AAISM Certification Study Guide: Pass the ISACA Advanced AI Security Management Exam

The ISACA AAISM certification—Advanced in AI Security Management—is one of the most precisely targeted credentials available for cybersecurity professionals moving into the AI governance and risk space. It requires an active CISM or CISSP as a prerequisite, positions itself in the advanced tier of the ISACA portfolio, and tests three specialized domains: AI Governance and Program Management, AI Risk Management, and AI Technologies and Controls. The exam consists of 100 multiple-choice questions over 120 minutes, with a passing score of 450 on a 200–800 scale. This guide covers everything you need: exam structure, all three domains, preparation strategy, what AAISM practice questions actually look like, registration steps, and where AAISM sits in the broader ISACA career path.

What Is the ISACA AAISM Certification?

The ISACA AAISM (Advanced in AI Security Management) certification validates a security professional’s ability to govern, manage risk for, and apply technical controls to artificial intelligence systems in enterprise environments. It is issued by ISACA—the organization responsible for CISM, CISA, CRISC, and CGEIT—and represents their first advanced-level credential focused exclusively on AI security. Candidates must hold an active CISM or CISSP before they can register.

AAISM goes beyond general cybersecurity coverage. It addresses the risks that AI systems introduce specifically: adversarial model attacks, data poisoning, prompt injection in generative AI, governance of AI third-party suppliers, and compliance with AI-specific regulations like the EU AI Act. The exam tests both the security risk side and the governance side—what can go wrong with AI systems, and how organizations establish policies and controls to manage those risks systematically.

The credential is built for experienced practitioners. It is not an entry point—the CISM or CISSP prerequisite ensures candidates bring baseline security management knowledge, and the exam evaluates them purely on AI-specific competencies.

The AAISM certification is relevant to several distinct roles:

  • Information security managers and CISOs overseeing AI deployment decisions and governance frameworks
  • AI and machine learning engineers responsible for secure model development and lifecycle management
  • Risk and compliance professionals assessing AI systems under emerging regulatory frameworks
  • IT auditors evaluating AI governance structures and control environments
  • Security consultants building AI risk management programs for enterprise clients

What Are the AAISM Prerequisites, Costs, and Eligibility?

To register for the AAISM exam, candidates must hold an active CISM or CISSP certification—this requirement is mandatory and verified during the ISACA registration process. Beyond the credential requirement, ISACA expects demonstrated experience in security or advisory roles and practical familiarity with AI system assessment. The exam is designed for professionals already working in these areas, not for those transitioning into security for the first time.

If you are working toward the CISM credential first, the CISM exam preparation guide covers the exam format, domains, and study approach in detail.

Exam Fees

The AAISM exam costs $459 for current ISACA members and $599 for non-members. After passing, candidates pay a separate $50 application processing fee to complete the certification application. ISACA annual membership costs approximately $135, which means members save $140 on the exam fee alone—enough to offset membership for most candidates pursuing this credential.

Eligibility Window and Certification Timeline

Candidates have six months from their registration date to schedule and sit the exam. If the exam is not completed within that window, the registration expires. After passing, candidates have five years to submit the full certification application, including the $50 processing fee and agreement to ISACA’s Code of Professional Ethics and Continuing Professional Education policy.

What Does the AAISM Exam Look Like?

The AAISM exam consists of 100 multiple-choice questions delivered over 120 minutes. Scores are reported on a 200–800 scale, and candidates must achieve a minimum score of 450 to pass. This scaled scoring format is consistent with ISACA’s other major certification exams, including CISM and CISA. Each question has four answer options and exactly one correct answer; there is no partial credit.

Delivery Options

The exam is administered through PSI testing centers worldwide or via remote proctoring through ISACA Anywhere. Remote proctoring is not available in India, Mainland China, or Hong Kong—candidates in those regions must test at a PSI center.

Question Format and Pacing

The 120-minute duration allows approximately 72 seconds per question on average. Questions are scenario-based: candidates are presented with realistic enterprise situations—an AI governance decision, a risk assessment finding, a technology control evaluation—and must select the most appropriate course of action. This format rewards judgment and domain knowledge over rote memorization. No open-book materials or electronic devices are permitted during the exam.

