You Can Pass This Exam For Free
Choose Your Study Path
Limited experience with AI, privacy law, or governance frameworks. You need to build foundational knowledge across all four domains before tackling scenario-based questions.
Week 1Read the AIGP Body of Knowledge v2.1 end-to-end. Learn AI fundamentals: types of AI (supervised, unsupervised, reinforcement learning), neural networks, deep learning, NLP, generative AI, LLMs, and foundation models. Understand black box vs. interpretable models.
Week 2Study responsible AI principles: fairness, transparency, accountability, explainability, privacy. Learn the NIST Trustworthy AI characteristics (7 characteristics). Understand the differences between ethical AI, responsible AI, and trustworthy AI.
Week 3Deep dive into GDPR applied to AI: Articles 5, 6, 9, 13-14, 22, 35-36. Understand lawful basis for processing, automated decision-making rights, and DPIA requirements. Learn how data privacy law applies to AI training and deployment.
Week 4Study the EU AI Act comprehensively: risk classification tiers (unacceptable, high, limited, minimal), provider vs. deployer obligations, FRIA requirements, GPAI provisions, conformity assessments, and enforcement timeline.
Week 5Learn additional AI-specific laws: South Korea AI Basic Law, Colorado AI Act repeal and replacement, Texas TRAIGA. Study non-discrimination and IP law applied to AI, including copyright, fair use, and AI-generated content ownership.
Week 6Study NIST AI RMF in depth: GOVERN, MAP, MEASURE, MANAGE functions. Learn NIST AI 600-1 (Generative AI Profile) and its 12 risk categories. Study ISO/IEC 42001 structure, Annex A controls, and ISO/IEC 23894 and 42005.
Week 7Focus on Domain III: AI system design governance, data governance, model training and testing, bias detection and mitigation, red teaming, model cards, datasheets for datasets, AI impact assessments, and go/no-go decision processes.
Week 8Focus on Domain IV: deployment decisions, human oversight models (HITL, HOTL, HIC), vendor AI assessment, monitoring and drift detection (data drift, concept drift, model drift), incident response, retraining triggers, and system decommissioning.
Week 9Study privacy-enhancing technologies (differential privacy, federated learning, homomorphic encryption, SMPC) and algorithmic fairness definitions (demographic parity, equalized odds, equal opportunity, disparate impact). Practice cross-framework translation exercises.
Week 10Take full-length practice exams. Review all incorrect answers with emphasis on case study scenarios. Focus on your weakest domains. Re-study any domain where you score below 65%. Schedule your exam when consistently scoring 75%+.
Exam Overview
Format
100 multiple-choice and multi-select questions (85 scored + 15 unscored pilot questions) in 165 minutes (2 hours 45 minutes). Multi-select questions require selecting all correct answers with no partial credit. Approximately 30% of questions are connected to case studies presenting real-world AI governance challenges. No penalty for wrong answers — always answer every question.
Scoring
Scaled score 100-500. Passing threshold: 300 out of 500. The scaled scoring accounts for question difficulty, so the exact number of correct answers needed varies by exam form. There is no penalty for incorrect answers.
Domains & Weights
- Understanding the Foundations of AI Governance21%
- Understanding How Laws, Standards, and Frameworks Apply to AI25%
- Understanding How to Govern AI Development27%
- Understanding How to Govern AI Deployment and Use27%
Registration
$799 USD. Register through the IAPP website (iapp.org) and schedule at Pearson VUE testing centers or remotely via OnVUE online proctoring. Exam fee is $799 USD for non-members or $649 USD for IAPP members. IAPP membership costs $295/year and includes discounts on all IAPP exams, making membership worthwhile if you plan to take the exam.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
Domain 121% of exam
Understanding the Foundations of AI Governance
This domain covers what AI is, why it needs governance, responsible AI principles, and how to establish organizational policies and procedures for the AI lifecycle. Expect 16-20 questions covering AI definitions and types, risk identification, governance roles, accountability structures, data governance policies, IP considerations, and third-party risk management. The v2.1 update changed 'AI models' to 'AI systems' throughout, reflecting that governance extends beyond models to entire systems, supply chains, and downstream uses.
