AI Act

AAIR: Advanced in AI Risk

The ISACA advanced credential for risk managers building an AI risk programme. AI risk assessment, risk treatment, AI risk governance. Three-day intensive, CRISC recommended as foundation.

ISACAExpert3 daysLiveSelf-pacedIn-house
  • Practitioner-led, taught by a working CISO
  • Exam & certificate included
  • Re-sit covered if needed

Right fit if you are.

  • IT risk managers expanding portfolio to AI.
  • CROs and deputy CROs adding AI to the enterprise risk taxonomy.
  • GRC managers building the AI risk workstream.
  • Compliance officers in regulated industries quantifying AI exposure for board sign-off.

NOT for. When to skip it.

We'd rather you keep your money than buy the wrong path.

  • Practitioners with no risk management background. CRISC or ISO 31000 Lead Risk Manager first.
  • AI engineers wanting to learn risk. AAIR assumes risk-practitioner fluency.
  • Junior risk analysts under two years of experience.

What you'll be able to do

  • 1Integrate AI risk into the enterprise risk-management framework alongside cyber, operational and strategic risk.
  • 2Assess AI risk across the model lifecycle (intake, design, deployment, monitoring, retirement) using AIMS-aligned methodology.
  • 3Quantify AI-specific risks (bias, hallucination, model drift, regulatory exposure under the AI Act) for board reporting.
  • 4Design AI risk treatment options balancing innovation velocity against regulatory and reputational exposure.
  • 5Build AI risk monitoring and reporting telemetry for ongoing oversight.

Upcoming public sessions

Open-enrolment cohorts. Pick a date and book your seat. Want a private cohort for your team instead? Request an in-house quote.

No confirmed live cohort right now. You can still:

Buyers always ask

Is CRISC required to take AAIR?+

CRISC is strongly recommended. The AAIR curriculum assumes risk-management fluency (risk identification, assessment methodology, treatment options, monitoring). Without that foundation, the methodology discussions are uphill.

Equivalents accepted: ISO 31000 Lead Risk Manager, ISO/IEC 27005 Lead Risk Manager, or three years operating an enterprise risk programme. Cyber Academy assesses prerequisites case-by-case.

How does AAIR differ from ISO 23894 (AI risk management)?+

ISO/IEC 23894 is the international standard for AI risk management, published in 2023, aligned with ISO 31000. AAIR (ISACA) is a personal credential that draws on ISO 23894 alongside the AI Act, NIST AI RMF and ISACA risk standards. Many practitioners working in the AI risk space will reference ISO 23894 as the methodology; AAIR is the credential that attests they apply it competently.

What AI risks does AAIR specifically cover?+

Regulatory exposure under the AI Act (classification, conformity assessment, transparency obligations). Model risk (bias, fairness, hallucination, model drift). Data risk (training-data quality, lineage, consent under GDPR). Operational risk (model downtime, fallback handling, human-in-the-loop design). Reputational risk (visible AI failures, public sector deployments, vulnerable populations). Third-party AI risk (foundation-model dependency, vendor lock-in, supply-chain attacks).

How long is the AAIR exam?+

Three hours, scenario-based plus multiple-choice. Computer-based at a PSI testing centre. Same scoring scale as other ISACA credentials (200 to 800, 450 to pass).

Ready to get certified?

Taught by a practicing CISO. Prices shown up front. Certified or refunded.