AIGP Artificial Intelligence Governance Professional Questions and Answers

Risk probability/severity testing is not typically used to evaluate the performance of an AI system. While important for risk management, it does not directly assess an AI system ' s operational performance. Adversarial robustness, statistical sampling, and decision analysis are all methods that can help evaluate the performance of a responsible AI system by testing its resilience, accuracy, and decision-making processes under various conditions. Reference: AIGP Body of Knowledge on AI Performance Evaluation and Testing.

When anew versionof a third-party model is released, the deployer must ensure it still meets safety, performance, and compliance requirements — which calls for aformal audit.

From theAI Governance in Practice Report 2025:

“Any updates or changes to AI systems should trigger a re-evaluation to ensure continued compliance and performance.” (p. 12)

“Post-market monitoring includes reassessing the impact of updated models or retraining.” (p. 35)

To mitigate the risk of reputational harm from using an AI hiring tool, XYZ Corp should rigorously test the AI tool both before and after deployment. Pre-deployment testing ensures the tool works correctly and does not introduce bias or other issues. Post-deployment testing ensures the tool continues to operate as intended and adapts to any changes in data or usage patterns. This approach helps to identify and address potential issues proactively, thereby reducing the risk of reputational harm. Ensuring the vendor assumes responsibility for damages (B) does not address the root cause of potential issues, selecting the most economical tool (C) may compromise quality, and continuing manual screening (D) defeats the purpose of using the AI tool​​​​.

The 1956 Dartmouth summer research project on AI is best known as a meeting focused on the founding of the AI field. This conference is historically significant because it marked the formal beginning of artificial intelligence as an academic discipline. The term " artificial intelligence " was coined during this event, and it laid the foundation for future research and development in AI.

The White House Executive Order of November 2023 designates the National Institute of Standards and Technology (NIST) as the responsible body for creating guidelines to conduct red-teaming tests of AI systems. NIST is tasked with developing and providing standards and frameworks to ensure the security, reliability, and ethical deployment of AI systems, including conducting rigorous red-teaming exercises to identify vulnerabilities and assess risks in AI systems.

The correct answer is A because of the fundamental bias-variance tradeoff in machine learning. When model complexity is reduced, the model becomes simpler and less flexible, which decreases variance because it is less sensitive to fluctuations in the training data. However, this simplification comes at the cost of increased bias, meaning the model may oversimplify relationships and fail to capture underlying patterns accurately. This tradeoff is a core concept in AI fundamentals and directly impacts model per formance, reliability, and governance decisions. From an AI governance perspective, understanding this balance is critical when evaluating model risk, as high bias can lead to systematic errors and fairness issues, while high variance can result in instability and unpredictability in outputs. Proper model tuning aims to balance both for optimal and responsible performance.

The most comprehensive way to identify a full range of risks — legal, ethical, operational, and societal — for a new AI model is through aformal impact assessment, such as aData Protection Impact Assessment (DPIA)orAlgorithmic Impact Assessment.

From theAI Governance in Practice Report 2025:

“Risk-based approaches are often distilled into organizational risk management efforts, which put impact assessments at the heart of deciding whether harm can be reduced.” (p. 29)

“DPIAs… help organizations identify, analyze and minimize data-related risks and demonstrate accountability.” (p. 30)

A. Environmental scanis too general.

B. Red teamingis useful for adversarial risk but not broad.

C. Integration testingfocuses on technical/system compatibility, not overall risk.

Note:This is the same scenario and question as Question 21 and thus has thesame correct answer: A. It ' s possible this was duplicated in your original input.

Repeated for clarity:

“Testing AI tools pre- and post-deployment helps ensure they perform as expected and do not introduce bias, privacy issues, or fairness concerns. This mitigates reputational and legal risk.”

TheAI Governance in Practice Report 2025further reinforces:

“Ongoing monitoring and testing post-deployment allows organizations to catch and correct unintended impacts... especially important in HR and hiring contexts.”

A greedy algorithm is one that makes the best choice at each step to achieve an immediate objective, without considering the longer-term consequences. It focuses on local optimization at each decision point with the hope that these local solutions will lead to an optimal global solution. However, greedy algorithms do not always produce the best overall solution for certain problems, but they are useful when an immediate, locally optimal solution is desired. Reference: AIGP Body of Knowledge, algorithm types section.