Key Topics
AI System Types and DefinitionsNIST Trustworthy AI CharacteristicsResponsible AI PrinciplesAI Governance StructuresAI Lifecycle GovernanceData Governance for AIThird-Party Risk ManagementAI Risk Identification
Must-Know Concepts
- Know generally accepted definitions of AI and types of AI systems — supervised learning (labeled data), unsupervised learning (pattern discovery), reinforcement learning (reward-based)
- Understand unique characteristics of AI requiring governance: complexity, opacity, autonomy, speed and scale, potential for harm or misuse, data dependency, probabilistic vs. deterministic outputs
- Know all seven NIST Trustworthy AI characteristics and be able to distinguish them from plausible-sounding distractors like 'Tested and Effective' or 'Commercially Viable'
- Distinguish between ethical AI (moral principles), responsible AI (operational governance framework), and trustworthy AI (systems meeting technical and governance standards)
- Understand AI governance roles: AI Governance Officer develops policy, Responsible AI Program Manager operationalizes it, AI Risk Analyst identifies and assesses risks
- Know how AI creates value AND introduces organizational risk — the exam tests both sides, not just risks
- Understand the v2.1 shift from 'AI models' to 'AI systems' — governance extends to entire systems, supply chains, and downstream uses, not just the model itself
- Know how to evaluate and update data governance AND intellectual property policies for AI applications
- Understand third-party risk management across the AI supply chain: vendor assessment, contract management, risk documentation
- Be able to articulate how to integrate AI governance principles into organizational operations, not just state the principles
Common Exam Traps
Confusing ethical AI vs. responsible AI vs. trustworthy AI — these require scenario-based distinction, not memorized definitions. The exam presents subtle differences in context
Overlooking that governance applies to entire AI SYSTEMS, not just models. A question about supply chain risk or deployment infrastructure is still Domain I
Missing third-party risk throughout the supply chain — vendors, data providers, cloud infrastructure, and downstream users all require governance
Not understanding that the seven NIST characteristics are specific and testable — 'Tested and Effective' sounds plausible but is NOT one of the seven
Treating AI governance as a one-time setup rather than an ongoing program with continuous improvement and cross-functional collaboration
Domain 225% of exam
Understanding How Laws, Standards, and Frameworks Apply to AI
The heaviest single-topic domain at 25% — expect 19-23 questions. Covers GDPR applied to AI, nondiscrimination and IP law, the EU AI Act in comprehensive detail, and governance frameworks including NIST AI RMF, ISO/IEC 42001, ISO/IEC 23894, ISO/IEC 42005, and international guidelines. The v2.1 update broadened AI-specific laws beyond the EU AI Act to include South Korea AI Basic Law and US state regulations, while removing NIST ARIA.
Key Topics
GDPR Applied to AIEU AI ActNondiscrimination and IP LawNIST AI RMFNIST AI 600-1ISO/IEC 42001ISO/IEC 23894 and 42005Global AI Regulations
Must-Know Concepts
- GDPR Article 22: automated decision-making rights — right not to be subject to solely automated decisions with legal or significant effects; three legal bases (explicit consent, contractual necessity, legal authorization); must provide meaningful information about logic
- GDPR Article 35: DPIAs required before processing likely to result in high risk — for AI, must assess model error rates across demographics, evidence of disparate impact, meaningful human oversight, and training data quality
- EU AI Act risk tiers: unacceptable (banned — social scoring, subliminal manipulation, emotion recognition in workplaces), high (strict requirements — hiring, credit scoring, biometrics), limited (transparency only — chatbots, deepfakes), minimal (no requirements)
- EU AI Act provider obligations: design, technical documentation, conformity assessment, CE marking, registration in EU AI database, post-market monitoring
- EU AI Act deployer obligations: operate as intended, ensure human oversight, monitor performance, conduct FRIAs where required. Article 4 requires AI literacy for anyone operating AI systems
- FRIA (Article 27): mandatory for deployers of high-risk AI in employment and similar domains, must be completed BEFORE deployment, must notify national market surveillance authority
- GPAI obligations: technical documentation, transparency, copyright compliance. Systemic risk GPAI has additional requirements: risk tracking, mitigation, incident reporting, cooperation with AI Office
- NIST AI RMF four functions: GOVERN (cross-cutting policies), MAP (context identification), MEASURE (risk analysis tools), MANAGE (risk treatment and response). GOVERN infuses throughout other three
- ISO/IEC 42001 Annex A: 38 controls across 9 domains (AI Policy, Internal Organization, Resources, Assessing Impacts, AI System Lifecycle, Data, Information for Interested Parties, Use of AI Systems, Third-Party Relationships)
- Cross-framework fluency: EU AI Act Article 9 maps to NIST MAP+MEASURE and ISO 42001 A.5; Article 14 maps to GOVERN+MANAGE and A.9; Article 10 maps to MAP 2.x and A.7
Common Exam Traps
Memorizing laws without understanding role-specific obligations — the exam tests whether you know WHICH obligation applies to providers vs. deployers in a given scenario
Treating frameworks as isolated rather than interconnected — real organizations apply EU AI Act, NIST AI RMF, and ISO 42001 simultaneously, and the exam tests cross-framework translation
Missing how the EU AI Act creates obligations throughout the AI supply chain — importers, distributors, and downstream deployers all have specific obligations
Controller vs. processor role confusion under GDPR when applied to generative AI models — who is the controller when a foundation model provider processes data for a deployer?
