AAISM Exam Schedule: Registration and Booking Guide

TL;DR
  • AAISM requires an active CISM or CISSP before you can register - no exceptions.
  • Exam fee is $459 for ISACA members and $599 for non-members, plus a $50 post-pass processing fee.
  • You have a 12-month eligibility window from registration date to sit the exam.
  • Remote proctoring is available globally except India, Mainland China, and Hong Kong.

What the AAISM Exam Actually Is

The Advanced in AI Security Management (AAISM) certification is governed by ISACA - the same organization behind CISM, CRISC, and CGEIT - and was launched on August 19, 2025. It sits at the intersection of two disciplines that have converged rapidly: enterprise security management and the governance of artificial intelligence systems. This is not a foundational AI literacy certificate. It is an advanced, scenario-heavy credential designed for practitioners who are already credentialed security leaders and need a formal, auditable qualification for AI-specific security responsibilities.

ISACA administers the exam through PSI, its authorized testing provider, which operates physical testing centers globally and offers remote proctoring in most jurisdictions. Understanding both the registration mechanics and the exam's structural demands before you book is the most efficient use of your preparation time - and it prevents costly mistakes like missing your eligibility window or misallocating study hours across domains.

New Certification, No Published Pass Rate: Because AAISM launched in August 2025, ISACA has not yet published pass rate data. Plan for the same rigor you applied to CISM or CISSP. The scenario-based question format historically rewards applied understanding over rote memorization.

Prerequisites Before You Can Register

AAISM has a hard prerequisite that distinguishes it from most vendor certifications: you must hold an active CISM (Certified Information Security Manager) or CISSP (Certified Information Systems Security Professional) at the time of registration. That credential must also remain active for the entire lifecycle of your AAISM certification. If your CISM or CISSP lapses, your AAISM status is also at risk.

This prerequisite exists for a specific reason. AAISM questions are scenario-based and assume you can make governance, risk, and control decisions in complex enterprise environments. You are not being introduced to security management concepts - you are expected to apply them to AI-specific architectures, threat surfaces, and regulatory contexts. Candidates who attempt AAISM without deeply internalizing their CISM or CISSP foundations typically find the scenario-based questions disorienting because each scenario layers AI-specific variables on top of core security management principles.

Prerequisite Credential Requirements

Before registering, confirm the following:

  • You hold an active, current CISM or CISSP (not expired, not in grace period)
  • Your CPE and maintenance fees for that credential are current with the issuing body
  • You understand how to maintain both credentials simultaneously - AAISM adds its own CPE obligations post-certification

Step-by-Step Registration Process

Registration for AAISM is handled through ISACA's online candidate portal. The process follows a sequence that candidates familiar with CISM registration will recognize, though there are AAISM-specific steps worth noting.

  1. Verify your ISACA account. Log in to your ISACA account or create one. Your membership status at this point determines which fee tier you will pay.
  2. Submit prerequisite documentation. During registration, you will need to confirm your active CISM or CISSP status. ISACA can cross-reference CISM credentials directly; CISSP holders may need to provide their ISC² member number for verification.
  3. Select your exam language. AAISM is available in English and Spanish. This selection is made during registration, not at the testing center.
  4. Pay the exam fee. Payment is collected at registration. Once processed, your 12-month eligibility window begins from this date - not from when you schedule with PSI.
  5. Receive your authorization to test (ATT). ISACA will issue your ATT, which you use to book your actual exam date and format through PSI's scheduling portal.
  6. Book with PSI. Through PSI's portal, choose between a physical testing center and remote proctoring (subject to geographic restrictions discussed below). Confirm your appointment details carefully - rescheduling may incur fees.

Exam Fees and Application Costs Explained

AAISM has a layered fee structure that candidates often underestimate when budgeting. The exam registration fee is only the beginning.

| Fee Item | ISACA Member | Non-Member |
|---|---|---|
| Exam Registration Fee | $459 | $599 |
| One-Time Application Processing Fee (post-pass) | $50 | $50 |
| Annual Certification Maintenance Fee | $20/year | $35/year |
| 3-Year Total Maintenance Cost | $60 | $105 |

The membership differential is significant. At $140 in exam fee savings alone, candidates who are not already ISACA members should calculate whether the cost of an ISACA annual membership offsets the non-member exam surcharge. For most candidates, particularly those also holding or pursuing CISM, ISACA membership pays for itself across multiple credentials and resources.

Key Takeaway

The $50 application processing fee is only collected after you pass - it is part of the formal certification issuance step, not the exam registration. Budget for it in advance so it does not catch you off guard during the celebration of passing.

