AIGP IAPP Artificial Intelligence Governance Professional Free Practice Exam Questions (2025 Updated)

The correct answer isB. The EU AI Act assigns atiered penalty systembased on the severity of the violation. A breach ofobligations related to high-risk AI systemsfalls into the mid-tier category, triggering fines of €15 million or 3% of annual global turnover.

From the AIGP ILT Guide – EU AI Act Module:

“Providers of high-risk AI systems must comply with strict documentation, testing, monitoring, and registration obligations. Breaches of these result in significant fines of up to €15 million or 3% of turnover.”

AI Governance in Practice Report 2024 supports this:

“Non-compliance with obligations under Title III (high-risk systems) leads to financial penalties under Article 71(3) of the EU AI Act.”

Note: Thehighest penalty (€35 million or 7%)applies toprohibited AI uses, not to obligations for high-risk systems.

===========

The GDPR privacy principles that this scenario violates are Purpose Limitation and Data Minimization. Purpose Limitation requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Data Minimization mandates that personal data collected should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. In this case, collecting extensive personal information (e.g., IP address, location, gender) and potentially using it beyond the necessary scope for the app's functionality could violate these principles by collecting more data than needed and possibly using it for purposes not originally intended.

The correct answer isD.Keystroke dynamics, used to identify individuals, fall underbiometric data, which is aspecial category of personal dataunder the GDPR and other frameworks.

From the AI Governance in Practice Report 2024:

“Keystroke dynamics may constitute biometric data if used to uniquely identify an individual… Biometric data is classified as special category personal data and requires higher protection standards.”

Also reflected in ILT Participant Guide:

“Biometric data, such as facial images, voiceprints, iris scans or keystroke patterns, are treated as special category data when they are used for the purpose of uniquely identifying individuals.”

The GDPR's transparency principle requires that when personal data is processed for automated decision-making, including profiling, data subjects must be informed about the existence of such automated decision-making. Additionally, they must be provided with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for them. This requirement ensures that data subjects are fully aware of how their personal data is being used and the potential impacts, thereby promoting transparency and trust in the processing activities.

The correct answer isB – The tech company. The party thatdevelops and trains the foundational modelis responsible for ensuring thelawful collection of training data.

From the AIGP ILT Guide – Foundational Models & Data Governance:

“Responsibility for the lawfulness of data collection typically lies with the party that trains the model—usually the provider or developer of the foundational model.”

AI Governance in Practice Report 2024 confirms:

“General Purpose AI providers are required to ensure that training data is lawfully acquired, including compliance with intellectual property and privacy requirements.”

The marketing agency is only auserordownstream integrator, not responsible for original data collection.

The correct answer isA. While location of processors may have implications (such as for data transfers under GDPR), there isno absolute requirementthat third-party processors be based in the same country.

From the AI Governance in Practice Report 2024 and ILT Guide:

“Data controllers are responsible for ensuring that third-party processors have adequate protections, but not necessarily that they reside in the same jurisdiction. What is required is legal safeguards (e.g., SCCs) for international transfers, not same-country location.”

In contrast, DPIAs, DSARs, and implementation of technical/organizational safeguards areexplicitly requiredunder GDPR and responsible AI frameworks.

===========

In the selection and implementation of the AI hiring tool, involving Finance and Legal is crucial. The Finance team is essential for assessing cost implications, budget considerations, and financial risks. The Legal team is necessary to ensure compliance with applicable laws and regulations, including those related to data privacy, employment, and anti-discrimination. Involving these stakeholders ensures a comprehensive evaluation of both the financial viability and legal compliance of the AI tool, mitigating potential risks and aligning with organizational objectives and regulatory requirements.

Defining the roles and responsibilities of AI stakeholders is crucial for encouraging accountability over AI systems. Clear delineation of who is responsible for different aspects of the AI lifecycle ensures that there is a person or team accountable for monitoring, maintaining, and addressing issues that arise. This accountability framework helps in ensuring that ethical standards and regulatory requirements are met, and it facilitates transparency and traceability in AI operations. By assigning specific roles, organizations can better manage and mitigate risks associated with AI deployment and use.

The correct answer isExplainable AIbecause it specifically refers to theability of a system todescribe the logic behind its decisions or outputsin a way that is understandable to humans. This is a key part of regulatory and ethical frameworks and is directly related to addressing theblack-box problemin AI.

From the AIGP ILT Participant Guide (Module on Transparency and Explainability):

“Explainability refers to the understanding of how a black-box model works. The black-box problem exists because some models are too complex for human interpretation. Explainability methods aim to provide meaningful insight into the logic and decision-making of AI systems.”