Once a company moves from being adeployerto also acting as aprovider or developer, it assumesnew obligationsunder regulations like the EU AI Act. One of the core requirements for providers is to produce and maintaintechnical documentation, including descriptions of the model, associated risks, and mitigation strategies.

From theAI Governance in Practice Report 2025:

“Providers of high-risk AI systems must draw up technical documentation demonstrating the system’s conformity with the requirements... including potential risks and safeguards applied.” (p. 34)

“This documentation must be available before placing the system on the market.” (p. 35)

The correct answer isC. ISO/IEC 22989 and 42001 focus onterminology, risk, and management systems, butdo not specifically address procurement-related concerns with third-party vendors.

From the AIGP Body of Knowledge – Standards Section:

“ISO/IEC 22989 defines terminology and foundational concepts. ISO/IEC 42001 provides a management system standard for AI. They are not procurement-focused documents.”

Also confirmed in the AI Governance in Practice Report 2025:

“These standards help establish common language and risk governance procedures. Procurement governance typically falls under separate frameworks or sector-specific guidance.”

Thus,procurement governance (Option C)is not a central use case for these standards.

===========

Under the EU regulations, particularly the GDPR, banks using AI for decision-making must inform users about the use of AI and provide mechanisms for users to contest decisions. This is part of ensuring transparency and accountability in automated processing. Explicit consent under the privacy directive (A) and disclosing under the Digital Services Act (B) are not specifically required in this context. An adequacy decision is related to data transfers outside the EU (C).

After completing model testing and validation, the most important step prior to deploying the model into production is to perform a readiness assessment. This assessment ensures that the model is fully prepared for deployment, addressing any potential issues related to infrastructure, performance, security, and compliance. It verifies that the model meets all necessary criteria for a successful launch. Other steps, such as defining a model-validation methodology, documenting maintenance teams and processes, and identifying known edge cases, are also important but come secondary to confirming overall readiness. Reference: AIGP Body of Knowledge on Deployment Readiness.

The correct answer is A because the first step in any AI project lifecycle is to clearly define the business objective and justify the use of AI. AI governance frameworks emphasize that planning begins with understanding the purpose, value, and necessity of the system before moving into design or risk assessment stages. Establishing a business case ensures alignment with organizational goals, identifies expected benefits, and evaluates whether AI is the appropriate solution. This step corresponds to the planning phase of the AI lifecycle, where objectives and intended outcomes are documented. In contrast, TEVV processes occur during development and testing, while impact assessments and redress considerations arise later as part of risk management and governance. Starting with a clear “why AI” foundation ensures responsible, efficient, and goal-oriented system development.

The correct answer isA. While location of processors may have implications (such as for data transfers under GDPR), there is no absolute requirement that third-party processors be based in the same country.

From the AI Governance in Practice Report 2025 and ILT Guide:

“Data controllers are responsible for ensuring that third-party processors have adequate protections, but not necessarily that they reside in the same jurisdiction. What is required is legal safeguards (e.g., SCCs) for international transfers, not same-country location.”

In contrast, DPIAs, DSARs, and implementation of technical/organizational safeguards are explicitly required under GDPR and responsible AI frameworks.

===========

Feature selection is the most important element of feature engineering to mitigate potential bias in an AI system. This process involves choosing the most relevant and representative features from the data set, which directly affects the model’s performance and fairness. By carefully selecting features, data scientists can reduce the influence of biased or irrelevant attributes, ensuring that the AI system is more accurate and equitable. Proper feature selection helps in eliminating biases that might stem from socio-demographic factors or other sensitive variables, leading to a more balanced and fair AI model. Reference: AIGP Body of Knowledge on Fairness in AI and Feature Engineering.

Retraining an LLM (Large Language Model) is primarily done to improve or maintain its performance as data changes over time, to fine-tune it for specific use cases, and to incorporate new data interpretations to enhance accuracy and relevance. However, ensuring interpretability of the model ' s predictions is not typically a reason for retraining. Interpretability relates to how easily the outputs of the model can be understood and explained, which is generally addressed through different techniques or methods rather than through the retraining process itself. References to this can be found in the IAPP AIGP Body of Knowledge discussing model retraining and interpretability as separate concepts.

