- What CPE Means for AAISM Holders
- Annual Minimums vs. Three-Year Cycle Requirements
- CPE Activities That Count Toward AAISM Renewal
- What "AI-Specialized Topics" Actually Means
- Aligning CPE to AAISM Domains
- Managing CPE Across AAISM and Your Prerequisite Credential
- Annual Maintenance Fees and Administrative Requirements
- Building a Realistic CPE Plan
- Staying Audit-Ready
- Frequently Asked Questions
- AAISM requires a minimum of 10 CPE hours per year, all in AI-specialized topics, for three consecutive years.
- The full certification cycle demands 30 CPE hours total across three years - not interchangeable with CISM or CISSP CPE pools.
- Annual maintenance fees are $20 for ISACA members and $35 for non-members, billed separately from exam and application fees.
- Your underlying CISM or CISSP must remain active throughout the entire AAISM lifecycle - letting either lapse risks your AAISM status.
What CPE Means for AAISM Holders
Earning the Advanced in AI Security Management (AAISM) credential from ISACA is not a one-time achievement. Like every credential governed by ISACA - the Information Systems Audit and Control Association, headquartered in Schaumburg, Illinois - AAISM carries ongoing obligations designed to ensure that certified professionals stay current as the field evolves. For a certification that specifically addresses artificial intelligence security management, those obligations are especially meaningful: AI is not a stable domain. New model architectures, emerging attack surfaces, and shifting regulatory expectations mean that knowledge earned in 2025 can become incomplete within a year or two.
Continuing Professional Education (CPE) is the mechanism ISACA uses to verify that you are actively investing in your expertise. For AAISM holders, CPE hours must be earned in AI-specialized topics - a requirement that is more specific than the general cybersecurity CPE you may already be accumulating for CISM or CISSP. Understanding exactly what qualifies, how many hours you need, and how to document them properly will save you from scrambling at renewal time.
Annual Minimums vs. Three-Year Cycle Requirements
AAISM certification is valid for three years. Within that period, you face two overlapping obligations:
- Annual minimum: At least 10 CPE hours per year, earned in AI-specialized topics.
- Cycle total: At least 30 CPE hours across the full three-year certification period.
At first glance these numbers seem identical - 10 hours per year times three years equals 30 hours. But the annual minimum matters independently. You cannot bank 30 hours in year one and coast through years two and three. ISACA tracks compliance on an annual reporting cycle, and failing to meet the 10-hour annual threshold in any single year creates a compliance gap, regardless of whether your three-year total eventually reaches 30.
This structure also means that the minimum pace - exactly 10 hours per year - leaves very little cushion. If a qualifying activity falls through, a conference gets cancelled, or documentation from an employer-provided training turns out to be incomplete, you may find yourself short at the annual deadline. Most experienced certification holders plan for 12 to 15 hours per year to create a reasonable buffer.
| Requirement | Threshold | Reporting Period | Notes |
|---|---|---|---|
| Annual CPE minimum | 10 hours | Each certification year | AI-specialized topics only |
| Three-year cycle total | 30 hours | Full certification period | Cannot be front-loaded to skip annual minimums |
| Annual maintenance fee (ISACA member) | $20 | Per year | Paid separately from exam or application fees |
| Annual maintenance fee (non-member) | $35 | Per year | ISACA membership may offer net savings |
CPE Activities That Count Toward AAISM Renewal
ISACA recognizes a broad range of professional activities as CPE, provided they contribute to your competency in the relevant subject matter. For AAISM, the content filter is stricter than for broader credentials - the hours must be in AI-specialized topics, which we explore in the next section. Subject to that filter, qualifying activity types typically include:
- Professional education courses and seminars delivered by accredited organizations
- Vendor-neutral and vendor-specific training programs covering AI security, AI governance, or AI risk management
- ISACA-sponsored events, webinars, and chapter meetings with AI-relevant content
- Academic coursework at accredited institutions in relevant fields
- Self-directed study using structured learning programs (with appropriate documentation)
- Teaching, lecturing, or presenting on AI security topics at professional events
- Authoring published articles, white papers, or books on qualifying subjects
- Participation in qualifying research projects or working groups
Documentation is non-negotiable. ISACA conducts audits of CPE records, and holders who cannot produce certificates of completion, attendance records, or equivalent evidence risk having hours disallowed. Maintain a CPE log with dates, provider names, activity descriptions, and hour totals. Store supporting certificates digitally in a dedicated folder - not buried in a general downloads directory you will struggle to navigate at audit time.
Key Takeaway
A CPE hour you cannot document is effectively a CPE hour you did not earn. Start a dedicated AAISM CPE folder the day you receive your certification and add documentation immediately after completing each activity, while the details are fresh.
