nerdexam
Isaca

AAISM · Question #140

An organization is adopting an agentic AI solution from an external vendor to support internal IT operations. Which of the following provides the MOST reliable and independently verifiable evidence of

The correct answer is B. Third-party audit reports. Third-party audit reports (e.g., SOC 2 Type II, ISO 27001 certifications) are conducted by independent, accredited auditors who verify the actual operation of controls against established standards over a defined period. This independence and rigor make them the most reliable evi

AI Security Assurance and Resilience

Question

An organization is adopting an agentic AI solution from an external vendor to support internal IT operations. Which of the following provides the MOST reliable and independently verifiable evidence of implemented security controls?

Options

  • AIndustry benchmarking peer review
  • BThird-party audit reports
  • CInternal red-team testing reports
  • DGeneral AI security whitepapers

How the community answered

(45 responses)
  • A
    2% (1)
  • B
    80% (36)
  • C
    7% (3)
  • D
    11% (5)

Explanation

Third-party audit reports (e.g., SOC 2 Type II, ISO 27001 certifications) are conducted by independent, accredited auditors who verify the actual operation of controls against established standards over a defined period. This independence and rigor make them the most reliable evidence. Industry benchmarking peer reviews (A) are informal and not control-specific. Internal red-team reports (C) are self-generated and not independently verified. General AI security whitepapers (D) are marketing documents with no attestation of actual control implementation. Third-party audits provide objective, externally validated assurance.

Topics

#Vendor risk management#Security assurance#Third-party audit#Evidence of controls

Community Discussion

No community discussion yet for this question.

Full AAISM Practice