- Remote proctoring is available globally except India, Mainland China, and Hong Kong, where PSI physical centers are mandatory.
- The AAISM exam is 90 scenario-based multiple-choice questions answered in 150 minutes, with a passing scaled score of 450 out of 800.
- Exam fees are $459 for ISACA members or $599 for non-members, plus a $50 one-time post-pass application processing fee.
- You have a 12-month eligibility window from registration to schedule and sit your exam through PSI.
What the AAISM Exam Delivery System Actually Looks Like
The Advanced in AI Security Management certification, launched by ISACA on August 19, 2025, is delivered exclusively through PSI, ISACA's authorized testing provider. PSI operates two channels: a global network of authorized physical testing centers, and an online remote proctoring system that brings the exam to your own workspace. Understanding exactly how each channel works, and which one you are required to use, is the first logistical decision every AAISM candidate must make.
ISACA governs the certification from its headquarters in Schaumburg, Illinois. PSI handles all scheduling, identity verification, and proctoring on ISACA's behalf. The exam is available in two languages: English and Spanish. Whether you sit remotely or in a center, the same 90 questions, the same 150-minute clock, and the same 200-800 scaled scoring apply.
Remote Proctoring: Eligibility, Rules, and Setup
Who Can Use Remote Proctoring
Remote proctoring is available to AAISM candidates in virtually every country except India, Mainland China, and Hong Kong. If you are based in any of those three locations, skip to the testing center section below; remote delivery is not a legal or logistical option for you under PSI's current operating agreements.
For everyone else, remote proctoring through PSI allows you to sit the exam from a personal computer in a private, controlled environment. Given that AAISM is an enterprise-focused credential aimed at AI security management professionals, many candidates are working practitioners who may prefer the schedule flexibility of home testing over traveling to a center.
Technical Requirements and Room Setup
PSI's standard remote proctoring requirements apply to AAISM. Before scheduling remotely, confirm the following:
- Hardware: A desktop or laptop computer with a working webcam, microphone, and speaker. Tablets and mobile devices are not accepted.
- Operating system compatibility: Run PSI's system check tool on PSI's website before the day you register your time slot, not the morning of the exam.
- Internet connection: A stable, wired or high-speed wireless connection. Shared office networks with aggressive firewalls frequently cause disconnection issues.
- Room conditions: A private, enclosed room with no other people present. Your desk must be clear of notes, books, and unauthorized materials. The proctor conducts a 360-degree room scan via your webcam before the exam begins.
- Lighting: The room must be sufficiently lit that your face is clearly visible throughout the session.
- Identification: Government-issued photo ID that matches your registration name exactly. Discrepancies cause disqualification before the session starts.
Key Takeaway
Run the PSI system compatibility check at least 48 hours before your scheduled remote exam. Discovering a firewall or browser extension conflict the morning of your session typically means forfeiting that appointment, and rescheduling fees may apply.
What the Remote Proctor Monitors
PSI proctors actively monitor your audio, video, and screen throughout the 150-minute session. The following behaviors will trigger a proctor intervention or session termination:
- Looking away from the screen for extended periods
- Speaking aloud or whispering (even self-talk during difficult questions)
- Using a second monitor or display
- Having another person enter the room
- Using a phone or any secondary device
- Attempting to access external applications or browsers during the exam
Because AAISM questions are scenario-based (presenting real-world AI security management situations and asking you to select the best control, governance action, or risk response), the exam demands sustained concentration. A proctor interruption mid-scenario is both disruptive and time-consuming.
PSI Testing Centers: Who Must Use Them and How
Mandatory Center Attendance: India, Mainland China, and Hong Kong
Candidates based in India, Mainland China, or Hong Kong must sit the AAISM exam at an authorized PSI testing center. There are no exceptions. PSI maintains a network of centers across all three regions, and candidates in those locations should confirm available center locations and seats through the PSI candidate portal when registering.
