Question 11 - CompTIA SecAI+ CY0-001 Exam Questions [April 2026 Update]

Q: 11

Integration of a Generative AI agent within a corporate Slack environment allows it to manage project permissions and modify Jira tickets based on natural language requests. During a security audit, logs indicate that the agent upgraded an external contractor's access to Project Admin status after receiving an indirect prompt injection embedded in a shared document. This event highlights a failure in restricting the agent's autonomous capabilities within the production environment. Which of the following mitigation strategies BEST addresses the underlying risk of Excessive Agency in this scenario?

Options

Correct Answer:

Explanation

The core issue is "Excessive Agency," where the AI agent has the autonomy to perform high-impact actions (modifying permissions) without oversight, leading to a security breach when triggered by a malicious prompt. Implementing Human-in-the-loop (HITL) for all high-impact changes directly mitigates this risk. An HITL process would require a human operator to review and approve the agent's proposed action (upgrading a contractor's permissions) before it is executed, breaking the chain of unchecked autonomous action.

Why Incorrect

B. Deploy Homomorphic Encryption for all data stored in Jira: This protects the confidentiality of data at rest and in use but does nothing to prevent the AI agent from making unauthorized permission changes. The risk is about action, not data confidentiality.

C. Enable Role-Based Access Control (RBAC) on the vector database: This is a control to protect the AI model's knowledge base from being tampered with. It does not limit the actions the agent can take in external, integrated systems like Jira.

D. Utilize Data Masking for all outgoing project management logs: This is a data protection control for logs, obscuring sensitive information after an event has already occurred. It is a detective/forensic control, not a preventative measure against the agent taking the malicious action in the first place.

References

1. National Institute of Standards and Technology (NIST). (2024). AI Risk Management Framework (AI RMF 1.0). NIST AI 100-1. The "Govern" function emphasizes human oversight. Specifically, the framework states, "Human-in-the-loop, human-over-the-loop, and human-in-command approaches are common strategies for AI oversight" (Section 2.2, "Characteristics of Trustworthy AI"). The HITL approach described in option A is a direct implementation of this principle for high-risk actions.

2. Hendrycks, D., & Mazeika, M. (2022). X-Risk Analysis for AI Research. arXiv:2206.05862. This academic paper on AI safety discusses the risks of autonomous systems and the importance of "human oversight and control mechanisms" to prevent unintended and harmful actions, which is the essence of HITL.

3. MIT Computer Science and Artificial Intelligence Laboratory (CSAIL). (2020). Toward Trustworthy AI Development: Mechanisms for Supporting Verifiable Claims. The report discusses the need for systems that allow for meaningful human control, especially when AI agents are granted the ability to act in the real world or on production systems. HITL for critical decisions is a primary mechanism for achieving this.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE