The AIGP Exam
Preparation Playbook

Four Risk Tiers

Unacceptable (Prohibited): Social scoring by public authorities, real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions), subliminal manipulation causing harm, exploiting vulnerabilities of specific groups, predicting criminality solely from profiling or personality traits, emotion recognition in workplace and education settings (except medical/safety), and untargeted scraping for facial recognition databases.

High Risk: Biometric ID, critical infrastructure, education, employment, essential services, law enforcement, migration, administration of justice (Annex II/III).

Limited Risk: Transparency obligations apply regardless of risk tier - AI interaction disclosure, emotion recognition disclosure, AI-generated content labeling.

Minimal Risk: No specific obligations. Most AI systems fall here.

Prohibited Practice Exceptions

Biometric identification exceptions: Searching for victims of abduction or human trafficking, preventing imminent terrorist threats, and locating suspects of serious crimes (with judicial authorization) are permitted despite the general prohibition on real-time biometric surveillance.

Emotion recognition exceptions: Medical and safety contexts are excepted from the workplace/education prohibition. Detecting patient emotions in a telemedicine session for healthcare purposes is permitted. Workplace emotion recognition for employee morale has no exception and remains prohibited.

Roles

Provider: Creates compliance artifacts - CE marking, conformity assessment, technical documentation (Annex IV), risk management system, human oversight mechanisms, post-market monitoring.

Deployer: Verifies proper use - FRIA before deployment (public bodies/public service providers), maintain logs and documentation of outputs and decisions (retain for at least 6 months), human oversight during operation, monitor AI system performance regularly, report serious incidents.

Importer: Verifies artifacts exist and are valid. Gatekeepers for non-EU providers.

Substantial modification of a system = becomes a provider and assumes all provider obligations.

Conformity Assessment

Most high-risk AI systems undergo internal self-assessment by the provider. Third-party conformity assessment is required only for specific categories, primarily biometric identification systems. A third-party bias audit is NOT a requirement under the EU AI Act - this is sometimes confused with NYC Local Law 144 which does require third-party bias audits for automated employment decision tools.

Responding to Jurisdictional Restrictions

When regulators restrict AI features in specific jurisdictions, the most robust technical approach is implementing feature flags that enable or disable specific AI features based on user location - maintaining the core product globally while complying with jurisdiction-specific restrictions.

GPAI & Systemic Risk

Tier 1 (all GPAI): Technical documentation + copyright compliance policy incl. text/data mining opt-outs.

Tier 2 (systemic risk): Training data summary, adversarial testing, cybersecurity, report incidents to EU AI Office, energy consumption reporting.

Systemic risk threshold: >10²⁵ FLOPs OR Commission designation. GPAI obligations are parallel to - not overlapping with - high-risk system obligations.

Penalties

Prohibited practices: €35M or 7% global turnover. Provider breaches (high-risk): €15M or 3%. Misleading info: €7.5M or 1%.

Seven Principles (Article 5)

Lawfulness/fairness/transparency · Purpose limitation · Data minimization · Accuracy · Storage limitation · Integrity & confidentiality · Accountability

Purpose Limitation - Most Tested GDPR Concept

Original consent for service delivery does NOT automatically cover AI model training. "Research and development" licenses may not cover commercial AI product development. Publicly available data does not come with blanket permission for any use. Voluntary sharing of data (especially in employment or insurance contexts where power imbalances exist) does not automatically constitute valid GDPR consent. "Research & development" licenses may not cover commercial AI. Publicly available data ≠ blanket permission. Voluntary sharing in employment/insurance contexts ≠ valid GDPR consent.

Controller vs Processor

Controller determines purposes and means. Processor acts on behalf of controller. Roles are activity-specific, not entity-specific - same company can be both. When a processor uses data for its own purposes, it becomes a controller for that processing.

International Data Transfers

GDPR does not require that processors be located in the same country as the controller. Controllers can engage processors in any jurisdiction provided appropriate safeguards are in place - such as Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules (BCRs) for international transfers.

Seven Principles (Article 5)

Lawfulness, fairness, and transparency - Purpose limitation - Data minimization - Accuracy - Storage limitation - Integrity and confidentiality - Accountability. Data minimization is particularly important for AI - it serves as a counterbalance to AI teams natural tendency to collect as much data as possible.

Special Category Data

Health data, genetic data, biometric data, racial/ethnic origin, political opinions, religious beliefs, trade union membership, and sexual orientation require explicit and specific legal basis under Article 9. General consent or legitimate interest is insufficient.

