AAISM CPE Topics: What Qualifies for AI Hours

TL;DR
  • AAISM requires at least 10 CPE hours per year specifically in AI-specialized topics, with 30 hours total across a 3-year cycle.
  • Generic cybersecurity or IT governance CPE does not automatically qualify - content must demonstrably address AI security management.
  • Domain 3 (AI Technologies and Controls) carries 38% of exam weight; CPE in AI architecture and security controls directly reinforces your highest-stakes...
  • ISACA governs AAISM CPE eligibility; you must also maintain an active CISM or CISSP throughout the AAISM certification lifecycle.

What the AAISM CPE Requirement Actually Demands

Earning the Advanced in AI Security Management (AAISM) certification is only the beginning. Because AI risk and technology move faster than nearly any other domain in information security, ISACA built an unusually specific ongoing education requirement directly into the credential's structure. It is not enough to accumulate generic professional development hours and report them. The AAISM maintenance framework demands that a meaningful portion of your continued learning stays tightly focused on artificial intelligence.

The numbers are straightforward: you must earn a minimum of 10 CPE hours per year in AI-specialized topics, and at least 30 CPE hours total across the full three-year certification cycle. ISACA governs both the standard and what qualifies. Because AAISM launched on August 19, 2025, and is still in its inaugural version as of early 2026, ISACA's published guidance should be treated as the authoritative source - and candidates should monitor any clarifying bulletins as the credential matures.

Annual Floor vs. Cycle Total: Meeting the 30-hour cycle total is not enough on its own. You must hit 10 AI-specialized hours every single year. Front-loading hours in year one and coasting will put your certification at risk in years two and three.

There is also an often-overlooked prerequisite dimension: you must maintain an active CISM or CISSP throughout the entire AAISM lifecycle. That means your CPE planning must simultaneously satisfy ISACA's CISM renewal schedule (or (ISC)²'s CISSP requirements) alongside AAISM's own AI-specific CPE mandate. Neglecting either piece can collapse the whole structure. If you want to understand the full cost picture before mapping out your multi-year commitment, the AAISM Exam Fee: Member vs Non-Member Cost 2026 article breaks down not just the initial exam fee but the ongoing maintenance fees of $20 per year for ISACA members and $35 per year for non-members.

What Counts as an "AI-Specialized" CPE Hour

The phrase "AI-specialized topics" is deliberate. ISACA uses this language to carve out a distinct category from the broader professional education universe. The practical test for whether a CPE activity qualifies is whether its primary subject matter involves artificial intelligence in a professional or technical context - not whether AI is mentioned in passing during a broader security or governance course.

A session on zero-trust network architecture that dedicates one slide to AI-powered threat detection does not qualify as an AI-specialized hour. A dedicated course on machine learning model security, adversarial attack mitigation, or AI governance frameworks does qualify. The distinction matters, and ISACA auditors will look at activity descriptions, not just titles.

Core Subject Areas That Qualify as AI-Specialized CPE

These topic categories align directly with AAISM's three domains and represent the clearest path to earning qualifying hours.

  • AI and machine learning model lifecycle security
  • Generative AI risk assessment and governance frameworks
  • AI ethics, bias auditing, and fairness in automated decision systems
  • Regulatory compliance specific to AI (EU AI Act, NIST AI RMF, ISO/IEC 42001)
  • Adversarial machine learning and model robustness testing
  • AI supply chain risk, including third-party model and dataset risk
  • AI incident response and monitoring architectures
  • Explainability and transparency requirements for AI systems in regulated industries
  • AI program governance, including roles, accountability structures, and board-level reporting

CPE Topics Mapped to Each AAISM Domain

Because AAISM is structured around three distinct domains - each with its own weight - it makes sense to think about CPE not as an undifferentiated pile of hours but as a portfolio that reflects where the credential places its emphasis. Here is how qualifying AI CPE topics map onto each domain.

Domain 1: AI Governance and Program Management (31%)

This domain addresses how organizations structure AI oversight, establish accountability, and build governance programs that are defensible to auditors, regulators, and boards. CPE that qualifies here includes courses on building AI governance frameworks, implementing NIST AI RMF controls, structuring AI review boards, and managing policy development for AI deployment. Training on specific AI-related regulations - including sector-specific rules in financial services, healthcare, or critical infrastructure - falls squarely here.