Business A is integrating a generative AI model licensed from a third party (Business B) and is primarily concerned with the risk of toxic or obscene outputs being delivered to users. In this scenario,testing and validationof the AI model for such content risks is the most direct and effective governance strategy.

According to theAI Governance in Practice Report 2025, organizations thatdeployAI must engage inperformance monitoring protocolsand ensure systems perform adequately for theirintended purposes, including filtering harmful content:

“Operational governance… development of: →Performance monitoring protocols to ensure systems perform adequately for their intended purposes.” (p. 12)

“Product governance... includes: →System impact assessments to identify and address risk prior to product development or deployment.” (p. 11)

Furthermore, under theEU AI Act, which sets the global standard many organizations aim to align with, there is a clear obligation to test and monitor systems for potential harmful behavior:

“The act imposes regulatory obligations… such as establishing appropriate accountability structures,assessing system impact, providing technical documentation,establishing risk management protocols and monitoring performance...” (p. 7)

Option B directly reflects this best practice ofpre-deployment testing and validationto ensure that the model aligns with Business A’s minimum content safety requirements.

Let’s now evaluate the incorrect options:

A. Fine-tuning on verified user-generated textmay improve model alignment but does not guarantee that the model will generalize correctly, especially if Business A lacks access to model internals (common in third-party licensing scenarios). Fine-tuning also introduces its own risks and may be contractually restricted.

C. A user reporting featureisreactive, not preventive. While helpful for long-term monitoring and mitigation, it does not prevent the initial harm of toxic outputs, which isBusiness A ' s primary concern.

D. Requesting documentation from Business Bis useful for transparency and risk management, but it does not replaceindependent verificationthat the model meets Business A’s content safety standards.

Thus,testing the model ' s behavior for unacceptable outputs before deploymentis the most aligned approach with AI governance best practices and obligations.

The EU AI Act outlines what must be included intechnical documentationfor high-risk systems. These requirements are designed to supportconformity assessment, transparency, and traceability.

From theAI Governance in Practice Report 2025:

“It mandates drawing up technical documentation… must include a general description of the AI system, the intended purpose, and a detailed description of the elements and development process.” (p. 34)

“Documentation… includes training, testing, evaluation procedures, andappropriateness of performance metrics.” (p. 34–35)

Therisk management systemis addressed separately through arisk management plan, not within the technical documentation itself.

Thus:

A, C, and Dare explicitly required in thetechnical documentation.

B, while important, is part of therisk management process, not a required section oftechnical documentation.

The correct answer is C because it follows a structured, risk-based AI governance approach aligned with best practices and regulatory expectations. AI governance frameworks emphasize identifying and assessing risks through probability and severity analysis before deployment. This allows organizations to prioritize the most critical risks, such as bias and discrimination in loan approvals. Applying a risk mitigation hierarchy ensures that controls are implemented proactively rather than reactively. Only after risks are assessed and mitigated should pilot testing occur to validate system performance in a controlled environment. Other options either delay risk assessment until after deployment or focus on limited aspects like benchmarking or explainability without addressing core risk management principles. A proactive, risk-first approach is essential for compliance, fairness, and responsible AI deployment.

Under the EU AI Act, organizations that develop and deploy high-risk AI systems are required to provide several key disclosures to ensure transparency and accountability. These include the human oversight measures employed, how individuals can contest decisions made by the AI system, and informing individuals that an AI system is being used. However, there is no specific requirement to disclose the exact locations where data is stored. The focus of the Act is on the transparency of the AI system ' s operation and its impact on individuals, rather than on the technical details of data storage locations.

According to the GDPR, individuals have the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them. However, there are exceptions to this right, one of which is when the decision is based on the data subject ' s explicit consent. This means that if an individual explicitly consents to the automated decision-making process, there is no requirement for human intervention to confirm or replace the decision. This exception ensures that individuals can have control over automated decisions that affect them, provided they have given clear and informed consent.

The correct answer is D because typical AI impact assessments focus on evaluating risks to individuals and society, particularly in areas such as fundamental rights, data protection, and safety. Frameworks like Data Protection Impact Assessments and Fundamental Rights Impact Assessments are designed to assess how AI systems may affect privacy, fairness, human rights, and potential harm to users. These assessments are core components of AI governance and are often required or recommended by regulations such as the GDPR and the EU AI Act. While options A, B, and C reference technical or operational considerations, they do not capture the broader societal and legal impacts that impact assess ments are intended to address. AI governance emphasizes a human-centric approach, ensuring systems are safe, lawful, and respectful of individual rights before deployment.