What Are the Three AAISM Exam Domains?

The AAISM exam is organized into three content domains covering distinct areas of AI security management: AI Governance and Program Management, AI Risk Management, and AI Technologies and Controls. ISACA does not publish specific percentage weights per domain for AAISM, but understanding the scope and focus of each domain is essential for allocating your study time effectively.

Domain 1: AI Governance and Program Management

This domain covers how organizations establish, oversee, and maintain governance structures for AI systems. Topics include building an AI governance program aligned with enterprise risk appetite, defining roles and responsibilities for AI oversight (AI governance boards, model owners, and executive sponsors), and integrating AI governance with existing information security frameworks.

Regulatory alignment is central to this domain. The EU AI Act, the NIST AI Risk Management Framework, and ISO/IEC 42001 (the AI management system standard published in 2023) are all directly relevant. Candidates are expected to understand how to translate these regulatory requirements into practical governance policies, and how to communicate AI risk to executive leadership and boards in terms that drive decisions.

Domain 2: AI Risk Management

Domain 2 tests the ability to identify, assess, and manage risks specific to AI systems. The scope includes adversarial attack types—data poisoning, model inversion, and prompt injection for generative AI—as well as third-party AI risk (evaluating AI vendors and cloud model providers), and lifecycle risk management from model development through decommissioning.

This domain has natural overlap with CRISC competencies, applying established risk assessment and treatment frameworks to AI-specific scenarios. Candidates from a risk management background will recognize familiar frameworks, adapted to AI model risk, training data integrity, and the unique challenge of AI output reliability.

Domain 3: AI Technologies and Controls

The third domain addresses the technical side of AI security: the types of AI architectures in common enterprise use, the security controls specific to each, and how to test AI systems for weaknesses. Topics include secure model development practices, monitoring AI system behavior in production environments, incident response for AI-related security events, and AI-specific audit methodologies.

The OWASP Top 10 for LLM Applications is a useful reference for this domain, particularly for candidates preparing to address generative AI and large language model security risks. Governance-focused candidates typically find Domain 3 requires the most new learning.

How Does AAISM Fit Into the ISACA Certification Pathway?

AAISM sits above CISM in the ISACA portfolio, functioning as an AI security specialization built on the foundation that CISM or CISSP provides. It is one of the first ISACA credentials that requires another active certification as an entry condition—a design choice that reflects the advanced-practice nature of the exam and its position at the intersection of AI and information security management.

Certification   Focus                                   Level
CISA            IT audit and assurance                  Professional
CISM            Information security management         Professional
CRISC           IT risk and control                     Professional
CGEIT           IT governance and enterprise strategy   Professional
AAISM           AI security management (advanced)       Advanced (requires CISM/CISSP)

For CISM holders, AAISM is a natural progression if AI systems are already part of their organization’s risk landscape. For CISSP holders, AAISM provides ISACA-specific recognition for an area that the broad CISSP framework covers only at a high level. For professionals building toward the governance track, the CGEIT certification guide outlines the IT governance competencies that also intersect with AAISM Domain 1.

CRISC holders will find Domain 2 familiar territory—AI risk management draws directly on the risk assessment and treatment methodologies CRISC develops. CGEIT’s strategic governance perspective aligns closely with Domain 1 governance and program management content.

Why Is the AAISM Certification Worth Pursuing in 2026?

The AAISM certification addresses a convergence of market demand, regulatory pressure, and skills scarcity that makes 2026 an opportune time to earn it. AI security has moved from an emerging concern to a core enterprise priority, creating demand for professionals who can govern and manage AI risk at a credentialed, verifiable level.

Market Demand and Regulatory Pressure

According to McKinsey’s 2024 global survey, 72 percent of organizations now use AI in at least one business function—a figure that creates an enormous and largely unmanaged attack surface across industries. The IBM Cost of a Data Breach Report 2024 found that the global average cost of a data breach reached $4.88 million, with AI-assisted attacks contributing to faster breach timelines and higher financial impact.

