Memberships

CISSP Study Group

2k members • Free

The Lads Day Out

18 members • $5/month

10 contributions to CISSP Study Group
CISSP Practice Question (Domain 1: Security and Risk Management)
Your organization adopts an AI tool that processes employee performance data to recommend terminations. The privacy officer warns that no data protection impact assessment has been conducted. The HR director insists the tool is urgently needed. What should you do FIRST?
A. Allow limited deployment while the impact assessment is completed in parallel
B. Conduct a data protection impact assessment before operational deployment
C. Require legal review of the vendor contract to confirm data processing terms
D. Restrict the tool to anonymized data until privacy concerns are resolved
I think this question is a great example of why CISSPs will remain relevant. The tools replacing people still need implementation and governance; the future of cyber is not necessarily about turning technical control knobs. Do you think CISSPs will stay more relevant than other certifications over the next 5–10 years, given the shift toward AI and automation?
Come back for the answer tomorrow, or study more now!
0 likes • 17h
B
CISSP Practice Question (Domain 4: Communication and Network Security)
Your organization operates an AI-powered network monitoring tool that inspects encrypted internal traffic using TLS interception. Employees raise privacy concerns, and the legal team warns that interception may violate data protection laws in three operating jurisdictions. What should you do FIRST?
A. Disable TLS interception until legal confirms compliance in all jurisdictions
B. Conduct a legal and privacy impact assessment across all affected jurisdictions
C. Limit interception to high-risk network segments to reduce privacy exposure
D. Notify employees of the monitoring practice and obtain written consent
Come back for the answer tomorrow, or study more now!
0 likes • 2d
D
CISSP Practice Question (Domain 2: Asset Security)
Your organization trains proprietary AI models using curated datasets purchased from multiple vendors. A vendor notifies you that one dataset was later found to contain data collected without proper consent. The model using this data is already in production. What is your PRIMARY concern?
A. The financial loss from purchasing a non-compliant dataset
B. Whether the tainted training data can be surgically removed from the model
C. Your organization's regulatory liability for processing non-consensual data
D. Renegotiating vendor contracts to include data provenance guarantees
Come back for the answer tomorrow, or study more now!
0 likes • 4d
C
CISSP Practice Question (Domain 8: Software Development Security)
Your engineering team integrates a third-party AI API that generates dynamic access control policies based on user behavior analytics. During testing, the API occasionally grants excessive permissions that violate least privilege. What should you address FIRST?
A. Implement a policy validation layer that enforces least privilege before applying AI-generated rules
B. Request the AI vendor to retrain the model to reduce permission over-granting
C. Revert to static role-based access control until the AI system is reliable
D. Log all AI-generated policy decisions for quarterly audit review
Come back for the answer tomorrow, or study more now!
0 likes • 5d
C
CISSP Practice Question (Domain 1: Security and Risk Management)
Your organization's AI ethics board recommends prohibiting facial recognition in employee monitoring. The COO objects, arguing it's needed for physical security in high-clearance areas. Both sides present valid business justifications. Who should make the FINAL risk acceptance decision?
A. The AI ethics board since they have specialized governance authority
B. The CISO based on security domain expertise and risk ownership
C. The COO as the senior operational business leader with budget authority
D. Senior management or the risk committee based on organizational risk tolerance
Come back for the answer tomorrow, or study more now!
0 likes • 7d
D
@anton-katrev-3515
Anton

Joined Feb 14, 2026