- The Clock Breakdown: 150 Minutes, 90 Questions
- What the Questions Actually Look Like
- Domain Weights and Where Your Time Goes
- Registration, Fees, and Eligibility Windows
- Testing Options: Remote vs. Physical Centers
- Building a Pacing Strategy Around AAISM's Format
- A Domain-Anchored Study Schedule
- After You Pass: Maintaining the AAISM
- Frequently Asked Questions
- The AAISM exam is 90 multiple-choice questions in exactly 150 minutes - exactly 100 seconds per question on average.
- Domain 3 (AI Technologies and Controls) carries the highest weight at 38%, making it the single most important domain to master.
- You must already hold an active CISM or CISSP to sit for the AAISM; that prerequisite must stay active throughout the credential's lifecycle.
- Passing requires a scaled score of 450 on a 200-800 scale; raw correct-answer counts do not map directly to pass/fail.
The Clock Breakdown: 150 Minutes, 90 Questions
The AAISM exam gives you exactly 150 minutes to answer 90 scenario-based multiple-choice questions. That averages to 100 seconds - one minute and forty seconds - per question. On paper that sounds generous. In practice, the scenario-based format means each question arrives with a paragraph of contextual detail about an AI deployment, a governance failure, or a control gap, and you must parse that context before the four answer choices even become meaningful.
The time structure is the first tactical variable to plan around, before you ever register. Candidates who train on timed sets of 90 questions before exam day tend to report less cognitive fatigue than those who practice only in short untimed bursts. The time limit (see AAISM Exam Time Limit: 90 Questions in 150 Minutes) is a constraint you can engineer around, but only if you treat it as a training variable rather than an afterthought.
What the Questions Actually Look Like
The AAISM is delivered exclusively in a multiple-choice, scenario-based format. ISACA is deliberate about this: questions are not trivia recalls. They present real-world AI security management situations - a Chief Information Security Officer evaluating a third-party AI vendor's model governance documentation, an AI risk team identifying gaps in a deployed natural language processing pipeline, or a security architect choosing between two AI monitoring architectures. You select the best answer, which often means eliminating three plausible-sounding distractors.
The exam is available in English and Spanish, so candidates whose primary professional language is Spanish can elect that option at registration. This is a meaningful accessibility decision for a credential that governs AI security management in global enterprises.
What "Scenario-Based" Means for Preparation
Scenario questions penalize rote memorization in a specific way: they reward candidates who understand why a control exists, not just what it is. For example, knowing that adversarial testing is an AI security control matters less than understanding when adversarial testing is the appropriate response to a specific threat model in a specific deployment context. Candidates who spend the majority of their study time reading definitions will struggle; candidates who spend it working through applied cases will not.
Practicing with realistic scenario questions before exam day is the single highest-leverage preparation activity available. The AAISM Exam Prep practice tests are built around this format, presenting questions structured to mirror the contextual reasoning the actual exam demands.
Domain Weights and Where Your Time Goes
The AAISM is organized into three domains. Their weights are not equal, and that asymmetry should directly shape how you allocate preparation time and how you prioritize questions mid-exam.
Domain 1: AI Governance and Program Management (31%)
Covers the organizational structures, policies, and accountability frameworks that govern AI systems across the enterprise. Candidates must understand how to build and operate an AI security program, align it with enterprise risk appetite, and communicate AI risk to executive stakeholders.
- AI governance frameworks and policy design
- Roles, responsibilities, and accountability for AI security
- AI program lifecycle management
- Regulatory and legal compliance considerations for AI deployments
- Integration of AI security programs with existing ISMS structures
Domain 2: AI Risk Management (31%)
Addresses how organizations identify, assess, treat, and monitor risks specific to AI systems - including risks that do not exist in traditional IT environments, such as model drift, data poisoning, and algorithmic bias.
- AI-specific threat modeling and risk identification
- Third-party and supply chain risk for AI models and datasets
- Risk treatment options including model retirement and control implementation
- Continuous risk monitoring for deployed AI systems
- Incident response frameworks tailored to AI-related security events
Domain 3: AI Technologies and Controls (38%)
This is the highest-weighted domain and covers the technical architecture of AI systems, the security controls applied to them, and the testing and monitoring mechanisms that validate those controls over time. A candidate cannot pass AAISM by excelling at governance alone - technical depth in AI security controls is mandatory.
- AI and machine learning architecture from a security perspective
- Data pipeline security: training data integrity, poisoning prevention
- Adversarial attack types: evasion, model inversion, membership inference
- Security testing methodologies for AI models (red teaming, adversarial testing)
- AI monitoring, logging, and anomaly detection in production environments
- Explainability and transparency controls for high-risk AI systems
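As an added illustration of the training-data integrity control listed under Domain 3 (example code written for this page, not ISACA exam material or any vendor's tool), the following Python builds a keyed manifest over a small constructed training set and verifies the data before training, catching a flipped label, an injected row, and a deleted row. The record format, the fraud/legit dataset and the MANIFEST_KEY value are assumptions made for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample training set for this example (not real data).
TRAINING_DATA = [
    {"id": 1, "text": "wire transfer to new beneficiary", "label": "fraud"},
    {"id": 2, "text": "monthly salary deposit", "label": "legit"},
    {"id": 3, "text": "login from unrecognised device", "label": "fraud"},
    {"id": 4, "text": "coffee shop purchase", "label": "legit"},
]

# Assumption: the data owner holds this key outside the training pipeline,
# so someone who can edit the dataset cannot also re-sign the manifest.
MANIFEST_KEY = b"example-key-held-by-data-owner"


def canonical(record):
    """Deterministic JSON serialisation so equal records always hash equal."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record):
    """SHA-256 of one canonicalised record (text and label together)."""
    return hashlib.sha256(canonical(record)).hexdigest()


def manifest_mac(digests, key):
    """HMAC over the id->digest map, so rows cannot be altered and simply re-hashed."""
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(records, key):
    """Data owner side: hash every record and authenticate the whole list."""
    digests = {str(r["id"]): record_digest(r) for r in records}
    return {"digests": digests, "mac": manifest_mac(digests, key)}


def verify_dataset(records, manifest, key):
    """Pipeline side: return a list of findings; an empty list means the data matches."""
    if not hmac.compare_digest(manifest_mac(manifest["digests"], key), manifest["mac"]):
        return ["manifest MAC mismatch: the manifest itself was altered"]
    findings = []
    seen = set()
    for r in records:
        rid = str(r["id"])
        seen.add(rid)
        expected = manifest["digests"].get(rid)
        if expected is None:
            findings.append(f"record {rid}: not in manifest (injected row)")
        elif record_digest(r) != expected:
            findings.append(f"record {rid}: content or label changed")
    for rid in manifest["digests"]:
        if rid not in seen:
            findings.append(f"record {rid}: missing (deleted row)")
    return findings


def poisoned_copy(records):
    """Simulate three tampering moves: flip a label, inject a row, delete a row."""
    data = copy.deepcopy(records)
    data[0]["label"] = "legit"  # label flip on id 1
    data.append({"id": 5, "text": "refund to attacker account", "label": "legit"})
    return [r for r in data if r["id"] != 4]  # delete id 4


def run_check():
    """Verify the clean set, then the poisoned set, against the same manifest."""
    manifest = build_manifest(TRAINING_DATA, MANIFEST_KEY)
    clean = verify_dataset(TRAINING_DATA, manifest, MANIFEST_KEY)
    poisoned = verify_dataset(poisoned_copy(TRAINING_DATA), manifest, MANIFEST_KEY)
    return clean, poisoned


if __name__ == "__main__":
    clean, poisoned = run_check()
    print("clean:", clean or "OK")
    for finding in poisoned:
        print("poisoned:", finding)
```

The caveat a candidate should be able to articulate: a manifest proves that the data the trainer consumes is the data the owner signed; it does not prove that the owner's data was clean. Poisoning introduced at the collection source passes this check untouched and needs separate statistical and provenance controls, which is exactly the "when is this control the right answer" reasoning the scenario questions test.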
Registration, Fees, and Eligibility Windows
The AAISM is governed by ISACA, headquartered in Schaumburg, Illinois. Registration and testing are administered through PSI, ISACA's testing provider. Before you can register, you must hold an active CISM (Certified Information Security Manager) or CISSP (Certified Information Systems Security Professional). This is a hard prerequisite - not a "preferred" qualification - and it must remain active throughout the AAISM credential's lifecycle.
| Fee Item | ISACA Member | Non-Member |
|---|---|---|
| Exam Registration Fee | $459 | $599 |
| Application Processing Fee (post-pass, one-time) | $50 | $50 |
| Annual Maintenance Fee | $20/year | $35/year |
| CPE Requirement (Annual Minimum) | 10 hours in AI-specialized topics | 10 hours in AI-specialized topics |
| CPE Requirement (3-Year Cycle Total) | 30 hours total | 30 hours total |
Once you register, you have a 12-month eligibility window to schedule and sit for the exam. That window is more than enough time if you build a structured preparation plan, but candidates who register impulsively and then delay scheduling often find themselves cramming in month eleven. Register when you have a realistic preparation timeline - not before.
The AAISM launched on August 19, 2025, making it ISACA's newest AI-focused credential. As of early 2026, no pass rate data has been published, which is expected for a credential this new. What is published is the passing score: 450 on a scaled score of 200 to 800. Scaled scoring means a raw score of, say, 63 correct answers does not automatically translate to a pass - the difficulty of the specific question set you receive is factored into the final score calculation.
Testing Options: Remote vs. Physical Centers
PSI administers the AAISM through a global network of authorized testing centers and also offers remote proctoring for most candidates. The geographic exceptions matter: candidates in India, Mainland China, and Hong Kong must test at physical PSI centers - remote proctoring is not available in those locations.
For candidates in other regions, remote proctoring is a legitimate option that removes the logistics of traveling to a center. However, remote proctoring introduces its own variables: stable internet, a clean testing environment, functioning webcam and microphone, and compliance with PSI's workspace requirements. A failed remote session due to a technical issue on exam day is not an outcome you want to engineer.
Details on locating authorized PSI centers, understanding remote proctoring system requirements, and navigating booking logistics are covered thoroughly in AAISM Testing Centers: PSI Locations and Requirements. Whether you test remotely or in person, confirm your setup - hardware, environment, and identification requirements - well before your scheduled date.
Building a Pacing Strategy Around AAISM's Format
With 150 minutes and 90 questions, the math favors a three-pass strategy adapted to the AAISM's specific domain distribution:
- First pass (60-70 minutes): Work through all 90 questions. Answer those you're confident about immediately. Flag questions where you've narrowed to two choices but aren't certain. Flag questions where the scenario requires deeper analysis. Do not spend more than 90 seconds on any single question during this pass - leave it flagged and move on. Check the arithmetic: 60-70 minutes over 90 questions is roughly 40-47 seconds each, so the 90-second cap is a ceiling for hard items, not a target; confident answers have to come in well under it.
- Second pass (40-50 minutes): Return to flagged questions. At this point, you've seen the full question set and may find that later questions jogged your memory on earlier ones. Work through your two-choice dilemmas with fresh eyes.
- Third pass (remaining time): Review any remaining flags. Check that you haven't left blanks - there is no penalty for wrong answers, so a guess is always better than no answer.
Practicing this strategy under real time pressure requires simulating the full 90-question, 150-minute experience. The AAISM Exam Prep practice platform includes full-length timed practice exams specifically designed to condition this pacing.
Key Takeaway
Domain 3 questions often carry more cognitive load because they involve technical architecture scenarios. If you encounter a complex AI controls question early in the exam, flag it and return - burning 4-5 minutes on one Domain 3 question in the first pass is a pacing error that compounds across the exam.
A Domain-Anchored Study Schedule
Generic study templates don't account for the AAISM's specific domain weights or the technical depth Domain 3 requires. The following schedule is built around the actual exam structure for a candidate with a 10-week preparation window.
Domain 1: AI Governance and Program Management
- Map ISACA's AI governance frameworks to organizations you know
- Study AI program lifecycle: initiation, design, operation, and retirement
- Review how AI security programs integrate with ISO 27001 or NIST CSF structures you already know from CISM/CISSP
- Practice 15-20 Domain 1 scenario questions daily
Domain 2: AI Risk Management
- Study AI-specific threat models: data poisoning, model inversion, evasion attacks
- Understand third-party AI vendor risk assessment frameworks
- Work through AI incident response scenarios - how does an AI security incident differ from a traditional breach?
- Use spaced repetition for terminology specific to AI risk (this is one area where flashcard-style review pays off)
Domain 3: AI Technologies and Controls (heaviest investment)
- Build a working mental model of ML pipeline architecture: data ingestion, training, validation, deployment, monitoring
- Study each adversarial attack category and its corresponding defensive control
- Deep dive into AI red teaming methodologies and adversarial testing frameworks
- Review explainability tools and when regulators require them for high-risk AI
- Practice 25-30 Domain 3 questions per session - this domain's volume demands more repetition
Integrated Practice and Weak Domain Reinforcement
- Take two full-length 90-question timed practice exams
- Identify your lowest-scoring domain and schedule targeted review sessions
- Re-read ISACA's published AAISM materials and any released study guidance
- Practice the three-pass pacing strategy under exam conditions
Final Consolidation
- One additional full-length timed practice exam - no new material
- Confirm your PSI testing logistics: center location or remote setup check
- Light review of flagged weak areas; no cramming new topics
- Rest 48 hours before exam day
After You Pass: Maintaining the AAISM
The AAISM is valid for three years from the date of certification. Maintaining it requires:
- A minimum of 10 CPE hours per year in AI-specialized topics - not general security CPE, but specifically AI-relevant continuing education
- A total of 30 CPE hours across the full three-year cycle
- An active CISM or CISSP throughout the credential's lifecycle - if your underlying credential lapses, your AAISM status is also at risk
- Adherence to the ISACA Code of Professional Ethics
- Payment of annual maintenance fees: $20/year for ISACA members or $35/year for non-members
The AI-specific CPE requirement is notable. ISACA is deliberately excluding general cybersecurity CPE from counting toward AAISM maintenance, signaling that credential holders are expected to remain current specifically in AI security developments - a field that evolves faster than most areas of traditional information security.
Frequently Asked Questions
Can I sit for the AAISM without an active CISM or CISSP?
No. An active CISM or CISSP is a hard prerequisite for AAISM registration. You cannot substitute other certifications or experience in place of one of these two credentials. Additionally, your CISM or CISSP must remain active not just at the time you sit for the AAISM, but throughout the entire lifecycle of the AAISM certification.
What is the passing score?
The passing score is 450 on a scaled score that ranges from 200 to 800. Because the exam uses scaled scoring, the number of questions you need to answer correctly to reach 450 will vary slightly depending on the difficulty level of the specific question set you receive. There is no published raw-score cutoff.
How long do I have to sit the exam after registering?
Once you register for the AAISM, you have a 12-month eligibility window to schedule and sit for the exam. If you do not test within that window, you would need to re-register and pay the exam fee again. Use this window strategically - register when you have a realistic preparation plan already underway.
Is remote proctoring available everywhere?
Remote proctoring through PSI is available for most candidates globally, but there are three geographic exceptions: candidates in India, Mainland China, and Hong Kong are required to test at authorized physical PSI testing centers. Remote proctoring is not available in those locations regardless of circumstances.
Which domain should I prioritize?
Domain 3 (AI Technologies and Controls) carries the highest weight at 38% of the exam and covers the most technically demanding material - AI architecture, adversarial attacks, security controls, and monitoring. Candidates with primarily governance backgrounds should invest disproportionate study time in Domain 3. Domains 1 and 2 each account for 31%, but Domain 3 alone will determine more of your outcome than either of them individually.