Domain 2: AI Risk Management (31%)

AI risk management goes well beyond traditional IT risk frameworks. CPE that qualifies for this domain should address how AI-specific threats are identified, assessed, and treated. Topics include AI model risk management, third-party AI vendor risk, dataset integrity and provenance risk, and emerging risk categories like prompt injection, model inversion, and data poisoning. Courses covering AI-specific business impact analysis or AI continuity planning also qualify.

Domain 3: AI Technologies and Controls (38%)

This is the heaviest domain at 38%, and it is where many candidates need the most rigorous CPE investment. Qualifying topics include AI architecture security (covering both training and inference pipeline security), technical security controls for AI systems, AI penetration testing methodologies, model monitoring and drift detection, and MLOps security practices. Deep dives into specific AI platforms, cloud AI service security configurations, and AI-specific logging and observability tools all fit here.

Domain 3 Deserves Proportional CPE Attention: With 38% of the exam weight and the fastest-moving technical landscape, Domain 3 is where professionals most commonly let their knowledge decay. Prioritizing CPE in AI architecture and controls is not just good for recertification - it keeps you current in the area where threats evolve fastest.

Practicing scenario-based questions that mirror real exam conditions is one of the most efficient ways to identify which domain is consuming your CPE budget without returning knowledge gains. Our AAISM practice tests are built around all three domain areas and can help you audit your knowledge before your next CPE renewal window.

What Does Not Qualify for AI Hours

This is where most AAISM holders are most likely to make an error. The following categories of professional education do not qualify as AI-specialized CPE hours, even if they involve adjacent topics:

| Activity Type | Qualifies for AI Hours? | Why |
| --- | --- | --- |
| General cybersecurity operations course | No | Not AI-specific in primary content |
| CISM renewal CPE (IT governance topics) | No | Satisfies CISM requirement, not AAISM AI-specialized requirement |
| Cloud security architecture (no AI component) | No | AI infrastructure is distinct from general cloud security |
| GDPR/privacy compliance training (generic) | No | Must be AI-specific privacy or AI Act content to qualify |
| AI ethics course with primary focus on AI systems | Yes | AI as primary subject in a professional development context |
| Machine learning security workshop | Yes | Core AI technology security content |
| NIST AI RMF implementation training | Yes | AI-specific regulatory and governance framework |
| Vendor webinar on AI security product features | Potentially | Depends on educational vs. sales content ratio; ISACA auditors may scrutinize |

The double-counting trap is particularly common: professionals assume that hours logged for CISM or CISSP renewal automatically satisfy AAISM's AI-specialized requirement. They do not. You are running parallel CPE obligations, and only the AI-specific hours count toward AAISM's annual 10-hour minimum.

Where to Earn Qualifying AI CPE Hours

Given the specificity of the requirement, it helps to think systematically about where legitimate AI-specialized CPE actually comes from. The following categories represent some of the most credible and auditable sources:

  • ISACA-delivered training: Any ISACA course, webinar, or conference session with AI as its primary subject qualifies and is the easiest to document.
  • Academic courses: University courses covering AI security, machine learning, or AI ethics from accredited institutions are well-regarded.
  • Industry conferences: AI-focused conference tracks at events like DEF CON AI Village, Black Hat AI-specific sessions, or AI governance summits generate qualifying hours if primary content is AI-focused.
  • Research and self-study: Reading ISACA-recognized publications, peer-reviewed AI security research, or authoritative standards documents (NIST AI RMF, ISO/IEC 42001) may qualify under self-study provisions - check current ISACA guidelines for hour caps on self-study.
  • Teaching and presenting: Delivering a session on AI security topics at a recognized conference or within your organization may qualify, often at a multiplied hour credit.
  • Vendor-neutral certification preparation: Formal study for other AI-related credentials can qualify if the content is substantively AI-security focused.

Before logging hours, keep contemporaneous records: activity name, provider, date, number of hours, and a brief description of content. ISACA conducts audits, and vague logs are a liability. AAISM practice test resources can also serve as a structured self-study component when used systematically alongside formal CPE activities.

Annual Minimums vs. Three-Year Cycle Strategy

Ten qualifying hours per year sounds manageable until you account for the dual obligation of maintaining your CISM or CISSP simultaneously. Strategically, the goal is to identify CPE activities that are genuinely AI-specialized - satisfying AAISM - while potentially running parallel to your broader certification maintenance needs.