Data Access Requests and AI

The most challenging aspect of managing data access requests for AI systems is unstructured data intermingling - when an individual's data is tangled with other individuals' data across multiple unstructured sources (chatbot logs, social media scrapes, behavioral data). Extracting one person's complete data without exposing another person's data is the core practical challenge.

DPIA Triggers (2+ = generally required)

Profiling and prediction · Systematic/extensive evaluation · Sensitive data · Automated decision-making with significant effects · Large-scale processing · Combining datasets

Automated Decision-Making Transparency

Controllers must proactively disclose: (1) existence of ADM, (2) meaningful info about logic, (3) significance and envisaged consequences. This is distinct from Article 15 access rights (reactive, upon request).

Data Is the Root

Data attributes and variability are the most important factors for fairness. No amount of architectural sophistication can overcome fundamentally unfair training data.

What Counts as Bias

IS bias: Content of lower quality for a minority group · Stereotyped images of protected groups · Advertising that focuses on appearance over function for female audiences.

IS NOT bias: Directing ads to companies rather than individuals (business targeting decision) · Producing less content for a segment if determined by business scope, not demographics.

Prioritization Order

1. Discrimination against protected groups (fairness + legal compliance) → 2. Regulatory compliance gaps (transparency and explainability) → 3. Technical performance issues (robustness and reliability) → 4. Aggregate metrics (overall accuracy) — last. A model can be 95% accurate overall while systematically failing for specific populations. A fairness violation based on a protected characteristic always outranks a technical performance gap even if it affects more people numerically, because the legal, ethical, and regulatory consequences of discrimination are categorically more severe.

Bias Reduction by Lifecycle Phase

Planning/Design: Stakeholder involvement, feature selection, data collection planning — proactive measures that address bias before a model exists.

Operational: Human oversight, disparity testing, performance monitoring. Human oversight is a deployment/operational activity — NOT a planning and design activity.

Four Core Functions

Govern: Organizational foundation - policies, accountability structures, risk tolerance, culture. Cross-cutting, underpins all others. "How is our org set up for AI risk?"

Map: System-specific risk identification - context, risks, stakeholders for a specific AI system. "What are the risks of THIS system?"

Measure: Quantitative/qualitative risk assessment. "How severe are these risks?"

Manage: Respond, mitigate, monitor. "What do we do about them?"

Risk tolerance and risk appetite = Govern decisions (organizational), not Map (system-specific).

Seven Trustworthy AI Characteristics

Valid & Reliable · Safe · Secure & Resilient · Accountable & Transparent · Explainable & Interpretable · Privacy Enhanced · Fair with Bias Managed

ARIA Program

Assessing Risks and Impacts of AI - NIST's primary program to provide organizational resources for managing AI-specific risks. ARIA's main purpose is to provide organizational resources to manage risks - not to pilot standards, promote interoperability, or create regulatory sandboxes. ARIA ≠ Standard-setting (provides resources and guidance, not binding standards) · ARIA ≠ Interoperability initiative · ARIA ≠ Regulatory sandbox · ARIA ≠ Red-teaming program (red-teaming is one possible technique within AI risk assessment, not ARIA's main purpose).

Cross-Functional Teams and Accountability

The most important reason for requiring collaboration among cross-functional stakeholder teams during the AI development lifecycle is to establish accountability. Cross-functional teams create distributed ownership and clear responsibility assignment across domains — legal, technical, ethical, business, and operational. Without defined accountability, governance has no anchor point — no one owns the risk, the decision, or the outcome.

Other valid but secondary reasons (user-centric design, liability reduction) are consequences of accountability, not the primary purpose. Accountability also answers the "who is responsible when something goes wrong" question that regulators ask.

Defining Roles as Accountability Mechanism

Among the mechanisms that encourage organizational accountability over AI systems, defining the roles and responsibilities of AI stakeholders is the most direct. It assigns ownership, creates enforceable expectations, and makes accountability auditable. Accountability requires named owners — not just good processes.

Lifecycle Phases

Planning: Objectives, governance approach, operational context. Does NOT include architecture selection.

Design: Select architecture, choose algorithms, estimate risks, plan data approach, map data sources and identify fits and gaps. Architecture choice belongs here because it requires planning outputs as inputs - it is a technical decision, not a strategic one.

Data Preparation: Collect, clean, label, augment, de-duplicate.

Development: Build and train.

Testing & Validation: Evaluate performance, explainability, bias testing, TEVV.