The correct answer is D. Key stroke dynamics, used to identify individuals, fall under biometric data, which is a special category of personal data under the GDPR and other frameworks.

From the AI Governance in Practice Report 2025:

“Keystroke dynamics may constitute biometric data if used to uniquely identify an individual… Biometric data is classified as special category personal data and requires higher protection standards.”

Also reflected in ILT Participant Guide:

“Biometric data, such as facial images, voiceprints, iris scans or keystroke patterns, are treated as special category data when they are used for the purpose of uniquely identifying individuals.”

The correct answer is B because ISO/IEC 42005 emphasizes integrating AI risk management into existing enterprise risk management frameworks rather than creating siloed or duplicative processes. Effective AI governance requires embedding AI-specific risks into established governance structures such as risk registers, controls, and monitoring systems. This ensures consistency, scalability, and alignment with organizational risk practices. Options C and D introduce parallel or fragmented processes, which contradict the principle of integrated governance and may create inefficiencies or gaps. Option A focuses only on data collection and does not address governance integration. The AI Governance in Practice Report highlights that organizations should incorporate AI risks into broader enterprise risk management and maintain unified risk registers to ensure visibility, accountability, and coordinated mitigation across the organization.

Performing an impact assessment is the best step to mitigate the possibility of discrimination before training and testing the AI solution. An impact assessment, such as a Data Protection Impact Assessment (DPIA) or Algorithmic Impact Assessment (AIA), helps identify potential biases and discriminatory outcomes that could arise from the AI system. This process involves evaluating the data and the algorithm for fairness, accountability, and transparency. It ensures that any biases in the data are detected and addressed, thus preventing discriminatory practices and promoting ethical AI deployment. Reference: AIGP Body of Knowledge on Ethical AI and Impact Assessments.

The correct answer is A because developing a social media presence typically does not require AI and can be effectively achieved through traditional digital marketing strategies, content planning, and manual engagement. AI governance principles emphasize that organizations should first determine whether AI is necessary or proportionate to the problem being solved. Using AI where simpler, deterministic, or human-driven solutions suffice can introduce unnecessary complexity, cost, and risk. In contrast, options B, C, and D involve tasks such as campaign optimization, personalization, and automation, which benefit significantly from AI capabilities like pattern recognition, predictive analytics, and natural language processing. Responsible AI governance encourages a “fit-for-purpose” approach, ensuring AI is only deployed when it provides clear added value over non-AI alternatives.

The correct answer isC. Thechoice of architecture(e.g., neural networks vs. decision trees) is typically part of thedesign and developmentphase, not the initial planning.

From the AIGP Body of Knowledge – AI Lifecycle Module:

“Planning involves scoping, context definition, stakeholder identification, governance planning, and assumptions—not yet model selection.”

Confirmed in the ILT Participant Guide:

“Design decisions such as architecture or algorithm type come after planning—usually during development based on technical feasibility and data availability.”

The correct answer is D, model disgorgement. This technique refers to removing or eliminating the influence of improperly obtained, biased, or unlawfully used data from a trained machine learning model. It is increasingly discussed in AI governance and regulatory enforcement, particularly where models have been trained on data collected without proper consent or in violation of legal requirements. Instead of merely cleaning datasets, model disgorgement may require retraining or discarding the model entirely to ensure that problematic data no longer influences outputs. This aligns with accountability and compliance principles in AI governance, where organizations must ensure lawful data use throughout the AI lifecycle. Other options like data cleansing and de-duplication address data quality but do not fully remove learned patterns already embedded in trained models.

Ensuring fairness when training an AI system largely depends on the data attributes and variability. This involves having a diverse and representative dataset that accurately reflects the population the AI system will serve. Fairness can be compromised if the data is biased or lacks variability, as the model may learn and perpetuate these biases. Diverse data attributes ensure that the model learns from a wide range of examples, reducing the risk of biased predictions. Reference: AIGP Body of Knowledge on Ethical AI Principles and Data Management.

