-purpose foundation model. Furthermore, social scoring is classified as a prohibited practice under the unacceptable risk tier regardless of the underlying AI technology used. Reference: https://artificialintelligenceact.eu/chapter/5/
D is incorrect: Limited-risk AI systems such as chatbots and recommendation engines are subject to transparency obligations requiring users to be informed about AI interaction. However, social scoring systems that assign trustworthiness ratings based on social behavior are far more harmful than limited-risk applications. The EU AI Act places social scoring in the prohibited tier due to its potential for discrimination, exclusion, and violation of fundamental rights. Reference: https://artificialintelligenceact.eu/article/50/