Choosing a Testing Center (All Locations)
Even candidates who are eligible for remote proctoring may prefer a physical PSI center. Common reasons include unreliable home internet, shared living spaces that cannot meet the private room requirement, or employer policies that require in-person credentialing activities. If you select a testing center:
- Arrive at least 15-30 minutes before your scheduled start time. PSI centers process check-in with biometric or photo ID verification.
- Personal items, including phones, smartwatches, wallets, and food, are typically stored in a locker. Only items explicitly permitted by the center staff are allowed at your workstation.
- You will be provided scratch paper or an erasable whiteboard for notes during the exam. These are collected at the end of the session.
- The testing center environment is monitored by both on-site staff and video surveillance.
Registration, Fees, and Your 12-Month Eligibility Window
Prerequisite Verification Comes First
Before you can register for the AAISM exam, you must hold an active CISM (Certified Information Security Manager) or CISSP (Certified Information Systems Security Professional). This is a hard gate, not a recommendation. ISACA verifies active status before approving your application. The prerequisite credential must remain active not just at registration but throughout the entire AAISM certification lifecycle.
If you are still working toward either prerequisite, review the detailed breakdown of credential requirements in the AAISM Exam Prerequisites: CISM and CISSP Requirements guide before investing in exam registration.
Exam Fees Broken Down
| Fee Item | ISACA Member | Non-Member |
|---|---|---|
| AAISM Exam Fee | $459 | $599 |
| One-Time Application Processing (post-pass) | $50 | $50 |
| Annual Maintenance Fee | $20/year | $35/year |
| Eligibility Window | 12 months from registration | 12 months from registration |
The exam fee is paid at registration. The $50 application processing fee is collected separately only after you pass. Annual maintenance fees apply throughout the 3-year certification cycle. Certification renewal requires a minimum of 10 CPE hours per year in AI-specialized topics, with 30 CPE hours total across the 3-year period.
Scheduling Within Your Eligibility Window
Once registered, you have 12 months to schedule and complete your exam through PSI. This is a generous window, but candidates who underestimate Domain 3's technical depth frequently run short on preparation time. Schedule your seat with a specific target date in mind rather than treating the window as an open-ended buffer. PSI scheduling fills quickly at popular testing centers, particularly during Q1 and Q4 when professional certification activity peaks.
Exam Day Format: What the 90 Questions Actually Test
The AAISM exam consists of 90 multiple-choice questions delivered over 150 minutes, which is exactly 100 seconds per question on average. The format is scenario-based: each question presents a realistic AI security management situation and asks you to select the most appropriate action, control, governance decision, or risk response from four options.
This is not a memorization exam. Questions are designed to assess judgment, not recall. A typical question might describe an organization deploying a machine learning model in a regulated environment and ask which control framework element the security manager should implement first. Another might present an AI audit finding and ask how to escalate it through the governance structure described in the scenario.
The passing score is 450 on a scaled score of 200 to 800. Scaled scoring means raw scores are adjusted for question difficulty variation across exam versions; answering harder questions correctly is weighted more favorably than breezing through the easy end of the item bank.
Domain Weighting and Why It Shapes Your Preparation
Domain 1: AI Governance and Program Management (31%)
Covers the structures, policies, accountability frameworks, and executive alignment required to operate AI programs securely at an organizational level.
- AI security strategy alignment with enterprise governance
- Policy development for AI lifecycle management
- Roles, responsibilities, and accountability for AI security
- Regulatory and compliance considerations for AI programs
Domain 2: AI Risk Management (31%)
Addresses identification, assessment, treatment, and monitoring of risks specific to AI systems, including model risk, data pipeline risk, and third-party AI risk.
- AI-specific threat modeling and risk assessment methodology
- Bias, explainability, and fairness as risk dimensions
- Third-party and supply chain risk for AI components
- Risk appetite and tolerance frameworks applied to AI
Domain 3: AI Technologies and Controls (38%)
The highest-weighted domain covers AI architecture security, technical control implementation, adversarial AI threats, testing, and continuous monitoring of AI systems.