Supervised learning is a subcategory of AI and machine learning where labeled datasets are used to train algorithms. This process involves feeding the algorithm a dataset where the input-output pairs are known, allowing the algorithm to learn and make predictions or decisions based on new, unseen data. Reference: AIGP BODY OF KNOWLEDGE, which describes supervised learning as a model trained on labeled data (e.g., text recognition, detecting spam in emails)​​.

Minimizing human involvement to the extent practicable is not a best practice during the testing of an ML model. Human oversight is crucial during testing to ensure that the model performs correctly and ethically, and to interpret any anomalies or issues that arise. Best practices include using representative test data, anonymizing data to the extent practicable, and performing testing specific to the intended uses of the model. Reference: AIGP Body of Knowledge on AI Model Testing and Human Oversight.

All of the options listed may pose copyright risks when teachers use generative AI to create course content, except for students must expressly consent to this use of generative AI. While obtaining student consent is essential for ethical and privacy reasons, it does not directly relate to copyright risks associated with the creation and use of AI-generated content.

The EU AI Act outlines specific penalties and enforcement mechanisms to ensure compliance with its regulations. Among these, fines for violations of banned AI applications can be as high as €35 million or 7% of the global annual turnover of the offending organization, whichever is higher. Proportional caps on fines are applied to SMEs and startups to ensure fairness. General Purpose AI rules are to apply after a 6-month period as a specific provision to ensure that stakeholders have adequate time to comply. However, there is no provision for an " AI Pact " acting as a transitional bridge until the regulations are fully enacted, making option C the correct answer.

When monitoring the functional performance of a model deployed into production, concerns typically include feature drift, model drift, and data loss. Feature drift refers to changes in the input features that can affect the model ' s predictions. Model drift is when the model ' s performance degrades over time due to changes in the data or environment. Data loss can impact the accuracy and reliability of the model. However, system cost, while important for budgeting and financial planning, is not a direct concern when monitoring the functional performance of a deployed model. Reference: AIGP Body of Knowledge on Model Monitoring and Maintenance.

When assessing whether users should be given the right to opt out from an AI system, the primary considerations are feasibility, risk to users, and industry practice. Feasibility addresses whether the opt-out mechanism can be practically implemented. Risk to users assesses the potential harm or benefits users might face if they cannot opt out. Industry practice considers the norms and standards within the industry. However, the cost of alternative mechanisms, while important in the broader context of implementation, is not directly relevant to the ethical consideration of whether users should have the right to opt out. The focus should be on protecting user rights and ensuring ethical AI practices.

Third-party risk management for AI systems should beproportional and risk-based, involvinginitial due diligenceandongoing monitoringthat reflects thelevel of risk posedby the third party ' s AI system.

From theAI Governance in Practice Report 2025:

“Third-party due diligence assessments to identify possible external risk and inform selection.” (p. 11)

“Legal due diligence may include verification of the personal data ' s lawful collection by the data broker, review of contractual obligations…” (p. 19)

Afocuses too narrowly on financial stability.

Cis excessive and not scalable or aligned with best practices.

Dinappropriately separates ethical and technical risks; both must be evaluated holistically.

The correct answer is C. This option concerns consent, which is generally a privacy, transparency, or institutional governance issue rather than a copyright issue. Copyright risk in AI governance usually relates to whether protected third party works were used in model training, whether generated outputs may reproduce copyrighted expression, and whether content is created without proper attribution or clear ownership boundaries. That makes options A, B, and D directly relevant to copyright and intellectual property concerns. In contrast, whether students must expressly consent deals with notice, fairness, and lawful or ethical use in an educational environment. For AIGP exam purposes, it is important to separate intellectual property risks from privacy and data protection obligations, even when both appear in the same classroom or organizational AI use case.

For the artist to receive copyright protection, the most effective approach is to demonstrate that the final artwork includes sufficient creative input by the artist. By updating or altering the images in a way that reflects the artist ' s personal creativity, the artist can claim originality, which is a core requirement for copyright protection under U.S. law. The other options do not directly address the originality and creative input required for copyright. This is highlighted in the sections on copyright protection in the IAPP AIGP Body of Knowledge.

