Your organization's AI ethics board recommends prohibiting facial recognition in employee monitoring. The COO objects, arguing it's needed for physical security in high-clearance areas. Both sides present valid business justifications. Who should make the FINAL risk acceptance decision? A. The AI ethics board since they have specialized governance authority B. The CISO based on security domain expertise and risk ownership C. The COO as the senior operational business leader with budget authority D. Senior management or the risk committee based on organizational risk tolerance Come back for the answer tomorrow, or study more now!

A regulated organization designs a system where business users submit high value transactions through an application, while a separate service validates and commits them. Auditors later find administrators could bypass the application and update records directly in the database. Management wants assurance this cannot occur again. What is the MOST appropriate architectural control to implement NEXT? A. Stronger privileged user authentication and session recording B. Mandatory access control enforced at the database layer C. Constrained interfaces with enforced well formed transactions D. Increased database activity monitoring and alerting Come back for the answer tomorrow, or study more now!

During an active breach investigation, the incident response team discovers indicators suggesting a third party service provider may be the initial intrusion vector. Legal warns that premature notification could expose the company to liability, while operations wants immediate coordination to contain spread. What is the MOST appropriate action to take NEXT? A. Notify the service provider immediately with full technical findings B. Isolate affected integrations and preserve evidence before notification C. Escalate directly to law enforcement to avoid vendor disputes D. Delay all action until legal approves external communication Come back for the answer tomorrow, or study more now!

An organization deploys agentic AI systems that autonomously query external sources, make decisions, and trigger actions across business workflows. In one case, an agent exceeds its intended authority by chaining actions across systems without human approval. Leadership wants innovation but defensible governance. What is the MOST appropriate control to establish FIRST? A. Continuous monitoring of agent activity with real time alerting B. Strong authentication and API rate limiting for agent actions C. Clearly defined authority boundaries and risk ownership for agents D. Periodic audits of agent decisions and outcomes Come back for the answer tomorrow, or study more now!

A regulated enterprise relies on continuous automated control testing dashboards for audit readiness. An external auditor notes controls appear effective, but underlying test logic was recently modified by the same team being assessed. Management wants minimal disruption. What is the MOST appropriate action to take NEXT? A. Accept results since controls are continuously monitored B. Perform an independent validation of assessment tools and methods C. Increase testing frequency to offset potential bias D. Document the issue as an accepted audit limitation Study more now!