Deployment: Launch; conformity assessment happens BEFORE deployment.

Monitoring: Disparity testing, drift detection, champion/challenger testing.

Data Subsets

Training = textbook (learns patterns) · Validation = practice quiz (prevents overfitting during dev) · Testing = the final exam the model has never seen (robust evaluation of the final model)

Model Maintenance

Accuracy deterioration → champion/challenger testing is the best first step - deploying an alternative model alongside the current one to compare performance in a controlled environment. This is both diagnostic and solution-oriented. Retraining addresses data drift, concept drift, hyperparameter tuning. Retraining does NOT fix interpretability - that requires architecture changes.

Documentation Purpose by Phase

Development = preserves design decisions · Post-testing = verifiable audit trail · Post-deployment = captures current state · Post-incident = demonstrates due diligence. The common thread is verifiability and traceability.

Post-Deployment Documentation

After deploying an AI model, essential documentation covers: the model's architecture (system design and structure), performance metrics (accuracy, fairness, reliability benchmarks), and updates (changes, modifications, retraining, or patches applied). Post-deployment documentation captures the model's current state and evolution — not its historical development inputs.

Ethical Red-Teaming

The primary purpose of ethical red-teaming is to simulate model risk scenarios — deliberately probing the AI system to discover harmful outputs, biased responses, and unintended behaviors. Red-teaming is broader than security testing — it covers ethical risks, bias, harmful content, and societal harms. It is about risk simulation and discovery, not accuracy improvement or legal compliance.

Functional Performance Monitoring

When monitoring a deployed model's functional performance, concerns include feature drift, model drift, and data loss — factors that directly affect how the model performs its task. System cost is an operational and business concern, not a functional performance concern.

Key PETs

Federated Learning: Multi-party training without sharing raw data. Each party shares only model updates (gradients/weights). Best for multi-institution collaboration.

Differential Privacy: Adds calibrated mathematical noise. Mathematical guarantee against membership inference attacks and training data reconstruction. Homomorphic encryption protects during computation but doesn't prevent output identification.

Homomorphic Encryption: Computation on encrypted data without decryption. Powerful but computationally expensive.

Data Anonymization: Removes PII. Difficult to achieve truly, especially for health data. Residual re-identification risk remains.

Synthetic Data: Artificially generated data that preserves the statistical properties and patterns of real data without containing actual personal information. Synthetic data is purpose-built from scratch — it was never real personal data, so it creates no residual re-identification risk. Best suited when: real data is insufficient for training, consent cannot be obtained at sufficient scale, or sensitive data cannot be used directly.

Core Principle

Accountability follows deployment, not development. Deploying a third-party AI system = accountable for outcomes regardless of who built it.

Policy Hierarchy (Operational Relevance)

1. Acceptable Use Policy (AUP) - defines what is permitted (most operationally relevant, review first) · 2. Privacy Policy - data handling · 3. Security Policy - access controls · 4. Code of Conduct - behavioral norms

The AUP comes first because it determines whether the intended use is even permissible. If AUP prohibits a use, privacy/security policies are irrelevant.

Procurement Governance

"Trust us, it's audited" is never sufficient. Review terms of use and license agreements before using external data - most important first step. Finance and Legal are the most critical additional procurement stakeholders.

IP indemnification = standard contractual mechanism for IP protection. Creates vendor obligation to defend against third-party IP claims.

Deployer Responsibilities

Deployers are responsible for: ethical testing (outputs for fairness), technical performance, regulatory compliance. NOT responsible for: ethical design (provider's domain), system documentation (provider's obligation).

Responsible AI Training Strategy

In large organizations, responsible AI training is role-differentiated and governance-mode calibrated — not uniform. Effective approaches include: ethics training proportional to the organization's responsible AI culture; role-specific training calibrated to whether governance is centralized, federated, or decentralized; and customer/user education about AI capabilities and limitations.

What is NOT a governance training approach: Providing all technical employees with full AI development education so they can retool and participate in development. This is a workforce development initiative — valuable for talent strategy but outside the scope of AI governance training.

Key Principles

AI cannot bear legal responsibility - liability flows to humans and organizations. Fair use for AI training is unsettled law, not a guaranteed defense. The entity that commercially benefits from AI-generated output bears responsibility for it.

Copyright for AI-Generated Content

Purely AI-generated content is generally NOT eligible for copyright protection in the US - human authorship required. However, when a human takes AI output and modifies it with sufficient creative expression, the resulting work may qualify. Key test: demonstrating human creative input. Prompts alone are generally insufficient to establish authorship.