The AI risk that would not have been identified during the procurement process based on the categories of information requested by the third-party consultant is security. The consultant focused on accuracy rates, diversity of training data, and system functionality, which pertain to performance and fairness but do not directly address the security aspects of the AI system. Security risks involve ensuring that the system is protected against unauthorized access, data breaches, and other vulnerabilities that could compromise its integrity. Reference: AIGP Body of Knowledge on AI Security and Risk Management.

The correct answer isD. While modernization through software may support efficiency, it isnot a foundational or essential componentof designing an integrated strategy.

From the AI Governance in Practice Report 2025:

“Integrated strategies rely on senior management support, ethical reviews, and stakeholder engagement... The use of tools and platforms may come later as an operational enhancement.”

Also confirmed in AIGP Body of Knowledge:

“Key components of a governance framework include leadership buy-in, ethical analysis, and stakeholder input. Tools are supporting elements—not strategic drivers.”

===========

The correct answer is C, the Federal Trade Commission. The FTC plays a central role in U.S. AI governance by enforcing consumer protection and unfair or deceptive practices laws. In the context of AI systems such as companion chatbots, the FTC has authority to investigate risks related to user harm, transparency, safety, and misleading claims. AI governance frameworks emphasize regulatory oversight where AI systems may impact individuals psychologically, financially, or socially. Agencies like the FTC focus on ensuring that companies deploying AI systems do not cause harm through unsafe or deceptive practices and that they provide adequate disclosures about risks and system behavior. This aligns with broader AI governance principles of accountability, transparency, and risk management highlighted in the AI Governance in Practice Report 2024 , which stresses the importance of regulatory involvement in managing AI-related risks.

An AI system’sfunction,industry, anddeployment locationdefine itsrisk profile, which directly influences theinternal governance structuresan organization must put in place.

From theAI Governance in Practice Report 2025:

“There are many challenges and potential solutions for AI governance, each with unique proximityand significance based on an organization’s role, footprint, broader risk-governance profile and maturity.” (p. 4)

“AI governance starts with defining the corporate strategy for AI… and formulating policy standards and operational procedures to reflect industry, use case, and location.” (p. 11)

A– Organizational accountability is broader and not directly scoped by industry or function.

C– Diversity of data sources is tied to data strategy.

D– Explainability is more influenced by model type, not use context.

The primary concern for a company adopting a policy prohibiting the use of generative AI is the risk of accidental disclosure of confidential and proprietary information. Generative AI tools can inadvertently leak sensitive data during the creation process or through data sharing. This risk outweighs the other reasons listed, as protecting sensitive information is critical to maintaining the company’s competitive edge and legal compliance. This rationale is discussed in the sections on risk management and data privacy in the IAPP AIGP Body of Knowledge.

Forcustomizable, interpretable modelsthat allow organizations toretain control and avoid vendor lock-in,classic ML models(e.g., regression, decision trees, random forests) are optimal.

From theAI Governance in Practice Report 2025:

“Organizations seeking transparency, customizability, and control often prefer classic ML models due to their flexibility and ease of governance.” (p. 33)

AandCmay have limited transparency and are often tied to specific providers.

Dinvolves ongoing costs and limited model control.

The most critical reason for documenting AI-related risks is toreduce exposure to legal, regulatory, and reputational liabilities. Clear documentation demonstrates thatrisks were identified, assessed, and addressed, which is essential for accountability and defensibility in the face of audits, litigation, or enforcement actions.

From theAI Governance in Practice Report 2025:

“An effective AI governance model is about collective responsibility… which should encompass oversight mechanisms such as privacy, accountability, compliance.” (p. 13)

“Accountability… is based on the idea that there should be a person or entity that is ultimately responsible for any harm resulting from the use of the data, algorithm and AI system ' s underlying processes.” (p. 28)

While transparency, alignment with standards, and knowledge sharing are all secondary benefits,risk documentation’s primary role is liability mitigation.

The correct answer is A because the most immediate governance step when a significant AI issue is identified is to formally log the incident within the organization’s incident management system. AI governance frameworks emphasize structured incident response processes to ensure issues are properly documented, tracked, escalated, and addressed in a controlled manner. Logging the incident triggers established workflows, including investigation, stakeholder notification, and remediation planning. While notifying stakeholders, auditing the system, or retraining the model are important follow-up actions, they should occur after the issue is formally recorded and managed through governance channels. This ensures accountability, traceability, and consistent handling of risks, particularly in cases involving bias and potential discrimination.