Scheduling Your Test: PSI Centers vs. Remote Proctoring

PSI provides two delivery modes for AAISM, and the right choice depends almost entirely on your location and your home or office environment.

Remote Proctoring

Remote proctoring through PSI is available in most countries and allows you to sit the exam from any quiet, private space with a stable internet connection and a compatible device. PSI's remote proctoring system includes identity verification, environmental scans, and live or AI-assisted monitoring. Candidates should test their system using PSI's pre-check tool well before exam day - technical failures during check-in do not automatically entitle you to a reschedule.

Physical PSI Testing Centers

Candidates in India, Mainland China, and Hong Kong are required to sit the exam at an authorized PSI physical testing center. Remote proctoring is not available in these jurisdictions. If you are located in one of these regions, identify your nearest PSI center early in the registration process, as seat availability at physical centers can be limited and lead times longer than you might expect.

Geographic Restriction to Note: Remote proctoring is explicitly unavailable in India, Mainland China, and Hong Kong. Candidates in these regions must book a PSI physical center. Check PSI's site for the nearest authorized location before you complete ISACA registration.

Exam Format and What 90 Questions Look Like

The AAISM exam consists of 90 multiple-choice questions completed within 150 minutes (2.5 hours). The passing score is 450 on a scaled score range of 200 to 800. Scaled scoring means your raw number correct is converted to account for question difficulty - a practice standard across ISACA certifications.

What distinguishes AAISM questions from lower-level AI certifications is the scenario-based structure. Each question typically presents a realistic enterprise situation - a CISO evaluating an AI vendor's model transparency claims, a security architect selecting controls for a generative AI deployment, a risk manager responding to an AI model drift incident - and asks what the most appropriate action or decision is. There is almost always one clearly best answer, one plausible-but-wrong answer, and two weaker distractors. The skill being tested is judgment, not recall.

Practicing with scenario-format questions before exam day is not optional - it is the single most impactful preparation activity. The AAISM practice test platform provides questions structured in this format, mapped to the three exam domains, so you can identify where your scenario reasoning is weakest before it costs you points on exam day.

Domain Weights and What You Must Know

The AAISM exam blueprint divides content across three domains with specific percentage weights. Understanding these weights before you build a study plan determines whether you allocate your time strategically or accidentally over-study lower-weighted content.

Domain 1: AI Governance and Program Management (31%)

This domain covers how organizations establish, govern, and operationalize AI security programs at the enterprise level.

  • AI governance frameworks, policies, and accountability structures
  • Roles and responsibilities for AI security oversight (CISOs, AI ethics boards, program managers)
  • Regulatory and compliance landscape for AI (including emerging global frameworks)
  • Integrating AI governance with existing security program management practices
  • Metrics, reporting, and board-level communication on AI security posture

Domain 2: AI Risk Management (31%)

This domain addresses identifying, assessing, and treating risks that are specific to AI systems - risks that differ meaningfully from traditional IT risk.

  • AI-specific threat modeling (adversarial attacks, model poisoning, prompt injection, data exfiltration through model outputs)
  • Third-party and supply chain risk in AI model procurement and MLOps pipelines
  • Privacy risk from training data and inference outputs
  • Risk treatment decisions for AI systems in high-stakes environments (healthcare, finance, critical infrastructure)
  • Business impact analysis for AI system failures and degraded performance

Domain 3: AI Technologies and Controls (38%)

The highest-weighted domain at 38%, this section tests deep technical and control knowledge across the AI development and deployment lifecycle.

  • AI and ML architecture types (supervised, unsupervised, reinforcement learning, generative AI, LLMs)
  • Security controls specific to training environments, model storage, and inference endpoints
  • AI model testing: adversarial robustness testing, red-teaming, fairness and bias evaluation
  • Monitoring AI systems in production for drift, anomalies, and security events
  • Data pipeline security from ingestion through model training
  • Secure MLOps practices and CI/CD pipeline controls for AI

A Domain-Weighted Preparation Timeline

Because Domain 3 carries 38% of the exam, a proportional study schedule front-loads it without neglecting the equally-weighted Domains 1 and 2. The following four-week structure reflects those weights. It is not a generic template - every week maps to specific AAISM domain content.