Model Disgorgement

When a model was trained on improperly obtained data, disgorgement removes the effects of that data. Simply deleting the original data is insufficient - the model retains learned patterns. May require full model destruction + retraining, machine unlearning, or partial retraining from a checkpoint.

Open Source

Open-source licensing does NOT exempt high-risk AI systems from the EU AI Act. Risk profile determines regulatory treatment, not the licensing model.

OECD AI Principles

Self-regulation model - voluntary, not legally binding. Balances AI innovation with ethical considerations. Five principles: inclusive growth & sustainable development · human-centered values & fairness · transparency & explainability · robustness & security & safety · accountability.

OECD Assessment Tool Types: Procedural (codes of conduct, governance committees) · Technical (auditing software, bias tools) · Educational (training programs, guidelines) · Analytical (risk assessments, impact assessments). Codes of conduct = procedural, not technical.

US Regulatory Approach

Sectoral approach, not comprehensive legislation. Key laws: anti-discrimination (Title VII, ECOA, ADA, ADEA) · privacy (CCPA/CPRA) · consumer protection (FTC Act) · NYC Local Law 144 for AI hiring tools. Product liability applies to vendors/manufacturers - NOT deployers of third-party AI.

Canadian AIDA

Minister of Innovation must be notified when a high-impact AI system causes or is likely to cause material harm. Notification trigger is harm-based, not deployment-based.

Framework Comparison

EU AI Act: prescriptive, risk-based classification, legally binding · NIST AI RMF: structured methodology, voluntary · OECD: principles-based, balance-oriented, voluntary · IEEE 7000-21: system design methodology, voluntary · HUDERIA: Human rights, democracy, rule of law - impact assessment tool.

OECD AI Assessment Tool Taxonomy

Procedural tools — Organizational processes, governance mechanisms, behavioral commitments. Examples: codes of conduct, collective agreements, governance committees, ethics review boards.

Technical tools — Technology-based instruments. Examples: algorithmic auditing software, bias detection tools, privacy-enhancing technologies, monitoring systems.

Educational tools — Resources that build knowledge and capacity. Examples: training programs, guidelines, awareness campaigns.

Analytical tools — Methods for systematic evaluation. Examples: risk assessments, impact assessments, cost-benefit analyses.

US Liability Landscape for AI Deployers

Organizations that deploy (but do not develop) AI systems face liability under anti-discrimination laws (Title VII, ECOA, ADA, ADEA), privacy laws (CCPA), and accessibility laws — but NOT product liability law. Product liability applies to manufacturers and vendors who place products in the stream of commerce, not to deployers who use third-party systems.

The exam signal: When a question asks about deployer liability for using a third-party AI tool, product liability is the correct EXCEPT answer.

When to Use What

RAG (Retrieval-Augmented Generation): Combines LLM conversational capability with retrieval from external knowledge bases. The retrieval component accesses current data; the generation component produces natural language responses grounded in that data. Best suited for non-regulated, non-deterministic contexts with frequently changing information.

Expert Systems: Regulated, rule-based decisions requiring accuracy, consistency, explainability, auditability (financial offers, insurance quotes, compliance decisions). Frequently changing data does NOT automatically mean RAG - if rules are structured, expert system with updated rule base is better.

Classic ML models: When customization and vendor lock-in avoidance is the priority.

Content Responsibility

Organizations using generative AI to produce content are responsible for that content. Using AI as a tool doesn't transfer professional responsibility to the tool.

Generative AI in Education

When teachers use generative AI for educational content, model accuracy is the highest concern. LLMs can hallucinate - generating plausible but incorrect information that students absorb as fact. When evaluating AI risks for specific stakeholders, match the risk to the stakeholder's core responsibility - a teacher's primary responsibility is student learning, making accuracy paramount.

Deepfakes Risk

Most significant risk = downstream harms (disinformation, non-consensual deepfakes, erosion of media trust, societal destabilization). Downstream harms is the broadest concept, outweighing narrower risks like copyright infringement.

Paid vs Free GenAI

Paid tools: convenient, extra privacy/security controls, frequent updates. Do NOT provide transparency into model decision-making. Do NOT eliminate data concerns.

Defining an AI Model

An AI model is a program that has been trained on a set of data to find patterns within that data, which it then applies to generate predictions, classifications, or decisions. The two defining elements are: (1) training on data, and (2) pattern recognition applied to new inputs.

