CertPrepNow

AIGP 2026 Update: Body of Knowledge v2.1 Changes

The AIGP 2026 update reshapes AI governance certification. See every change in BoK v2.1 and how to adjust your study plan.

CertPrepNow Team

The IAPP released AIGP Body of Knowledge version 2.1 on February 2, 2026, introducing changes that shift the exam's focus from governing isolated AI models to governing AI systems across their full lifecycle. If you're studying for the AIGP exam, here's exactly what changed and what it means for your preparation.

How Big Is This Update?

IAPP has stated that annual updates to its certification exams include no more than 10-15% new content. The v2.1 update keeps the same four-domain structure introduced in v2.0.1 (February 2025), so this is not a complete overhaul. But the changes are targeted and meaningful — they reflect how AI governance is evolving in practice.

The four domains and their weights remain:

  • Domain I: Understanding the Foundations of AI Governance (21%)
  • Domain II: Understanding How Laws, Standards, and Frameworks Apply to AI (25%)
  • Domain III: Understanding How to Govern AI Development (27%)
  • Domain IV: Understanding How to Govern AI Deployment and Use (27%)

The Big Shift: From Models to Systems

The most important change in v2.1 is a terminology shift across Domains III and IV. The curriculum now consistently uses "AI system" or "AI model and system" instead of just "AI model." This is not cosmetic — it signals that the exam now expects candidates to think about governance at the system level, including data pipelines, integrations, user interfaces, and deployment contexts, not just the model weights.

According to Privacy Study Group, the updated exam focuses on "applied governance reasoning across systems and contexts" rather than isolated definitions.

Domain-by-Domain Changes

Domain I: Foundations of AI Governance

Two new performance indicators were added:

  • I.C.2: Evaluation of data governance and intellectual property policies for AI — candidates must now understand how IP rights, data licensing, and provenance affect lawful AI development
  • I.C.3: Third-party risk documents, assessments, contracts, and acceptable use policies — reflecting the growing importance of vendor and supply chain governance for AI systems

Domain II: Laws, Standards, and Frameworks

This domain saw the most changes.

Expanded legal coverage (Competency II.C): The exam previously focused primarily on the EU AI Act. It now covers "the main elements of AI-specific laws" broadly, including the South Korean AI Basic Law and U.S. federal and state AI laws. The question allocation for this competency increased from 5-7 questions to 6-8 questions.

New privacy framework emphasis (II.A.1 and II.A.3): The curriculum shifted from "notice, choice, and consent" to a framework based on transparency, lawful basis, and purpose limitation — more closely reflecting GDPR's actual structure. A new indicator covers automated decision-making rules under data privacy laws.

New standards added:

  • ISO/IEC 42005 is now explicitly included for structured impact analysis of AI systems on individuals, organizations, and society
  • Executive Order 14110 is reclassified as a "historical milestone rather than an active policy instrument" following its 2025 revocation

Removed: The NIST ARIA program (methodologies, tools, metrics) was removed as a standalone topic, though its conceptual influence remains embedded in governance principles.

Question rebalancing: Competency II.D decreased from 4-6 questions to 3-5 questions, while II.C increased.

Domain III: Governing AI Development

  • Standalone "legal identification" was removed as a separate development task — legal compliance is now embedded throughout design, development, deployment, and monitoring
  • The topic "laws applying to AI models specifically" (III.A.3) was removed, consistent with the shift toward system-level governance

Domain IV: Governing AI Deployment and Use

Agentic architectures (IV.A.3): This is the most forward-looking addition. Candidates must now understand governance implications of agentic AI systems, including autonomy, feedback loops, and escalation of privileges. As AI agents become more common in production systems, the exam expects candidates to reason about how to govern systems that can take autonomous actions.

New provider role: A formal "provider" category was introduced with distinct obligations around transparency about system capabilities, documentation of limitations, and communication of usage constraints.

Removed: Laws applying to AI models (IV.B.2) — again reflecting the model-to-system shift.

Why These Changes Matter

The v2.1 update is not just an academic reshuffling — it reflects real shifts happening in the AI governance profession right now.

Agentic AI is forcing new governance questions. As organizations deploy AI agents that can browse the web, write code, call APIs, and take autonomous actions, governance teams face problems that didn't exist two years ago. How do you audit a system that makes decisions in real time? What happens when an AI agent escalates its own privileges? The AIGP exam now expects candidates to grapple with these questions, which is a direct response to the rapid adoption of agentic systems in enterprise settings.