Not understanding that v2.1 REMOVED NIST ARIA from the BoK and ADDED ISO 42005 — studying from older materials may include removed content
Domain 327% of exam
Understanding How to Govern AI Development
The largest domain at 27% — expect 21-25 questions. Covers governance of AI system design, data governance, model training and testing, bias detection and mitigation, red teaming, documentation requirements, and release readiness decisions. This domain tests HOW to operationalize ethical principles into controls, processes, and documentation throughout the AI development lifecycle. The v2.1 update emphasizes 'AI models and systems' governance.
Key Topics
AI System Design GovernanceData Governance in AI DevelopmentModel Training GovernanceBias Detection and MitigationRed Teaming and Adversarial TestingModel CardsDatasheets for DatasetsRelease Readiness and Go/No-Go
Must-Know Concepts
- Data governance for AI includes provenance (WHERE data came from), lineage (HOW data was transformed), quality standards, validation, labeling accuracy, and representativeness across demographic groups
- Model cards must document: model purpose, training data description, evaluation metrics and results, known limitations, intended use cases, ethical considerations, and performance across demographic groups
- Datasheets for datasets must document: dataset characteristics, collection methodology, intended uses, limitations, potential biases, and maintenance/update plans
- Bias detection approaches: pre-processing (modify training data), in-processing (modify training algorithm), post-processing (adjust model outputs) — know when each is appropriate
- Algorithmic fairness definitions are mathematically incompatible — you cannot satisfy demographic parity, equalized odds, and calibration simultaneously. The exam tests WHEN each is appropriate
- Red teaming should occur BEFORE go/no-go deployment decisions. It tests for vulnerabilities, biases, harmful outputs, safety failures, and adversarial robustness
- Go/no-go decision processes require: completed risk assessment, documentation review, fairness testing results, security testing results, stakeholder sign-offs, and identified halt conditions
- AI Impact Assessments use structured methodologies to identify consequences — the Microsoft RAI Template is an important reference. Know what must be assessed and when
- Feature engineering and selection must consider governance implications — using protected attributes or proxies for protected attributes as features introduces discrimination risk
- Testing and validation methodologies include cross-validation, shadow deployment (parallel running without user impact), and A/B testing (subset of users see new model)
Common Exam Traps
Studying ethics as theory rather than operational implementation — the exam asks HOW to operationalize ethical principles into controls, processes, and documentation, not just what the principles are
Misunderstanding documentation timing — model cards are completed before deployment, datasheets during data governance, impact assessments before AND after deployment
Conflating pre-deployment governance with post-deployment monitoring — red teaming and go/no-go decisions are Domain III (pre-deployment); drift detection and incident response are Domain IV (post-deployment)
Not understanding that governance applies to entire AI SYSTEMS, not just models — data pipelines, infrastructure choices, and third-party components are all governance concerns
Assuming that bias testing at one point in time is sufficient — bias can emerge from data changes, concept drift, or evolving social contexts, requiring ongoing assessment
Domain 427% of exam
Understanding How to Govern AI Deployment and Use
Equal to Domain III at 27% — expect 21-25 questions. This is the domain candidates are most under-prepared for, as they tend to over-focus on pre-deployment topics. Covers deployment decisions, human oversight models, vendor assessment, continuous monitoring, drift detection, incident response, retraining, and system decommissioning. The v2.1 update added RAG and agentic architectures as deployment options.