Three-way distinction: Rule-based system = applies human-defined rules, explicitly programmed, never trained. AI model = program trained on data to find patterns, trained not programmed. AI system = broader ecosystem: model + data + infrastructure + processes.

Why distractors fail: "A system that applies defined rules" = rule-based system, NOT an AI model. "A system of controls to govern an AI algorithm" = governance framework, not the model. "A corpus of data which an AI algorithm analyzes" = the training dataset, not the model itself.

Critical Definitions

Machine Learning: Systems automatically improve from experience through predictive patterns. Key signal on exam: "automatically improve from experience" — statistics infers, data mining discovers, AI mimics, only ML automatically improves.

Inference: Process of using a trained model on new data. A process, not a model type.

Cognitive learning: NOT a recognized type of ML — it is a term from human psychology, not a ML methodology.

Taxonomy: XAI vs Trustworthy AI vs Responsible AI

Explainable AI (XAI): Processes and methods allowing human users to understand and trust AI outputs. When question asks about "making AI outputs understandable to humans" → answer is XAI. XAI focuses on outputs and their interpretability to users and decision-makers.

Interpretable AI: Degree to which the internal mechanics of an AI model can be understood. Narrower and technically-facing vs XAI which is user-facing.

Trustworthy AI: Full set of properties - valid, reliable, safe, secure, explainable, fair, privacy-preserving. Broader than XAI. NIST's seven trustworthy AI characteristics define this concept.

Responsible AI: Organizational commitment and culture. Broader than both. Aspirational framework for practice, not a specific technical property.

Narrow vs Strong AI

Narrow AI (Weak AI): AI designed to perform a specific well-defined task. It can excel within its domain but has no capability, reasoning, or awareness beyond the task it was built for. The vast majority of current AI — self-driving vehicles, image recognition, language models, medical diagnosis tools, recommendation engines — is narrow AI.

Strong AI / AGI: AI that possesses full generalized human cognitive abilities across all domains. Would independently reason, learn, adapt, and apply intelligence across any domain without specific training for each task. AGI does not exist in any commercially deployed system.

Learning Types

Supervised learning uses labeled training data with predefined categories. The model learns to map inputs to known outputs. Used for classification and regression.

Unsupervised learning uses no labels. The model discovers hidden patterns and structures independently. Used for clustering and dimensionality reduction.

Small Language Models (SLMs) are designed for efficiency, agility, and lower-resource settings - the opposite of large, resource-intensive models.

Model Taxonomy

Discriminative: Classifies existing data (random forests, SVMs, logistic regression) → classifies inputs → discriminative.

Generative: Creates new data (GANs, VAEs, LLMs, diffusion models) → LLMs generate text → generative.

Symbolic: Explicit logic and rules (expert systems, knowledge graphs). NLP is a domain of application, not a model type.

System Properties

Robust = withstands adversarial conditions ("despite") · Reliable = consistent under normal conditions · Resilient = recovers after disruption · Brittle = opposite of robust

AI-Unique Characteristics

Unique to AI: Autonomy, Adaptability. NOT unique: Automation (decades old), Speed & scale (all modern computing - it's a risk amplifier).

What Impact Assessments Evaluate

Impact assessments are fundamentally people-centered. They evaluate:

• Fundamental rights (dignity, non-discrimination, privacy, freedom of expression)
• Data protection (lawful processing, purpose limitation, data minimization)
• Safety (physical, psychological, societal harm prevention)

What They Do NOT Focus On

Organizational risk categories (third-party risk, model risk, legal risk) · Technical components (datasets, behavior, tooling) · Model quality metrics (toxicity, accuracy, development).

FRIA (Fundamental Rights Impact Assessment)

A deployer obligation - only for public bodies or private entities providing public services (banks, schools, hospitals, insurers). Must be conducted before putting high-risk AI into use.

Opt-Out Rights: What Factors Matter

When assessing whether users should be given the right to opt out of an AI system: Risk to users - the primary driver; high risk strengthens the case for opt-out. Feasibility - whether opt-out mechanisms can practically be implemented. Cost of alternative mechanisms - whether viable alternatives exist.

The least relevant factor is industry practice. What other companies do is not a principled basis for determining user rights. Rights are grounded in risk, feasibility, and availability of alternatives - not in what the market has normalized. Industry practice that ignores user rights is not a justification for doing the same. · Feasibility of opt-out mechanisms · Cost of alternative mechanisms. Industry practice = least relevant factor for rights decisions.