Question 2 - ISACA AAISM Real Exam Questions [March 2026 Update]

Q: 2

During the creation of a new large language model (LLM), an organization procured training data from multiple sources. Which of the following is MOST likely to address the CISO's security and privacy concerns?

Options

A. Data augmentation

B. Data minimization

C. Data classification

D. Data discovery

Discussion

Adam A. Feb 13, 2026 3:24 am

B. Data minimization.

Luke Feb 10, 2026 8:43 am

I’d say it's B. Minimizing the data collected is the main protection for both privacy and security concerns in this scenario.

Noah Feb 19, 2026 3:41 pm

Maybe C, since you need to label the data before you can focus on privacy risks. Not 100% sure.

Ravi U. Mar 1, 2026 10:18 pm

Honestly, these questions always overcomplicate things. Minimization is what CISOs actually care about for privacy, not just labeling stuff. B.

Grace S. Feb 23, 2026 3:33 am

B, since minimizing the data set actually removes sensitive info that could leak out of the LLM later. Classification helps control it but doesn't prevent risky data from getting in. Seen similar wording on practice questions, and B fits best unless they're asking for just an inventory, which they're not. Open to other views but this is pretty clear to me.

Vikram Feb 26, 2026 10:01 am

Feels like it's B. Only minimizing the data actually deals with privacy risks up front, not just labeling or discovering it.

CalmSec867 Feb 23, 2026 4:55 am

I get why B is tempting but C makes more sense if you want to actually address privacy up front. C.

Hannah Feb 15, 2026 6:30 am

Ryan D. Feb 28, 2026 6:53 pm

It's B, data minimization. That actually reduces the amount of sensitive data in training sets, directly cutting down privacy risk. C is a common distractor but just labeling doesn't fix exposure. Pretty sure B is what CISOs want here.

Karan G. Feb 27, 2026 3:40 am

C tbh, since classification has to come first when pulling from multiple sources. Can't minimize what you haven't labeled yet. Pretty sure that's how most orgs would approach security here, but open to other thoughts.


Correct Answer: B. Data minimization

Explanation

Data minimization is a core privacy and security principle: process only the data that is necessary for a specific purpose. When training a large language model (LLM), this means identifying and removing sensitive, personal, or proprietary information from the training datasets before the model is trained. This addresses the CISO's concerns directly because it shrinks the risk surface. Data that never enters the training set cannot be memorized and later exposed by the model, which lowers the likelihood of a data leak and supports compliance with privacy regulations.
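As a rough illustration of what minimizing a training set can look like in practice, the Python sketch below keeps only an allow-listed set of fields and redacts e-mail and phone-like strings from the text. The field names, the allow-list, and the two regular expressions are assumptions made for this example; real PII detection needs far broader coverage than two patterns.

```python
import re

# Hypothetical patterns for illustration only; they will miss many PII formats.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

# Hypothetical allow-list: the only fields the training purpose is assumed to need.
ALLOWED_FIELDS = {"text", "source"}


def minimize_record(record: dict) -> dict:
    """Keep only allow-listed fields and redact PII-like spans in the text."""
    kept = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    text = kept.get("text", "")
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    kept["text"] = text
    return kept


def minimize_dataset(records: list[dict]) -> list[dict]:
    """Apply record-level minimization to every record from every source."""
    return [minimize_record(r) for r in records]


# Made-up sample records standing in for data procured from two sources.
raw = [
    {
        "text": "Contact jane.doe@example.com or +1 415 555 0100.",
        "source": "vendor_a",
        "customer_id": "C-1029",
    },
    {
        "text": "The model uses a transformer architecture.",
        "source": "vendor_b",
        "customer_id": "C-2231",
    },
]

clean = minimize_dataset(raw)
for row in clean:
    print(row)
```

The point of the sketch is that the sensitive values are gone before training starts, so there is nothing left for the model to memorize from these records.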

Why Incorrect

A. Data augmentation: This technique is used to increase the volume of training data to improve model accuracy and generalization, not to address security or privacy risks.

C. Data classification: This is a foundational step for identifying sensitive data, but it does not, by itself, mitigate the risk; it only labels the data and leaves it in place.

D. Data discovery: This process locates data across systems. Like classification, it is a preliminary step that identifies the problem but does not implement a solution.
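The difference between labeling data and acting on the labels can be shown with a small Python sketch. The label names, the single e-mail pattern, and the sample corpus are assumptions for this example, not part of any ISACA or NIST guidance.

```python
import re

# Hypothetical detector: a single e-mail pattern stands in for a real classifier.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def classify(text: str) -> str:
    """Return a hypothetical sensitivity label; the text itself is not modified."""
    return "confidential" if EMAIL_RE.search(text) else "public"


# Made-up sample corpus.
corpus = [
    "Reach me at sam@example.org for the contract.",
    "Transformers use self-attention.",
]

# Classification alone: every record now has a label...
labels = [classify(t) for t in corpus]

# ...but the e-mail address is still sitting in the corpus.
still_exposed = [t for t in corpus if EMAIL_RE.search(t)]

# Exposure only drops once something acts on the labels (here: drop non-public records).
training_set = [t for t, label in zip(corpus, labels) if label == "public"]

print(labels)
print(len(still_exposed))
print(training_set)
```

This is also why the "classification has to come first" argument in the discussion does not change the answer: labeling may be a prerequisite, but the risk reduction comes from the removal step.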

References

1. National Institute of Standards and Technology (NIST). (2023). Artificial Intelligence Risk Management Framework (AI RMF 1.0). (NIST AI 100-1).

Page 29, Table 7, MAP.T10: In the section on documenting training data, this subcategory explicitly lists "adherence to data minimization principles" as a key element for managing AI risks. This directly supports using data minimization to handle training data concerns.

2. ISACA. (2023). Artificial Intelligence: An Audit and Assurance Framework.

Page 21, Section 3.2.1 Data Governance: The framework states, "Data used to train AI models should be relevant, accurate and appropriate for the intended purpose... It is important to ensure that the data used for training does not contain any sensitive or confidential information that could be inadvertently exposed by the AI model." This aligns with the principle of data minimization to remove unnecessary sensitive data.

3. European Union. (2016). General Data Protection Regulation (GDPR).

Article 5(1)(c): This article establishes "data minimisation" as a core principle of data protection, stating that personal data shall be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." This legal and privacy principle is the direct solution to the CISO's concerns when applied to AI training data.
