Question 5 - Isaca AAISM Real Exam Questions [March 2026 Update]

Q: 5

Which of the following key risk indicators (KRIs) is MOST relevant when evaluating the effectiveness of an organization’s AI risk management program?

Options

Discussion

Chris M. Feb 17, 2026 7:46 am

Option C. Saw a similar question in exam reports, and compliance percentage is usually what they're looking for as a real KRI.

Liam Feb 28, 2026 12:12 pm

I saw a similar question on a practice set and went with B.

Ava C. Feb 16, 2026 11:49 am

C is the pick here. Measures like compliance rates are classic KRIs in ISACA guides for showing how well an AI risk management process is doing, not just how much AI is used. Pretty sure practice questions back this up, but let me know if you see differently.

Grace Z. Feb 22, 2026 2:56 am

B or C. If they're only looking at breadth of AI in critical systems, B stands out for risk exposure since more coverage usually means higher risk surface. But depends if they're judging exposure vs effectiveness-I think B fits better for coverage metrics honestly.

Chloe R. Feb 16, 2026 9:37 am

NoahU Feb 15, 2026 8:08 am

C , compliance % is the clearest measure of risk management effectiveness here.

Vikram Feb 22, 2026 1:55 am

C , compliance percentage ties right to how effective those controls and policies actually are. Not totally sure though.

Kevin Feb 26, 2026 9:31 pm

I don't think it's B, C is better. B just shows how much AI you have in key systems but doesn't say anything about risk management performance. C directly reflects whether controls and policies are actually being followed. Training requests (D) is a classic distractor for these. Agree?

Jack L. Feb 14, 2026 9:26 pm

Yeah, C makes the most sense to me. Compliance rates directly show if controls and policies for AI risk are being followed, unlike A or D which don't really track effectiveness. B is more about exposure than management. Pretty sure C is what exam wants here, but open to other takes if I missed something.

Ben Y. Feb 12, 2026 1:34 pm

Is there a scenario where A would ever be more relevant as a KRI here? Just curious if exam reports mention that.

Be respectful. No spam.

Correct Answer:

Explanation

A Key Risk Indicator (KRI) for an AI risk management program should measure the program's effectiveness in governing AI initiatives and ensuring they adhere to established policies and controls. The "Percentage of AI projects in compliance" is the most direct measure of this effectiveness. It quantifies how well the organization's AI activities are following the prescribed risk management framework, including mandatory assessments, controls, and documentation. A high compliance rate indicates a successful and effective program, while a low rate serves as an early warning that the program is not being implemented properly, increasing overall AI-related risk.

Why Incorrect

A. Number of AI models deployed into production: This is a volume or activity metric. It indicates the scale of AI adoption and potential risk exposure but does not measure the effectiveness of the program managing that risk.

B. Percentage of critical business systems with AI components: This metric measures the organization's inherent risk or attack surface related to AI. It identifies where risk management is crucial but does not evaluate how well it is being performed.

D. Number of AI-related training requests submitted: This is an ambiguous indicator. It could signify a positive culture of risk awareness or, conversely, a lack of adequate foundational training, but it does not directly measure the program's control effectiveness.

References

1. NIST AI Risk Management Framework (AI RMF 1.0): The "Measure" function of the framework is dedicated to tracking risk management effectiveness. It states

"Measurement enables learning from experience and improves the design

development

deployment

and use of AI systems." A compliance metric directly aligns with this goal of evaluating and improving risk management practices. (Source: NIST AI 100-1

January 2023

Section 4.4

"Measure

" Page 21).

2. ISACA

"COBIT 2019 Framework: Governance and Management Objectives": While not AI-specific

COBIT provides the foundational principles for IT governance that ISACA applies to new domains. The management objective APO12

"Manage Risk

" includes example metrics like "Percent of enterprise risk and compliance assessments performed on time." The "Percentage of AI projects in compliance" is a direct application of this established principle to the AI domain

measuring adherence to the defined risk management process. (Source: COBIT 2019 Framework

APO12

Page 113).

3. Thelen

B. D.

& Mikalef

P. (2023). "Artificial Intelligence Governance: A Review and Synthesis of the Literature." Academic literature on AI governance emphasizes the need for "mechanisms for monitoring and enforcement" to ensure compliance with internal policies and external regulations. A KRI measuring the percentage of projects in compliance is a primary tool for such monitoring and enforcement

directly reflecting the governance program's effectiveness. (This is a representative academic concept; specific DOI would vary

but the principle is standard in AI governance literature).

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE