The ISACA AAIA (Advanced in AI Audit) exam is the first major credential built specifically for auditing artificial intelligence systems — not securing them, not governing the policy around them, but independently assessing whether AI is designed, operated, and controlled the way an organization claims. If you are a credentialed auditor staring at AI systems newly added to your audit plan, this is the certification aimed squarely at you. Here is exactly what to expect from the AAIA exam in 2026.
AAIA Exam Format at a Glance
ISACA launched the AAIA credential on May 19, 2025, according to its launch announcement carried on Business Wire, making it one of the newest exams in ISACA's portfolio. The exam specifications are:
| Detail | Value |
|--------|-------|
| Questions | 90 multiple-choice |
| Duration | 150 minutes (2.5 hours) |
| Passing score | 450 out of 800 (scaled) |
| Fee | $459 (ISACA members) / $599 (non-members) |
| Application fee | $50 (after you pass) |
| Delivery | Pearson VUE (online or test center) |
At 90 questions in 150 minutes, you have roughly 1 minute 40 seconds per question. That is comfortable for recall items but tight for the scenario questions that ask you to reason through an AI audit situation. ISACA uses a scaled 200–800 scoring model, and 450 is the pass mark — the same threshold used across CISA, CISM, and CDPSE, so the scaled score does not map directly to a raw percentage.
AAIA Exam Domains and Weights
The AAIA exam is organized into three domains. Note how heavily it weights the operational, hands-on side of AI auditing:
| Domain | Weight |
|--------|--------|
| AI Governance and Risk | 33% |
| AI Operations | 46% |
| AI Auditing Tools and Techniques | 21% |
AI Operations (46%)
Nearly half the exam lives here, which surprises candidates who assume an "audit" certification is mostly about governance paperwork. AI Operations tests whether you can audit the AI solution lifecycle end to end — from design and data sourcing through deployment, monitoring, and decommissioning. Expect questions on:
- The AI/ML model lifecycle and where audit controls belong at each stage
- Data management, data quality, and training-data lineage
- Algorithmic alignment with business objectives and intended use
- Model monitoring, drift, and performance degradation over time
- Decommissioning and retirement of AI systems
This is the domain that separates AAIA from a generic governance credential. You are not just asked what should be controlled — you are asked to evaluate whether the controls actually work.
AI Governance and Risk (33%)
The second-heaviest domain covers the structures that surround AI systems:
- AI policies, accountability, and ownership of AI-related risk
- Legal and regulatory compliance, including the EU AI Act and emerging US rules
- Ethical implications, fairness, transparency, and bias
- Mapping AI risk to recognized frameworks
The AAIA exam is explicitly framework-aligned. ISACA's own description ties the credential to leading standards including the NIST AI RMF, the EU AI Act, and ISO/IEC 42001. You should be able to recognize these frameworks by name and understand what each is for — governance management system (ISO 42001), risk management framework (NIST AI RMF), and binding regulation (EU AI Act).
AI Auditing Tools and Techniques (21%)
The smallest domain, but a meaningful one: it covers the core audit methodologies you apply to AI systems and, increasingly, how to use AI-enabled tools to make the audit itself more effective. Topics include evidence gathering for AI controls, testing model behavior, and applying analytics to large datasets during fieldwork.
Prerequisites: Can You Even Take It?
This is the question that trips up the most candidates, because AAIA is an advanced credential with a gate in front of it. According to ISACA, you must hold an active, qualifying credential before you can certify:
- CISA holders automatically qualify.
- Holders of certain accounting and audit designations — CIA, US CPA, ACCA/FCCA, and several international CPA bodies — qualify if their role focuses on IT audit or IT advisory.
In other words, AAIA is not an entry point into the field. It is a specialization layered on top of an existing audit credential. If you do not yet hold CISA or an equivalent, the most common path is to earn CISA first, then stack AAIA on top. ISACA expanded eligibility in 2025, so check the current eligibility list on the official exam page before assuming you do or do not qualify.
Practical logistics worth knowing: registration is continuous (no fixed exam windows), you get a six-month eligibility period to sit the exam after registering, and you have up to five years after passing to formally apply for the certification.
How Hard Is the AAIA Exam?
There is not yet a published official pass rate — the credential is too new for ISACA to release one. Based on the exam blueprint and early candidate reports, here is an honest read on difficulty:
- It is conceptually hard, not trivia-hard. With 46% of the exam on AI Operations, rote memorization of definitions will not carry you. You need to reason about where controls fail in a real AI lifecycle.
- Framework breadth is the trap. The exam references a wide set of AI governance frameworks. You do not need to memorize every clause, but you must know what each major framework covers and when an auditor would invoke it.
- Audit experience helps more than AI experience. Seasoned CISA-holders often find the audit methodology intuitive and spend their study time on the AI-specific operations content. AI practitioners without an audit background tend to struggle with the independent assessment mindset.
If you already think like an auditor, your prep is mostly about learning how AI systems break. If you come from a data science or ML background, your prep is mostly about learning how auditors test and evidence controls.
Who Should Take the AAIA?
The AAIA is the right certification for:
- IT auditors and CISA holders who now have AI systems in their audit universe
- Internal audit and risk professionals in banking, insurance, healthcare, and other regulated sectors where AI risk is a board-level concern
- External auditors and consultants advising clients on AI assurance and AI Act readiness
- GRC and model-risk professionals who validate models and need an independent-assurance credential
The market signal here is unusually strong relative to the number of holders. As IT Audit Prep notes, the supply of auditors who genuinely understand AI is near zero while demand is accelerating under the EU AI Act and tightening regulatory expectations — and because the credential is early-stage, holding it is a clear differentiator today. Salary figures circulating online (for example, IT Audit Prep estimates an experienced-holder range around $163,000–$171,000) are third-party projections, not official ISACA data, so treat them as directional rather than guaranteed.
AAIA vs AAISM: Don't Confuse Them
ISACA released two AI credentials close together, and they are easy to mix up:
- AAIA — Advanced in AI Audit — for auditors who independently assess AI systems.
- AAISM — Advanced in AI Security Management — for security managers who protect and govern AI systems.
As FlashGenius frames it in its AAISM vs AAIA comparison, the split mirrors the classic CISA/CISM divide: AAIA is the audit-and-assurance lens (built on the CISA lineage), while AAISM is the security-management lens (built on the CISM lineage). Choose AAIA if your job is to provide independent assurance over AI; choose AAISM if your job is to build and run AI security programs. Pick based on which side of the "three lines" you sit on.
How to Prepare for the AAIA
Because the credential is new, free study material is thin and much of what exists online is low-quality dump content. A focused plan beats hunting for leaked questions:
- Anchor on the three frameworks. Learn the purpose and structure of NIST AI RMF, ISO/IEC 42001, and the EU AI Act first. They recur across every domain.
- Map controls to the AI lifecycle. For each stage — data, training, validation, deployment, monitoring, decommissioning — ask "what could go wrong, and how would I test that it hasn't?" That mindset is exactly what AI Operations tests.
- Translate your existing audit methodology. If you hold CISA, you already know risk assessment, evidence, and sampling. Re-apply each technique to an AI context rather than relearning auditing from scratch.
- Drill scenario questions. The exam rewards applied judgment over definitions, so practice with realistic AI-audit scenarios and read the explanations for why each control answer is right or wrong.
Plan for roughly 6–10 weeks of part-time study if you are an experienced auditor, and longer if AI systems are new to you.
Start Practicing Now
The fastest way to find your weak domains is to test yourself against realistic questions. Our free ISACA AAIA practice questions cover all three domains — AI Governance and Risk, AI Operations, and AI Auditing Tools and Techniques — with detailed explanations that teach the auditor's reasoning behind each answer.
Review the full AAIA exam details for prerequisites and scheduling, follow the AAIA study guide for a structured domain-by-domain plan, or grab the AAIA cheat sheet for a final-review framework refresher before exam day.