Isaca AAISM Exam - Topic 3 Question 4 Discussion

Actual exam question for Isaca's AAISM exam
Question #: 4
Topic #: 3

After implementing a third-party generative AI tool, an organization learns about new regulations related to how organizations use AI. Which of the following would be the BEST justification for the organization to decide not to comply?

Suggested Answer: C

The AAISM framework clarifies that compliance decisions must always be tied to an organization's risk appetite and tolerance. When new regulations emerge, management may choose not to comply if the associated risk remains within the documented and approved risk appetite, provided that accountability is established and governance structures support this decision. Other options such as widespread industry use, third-party audits, or lack of cost assessment do not justify noncompliance under the governance principles. The risk appetite framework is the only recognized justification under AI governance principles.

AAISM Study Guide -- AI Governance and Program Management

ISACA AI Risk Guidance -- Risk Appetite and Compliance Decisions

Adria
10 hours ago
Exactly! Compliance is crucial, even if the risk is low.
upvoted 0 times
Tashia
6 days ago
Option A seems weak. Just because others do it doesn't mean it's right.
upvoted 0 times
Lawrence
11 days ago
Still, regulations are there for a reason. We shouldn't ignore them.
upvoted 0 times
Jolene
16 days ago
I agree with Nickie. If it fits our risk appetite, we should be fine.
upvoted 0 times
Jacinta
21 days ago
But what about option D? Not knowing the cost is risky!
upvoted 0 times
Ivette
26 days ago
D) The cost of noncompliance was not determined? That's a huge red flag!
upvoted 0 times
Karl
1 month ago
C) The risk is within the organization's risk appetite makes sense.
upvoted 0 times
Brittni
1 month ago
Wait, is it really okay to ignore regulations just because others do?
upvoted 0 times
Nicholle
1 month ago
I disagree, compliance is key no matter what!
upvoted 0 times
Gabriele
2 months ago
A) The AI tool is widely used within the industry.
upvoted 0 times
Kaycee
2 months ago
I recall that regular audits can help mitigate risks, but I’m not convinced that option B would be a solid justification for noncompliance.
upvoted 0 times
Eun
2 months ago
I practiced a similar question where the cost of noncompliance was a factor, so I wonder if option D could be a valid reason too, but it feels a bit weak.
upvoted 0 times
Nickie
2 months ago
I think option C is the best. If the risk is manageable, why comply?
upvoted 0 times
Michael
3 months ago
I think option C makes sense because if the risk is within the organization's appetite, they might feel justified in not complying, but I’m not entirely confident.
upvoted 0 times
Reta
3 months ago
I remember discussing how industry standards can sometimes influence compliance decisions, but I’m not sure if that’s a strong enough reason on its own.
upvoted 0 times
Raelene
3 months ago
Audits are great, but they don't automatically make an AI tool compliant. Option B is not the best answer.
upvoted 0 times
Kristeen
3 months ago
I'm not sure the industry-wide usage of the AI tool is a valid justification for noncompliance. Option A is a weak argument.
upvoted 0 times
Catrice
4 months ago
Compliance is important, but the cost of noncompliance needs to be weighed carefully. Option D is the way to go.
upvoted 0 times
Carman
4 months ago
Option C is the best choice. The organization's risk appetite should be the primary consideration.
upvoted 0 times
Janine
4 months ago
I'm going to go with C. As long as the organization has carefully evaluated the risks and determined they are acceptable, that seems like the strongest justification here.
upvoted 0 times
Pearly
4 months ago
I'm a bit confused on this one. I'll need to think through the pros and cons of each option and how they relate to the regulations. Might be good to consult with our legal team on this.
upvoted 0 times
Josephine
4 months ago
I don't think A or B are good justifications. Just because something is widely used or audited doesn't mean you can ignore regulations. D also seems like a weak excuse.
upvoted 0 times
Dannie
4 months ago
Hmm, I'm leaning towards C. If the risk is within the organization's appetite, that seems like a reasonable justification not to comply, as long as they've properly assessed the risk.
upvoted 0 times
Elliot
5 months ago
I'm not sure about this one. I'll need to carefully review the regulations to see what the specific requirements are.
upvoted 0 times
Kris
2 months ago
But regulations are there for a reason. We should follow them.
upvoted 0 times
Emogene
2 months ago
I think option C makes sense. If the risk is manageable, why comply?
upvoted 0 times