Question 15
Domain 1 — AI Governance and Risk Management
Which of the following would be of GREATEST concern to an IS auditor reviewing an organization’s AI policies and procedures?
Correct answer: B
Explanation
Production changes to AI models should be controlled because unapproved updates can alter outputs, introduce bias, or create security and compliance risks. An approval process is a core governance control for change management, and its absence means the organization cannot ensure changes are reviewed, tested, and authorized before deployment.
Why each option is right or wrong
A. The documentation of AI models does not address business resiliency and disaster recovery.
This is a documentation gap the auditor would note, but it does not by itself allow a live model to be changed without review. It is a lesser concern than an uncontrolled production change path.
B. The AI model does not have an approval process for production changes.
AI governance frameworks treat model updates as controlled production changes: NIST AI RMF 1.0 (GOVERN, MAP, MEASURE, MANAGE) and ISO/IEC 42001 both call for documented change control, approval, and traceability for AI systems in operation. If a production model can be altered without formal authorization, testing, and sign-off, the organization cannot evidence who approved the change, when it was deployed, or whether it was assessed for performance, bias, and security impact. For a live AI system this is an especially serious control gap, because an unapproved change takes effect on real decisions immediately and may not be detectable afterward without a change record.
C. External validation is not required for AI systems before deployment.
External validation is good practice but is not a mandatory control in every framework; internal validation and testing can provide comparable assurance if they are performed and approved. Its absence is a weaker finding than having no approval process at all.
D. The data privacy policy has not been reviewed in the past three years.
An overdue policy review is a governance maintenance issue and should be reported, but a stale policy does not directly alter what the production model does. It ranks below a missing change-approval control in severity.