Some ISACA members find it useful to front-load AI-specialized CPE in the first half of each calendar year, treating the annual minimum as a floor rather than a target. This creates buffer room if professional commitments compress your schedule in Q3 or Q4. It also ensures that if ISACA updates its AI CPE standards (likely as the field evolves), you have completed hours under current guidance rather than scrambling under a new framework at year-end.

Key Takeaway

The three-year cycle total of 30 hours averages to just over two qualifying hours per month. Spreading CPE consistently is far easier than cramming at renewal time - and it keeps your Domain 3 technical knowledge current in a field where AI security threats evolve rapidly.

Scheduling CPE Around AAISM Domain Weights

Because AAISM's three domains carry meaningfully different weights, a thoughtful CPE schedule reflects that structure rather than distributing hours arbitrarily. Here is one practical approach for planning annual CPE aligned to domain emphasis:

Q1

Domain 3 Focus: AI Technologies and Controls (38%)

  • Prioritize technical AI security CPE: ML pipeline security, adversarial attack workshops, MLOps security
  • Attend AI-specific conference tracks or vendor-neutral technical training
  • Target 4-5 qualifying hours from technical content

Q2

Domain 1 Focus: AI Governance and Program Management (31%)

  • Cover AI regulatory developments: EU AI Act implementation, NIST AI RMF updates
  • Governance framework courses or ISACA webinars on AI program management
  • Target 3-4 qualifying hours from governance content

Q3-Q4

Domain 2 Focus: AI Risk Management (31%) + Buffer Hours

  • AI-specific risk assessment methodologies, third-party AI vendor risk management
  • Use remaining capacity to revisit Domain 3 technical content given its rapid evolution
  • Ensure annual 10-hour minimum is satisfied before year-end; document all activities

This structure is not rigid - the right allocation depends on your current role, where your knowledge gaps are sharpest, and what qualifies as AI-specialized under ISACA's current guidance. What the structure prevents is arriving at December with eight hours logged and a scramble to find two more qualifying activities before the annual cutoff.

For a broader picture of what the AAISM credential costs across its lifecycle - including how annual maintenance fees compound over three years - see the AAISM Exam Fee: Member vs Non-Member Cost 2026 breakdown. Planning CPE investment alongside financial commitment gives a more realistic view of the full credential cost.

If you are still working toward passing the exam itself and want to make your study hours count toward both exam readiness and eventual CPE-quality knowledge, the AAISM CPE Topics: What Qualifies for AI Hours page is your reference point to bookmark and revisit each renewal year.

Frequently Asked Questions

Can I count CISM renewal CPE hours toward AAISM's 10-hour AI minimum?

No. CISM CPE satisfies ISACA's CISM maintenance requirement. AAISM requires a separate pool of AI-specialized hours. General IT governance, audit, or security management CPE does not automatically qualify for AAISM's AI-specific annual minimum unless the primary subject of that activity is artificial intelligence in a professional context.

Does a vendor webinar on an AI security product count as qualifying CPE?

It depends on content. If the session is primarily educational - covering AI security concepts, threat models, or architectural principles - it may qualify. If it is primarily a product demonstration or sales pitch with educational framing, ISACA auditors may not accept it. When in doubt, seek vendor-neutral educational content and document the session's learning objectives and content description carefully.

What happens if my CISSP lapses while I hold AAISM?

AAISM requires that you maintain an active CISM or CISSP throughout the certification's lifecycle. If your prerequisite certification lapses and is not reinstated, your AAISM credential is at risk. CPE planning must account for both the AAISM AI-specialized requirement and the separate maintenance requirements for whichever prerequisite credential you hold.

Does presenting at a conference on an AI security topic generate qualifying CPE hours?

Yes, in most cases. ISACA typically allows CPE credit for presenting or teaching, often at a higher credit rate than passive attendance. The topic must be AI-specialized and the forum must be a recognized professional venue. Keep documentation including the conference program, your session abstract, and the date of presentation to support any audit.

If I earn 15 AI-specialized hours in year one, can I carry 5 forward to reduce year two's requirement?

AAISM specifies a 10-hour annual minimum and 30-hour cycle total. You should confirm with ISACA's current guidance whether excess hours in one year carry forward to reduce a subsequent year's minimum - this is a common point of confusion across ISACA credentials. The safest approach is to treat 10 hours as a hard annual floor and plan CPE accordingly regardless of prior-year totals.