What "AI-Specialized Topics" Actually Means
The phrase "AI-specialized topics" is the most consequential qualifier in AAISM's CPE requirements. It excludes a significant portion of the professional development that information security managers routinely pursue. A three-day incident response workshop, a GDPR compliance seminar, or a cloud architecture course - all valuable to your overall career - would not count toward AAISM CPE unless AI security is a substantive component of the content.
Qualifying subject matter maps directly to the three domains tested on the AAISM exam:
Domain 1: AI Governance and Program Management (31%)
CPE in this area covers how organizations establish frameworks, policies, and accountability structures for AI deployment. Relevant learning includes AI ethics frameworks, regulatory developments (such as the EU AI Act or NIST AI Risk Management Framework), AI strategy alignment, and governance committee structures for AI oversight.
- AI policy development and enforcement
- Regulatory and legal compliance for AI systems
- Organizational roles and accountability for AI security
- AI audit and assurance program design
Domain 2: AI Risk Management (31%)
CPE in this domain addresses identifying, assessing, and treating risks that are specific to AI systems - distinct from conventional IT risk. Topics include adversarial machine learning threats, AI supply chain risk, data poisoning, model drift, and bias as a security and compliance risk.
- AI-specific threat modeling and risk assessment methodologies
- Third-party AI vendor risk evaluation
- AI incident classification and response planning
- Privacy risks in AI training data and inference outputs
Domain 3: AI Technologies and Controls (38%)
This is the highest-weighted domain on the AAISM exam and should anchor a significant portion of your annual CPE. Topics include AI and machine learning architecture, security controls for model development pipelines, AI testing methodologies, and continuous monitoring of deployed AI systems.
- Secure ML pipeline design and DevSecOps for AI
- Adversarial robustness testing and red-teaming for AI models
- Explainability and interpretability controls
- AI system monitoring, anomaly detection, and response
When evaluating whether a training activity qualifies, ask yourself: does this content appear in the AAISM exam's three domains? If the answer is clearly yes, document it. If the answer is marginal - for example, a general cybersecurity conference session that mentions AI briefly - use judgment and err toward documenting the specific AI-relevant segment's hours rather than the entire event.
Aligning CPE to AAISM Domains
Strategic CPE planning is not just about accumulating hours - it is about ensuring that your professional development actually deepens the competencies AAISM was designed to verify. Given that Domain 3 carries 38% of the exam weight, your ongoing learning should reflect a similar emphasis. If you are spending most of your AI CPE hours on governance frameworks (Domain 1) and neglecting technical controls and testing methodologies (Domain 3), you are building an unbalanced professional profile.
A practical approach is to allocate your annual 10 hours with domain weighting in mind: roughly four hours toward AI technologies and controls topics, three hours toward AI risk management content, and three hours toward AI governance and program management. Adjust based on your day-to-day role - practitioners who work primarily in governance may need to invest extra hours in technical content to stay credible, while engineers transitioning into management roles may need the reverse.
Managing CPE Across AAISM and Your Prerequisite Credential
One of the most practically important facts about AAISM is that it requires you to hold an active CISM (Certified Information Security Manager) or CISSP (Certified Information Systems Security Professional) as a prerequisite - and that prerequisite must remain active for the entire duration of your AAISM certification. This creates a parallel CPE management challenge.
CISM requires 20 CPE hours per year. CISSP requires 40 CPE hours per year (120 over three years). These are separate obligations from AAISM's 10-hour annual AI-specialized requirement. You typically cannot apply AAISM CPE hours toward CISM or CISSP renewal without verifying that the content also satisfies those credentials' broader requirements - and even then, the documentation must be submitted to each credential's renewal system separately.
The good news is that some AI security management content is broad enough to qualify for both AAISM and your prerequisite credential. An advanced course on AI governance and regulatory compliance might satisfy AAISM's Domain 1 CPE requirement while also counting toward CISM's management-focused CPE pool. Document the overlap carefully and confirm eligibility with ISACA's official guidance for each credential.
If you are still preparing for the AAISM exam itself, review the AAISM Exam Schedule: Registration and Booking Guide for details on registration, testing windows, and the 12-month eligibility period from the date you register.
Annual Maintenance Fees and Administrative Requirements
Beyond CPE hours, maintaining AAISM requires annual payment of a maintenance fee. ISACA members pay $20 per year; non-members pay $35 per year. These fees are distinct from the one-time $50 application processing fee paid after passing the exam, and they are separate from the original exam fee ($459 for ISACA members, $599 for non-members).