- Secure AI system architecture and model lifecycle security
- Adversarial attack types: prompt injection, model inversion, data poisoning
- Security testing methodologies specific to AI/ML systems
- Continuous monitoring and anomaly detection for deployed models
- Controls for training data integrity and output validation
Domain 3 accounts for 38% of your scaled score. If you have a CISSP background, your existing knowledge of technical security controls gives you a foundation, but AI-specific attack surfaces like adversarial examples, model extraction, and training data poisoning require dedicated study that goes well beyond general cybersecurity controls. If your background is primarily CISM governance-focused, Domain 3 will likely require the most preparation time.
Candidates holding CISM may find Domains 1 and 2 more intuitive given the governance and risk management focus of that credential. Conversely, CISSP holders may have stronger footing in Domain 3 but need to build depth in AI governance program design. For a detailed breakdown of how each prerequisite credential maps to AAISM domain coverage, see the AAISM Exam Prerequisites: CISM and CISSP Requirements article.
Scheduling Your Seat Around Domain Complexity
Given the domain weights and the scenario-based question format, a structured preparation schedule that addresses domains in order of complexity rather than order of appearance in the blueprint is more effective for most candidates.
Domain 3 Foundation: AI Technologies and Controls
- Study AI architecture security concepts: model lifecycle, training pipeline, deployment infrastructure
- Learn adversarial AI attack taxonomy: prompt injection, data poisoning, model inversion, evasion attacks
- Map existing cybersecurity control frameworks (from your CISM/CISSP knowledge) to AI-specific scenarios
Domain 1 and Domain 2: Governance and Risk in AI Context
- Work through AI governance structures, accountability models, and regulatory landscape
- Study AI-specific risk assessment frameworks and third-party AI risk considerations
- Practice scenario questions that blend governance decisions with technical context
Full Scenario Practice and Gap Closure
- Complete timed full-length practice tests on the AAISM practice test platform to simulate the 150-minute exam environment
- Identify weak domain areas from practice results and schedule targeted review sessions
- Book your PSI exam seat (remote or center) with a target date in this final preparation week
This schedule assumes a candidate who is actively working and dedicating focused evening and weekend study time. The 12-month eligibility window allows more flexibility, but most exam-ready candidates are well-prepared within 6-10 weeks of structured effort. Front-loading Domain 3 study is the most consistent recommendation given its 38% weight and the depth of AI-specific technical content required.
For AAISM-format practice questions that mirror the scenario-based style of the actual PSI exam, the AAISM practice tests provide domain-mapped question sets across all three domains with detailed answer explanations tied to ISACA framework concepts.
Frequently Asked Questions
No. Remote proctoring is not available to candidates in India, Mainland China, or Hong Kong. You must schedule your exam at an authorized PSI physical testing center in your region. Use the PSI candidate portal to find available centers and appointment slots near you.
PSI proctors have protocols for brief disconnections, but extended connectivity loss typically results in session termination. If the session terminates through no fault of the candidate, PSI and ISACA have escalation processes; contact PSI support immediately. This is why running PSI's system check tool and using a wired connection when possible are strongly recommended.
Yes. Holding an active CISM or CISSP is a condition of the AAISM certification throughout its entire lifecycle, not just at the point of application. If your prerequisite credential lapses, your AAISM certification status is also affected. Review the full prerequisite maintenance requirements in the AAISM Exam Prerequisites: CISM and CISSP Requirements guide.
You have a 12-month eligibility window from the date of your registration approval to schedule and sit the exam through PSI. If you do not test within that 12-month period, you will need to re-register and pay the exam fee again. Set a target exam date early in your eligibility period to avoid losing your window.
Yes. The AAISM exam is currently available in both English and Spanish. Language selection is made during the PSI scheduling process. All scenario-based questions and answer options are presented in the language you select for the duration of your session.
Ready to Start Practicing?
The AAISM exam's scenario-based format rewards candidates who practice under realistic conditions. Work through AAISM-specific questions across all three domains (AI Governance, AI Risk Management, and AI Technologies and Controls) with detailed explanations tied to ISACA's framework. Start building the judgment and speed the 150-minute exam demands.