Appendix B: AAIR Job Practice

Knowledge Areas

Domain 1—AI Risk Governance and Framework Integration (37%)

• AI Models, Frameworks, Strategies, and Use Cases
• AI Organizational Processes and Alignment
• AI Ownership, Oversight, and Accountability
• AI Policies, Procedures, and Organizational Training
• AI Regulatory Compliance and Legal Considerations
• AI Trustworthiness, Ethical, and Societal Implications (e.g., ESG)

Domain 2—AI Life Cycle Risk Management (21%)

• AI Design, Development/Procurement, and Documentation
• AI Model Training, Testing, and Validation
• AI Implementation, Maintenance, and Decommissioning
• AI Data and Asset Management

Domain 3—AI Risk Program Management (42%)

• AI Risk Scenario Identification and Assessment (e.g., threats, vulnerabilities, and attacks)
• AI Risk Treatment Strategies
• AI Controls Management (e.g., evaluation, selection, and validation)
• AI Risk Metrics, Monitoring, and Reporting
• AI Supply Chain Risk Management (e.g., third party resources)
• AI Incident Response, BIA, Business Continuity, and Disaster Recovery

Secondary Classifications – Tasks

1. Evaluate risk related to AI models/solutions including design, suitability, algorithms, training, drift, and AI life cycle.
2. Facilitate the integration of AI risk management into an enterprise risk management framework and risk programs.
3. Develop and implement an AI risk management framework, including roles and accountability, AI risk policies and procedures, and acceptable risk tolerance levels.
4. Conduct risk assessments to identify and classify risks associated with AI.
5. Develop and recommend risk treatment strategies for identified AI risks.
6. Assess compliance with applicable AI-related regulations, laws, frameworks, standards, and guidelines.
7. Integrate AI risk considerations into existing governance programs.
8. Integrate AI risk considerations into existing risk register and control taxonomies.
9. Evaluate AI use cases based on the organization’s risk appetite.
10. Monitor and test organizational processes to identify AI risks.
11. Collaborate with stakeholders to develop and integrate AI risk concepts into enterprise-wide awareness training.
12. Capture AI risk considerations in enterprise risk metrics and reporting (e.g., board, management, operations).
13. Conduct and/or evaluate threat and vulnerability assessments on AI projects/programs.
14. Collaborate with stakeholders to integrate AI risk scenarios into the enterprise incident management program.
15. Continuously assess and monitor the risk landscape for emerging AI risk.
16. Evaluate controls to manage AI-related risk within the organization’s risk tolerance.
17. Advise on AI-related risk within contracts and service agreements, including data usage and intellectual property.
18. Evaluate AI risk as part of supply chain risk management.
19. Collaborate with stakeholders to address AI trustworthiness and impacts including ethics, bias, privacy, safety, and environmental, social, and governance (ESG) implications.
20. Leverage AI to support the risk management program (e.g., risk profile, reporting, evaluation, risk models, and analysis).
21. Integrate AI-related risk considerations into the change management process.
22. Incorporate AI-related risk considerations into incident response, BIAs, the BCP, and DRP.
23. Assess human oversight controls at critical decision points for risk and AI impact.