AAISM Certification Guide 2026: ISACA's Advanced AI Security Credential
What Is AAISM?
Launched in August 2025, the Advanced in AI Security Management (AAISM) is ISACA's first AI-specific security certification. It's designed for security professionals who need to govern, assess risk from, and implement controls for AI systems — not just traditional IT infrastructure.
AAISM requires an active CISM or CISSP certification as a prerequisite, which signals its positioning: this is an advanced credential for experienced security managers stepping into AI governance roles.
Why AAISM Is Gaining Momentum
The EU AI Act, NIST AI RMF, and emerging enterprise AI deployments have created an urgent need for professionals who understand AI-specific risks — data poisoning, adversarial attacks, model drift, bias — and can manage them within an enterprise governance framework.
AAISM is the first certification to formally credential that expertise from a governance and risk perspective (as opposed to a purely technical ML focus).
The 3 AAISM Domains
- Domain 1 — AI Governance and Program Management (31%): Stakeholder alignment, EU AI Act/NIST AI RMF compliance, AI asset lifecycle, BCP for AI systems
- Domain 2 — AI Risk and Opportunity Management (31%): AI-specific threat landscape (data poisoning, model inversion, adversarial inputs), supply chain AI risk, bias and fairness assessment
- Domain 3 — AI Technologies and Controls (38%): The largest domain — AI security architecture, model training controls, data governance, privacy and trust controls, monitoring and detection
AAISM Exam Format
- 90 questions, 150 minutes
- Scored 200–800; passing score is 450
- Prerequisite: active CISM or CISSP
- Computer-based at PSI testing centers or remote proctoring
What Makes AAISM Questions Different
Like all ISACA certifications, AAISM tests managerial judgment — not technical implementation. The "correct" answer to an AI security scenario is almost never "retrain the model" or "update the algorithm." It's usually "assess the risk, document it against your AI risk appetite, implement governance controls, and report to the board."
Candidates with CISM backgrounds will find the governance domains (1 and 2) intuitive. The challenge is Domain 3, which requires understanding AI system architecture, training pipelines, and AI-specific controls that differ significantly from traditional IT controls.
Key Concepts to Master
- EU AI Act risk tiers — unacceptable, high-risk, limited-risk, minimal-risk
- NIST AI RMF — Govern, Map, Measure, Manage functions
- AI attack taxonomy — data poisoning, model inversion, membership inference, adversarial examples, prompt injection
- MLSecOps — integrating security into the ML pipeline
- Explainability and transparency — XAI requirements for high-risk AI systems
Who Should Pursue AAISM
AAISM is ideal if you hold CISM or CISSP and your organization is deploying AI systems — or if you want to specialize in the fastest-growing area of enterprise risk management. The certification positions you at the intersection of AI and governance, a space with very few credentialed professionals today.
Practice for AAISM
ExamCopilot's AAISM question bank has 680+ scenario-based questions covering all three domains, with explanations grounded in ISACA's management-first reasoning framework. It's the only dedicated AAISM practice platform available.