Key Topics
Deployment Risk EvaluationHuman Oversight ModelsVendor AI AssessmentPerformance MonitoringDrift Detection and ResponseIncident ResponseRetraining GovernanceSystem Decommissioning
Must-Know Concepts
- Human oversight models: HITL (approve each action — high risk), HOTL (monitor and intervene — medium risk), HIC (strategic authority — all risk levels). The key distinction is TIMING of human involvement
- Three types of drift: data drift (feature/label distribution shifts), concept drift (input-output relationship changes from external factors), model drift (overall performance degradation over time)
- Concept drift is the hardest to detect because input distributions may look unchanged while the underlying relationship has shifted — requires monitoring output quality, not just input statistics
- Retraining triggers: threshold-based (performance drops below acceptable level), time-based (scheduled periodic retraining), data volume-based (significant new data available)
- Incident response must include: defined escalation paths, stakeholder notification requirements with specific timeframes, regulatory reporting obligations, and root cause analysis processes
- Deployment options now include RAG (retrieval-augmented generation) and agentic architectures (v2.1 addition) — each has distinct governance requirements around data access, autonomy, and tool use
- Vendor AI assessment requires due diligence on third-party AI systems including evaluating vendor governance practices, data handling, model documentation, and contractual protections
- System decommissioning requires planned data retention, model archival, stakeholder communication, transition planning, and ensuring dependent processes are not disrupted
- Cross-functional collaboration is essential during live operation — governance, legal, technical, and business teams must coordinate on monitoring, incidents, and updates
- Monitoring must cover fairness metrics in production, not just accuracy — a model can maintain accuracy while developing demographic bias over time
Common Exam Traps
This is the most under-prepared domain — candidates focus heavily on pre-deployment (Domains I-III) and under-prepare for operational governance, monitoring, and incident response
Confusing when HITL vs. HOTL vs. HIC applies — HITL for each individual decision, HOTL for ongoing monitoring with exception handling, HIC for overall strategic control
Missing incident response timelines and notification requirements — the exam tests specific obligations, not just the concept of incident response
Not understanding monitoring metrics that trigger human review escalation — automated monitoring must have defined thresholds that escalate to human decision-makers
Treating retraining as a simple technical task rather than a governance event — retraining requires re-validation, updated documentation, stakeholder communication, and potentially new impact assessments
Concepts You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Confusing provider and deployer obligations under the EU AI Act — providers design and build, deployers use under their authority. Missing that deployers can become providers by rebranding or substantially modifying high-risk systems
Mixing up DPIA (GDPR Article 35, data protection focus, controller obligation) with FRIA (EU AI Act Article 27, fundamental rights focus, deployer obligation) — both may be required for the same AI system
Treating NIST AI RMF, EU AI Act, and ISO 42001 as interchangeable or isolated — NIST is voluntary guidance, EU AI Act is enforceable law, ISO 42001 is certifiable standard. Organizations apply all three simultaneously
Over-studying pre-deployment governance (Domains I-III) while under-preparing for operational governance (Domain IV) — monitoring, drift detection, incident response, and decommissioning are 27% of the exam
Confusing explainability (WHY a specific decision was made) with interpretability (HOW the model works generally) and transparency (open access to model structure and logic)
Memorizing algorithmic fairness definitions without understanding that they are mathematically incompatible — the exam tests WHEN each is appropriate, not just what they mean
Not understanding the shift from model-centric to system-centric governance in v2.1 — governance extends to data pipelines, infrastructure, supply chain, and downstream uses
Confusing HITL (human approves each action), HOTL (human monitors and intervenes for exceptions), and HIC (human has strategic authority) — the key distinction is timing of involvement
Studying from pre-v2.1 materials that include NIST ARIA (removed) but miss ISO 42005 (added) and the expanded AI-specific laws coverage (South Korea, Colorado repeal, Texas TRAIGA)
Treating documentation (model cards, datasheets, impact assessments) as optional best practices rather than governance requirements with specific timing in the AI lifecycle
Exam-Ready Checklist
Can explain all 4 exam domains and their relative weights (21%, 25%, 27%, 27%) and identify which domain each topic belongs to
Know the EU AI Act risk classification tiers and can identify which tier applies in any scenario — including all prohibited use cases
Can distinguish provider vs. deployer obligations under the EU AI Act and identify when a deployer becomes a provider
Understand GDPR Articles 22 and 35 applied to AI: automated decision-making rights, DPIA requirements, and how they overlap with EU AI Act obligations
Know all four NIST AI RMF functions (GOVERN, MAP, MEASURE, MANAGE) and how GOVERN cross-cuts the other three
Can describe ISO/IEC 42001 purpose, Annex A control domains, and what a Statement of Applicability requires — and can distinguish it from non-certifiable ISO standards
Know all seven NIST Trustworthy AI characteristics and can reject plausible-sounding distractors
Can define and distinguish all algorithmic fairness definitions (demographic parity, equalized odds, equal opportunity, disparate impact, individual fairness, calibration) and explain their mathematical incompatibility
Understand all three drift types (data, concept, model) and can match each to appropriate detection and response strategies
Can apply human oversight models (HITL, HOTL, HIC) to scenarios based on risk level and operational context
Know the documentation requirements (model cards, datasheets, impact assessments) including what goes in each and when in the lifecycle they must be completed
Scored 70%+ on at least two full-length practice exams (300/500 passing score) with particular strength in Domains III and IV which together represent 54% of the exam
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.