The artificial intelligence (AI) life cycle refers to the creation, implementation, operation, and decommissioning of AI solutions. Its phases may seem very similar to those of software and systems development, but they carry some AI-specific considerations. Risk should be considered at every phase of the AI life cycle so that it is properly managed and the organization avoids unpredicted exposures or costly redesign and model retraining downstream. This chapter examines the phases of the AI life cycle and the risk associated with each step.
This domain represents 21% (approximately 20 questions) of the exam.
Domain 2: Exam Content Outline
A: AI Design, Development/Procurement, and Documentation
B: AI Model Training, Testing, and Validation
C: AI Implementation, Maintenance, and Decommissioning
D: AI Data and Asset Management
Learning Objectives/Task Statements
Evaluate risk related to AI models/solutions including design, suitability, algorithms, training, drift, and AI life cycle.
Conduct risk assessments to identify and classify risks associated with AI.
Assess compliance with applicable AI-related regulations, laws, frameworks, standards, and guidelines.
Evaluate AI use cases based on the organization’s risk appetite.
Monitor and test organizational processes to identify AI risks.
Collaborate with stakeholders to develop and integrate AI risk concepts into enterprise-wide awareness training.
Conduct and/or evaluate threat and vulnerability assessments on AI projects/programs.
Collaborate with stakeholders to integrate AI risk scenarios into the enterprise incident management program.
Evaluate controls to manage AI-related risk within the organization’s risk tolerance.
Advise on AI-related risk within contracts and service agreements, including data usage and intellectual property.
Evaluate AI risk as part of supply chain risk management.
Collaborate with stakeholders to address AI trustworthiness and impacts including ethics, bias, privacy, safety, and environmental, social, and governance (ESG) implications.
Leverage AI to support the risk management program (e.g., risk profile, reporting, evaluation, risk models, and analysis).
Integrate AI-related risk considerations into the change management process.
Assess human oversight controls at critical decision points for risk and AI impact.
Suggested Resources for Further Study
Banno, T.; “Infusing Artificial Intelligence Into Software Engineering and the DevSecOps Continuum,” Computer, vol. 57, 2024, 140-148, doi:10.1109/MC.2024.3423108
EU AI Act, “Article 61: Informed Consent to Participate in Testing in Real World Conditions Outside AI Regulatory Sandboxes”
ISACA, Artificial Intelligence Audit Toolkit