AI regulation is going global fast. The EU AI Act was the first major AI-specific law, but it's no longer the only one. South Korea's AI Basic Law, Colorado's AI consumer protection act, and proposed federal legislation in the U.S. are creating a patchwork of requirements. Governance professionals need to navigate multiple frameworks simultaneously, and the updated exam reflects this reality.

Supply chain governance is the next frontier. Most organizations don't build their own foundation models — they use APIs, fine-tune open-source models, or integrate third-party AI services. The new third-party risk indicators in Domain I acknowledge that governing AI means governing your vendors, their data practices, and their model documentation, not just your own systems.

Fundamental Rights Impact Assessments (FRIAs) are becoming mandatory. The EU AI Act requires FRIAs for high-risk systems before deployment. According to Privacy Study Group, the updated AIGP curriculum positions FRIAs as "practical governance tools that inform deployment decisions before harm occurs" — a shift from treating them as a compliance checkbox to viewing them as a core governance practice.

What This Means for Your Study Plan

Increase focus on these areas:

  • Agentic AI governance — understand what makes governing autonomous AI systems different from traditional model governance. Think about multi-step reasoning, tool use, and delegation
  • Multi-jurisdiction AI law — you now need working knowledge of the EU AI Act, South Korean AI Basic Law, and emerging U.S. state AI legislation, not just the EU framework
  • System-level thinking — when studying any governance concept, think about how it applies to the full system (data, model, deployment, monitoring, third parties), not just the model in isolation
  • Third-party and supply chain risk — vendor assessments, AI acceptable use policies, and contract provisions for AI systems
  • IP and data governance — copyright restrictions on training data, licensing, and data provenance

Decrease focus on:

  • NIST ARIA as a standalone program
  • Individual AI model governance separate from system context
  • Executive Order 14110 as active policy (know it historically, but don't study it as current regulation)

Recommended study approach:

The IAPP recommends candidates have familiarity with AI fundamentals plus experience in governance, privacy, or compliance roles. Given the v2.1 changes, preparation should emphasize primary source documents — the EU AI Act text, NIST AI RMF, and ISO/IEC standards — over third-party summaries that may not reflect the updated exam focus.

For the newly expanded legal coverage, create a comparison matrix of the EU AI Act, South Korean AI Basic Law, and key U.S. state AI laws (Colorado, Illinois). Focus on how each jurisdiction classifies AI risk, what obligations they impose on providers versus deployers, and where they diverge on transparency requirements.

For agentic architectures, study real-world deployment patterns: retrieval-augmented generation (RAG) pipelines, multi-agent orchestration systems, and AI tools that can execute code or make API calls autonomously. Understand the governance challenges each pattern introduces — data leakage through tool use, unintended privilege escalation, and difficulty auditing multi-step autonomous decisions.

Who Should Get the AIGP?

The AIGP is designed for professionals who oversee AI governance at an organizational level. Strong candidates include:

  • Privacy and compliance officers expanding into AI governance responsibilities
  • Legal professionals advising on AI regulation and risk
  • Data protection officers adapting existing privacy programs for AI systems
  • AI product managers accountable for responsible AI deployment
  • Risk managers incorporating AI-specific risks into enterprise risk frameworks

The exam costs $799 and takes 165 minutes with 100 questions. IAPP does not require formal prerequisites, but the v2.1 content assumes working knowledge of both AI fundamentals and governance principles. Candidates without prior privacy or compliance experience should consider starting with the IAPP CIPP or CIPM before attempting the AIGP.

If you're more interested in the technical security side of AI rather than governance and policy, consider the CompTIA SecAI+ certification instead — it focuses on securing AI systems and using AI for cybersecurity operations.

AIGP Exam Quick Facts

| Detail | Value |
|--------|-------|
| Exam Code | AIGP |
| Questions | 100 |
| Duration | 165 minutes |
| Passing Score | 300 / 500 |
| Exam Fee | $799 |
| Domains | 4 |
| Prerequisites | None (experience recommended) |

Start Practicing

The best way to prepare for the updated AIGP exam is to test yourself on the concepts that matter most. Our free AIGP practice questions cover all four domains, including the new v2.1 content areas. Use them alongside the AIGP study guide to identify your weak areas and focus your study time where it counts.

You can also review the complete AIGP exam details for format, scheduling, and registration information, or grab the AIGP cheat sheet for a quick-reference summary of key concepts across all domains.