The best human oversight mechanism for the police department to implement is for a police officer to consider the AI recommendation as part of the criminal investigation. This ensures that the AI system ' s output is used as a tool to aid human decision-making rather than replace it. The police officer should integrate the AI ' s insights with other evidence and contextual information to make informed decisions, maintaining a balance between technological aid and human judgment. Reference: AIGP Body of Knowledge on AI Integration and Human Oversight.

In the context of AI, particularly generative models, " hallucination " refers to the generation of outputs that are not based on the training data and are factually incorrect or non-existent. The scenario described involves the generative AI tool providing incorrect and non-existent information about restaurants, which fits the definition of hallucination. Reference: AIGP BODY OF KNOWLEDGE and various AI literature discussing the limitations and challenges of generative AI models.

The EU AI Act imposes severalmandatory obligationson high-risk AI systems, butpublishing a detailed report on training dataisnotone of them.

From theAI Governance in Practice Report 2025:

“It mandates drawing up technical documentation for high-risk AI systems, and requires high-risk AI systems to come with instructions for use that disclose various information, including characteristics, capabilities and performance limitations.” (p. 34)

“To make high-risk AI systems more traceable, it also requires AI systems to be able to automatically allow for the maintenance of logs throughout the AI life cycle.”

“Conducting post-market monitoring” and “conformity assessments” areexplicitrequirements for high-risk systems. (p. 34–35)

However,publishingdetailed training data is typicallyrequired only for general-purpose AI systems with systemic risk, not standard high-risk AI systems.

A. Log retention,B. Post-market monitoring, andC. Conformity assessmentsareall requiredunder the EU AI Act for high-risk systems.

In the design phase of integrating data from different sources, identifying fits and gaps is crucial. This process involves understanding how well the data from the clinical research partner aligns with the healthcare network ' s existing data. It ensures that the combined data set is coherent and can be effectively used for training the AI algorithm. This step helps in spotting any discrepancies, inconsistencies, or missing data that might affect the performance and accuracy of the AI model. It directly addresses the integrity and compatibility of the data, which is foundational before applying any privacy-enhancing technologies, labeling, or evaluating the origin of the data. Reference: AIGP Body of Knowledge on Data Integration and Quality.

The correct answer isD.Emotion recognition in the workplaceis flagged asunacceptable or highly restrictedunder the EU AI Act due to its intrusive nature and potential for misuse.

From the AIGP ILT Guide – EU AI Act Training Module:

“AI systems that monitor individuals’ emotions in the workplace or educational settings are listed among prohibited or strictly limited practices under Article 5.”

AI Governance in Practice Report 2025 supports this interpretation:

“Emotion recognition systems, especially in sensitive contexts such as employment or education, raise significant concerns under EU fundamental rights law and are likely to be restricted.”

Other uses listed—such as emergency response or emotion detection in healthcare—may fall underlawful and beneficial uses, especially whenjustified by public interest.

===========

Retraining the model with data that reflects demographic parity is the best strategy to mitigate the bias uncovered in the loan applications. This approach addresses the root cause of the bias by ensuring that the training data is representative and balanced, leading to more equitable decision-making by the AI model.

Private LLMs offer advantages likecustomizability,reduced hallucination,confidentiality, andalignment with enterprise-specific tasks, but theydo not inherently reduce the time or effortneeded fordata validation or verification— which remains an essential step regardless of model privacy.

From the AI risk and quality sections:

“Ensuring the quality of the data… is highly contextual and must be validated regardless of the model’s deployment environment.” (p. 17)

B, C, Dare legitimate benefits of private LLMs.

Ais incorrect — validation still requires time and resources.

Differential privacy is a technique used to ensure that the inclusion or exclusion of a single data point does not significantly affect the outcome of any analysis, providing a way to mathematically prove that no specific piece of training data has more than a negligible effect on the model or its output. This is achieved by introducing randomness into the data or the algorithms processing the data. In the context of training large language models (LLMs), differential privacy helps in protecting individual data points while still enabling the model to learn effectively. By adding noise to the training process, differential privacy provides strong guarantees about the privacy of the training data.