Regulatory pressure is intensifying simultaneously. The EU AI Act’s first enforcement obligations took effect in February 2025 for prohibited AI practices, with subsequent obligations for general-purpose AI models following in August 2025. Organizations operating high-risk AI systems must now implement conformity assessments, human oversight mechanisms, and ongoing monitoring programs—competencies that map directly to AAISM Domain 1.

“AI security management is no longer a niche specialty—it is a core governance responsibility for any organization deploying AI systems in high-stakes environments.”

— ISACA

Career Value

AI security and AI governance roles in the US market command $160,000–$220,000 annually, with premiums for candidates holding recognized vendor-neutral credentials. The ISACA brand carries particular weight in enterprise risk, audit, and compliance hiring contexts—environments where the AAISM credential’s governance and risk management emphasis is directly relevant.

For a structured step-by-step approach to earning the credential, the AAISM certification strategy guide on Edusum outlines how experienced security professionals build their preparation plan around the three domains.

How to Study for the AAISM Exam

AAISM has no mandatory training requirement before sitting the exam, but the scenario-based format rewards structured preparation over last-minute cramming. Most candidates with a CISM or CISSP background report needing 8–12 weeks of dedicated study time. Domain 3 (AI Technologies and Controls) typically requires the most new learning for governance-focused candidates, while Domain 2 (AI Risk Management) tends to be more accessible to those with a CRISC or risk management background.

Key Study Resources

  • AAISM Exam Candidate Guide: The official free PDF from ISACA outlines exam structure, domain scope, and preparation guidance. Download the AAISM exam candidate guide directly from ISACA’s website before building your study plan.
  • ISACA Learning Platform: Official ISACA e-courses and exam review materials are updated to reflect current exam content and are available through the ISACA portal.
  • Practice exam questions: Timed practice sessions across all three domains build both knowledge and pacing discipline for the 120-minute exam window.

Domain-by-Domain Study Approach

Domain 1 — Governance: Review the NIST AI RMF, the structure of ISO/IEC 42001, and the EU AI Act’s high-risk system classification tiers. Focus on governance program design and board-level risk communication, not just familiarity with framework names.

Domain 2 — Risk Management: Map each AI-specific attack vector (data poisoning, adversarial inputs, prompt injection) to a risk treatment approach. Candidates with CRISC experience can adapt their existing risk matrix skills to AI-specific scenarios directly.

Domain 3 — Technologies and Controls: If your background is governance-heavy, invest extra time here. Study generative AI architecture basics, LLM security risks, and the OWASP Top 10 for LLM Applications. Understanding how AI models process inputs—and where they are vulnerable—is a prerequisite for answering technology control questions confidently.

What Do AAISM Practice Questions Test?

AAISM practice questions follow the same scenario-based multiple-choice format as the real exam. Each question presents a brief enterprise situation—an AI governance committee decision, a security team detecting anomalous model behavior, or an auditor evaluating a third-party AI vendor—and asks candidates to identify the best next action or assessment approach. This format tests judgment and prioritization, not just factual recall.

A key skill the questions develop is domain identification: recognizing which of the three AAISM domains applies to a given scenario. A question about detecting adversarial inputs during model inference is a Domain 3 (Technologies and Controls) question. A question about reporting AI risk exposure to the board is a Domain 1 (Governance) question. Correctly mapping scenarios to domains improves both accuracy and speed on the actual exam.

Candidates can access a bank of 190+ AAISM scenario questions on the AAISM practice exam platform from Edusum, covering questions across all three domains with detailed explanations for both correct and incorrect answers. The platform offers two months of access with unlimited attempts—structured timed sessions that mirror the 100-question, 120-minute exam format are the most effective way to use this resource.

How Do You Register for the AAISM Exam?

AAISM registration is handled directly through ISACA’s website. The process is straightforward but requires confirming your active CISM or CISSP before you can proceed—ISACA validates this during the registration workflow.