Week 1

Domain 3 Foundation: AI Architecture and Security Controls

  • Study AI/ML architecture types and their distinct attack surfaces
  • Map security controls to training, model storage, and inference phases
  • Complete Domain 3-focused practice questions on the AAISM practice platform to baseline your scenario reasoning

Week 2

Domain 3 Depth: Testing, Monitoring, and MLOps Security

  • Deep dive into adversarial robustness testing and AI red-teaming methodologies
  • Study production monitoring controls: drift detection, anomaly response, audit logging
  • Review secure MLOps pipeline controls and CI/CD security for AI systems

Week 3

Domains 1 and 2: Governance, Risk, and Regulatory Landscape

  • Study AI governance frameworks and how they integrate with existing CISM-aligned security programs
  • Work through AI-specific threat modeling scenarios: prompt injection, model poisoning, supply chain risk
  • Review the emerging global AI regulatory landscape and its compliance implications

Week 4

Full-Length Practice, Weak-Area Remediation, and Exam-Day Logistics

  • Sit two full 90-question timed practice exams under realistic conditions
  • Review every incorrect answer at the domain and sub-topic level
  • Confirm your PSI scheduling, along with the technical requirements for remote proctoring or your testing center location
  • Review AAISM CPE requirements so you understand post-certification obligations before you sit

Managing Your 12-Month Eligibility Window

Once you pay your AAISM registration fee, ISACA grants you a 12-month eligibility window to sit the exam. This window begins at payment - not at the date you schedule with PSI. Candidates who register and then delay scheduling because they want more preparation time are inadvertently compressing their actual window.

The practical implication: do not register until you have a realistic study timeline mapped out and you are within four to eight weeks of your intended exam date. The 12-month window is generous, but candidates who register far in advance often discover their momentum fades or life events intervene, leading to rushed final preparation.

If you are still building your foundational knowledge of the three exam domains, use that time to work through practice questions and review domain content before committing the registration fee. This guide covers the mechanics, but domain mastery takes consistent, structured effort over weeks, not days.

12-Month Window Starts at Payment: Your eligibility clock begins when ISACA processes your registration fee, not when you book with PSI. Register only when you are within a realistic distance of exam-ready. Candidates who register prematurely and then need to defer risk forfeiting their fee.

After You Pass: Application Fee and Certification Maintenance

Passing the exam is the entry point, not the endpoint. ISACA's certification issuance process requires a one-time $50 application processing fee, paid after you receive your pass notification. This is separate from the exam registration fee and is due at the time you formally apply for certification status.

Once certified, AAISM requires ongoing maintenance across three dimensions. First, you must complete a minimum of 10 CPE hours per year in AI-specialized topics, totaling 30 CPE hours over the 3-year certification cycle. Second, you must pay annual maintenance fees - $20 per year for ISACA members, $35 per year for non-members. Third, you must maintain your active CISM or CISSP and adhere to the ISACA Code of Professional Ethics throughout the AAISM certification lifecycle.

The CPE requirement specifically mandates AI-specialized content - general security CPEs from unrelated domains do not satisfy the AI-specialization standard. For a detailed breakdown of which activities qualify, what documentation ISACA requires, and how to organize your annual CPE accumulation, see the AAISM CPE Requirements: Maintaining Your Certification guide.

Frequently Asked Questions

Can I register for AAISM if my CISM is currently in its renewal grace period?

No. ISACA requires your prerequisite credential - CISM or CISSP - to be fully active at registration. A credential in a grace period or lapsed status does not satisfy the prerequisite. Renew your CISM or bring your CISSP maintenance current before beginning the AAISM registration process.

What happens if I am located in India and want to take the AAISM exam remotely?

Remote proctoring is not available in India, Mainland China, or Hong Kong. Candidates in these regions must book an appointment at an authorized PSI physical testing center. Use PSI's center locator tool to identify your nearest option and factor in potential lead times when planning your registration date.

Is the AAISM exam available in languages other than English?

Yes. As of Version 1 (launched August 19, 2025), AAISM is available in English and Spanish. You select your preferred language during registration with ISACA, before you book your PSI appointment. Confirm your language selection before submitting payment, as changes may require contacting ISACA directly.

How is the 450 passing score calculated on a 200-800 scale?

ISACA uses scaled scoring, which means your raw number of correct answers is converted using a statistical model that accounts for the relative difficulty of the specific question set you received. A score of 450 on the 200-800 scale is the passing threshold. You do not need to calculate this yourself - PSI and ISACA deliver your scaled score automatically after the exam.

If I fail, when can I retake the AAISM exam?

ISACA's standard retake policy applies - you must wait before reapplying, and retake registrations require a new exam fee. Your original 12-month eligibility window does not automatically extend after a failed attempt. Review ISACA's current candidate agreement for the specific waiting period, as AAISM is a new certification and retake policies are governed by ISACA's standard procedures. Use the time between attempts to address specific domain weaknesses identified in your score report.

Ready to Start Practicing?

The AAISM exam tests scenario-based judgment across three demanding domains - and the best way to sharpen that judgment is to practice with questions that mirror the real exam's structure, difficulty, and domain weighting. Start free today and identify your strongest and weakest areas before exam day.