Also, according to the AI Governance in Practice Report 2024:

“Explainability refers to the representation of the underlying mechanisms of the AI system’s operation... a key tenet of AI governance due to the desire to understand how AI systems are built, managed and maintained.”

Thus, while Trustworthy and Responsible AI are broader concepts,explainabilityspecifically targets theregulatory concern about understanding outputs.

===========

Strong AI, also known as artificial general intelligence (AGI), refers to AI that possesses the ability to understand, learn, and apply intelligence across a broad range of tasks, similar to human cognitive abilities. For the self-driving car to be classified as "strong" AI, it would need to possess full human cognitive abilities to make independent decisions beyond pre-programmed instructions. Reference: AIGP BODY OF KNOWLEDGE and AI classifications.

Autoregression is not a common optimization technique in deep learning to determine weights for artificial neurons. Common techniques include gradient descent, momentum, and backpropagation. Autoregression is more commonly associated with time-series analysis and forecasting rather than neural network optimization. Reference: AIGP BODY OF KNOWLEDGE, which discusses common optimization techniques used in deep learning​​.

AI's resource-intensive computing demands pose significant environmental risks. High-performance computing required for training and deploying AI models often leads to substantial energy consumption, which can result in increased carbon emissions and other environmental impacts. This is particularly relevant given the growing concern over climate change and the environmental footprint of technology. Organizations need to consider these environmental risks when developing AI systems, potentially exploring more energy-efficient methods and renewable energy sources to mitigate the environmental impact.

The correct answer isC.Registration in the EU databaseis an obligation ofprovidersof high-risk AI systems—not distributors.

From the AIGP ILT Guide – Roles & Obligations Module:

“Distributors must verify CE marking, ensure instructions for use are provided, inform authorities of risks, and take corrective action when necessary. However, registration duties in the EU database lie with the provider.”

Also from the AI Governance in Practice Report 2024:

“The AI Act differentiates responsibilities for developers, providers, importers, and distributors. Only providers of high-risk systems are obligated to register their systems in the EU AI Database.”

Distributors focus onverification and communication, not formal registration.

The correct answer isB – Procedural. TheOECD Framework for Classifying AI Systemscategorizescodes of conduct and collective agreementsasprocedural toolsbecause they guide internal governance and decision-making processes.

From the AIGP ILT Participant Guide – Global Governance Models:

“Procedural tools include internal codes of conduct, collective agreements, and procedural audits that guide governance without necessarily involving technical measurement.”

AI Governance in Practice Report 2024 elaborates:

“These procedural tools support internal accountability mechanisms and ethics compliance frameworks… they are part of soft governance.”

These toolsdo not measure or analyze technical performance, hence they arenot technical or analytic.

===========

When the accuracy of a model deteriorates, the best first step is to conduct champion/challenger testing. This involves deploying a new model (challenger) alongside the current model (champion) to compare their performance. This method helps identify if the new model can perform better under current conditions without immediately discarding the existing model. It provides a controlled environment to test improvements and understand the reasons behind the deterioration. This approach is preferable to directly replacing the model, performing audits, or running red-teaming exercises, which may be subsequent steps based on the findings from the champion/challenger testing.

The White House Executive Order from November 2023 requires companies developing dual-use foundation models to report on their current training or development activities, the results of red-team testing, and the physical and cybersecurity protection measures. However, it does not mandate reports on environmental impact studies for each dual-use foundation model. While environmental considerations are important, they are not specified in this context as a reporting requirement under this Executive Order.

While transparency is encouraged,publicly disclosing forecasts of secondary harmsisnot a required or standard practicefor internal performance evaluation. Risk assessments and reporting typically remaininternal or shared with regulators.

From theAI Governance in Practice Report 2024:

“Organizations must assess secondary risks… but disclosure is subject to context, regulatory requirements, and risk management discretion.” (p. 30)

The primary purpose of conducting ethical red-teaming on an AI system is to simulate model risk scenarios. Ethical red-teaming involves rigorously testing the AI system to identify potential weaknesses, biases, and vulnerabilities by simulating real-world attack or failure scenarios. This helps in proactively addressing issues that could compromise the system's reliability, fairness, and security. Reference: AIGP Body of Knowledge on AI Risk Management and Ethical AI Practices.

Testing results need to bedocumented thoroughlyto ensuretraceability, accountability, and compliance. This is central to enabling audits, investigations, or regulatory inquiries into the system’s development and performance.

From theAI Governance in Practice Report 2024:

“Documentation and recordkeeping are essential components… to demonstrate AI system compliance, trace system behavior, and support audits and conformity assessments.” (p. 34–35)

“Maintaining audit trails across development and deployment enables transparency and accountability.” (p. 12)

AandBare benefits, but not theprimary governance justification.

D– Limiting future testing is not a recommended goal.