The fee differential is one of several reasons many AAISM candidates find ISACA membership financially worthwhile. If you are already paying ISACA membership dues, the combined benefit of reduced exam fees, reduced annual maintenance fees, and access to ISACA's CPE resources often provides measurable value - particularly for candidates holding multiple ISACA credentials simultaneously.
Administrative requirements also include adherence to ISACA's Code of Professional Ethics throughout the certification period. This is not merely a formality: ethical obligations are integral to ISACA's credentialing model, and violations can result in credential suspension or revocation independent of CPE compliance.
Building a Realistic CPE Plan
Ten hours per year sounds manageable, and for most active AI security professionals it genuinely is - if planned in advance. The risk is treating CPE as an end-of-year scramble rather than an ongoing practice. Below is a lightweight quarterly structure that distributes your 10-hour minimum without creating crunch periods.
Foundation and Governance (Domain 1 Focus)
- Attend one ISACA webinar or chapter event on AI policy or regulatory developments (1-2 hours)
- Complete a structured course module on AI governance frameworks (1-2 hours)
- Document all activity immediately after completion
Risk Management Deep Dive (Domain 2 Focus)
- Participate in an AI-specific threat modeling workshop or vendor training (2 hours)
- Read and document structured self-study on adversarial ML threats (1 hour)
Technical Controls and Testing (Domain 3 Focus)
- Complete a technical course on AI security testing, red-teaming, or model monitoring (2-3 hours)
- Supplement with practice scenarios from AAISM exam prep resources to reinforce applied understanding
Buffer, Review, and Documentation Audit
- Attend year-end AI security conferences or symposia for remaining hours (1-2 hours)
- Audit your CPE log to confirm you have met the 10-hour annual minimum with documentation
- Submit annual CPE report to ISACA and pay the annual maintenance fee
This structure uses Domain 3's 38% weight as a signal to place the most technically intensive CPE activity in the middle of the year, when conference season is often richest and when you still have Q4 as a safety net. Adjust timing based on your employer's training calendar and any major AI security events you plan to attend.
Staying Audit-Ready
ISACA audits a portion of credential holders each renewal cycle. Being selected for an audit does not imply wrongdoing - it is a routine quality assurance measure. However, holders who cannot produce documentation for claimed CPE hours face potential revocation of those hours and possible certification suspension.
Audit-readiness means maintaining, at minimum:
- A CPE log listing each activity, its date, the provider or sponsor, the subject matter, and the hours claimed
- Certificates of completion, attendance records, or equivalent evidence for each entry
- Brief notes explaining how each activity relates to AI security management (especially useful for activities where the AI relevance is not immediately obvious from the title)
If you are in the early stages of your AAISM journey - perhaps still preparing for the exam - this is also a good moment to review how the exam itself is structured. The AAISM Exam Schedule: Registration and Booking Guide covers registration mechanics, PSI testing center options, and the remote proctoring availability that makes the exam accessible globally (with the exception of India, Mainland China, and Hong Kong, where physical PSI centers are required).
Frequently Asked Questions
ISACA's standard practice for most credentials does not permit carrying over excess hours to satisfy the following year's annual minimum. You must meet the 10-hour annual AI-specialized CPE requirement in each of the three certification years independently, even if you significantly exceeded the threshold in a prior year. Confirm the exact carry-over policy in your AAISM certification maintenance documentation from ISACA, as policies can be updated after the credential's August 2025 launch.
Hours may overlap only when the content is genuinely AI-specialized. A general information security management course that satisfies CISM CPE requirements would not automatically count toward AAISM unless its content directly addresses AI security management topics covered by one or more of the AAISM domains. You must evaluate each activity against the AI-specialized content standard and document your reasoning.
Because holding an active CISM or CISSP is a prerequisite condition for AAISM - not just for initial eligibility - allowing your prerequisite credential to lapse puts your AAISM certification at risk. ISACA requires that the underlying credential remain active throughout the AAISM certification lifecycle. If you are at risk of a CISM or CISSP lapse due to CPE non-compliance, prioritize restoring that credential's status before addressing AAISM-specific renewal obligations.
ISACA chapter events and webinars qualify when their content addresses AI security management topics. Not all ISACA events focus on AI; a general IT governance webinar or a CISA-focused chapter session would not satisfy AAISM's AI-specialized requirement even though the source is ISACA itself. Review event agendas before attendance and retain documentation that clearly identifies the AI-relevant subject matter covered.
Immediately. Your first certification year begins from the date your certification is issued, not from the date you begin feeling prepared to pursue CPE. Many new AAISM holders make the mistake of treating the first year as a grace period and then scrambling in Q4 to accumulate 10 hours. Set a CPE calendar reminder in the first week after receiving your certificate, and aim to earn your first qualifying hours within the first quarter of certification.