  1. Confirm your prerequisite: Ensure your CISM or CISSP is active and in good standing. Check your certification status in your ISACA account if needed.
  2. Log into your ISACA account: All AAISM registration is managed through the ISACA portal. Create an account if you do not already have one.
  3. Complete exam registration: Select your preferred delivery format (PSI center or remote proctoring), pay the exam fee ($459 for members, $599 for non-members), and confirm your six-month eligibility window start date.
  4. Schedule your exam date: After registration, PSI’s scheduling system becomes accessible. Choose a date that leaves adequate preparation time within your six-month window.
  5. Sit the exam: Bring acceptable government-issued photo identification. For remote candidates, verify the ISACA technical requirements for a compliant proctored environment at least 48 hours in advance.
  6. Apply for certification: After passing, submit the $50 application processing fee and complete ISACA’s certification application within five years of your exam pass date.

Current fee schedules, testing center search, and full registration instructions are available on the ISACA AAISM credential page.

FAQ: ISACA AAISM Frequently Asked Questions

What is the ISACA AAISM certification?

AAISM stands for Advanced in AI Security Management. It is an advanced-level certification from ISACA that validates a professional’s ability to govern, manage risk for, and secure artificial intelligence systems in enterprise environments. It requires an active CISM or CISSP as a prerequisite.

Do I need a CISM to take the AAISM exam?

Yes. Candidates must hold either an active CISM (Certified Information Security Manager) or an active CISSP (Certified Information Systems Security Professional) before registering for the AAISM exam. ISACA verifies this during the registration process.

How many questions are on the AAISM exam?

The AAISM exam consists of 100 multiple-choice questions. Each question has four answer options with one correct answer. The exam allows 120 minutes, giving candidates approximately 72 seconds per question on average.

What is the passing score for the AAISM exam?

The AAISM passing score is 450 on a scaled 200–800 scoring range. This scaled system is consistent with other major ISACA certification exams, including CISM and CISA.

How much does the AAISM exam cost?

The exam fee is $459 for ISACA members and $599 for non-members. After passing, a separate $50 application processing fee is required to complete the certification application. ISACA membership costs approximately $135 per year.

What are the three AAISM exam domains?

The three AAISM exam domains are: (1) AI Governance and Program Management, which covers governance frameworks, program design, and regulatory compliance; (2) AI Risk Management, covering adversarial attacks, vendor risk, and AI lifecycle risk; and (3) AI Technologies and Controls, covering AI architectures, secure development practices, and incident response.

How long should I study for the AAISM exam?

Most candidates with an active CISM or CISSP background report needing 8–12 weeks of structured preparation. The exact time depends on your familiarity with each domain—Domain 3 (AI Technologies and Controls) typically requires the most new learning for governance-focused professionals.

Can I take the AAISM exam online?

Yes. AAISM is available via remote proctoring through ISACA Anywhere in most regions. Remote proctoring is not available in India, Mainland China, or Hong Kong—candidates in those regions must test at an authorized PSI testing center.

How does AAISM differ from CISM?

CISM (Certified Information Security Manager) is a broad information security management certification with no prerequisite. AAISM is an advanced specialization that builds on CISM, narrowing the focus to AI-specific governance, risk management, and technical controls. AAISM requires an active CISM or CISSP to register, making it a logical progression rather than a standalone credential.

Is there an AAISM practice exam available?

Yes. Edusum offers a bank of 190+ AAISM practice questions that simulate the exam’s scenario-based format, covering all three domains with answer explanations. The platform provides two months of unlimited-attempt access, which is sufficient for multiple full-length timed practice sessions before exam day.

Conclusion

The ISACA AAISM certification offers experienced security professionals a structured, credentialed pathway into AI governance and risk management at a time when both regulatory and market pressures are creating genuine enterprise demand for these skills. The three-domain structure—AI Governance and Program Management, AI Risk Management, and AI Technologies and Controls—maps directly to the practical challenges security teams face as AI systems expand across enterprise infrastructure.

For CISM and CISSP holders ready to specialize, AAISM is a well-positioned next credential. Start with the official ISACA candidate guide, build domain knowledge systematically, and supplement with scenario-based practice questions to develop the judgment and pacing the 100-question exam demands. The resources in this guide give you everything needed to begin preparation with confidence.