A security analyst notices that regardless of user-submitted prompts, an AI model always returns unsanitized responses. These responses are then passed to multiple plug-ins. The analyst is concerned with the potential security implications.
Which of the following Open Worldwide Application Security Project (OWASP) categories addresses this vulnerability?
Misinformation
Prompt injection
Unbounded consumption
Improper output handling
Basic Concept: OWASP has published the Top 10 vulnerabilities for Large Language Model Applications, each addressing a distinct category of LLM security risk. Understanding which OWASP category maps to specific LLM vulnerability scenarios is a key competency in the CompTIA SecAI+ Study Guide under securing AI systems.
Why D is Correct: Improper output handling (OWASP LLM02) occurs when an application passes LLM-generated outputs to downstream systems such as plug-ins, web browsers, or databases without proper validation, sanitization, or encoding. This can enable XSS, SQL injection, remote code execution, or other injection attacks against plug-ins and downstream systems. The scenario exactly matches this: unsanitized AI responses are automatically passed to multiple plug-ins, which could execute malicious content in the model's output.
Why A is Wrong: Misinformation refers to the AI generating false or misleading content that users might believe. It is a content accuracy concern related to hallucinations and false information propagation, not a vulnerability describing how model outputs are handled by downstream systems.
Why B is Wrong: Prompt injection involves crafting inputs to manipulate model behavior and override instructions. While it can be a contributing cause of unsafe outputs, the vulnerability described — passing unsanitized outputs to plug-ins — is specifically the output handling failure, not the injection mechanism itself.
Why C is Wrong: Unbounded consumption (OWASP LLM10) refers to resource exhaustion attacks including denial-of-wallet and denial-of-service through excessive token consumption. It addresses resource management vulnerabilities, not the security implications of passing model outputs to downstream systems.
A security analyst needs to conduct a security assessment of the output from an AI-enabled development tool.
Which of the following should the analyst do first?
Remove hard-coded secrets from the source code.
Enforce strict access controls for code repositories.
Enable sensitive data discovery on code repositories.
Perform a source code review.
Basic Concept: Security assessment of AI-generated code requires a systematic review of the code itself to understand what has been generated and identify potential vulnerabilities before remediation steps are taken. Security assessments follow a structured methodology beginning with understanding the current state. CompTIA SecAI+ Study Guide covers AI-generated code security assessment under AI-assisted security.
Why D is Correct: Performing a source code review is the first and most fundamental step in assessing AI-generated code security. Before removing secrets, enforcing access controls, or scanning for sensitive data, the analyst must understand what the AI tool has generated by reviewing the code for security vulnerabilities, insecure patterns, logic flaws, and policy violations. The review provides the baseline knowledge needed to prioritize and direct all subsequent remediation actions.
Why A is Wrong: Removing hard-coded secrets is a specific remediation action for a specific finding. This step should come after the source code review has identified the presence and location of hard-coded secrets, not before the initial assessment reveals whether they exist.
Why B is Wrong: Enforcing access controls for code repositories is a security hardening measure for the repository infrastructure. It protects access to existing code but does not constitute an assessment of what the AI tool has generated from a security standpoint.
Why C is Wrong: Enabling sensitive data discovery scans repositories for PII and sensitive information patterns. While valuable as part of the assessment, it is a specific automated scanning tool best used after or alongside a manual code review that provides contextual understanding of the codebase.
A SOC team has an AI agent that performs web searches and calls to the SOAR solution. The team is concerned about enterprise uptime and case resolution time.
Which of the following is the most appropriate use of the AI agent?
To analyze and contain offending users or hosts using SOAR playbooks
To perform research using open-source intelligence to enrich the alerts
To aggregate SOC metrics and generate reports for the leadership team
To create tabletop exercises so the team can increase its incident response speed
Basic Concept: AI agents in SOC environments can automate repetitive, rules-based response actions that previously required human intervention. When the primary concerns are enterprise uptime and case resolution time, the AI agent's ability to autonomously execute containment actions through SOAR is the most impactful application. CompTIA SecAI+ Study Guide covers AI agent use cases in security operations.
Why A is Correct: Using the AI agent to analyze incidents and execute containment actions through SOAR playbooks directly addresses both uptime and resolution time concerns. The agent can immediately analyze alert details, determine the appropriate playbook, and execute containment actions such as isolating compromised hosts or disabling compromised accounts autonomously, without waiting for human intervention. This dramatically reduces mean time to contain threats, improving both uptime and resolution speed.
Why B is Wrong: Enriching alerts with open-source intelligence improves analyst context but is a preparatory step rather than a response action. While valuable, it does not directly reduce resolution time by taking containment actions to stop ongoing threats.
Why C is Wrong: Aggregating metrics and generating leadership reports is an administrative function that consumes agent capacity for non-operational purposes. It improves visibility but does not directly improve uptime or case resolution time for active incidents.
Why D is Wrong: Creating tabletop exercises improves team preparedness over time through training scenarios. While beneficial for long-term capability development, it does not directly address the immediate concerns of enterprise uptime and active case resolution time.
A security alert triggers an agentic system. An analyst notices the following payload in the logs. The alert includes multiple shell commands that are not typically run as part of any hardening:

Which of the following is the most effective control to implement?
Adding logic that includes approved strings before running the shell commands
Deprecating model usage and retraining the model with safer parameters
Modifying the application to ignore the SECURITY_UPDATE tag
Using only approved libraries when interacting with agentic systems
Basic Concept: Agentic AI systems that execute shell commands based on model-generated output are vulnerable to prompt injection attacks where malicious actors craft inputs that cause the agent to run unauthorized commands. Input validation using allowlists is a critical defense mechanism. CompTIA SecAI+ Study Guide covers agentic AI security controls.
Why A is Correct: Adding logic that validates shell commands against an approved allowlist before execution is the most direct and effective defense. This ensures only pre-approved, safe commands can be executed regardless of what the agentic system's model generates, preventing malicious command injection from reaching the operating system. This principle of allowlist-based input validation is a foundational secure agentic AI control.
Why B is Wrong: Deprecating and retraining the model is a lengthy process that addresses root cause training issues but does not provide immediate protection against ongoing injection attacks in the current deployed system.
Why C is Wrong: Modifying the application to ignore a specific tag merely removes one attack surface while leaving the system vulnerable to other injection vectors. It is not a comprehensive defense.
Why D is Wrong: Using only approved libraries controls which code libraries the agentic system can call, but does not validate or restrict the shell commands generated by the model at runtime based on arbitrary user input.
Which of the following is the primary security risk when deploying AI models in production?
Graphics processing unit (GPU) acceleration
Model overfitting
Model encryption
Data exposure
Basic Concept: When AI models are deployed in production, they interact with real data including sensitive business information, personal data, and confidential records. The intersection of AI capabilities and sensitive data creates significant security risks. CompTIA SecAI+ Exam Objectives identify data exposure as the primary production security risk for AI deployments.
Why D is Correct: Data exposure is the primary security risk in production AI deployments. AI models in production process sensitive data through queries and responses, and vulnerabilities such as prompt injection, model inversion attacks, insecure output handling, and misconfigured access controls can expose confidential training data, user PII, proprietary information, or system credentials. The consequences include regulatory violations, legal liability, and reputational damage, making data exposure the most critical ongoing security concern.
Why A is Wrong: GPU acceleration is a performance optimization technique that uses graphics processors for faster AI computation. While hardware security is important, GPU acceleration itself is not a security risk — it is a performance feature that does not inherently expose data.
Why B is Wrong: Model overfitting is a model quality issue where a model performs poorly on new data after memorizing training data too specifically. While it can indirectly contribute to data memorization, it is primarily a performance and generalization concern during development rather than a primary production security risk.
Why C is Wrong: Model encryption is a security control used to protect AI model weights from unauthorized access, not a risk itself. Framing a protection mechanism as a primary risk conflates controls with threats.
A human resources officer is using AI to evaluate resumes and help select candidates that meet minimum criteria. To improve the results, the human resources officer adjusts the query parameters and includes an example resume that matches a successful candidate.
Which of the following best describes this query?
Distillation
Prompt template
One-shot prompting
System role
Basic Concept: Prompting techniques determine how effectively an LLM is guided to produce desired outputs. Providing a single example within a prompt is a well-established technique known as one-shot prompting, which leverages in-context learning. CompTIA SecAI+ Study Guide covers prompting strategies under basic AI concepts.
Why C is Correct: One-shot prompting involves providing exactly one example of the desired input-output format within the prompt to guide the model's responses. In this scenario, the HR officer includes one example resume matching a successful candidate to show the model what a qualifying candidate looks like. This single example instructs the model on the evaluation criteria through demonstration rather than explicit description.
Why A is Wrong: Distillation is a model training technique where a smaller student model is trained to replicate the behavior of a larger teacher model. It is a model compression methodology, not a prompting technique used at query time.
Why B is Wrong: A prompt template is a reusable, structured format for prompts with placeholders that can be filled in for different queries. While templates may incorporate examples, the term specifically describes the structural framework, not the act of providing a single example.
Why D is Wrong: A system role defines the AI model's persona, context, and behavioral guidelines at the system level before user interaction begins. It sets the model's overall behavior, not a specific technique of providing examples within queries.
A short AI-generated video shows a celebrity's likeness talking about a fake public security event.
Which of the following was used to create this video?
Statistical analysis
Convolutional neural network
Machine learning (ML) classifier
Random forest
Basic Concept: Creating realistic deepfake videos that convincingly replicate a real person's facial expressions, movements, and voice requires deep learning models capable of learning and synthesizing complex spatial and temporal features from existing video data. CompTIA SecAI+ covers deepfake technologies under basic AI concepts.
Why B is Correct: Convolutional Neural Networks are foundational to deepfake video generation. CNNs excel at learning spatial features from visual data and are used within deepfake architectures to analyze source and target faces, extract facial features, and synthesize realistic face swaps or face animations. Modern deepfake systems typically combine CNNs with autoencoders and GANs to generate convincing video content showing a person saying or doing things they never did.
Why A is Wrong: Statistical analysis involves mathematical methods for analyzing data distributions and relationships. It does not have the capability to generate synthetic video content or replicate a person's visual likeness in motion.
Why C is Wrong: An ML classifier assigns input data to predefined categories. Classification models detect and label content rather than generating new synthetic video content of a person's likeness. They are detection tools, not generation tools.
Why D is Wrong: Random forest is an ensemble ML method using multiple decision trees for classification and regression tasks. It works on structured, tabular data and cannot process or generate visual, spatial data needed for realistic deepfake video synthesis.
A company deploys an internet-facing chatbot using RAG. Logs show that an administrator can retrieve employee names and usernames while an employee receives 'information not available.' Which of the following is reducing the risk of sensitive data exposure in this scenario?
Data access controls
Model-specific guardrails
Rate limiting
Prompt templates
Basic Concept: RAG-based AI systems retrieve information from knowledge bases to augment their responses. The differential access to sensitive employee data based on user role demonstrates that role-based data access controls are functioning correctly, restricting what data different users can retrieve through the AI interface. CompTIA SecAI+ Study Guide covers data access controls as the primary mechanism for preventing sensitive data exposure in RAG systems.
Why A is Correct: Data access controls define what information each user role is permitted to retrieve from the knowledge base. In this scenario, administrator-level users can access employee directory information while employee-level users cannot. The RAG system enforces these permissions when retrieving data for the AI's responses, preventing unauthorized users from accessing sensitive employee data through the chatbot interface regardless of how they phrase their queries.
Why B is Wrong: Model-specific guardrails filter responses based on content policies. While they can prevent certain categories of sensitive information from being disclosed, the scenario specifically shows differential access based on user role, which is the characteristic of access control enforcement, not content-based guardrail filtering.
Why C is Wrong: Rate limiting restricts request frequency. It does not differentiate what data different users can access; it only controls how often they can make requests. Both the administrator and employee could be subject to the same rate limit while still receiving different data based on their access controls.
Why D is Wrong: Prompt templates standardize how queries are structured. They do not implement user role-based data access restrictions or prevent specific user types from accessing sensitive information in the underlying knowledge base.
Customer feedback for an AI chatbot has a high rate of non-answers, which is causing higher central processing unit (CPU) utilization.
Which of the following should be implemented?
Guardrails
Response confidence level
Prompt logging
Cost monitoring
Basic Concept: AI chatbots that generate non-answers — responses that do not actually address user questions — consume CPU resources for processing without delivering value. This can indicate the model is attempting to generate responses for queries outside its knowledge domain or confidence threshold. CompTIA SecAI+ Study Guide covers AI performance optimization and response quality management.
Why B is Correct: Implementing a response confidence level threshold allows the chatbot to recognize when it lacks sufficient confidence to provide a meaningful answer and respond accordingly, either with a helpful redirect or a clear indication that it cannot answer the query. This reduces the costly processing cycles spent generating poor-quality non-answers, lowers CPU utilization from failed response generation, and improves customer experience by setting appropriate expectations rather than returning unhelpful responses.
Why A is Wrong: Guardrails filter content for safety and policy compliance. They prevent harmful or out-of-policy responses but do not address the underlying issue of the model generating low-confidence non-answers to legitimate customer queries.
Why C is Wrong: Prompt logging records user inputs for analysis and auditing. While useful for identifying what types of questions cause non-answers, logging alone does not solve the problem or reduce CPU utilization from failed response generation.
Why D is Wrong: Cost monitoring tracks AI system expenditure. It can identify that costs are high due to excessive CPU usage but does not implement a solution to reduce the non-answer rate or improve response generation efficiency.
A security administrator sees suspicious queries on AI logs.
Which of the following should the administrator implement to address this issue?
Prompt firewalls
Data size
Rate limit
Agentic AI
Basic Concept: Suspicious queries in AI system logs indicate that potentially malicious or policy-violating prompts are reaching the AI model. Proactively intercepting and filtering suspicious prompts before they are processed requires a prompt-level security control. CompTIA SecAI+ Study Guide identifies prompt firewalls as the appropriate control for blocking suspicious AI queries.
Why A is Correct: A prompt firewall analyzes incoming queries using a combination of pattern matching, semantic analysis, and policy rules to identify and block suspicious prompts before they reach the AI model. It can detect prompt injection attempts, jailbreaking patterns, sensitive data extraction queries, and other suspicious prompt characteristics. By intercepting malicious prompts at the perimeter, it prevents them from influencing model behavior or extracting sensitive information.
Why B is Wrong: Data size controls limit the volume or size of data in requests. While controlling input size can prevent some attacks, it does not analyze the content or semantics of queries to detect suspicious patterns. A small suspicious prompt can be just as harmful as a large one.
Why C is Wrong: Rate limiting controls the frequency of requests from a source. While it can slow down automated attack campaigns, it does not inspect query content for suspicious patterns and allows suspicious queries through as long as they are submitted below the rate threshold.
Why D is Wrong: Agentic AI is an AI architecture for autonomous multi-step task execution. It is a type of AI system, not a security control for filtering suspicious queries from an existing AI system's logs.
A security administrator wants to prevent prompt injection attacks and ensure responses have sanitized output.
Which of the following provides a primary compensating control for these requirements?
Least privilege
Encryption
A large language model (LLM) firewall
Rate limiting
Basic Concept: Preventing prompt injection and ensuring output sanitization requires a control that can inspect both the semantic content of incoming prompts and the safety of outgoing responses. This requires an intelligent, context-aware filtering layer specifically designed for LLM traffic. CompTIA SecAI+ Study Guide identifies LLM firewalls as a primary control for prompt security and output safety.
Why C is Correct: An LLM firewall is specifically designed to inspect, filter, and sanitize both incoming prompts and outgoing AI responses. It can detect and block prompt injection attempts using pattern matching, semantic analysis, and behavioral heuristics, while also sanitizing output to remove sensitive data, harmful content, or policy violations before responses reach users. This dual capability makes it the primary control addressing both requirements simultaneously.
Why A is Wrong: Least privilege restricts what resources and actions users and systems can access. It reduces the potential impact of successful attacks but does not inspect prompt content for injection attempts or sanitize model outputs.
Why B is Wrong: Encryption protects data confidentiality in transit and at rest. It does not analyze prompt content for malicious patterns or filter AI-generated responses for unsafe content. Encrypted traffic can still carry prompt injection attacks.
Why D is Wrong: Rate limiting controls request frequency. While it can slow down automated injection attack campaigns, it does not inspect the content of individual prompts to detect injections, nor does it sanitize output responses. Malicious prompts can still succeed within rate limits.
An airline corporation wants to implement a chatbot application using a large language model (LLM) so its customers can ask questions and receive answers about flight details and have the option to upload files.
Which of the following security controls should the airline use to protect against malicious input and unauthorized use beyond the service-level agreement? (Choose two.)
Prompt guardrails
Role-based access controls
Firewall rules
Model token quotas
Basic Concept: LLM-based chatbots accepting user-uploaded files face two critical risk categories: malicious input injection and resource or cost abuse. CompTIA SecAI+ Study Guide highlights prompt security controls and resource management as key defensive layers for public-facing LLM applications.
Why A is Correct: Prompt guardrails intercept and filter user inputs and model outputs, blocking malicious prompts, prompt injection attempts, and harmful file content before affecting model behavior. Since users can upload files, guardrails are essential for sanitizing and validating that content before processing.
Why D is Correct: Model token quotas directly limit how much of the LLM's processing capacity a user can consume. This prevents abuse beyond the SLA, including denial-of-wallet attacks or resource exhaustion through excessively large inputs or repeated requests.
Why B is Wrong: Role-based access controls manage who can access what resources. While useful for internal systems, they do not address malicious input content or enforce LLM resource consumption limits for a public-facing chatbot.
Why C is Wrong: Firewall rules operate at the network layer and can block unauthorized IPs or ports but cannot inspect or filter the semantic content of prompts or control token-level LLM usage.
A line of business wants to onboard an application that uses a custom AI model for employee assessments. The Chief Information Officer (CIO) agrees to allow the engagement to proceed but first wants a threat model.
Which of the following is the most appropriate to use for an AI threat model?
Responsible AI
Adversarial Threat Landscape for AI Systems (ATLAS)
Organization for Economic Co-operation and Development (OECD)
International Organization for Standardization (ISO)
Basic Concept: Threat modeling for AI systems requires a framework specifically designed to address AI-specific attack techniques, tactics, and procedures. General cybersecurity or governance frameworks do not capture the unique adversarial attack surface of AI and ML systems. CompTIA SecAI+ Exam Objectives identify MITRE ATLAS as the primary AI threat modeling resource.
Why B is Correct: MITRE ATLAS (Adversarial Threat Landscape for AI Systems) is specifically designed as an AI and ML threat modeling framework. It catalogs real-world adversarial tactics, techniques, and procedures targeting AI systems, enabling security architects to identify and assess threats unique to ML models such as data poisoning, model extraction, and evasion attacks. It is the industry standard for AI-specific threat modeling.
Why A is Wrong: Responsible AI is a set of ethical principles and governance guidelines for developing and deploying AI systems fairly and safely. It addresses ethics and fairness, not technical adversarial threat modeling.
Why C is Wrong: The OECD provides non-binding policy recommendations and principles for AI governance at an international level. It does not provide technical threat modeling taxonomies or AI-specific attack catalogs.
Why D is Wrong: ISO standards such as ISO 42001 establish management system requirements for AI governance. They are compliance and management frameworks, not threat modeling tools for identifying adversarial AI attack vectors.
A company uses human review for software development validation and wants to add another validation layer.
Which of the following should a security administrator use to accomplish this task?
AI-assisted approval
Low-code plug-in
Automated rollback
Regression testing
Basic Concept: Adding validation layers to software development processes improves security assurance by catching issues that human reviewers might miss. AI-assisted validation provides an automated, systematic review that complements human judgment. CompTIA SecAI+ Study Guide covers AI-assisted development security controls.
Why A is Correct: AI-assisted approval adds an intelligent automated review layer that works alongside existing human review. AI can systematically analyze code for security vulnerabilities, coding standard violations, dependency risks, and policy compliance with greater consistency and speed than manual review. This creates a defense-in-depth validation approach where both AI and human reviewers must approve changes, catching issues that either layer might miss independently.
Why B is Wrong: A low-code plug-in provides simplified visual development tools that reduce the amount of manual code writing required. It is a development productivity tool, not a security validation layer for reviewing already-written code.
Why C is Wrong: Automated rollback is a deployment safety mechanism that reverts a deployment to the previous version when errors are detected after deployment. It is a recovery control, not a validation layer applied during the development review process.
Why D is Wrong: Regression testing verifies that new code changes have not broken existing functionality. It tests functional correctness, not security vulnerabilities, and does not add an AI-powered security validation capability to the existing human review process.
A cybersecurity administrator needs a security mechanism that can validate input.
Which of the following controls should the administrator use?
Prompt firewall
Rate limits
Token limits
Input quantity
Basic Concept: Input validation is a fundamental security principle that checks incoming data against expected criteria before processing it. For AI systems, this requires a mechanism capable of inspecting the semantic content and structure of inputs — not just their volume or format. CompTIA SecAI+ Study Guide identifies prompt firewalls as the primary input validation control for AI systems.
Why A is Correct: A prompt firewall validates incoming inputs by inspecting their content against security policies, detecting malicious patterns such as injection strings or jailbreaking attempts, enforcing structural rules, and blocking non-compliant inputs before they reach the AI model. Unlike network firewalls that operate on packet headers, a prompt firewall understands the semantic content of AI prompts, making it the appropriate input validation mechanism for AI systems.
Why B is Wrong: Rate limits control how frequently inputs are submitted, not what those inputs contain. A malicious prompt submitted within rate limits will not be detected or blocked — rate limiting does not validate the content or intent of individual inputs.
Why C is Wrong: Token limits cap the maximum length of inputs and outputs in terms of tokens. While this can prevent excessively long inputs from being processed, it does not inspect input content for malicious patterns or validate that inputs conform to policy requirements.
Why D is Wrong: Input quantity is a generic term that might refer to limiting the number or size of inputs. Like token limits and rate limits, quantity controls do not validate the content of inputs for security compliance or detect malicious prompt patterns.
Which of the following is the most impactful security risk associated with the use of a generative AI chatbot?
Overly permissive access
Data leakage
Weak encryption
Model validation
Basic Concept: Generative AI chatbots interact with users in natural language and may access organizational knowledge bases, databases, or prior conversations. The conversational nature of these systems creates unique risks around sensitive information disclosure. CompTIA SecAI+ Study Guide ranks data leakage as the primary security concern for generative AI chatbots.
Why B is Correct: Data leakage occurs when a generative AI chatbot inadvertently reveals sensitive information including PII, confidential business data, intellectual property, training data, or system configurations in its responses. This can happen through prompt injection attacks, insufficient output filtering, or the model memorizing and reproducing sensitive training data. The impact is immediate, potentially irreversible, and can result in regulatory violations, competitive disadvantage, and reputational damage.
Why A is Wrong: Overly permissive access is a contributing factor that can exacerbate data leakage but is an access control design issue rather than the most directly impactful runtime risk of operating a generative AI chatbot.
Why C is Wrong: Weak encryption is a data protection concern for data in transit or at rest. While important, it is a configuration issue separate from the generative AI chatbot's core operational risks and is not specific to chatbot technology.
Why D is Wrong: Model validation ensures a model performs as expected before deployment. While important for quality assurance, it is a development lifecycle activity rather than an ongoing operational security risk associated with running a chatbot.
A security analyst is preparing a presentation for the sales team that describes the most common vulnerabilities that are specific to AI applications.
Which of the following is the best source for the analyst to consult?
International Organization for Standardization (ISO) 27001
Common Weakness Enumeration (CWE)
Open Worldwide Application Security Project (OWASP)
National Institute of Technologies Risk Management Framework (NIST-RMF)
Basic Concept: Identifying AI-specific application vulnerabilities requires consulting a resource that has cataloged and documented the unique vulnerability types that affect AI systems, particularly LLMs. Different security standards serve different purposes, and selecting the right reference for AI application vulnerabilities is essential. CompTIA SecAI+ Study Guide references OWASP for AI application vulnerability guidance.
Why C is Correct: OWASP maintains the OWASP Top 10 for Large Language Model Applications, which specifically catalogs the most critical and common vulnerabilities in AI applications including prompt injection, sensitive information disclosure, excessive agency, insecure output handling, and training data poisoning. This AI-specific vulnerability list is the most directly relevant and accessible resource for a presentation on AI application vulnerabilities.
Why A is Wrong: ISO 27001 is a general information security management system standard covering broad organizational security controls. It does not specifically catalog AI application vulnerabilities or LLM-specific weakness categories.
Why B is Wrong: CWE catalogues software weakness types at a code and design level for traditional software. While some weaknesses apply to AI systems, CWE does not have a dedicated AI application vulnerability taxonomy comparable to the OWASP LLM Top 10.
Why D is Wrong: NIST RMF is a risk management framework providing guidance for managing and reducing information security risk. It is a process framework, not a vulnerability catalog, and does not list specific AI application vulnerability types suitable for a vulnerabilities presentation.
User experience is declining since the launch of a large language model (LLM) in internal networks.
Which of the following should be the highest priority for the prompt engineers?
Customer success management
Sales life cycle
Quality control
Business objectives
Basic Concept: Prompt engineers are responsible for designing and refining the prompts and instructions that guide an LLM's behavior. When user experience is declining after an LLM launch, this signals that the model's outputs are not meeting quality standards. CompTIA SecAI+ addresses prompt engineering quality management under securing and optimizing AI systems.
Why C is Correct: Quality control should be the highest priority when user experience is declining. Prompt engineers must systematically evaluate model responses against quality benchmarks, identify failure patterns causing poor user experience, and iteratively refine prompts to produce accurate, relevant, and appropriately formatted responses. Quality control encompasses testing, evaluation, and continuous improvement of prompt performance.
Why A is Wrong: Customer success management is a business function focused on customer relationship management and retention. While related to user experience outcomes, it is not a technical priority that prompt engineers can directly address through their core competency of prompt design and refinement.
Why B is Wrong: Sales life cycle management is a business process for managing customer acquisition and revenue. It is entirely outside the scope of prompt engineering activities and does not address declining LLM user experience.
Why D is Wrong: Business objectives define what the organization aims to achieve with the LLM deployment. These are set at the strategic level and inform the direction for prompt engineering. They are inputs to the quality control process rather than the priority action prompt engineers should take when experience is declining.
A cybersecurity analyst must use pattern recognition on a data set containing unstructured data.
Which of the following models is the best for this task?
Long short-term memory
Convolutional neural network
Decision tree
Logistic regression
Basic Concept: Different ML model architectures are optimized for different data types and tasks. Unstructured data such as images, raw network packet captures, and visual content requires models capable of automatically extracting hierarchical spatial features. CompTIA SecAI+ covers ML model selection for security tasks under basic AI concepts.
Why B is Correct: Convolutional Neural Networks (CNNs) are specifically designed for pattern recognition in unstructured data, particularly image and grid-structured data. CNNs use convolutional layers to automatically extract local and hierarchical features without requiring manual feature engineering. They excel at recognizing patterns in raw, unstructured inputs, making them the optimal choice for pattern recognition on unstructured datasets in cybersecurity contexts such as image-based malware analysis or visual traffic pattern recognition.
Why A is Wrong: Long Short-Term Memory (LSTM) networks are recurrent neural networks optimized for sequential and time-series data such as network traffic flows over time or log sequences. While they handle unstructured sequential data, they are not specifically designed for spatial pattern recognition in general unstructured data.
Why C is Wrong: Decision trees work on structured, tabular data with defined features. They require feature extraction and engineering before processing unstructured data and are not designed for raw pattern recognition in unstructured inputs.
Why D is Wrong: Logistic regression is a linear classification algorithm that requires structured, numerical input features. It cannot directly process unstructured data and requires extensive preprocessing and feature extraction, making it unsuitable for pattern recognition on raw unstructured datasets.
A cybersecurity analyst wants to choose a machine learning (ML) model to classify log entries while providing the best explainability.
Which of the following models should the analyst use?
Large language model (LLM)
Neural networks
Decision trees
Generative adversarial network (GAN)
Basic Concept: Different ML model architectures offer varying degrees of explainability. In cybersecurity, understanding why a model classified a log entry as malicious or benign is critical for analyst trust, investigation, and regulatory compliance. CompTIA SecAI+ covers model explainability under responsible AI and basic AI concepts.
Why C is Correct: Decision trees are inherently interpretable models that classify data through a series of transparent if-then rules. Every classification decision can be traced through the exact path of conditions that led to it, showing precisely which log entry features triggered the classification. Analysts can read and understand the decision path, making decision trees the gold standard for explainable ML classification in security applications where understanding the reason for a classification is as important as the classification itself.
Why A is Wrong: Large language models are complex transformer architectures with hundreds of billions of parameters. They function as black boxes — their internal decision-making processes are not human-interpretable, making them poor choices when explainability is the primary requirement.
Why B is Wrong: Neural networks are non-linear black box models. While they can achieve high classification accuracy, their multi-layer architecture makes it extremely difficult to explain why specific decisions were made in human-understandable terms.
Why D is Wrong: Generative adversarial networks are designed for generating synthetic data, not for classification tasks. They consist of competing generator and discriminator networks and are fundamentally unsuitable for log entry classification with explainability requirements.
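The explanation above says every decision-tree classification can be traced back through the conditions that produced it. The following added example (not part of the original page or of any CompTIA material) shows that concretely: a small ID3-style tree is trained from scratch on a constructed, hand-labelled set of authentication log lines, and the classifier returns the exact path of feature tests alongside its label. The log format, the feature definitions (failed login, off-hours timestamp, source address not in a known-IP allow list) and the labels are all assumptions made for the demo.

```python
import math
import re
from collections import Counter

# Constructed, hypothetical training data: authentication log lines with an
# analyst-assigned label. The known-IP list is likewise an assumption.
KNOWN_IPS = {"10.0.0.12", "10.0.0.37"}
TRAINING_LOG = [
    ("2024-05-01T02:13:00 login result=FAIL src=203.0.113.5 user=alice", "malicious"),
    ("2024-05-01T14:02:00 login result=FAIL src=203.0.113.9 user=bob", "malicious"),
    ("2024-05-01T23:40:00 login result=FAIL src=10.0.0.12 user=carol", "malicious"),
    ("2024-05-01T03:05:00 login result=OK src=198.51.100.7 user=dave", "benign"),
    ("2024-05-01T09:30:00 login result=OK src=10.0.0.37 user=erin", "benign"),
    ("2024-05-01T11:15:00 login result=OK src=203.0.113.22 user=frank", "benign"),
    ("2024-05-01T10:45:00 login result=FAIL src=10.0.0.37 user=grace", "benign"),
    ("2024-05-01T22:10:00 login result=OK src=10.0.0.12 user=heidi", "benign"),
]
FEATURES = ["failed_login", "off_hours", "new_ip"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>\w+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def extract_features(line):
    """Turn one raw log line into the three boolean features the tree can test."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    hour = int(m.group("ts")[11:13])
    return {
        "failed_login": m.group("result") == "FAIL",
        "off_hours": hour < 6 or hour >= 22,
        "new_ip": m.group("src") not in KNOWN_IPS,
    }


def entropy(labels):
    """Shannon entropy of a label list (Counter never yields a zero count)."""
    total = len(labels)
    return -sum((n / total) * math.log2(n / total) for n in Counter(labels).values())


def train_tree(rows, features):
    """ID3: rows is a list of (feature_dict, label). Returns a nested dict, or a leaf label."""
    labels = [lbl for _, lbl in rows]
    if len(set(labels)) == 1:
        return labels[0]
    if not features:
        return Counter(labels).most_common(1)[0][0]
    base = entropy(labels)
    best_feat, best_gain = None, -1.0
    for feat in features:  # strict '>' means the first feature wins ties: deterministic trees
        gain = base
        for value in (True, False):
            subset = [lbl for f, lbl in rows if f[feat] == value]
            if subset:
                gain -= len(subset) / len(rows) * entropy(subset)
        if gain > best_gain:
            best_feat, best_gain = feat, gain
    remaining = [f for f in features if f != best_feat]
    majority = Counter(labels).most_common(1)[0][0]
    node = {"feature": best_feat, "branches": {}}
    for value in (True, False):
        subset = [(f, lbl) for f, lbl in rows if f[best_feat] == value]
        node["branches"][value] = train_tree(subset, remaining) if subset else majority
    return node


def classify(tree, feats):
    """Walk the tree and return (label, path); path lists every condition that was tested."""
    path = []
    while isinstance(tree, dict):
        feat = tree["feature"]
        path.append(f"{feat}={feats[feat]}")
        tree = tree["branches"][feats[feat]]
    return tree, path


def build_model():
    rows = [(extract_features(line), label) for line, label in TRAINING_LOG]
    return train_tree(rows, FEATURES)


def explain(line, tree=None):
    """Classify one raw log line and render the decision path for an analyst."""
    tree = tree or build_model()
    label, path = classify(tree, extract_features(line))
    return label, " -> ".join(path)


if __name__ == "__main__":
    model = build_model()
    for sample in ("2024-05-02T13:20:00 login result=FAIL src=192.0.2.44 user=ivan",
                   "2024-05-02T01:00:00 login result=OK src=192.0.2.44 user=judy"):
        print(explain(sample, model))
```

On this constructed data the root split lands on failed_login, and a failed login during business hours from an unknown address is reported as malicious with the full path failed_login=True, off_hours=False, new_ip=True, which is exactly the kind of human-readable justification the passage contrasts with a neural network's opaque weights.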
A large number of employees receive a video message in which the company's CEO states that the company will be filing for bankruptcy. After an investigation, it was discovered that the CEO did not send this message.
Which of the following is this scenario an example of?
On-path attack
Phishing
Deepfake
Social engineering
Basic Concept: Advances in AI generative technology have enabled the creation of highly realistic synthetic video and audio content that convincingly impersonates real individuals. These AI-generated impersonations are called deepfakes and represent a significant threat for corporate fraud, misinformation, and social engineering. CompTIA SecAI+ covers deepfakes under basic AI concepts and cybersecurity threats.
Why C is Correct: The scenario describes a video in which the CEO's likeness was convincingly replicated to deliver a false message about bankruptcy. This is a textbook deepfake attack — AI-generated synthetic media using the target's face and potentially voice to make it appear they said something they never said. Deepfake technology uses GANs and CNNs to create this type of convincing impersonation, and the attack specifically exploited AI generation for deception.
Why A is Wrong: An on-path attack intercepts network communications between two parties to eavesdrop or modify traffic. It requires positioning in the network path, not creating synthetic media of a person's likeness.
Why B is Wrong: Phishing is a social engineering attack that uses deceptive messages typically via email to trick recipients into taking harmful actions such as clicking malicious links or providing credentials. While this attack has social engineering elements, the use of AI-generated video to impersonate the CEO specifically categorizes it as a deepfake attack.
Why D is Wrong: Social engineering broadly describes psychological manipulation tactics to deceive individuals. While deepfakes can be used as part of social engineering campaigns, the specific technical technique used — AI-generated synthetic video — makes deepfake the most precise and accurate categorization.
Which of the following is a key principle of responsible AI systems?
Using protected data for training
Ensuring transparency and explainability
Operating with human-in-the-loop
Maximizing model security
Basic Concept: Responsible AI encompasses a set of principles designed to ensure AI systems operate ethically, fairly, and accountably. These principles guide AI development and deployment to minimize harm and maximize trustworthiness. CompTIA SecAI+ Exam Objectives list transparency and explainability as foundational responsible AI principles under Domain 4.
Why B is Correct: Transparency and explainability are cornerstone principles of responsible AI. Transparency means AI systems are open about their nature, capabilities, limitations, and how they make decisions. Explainability means the system can articulate the reasons behind its decisions in human-understandable terms. Together, they enable accountability, support regulatory compliance, allow bias detection, and build user trust. The CompTIA SecAI+ Study Guide and responsible AI frameworks including OECD and NIST AI RMF consistently identify this as a key principle.
Why A is Wrong: Using protected data for training would violate privacy and intellectual property rights. This is not a responsible AI principle — responsible AI actually requires ensuring that training data respects privacy, consent, and legal protections.
Why C is Wrong: Human-in-the-loop is an important operational practice for high-stakes AI decisions, but it is one design pattern rather than the key overarching principle of responsible AI. Not all responsible AI systems require human-in-the-loop operation for every decision.
Why D is Wrong: Maximizing model security is a cybersecurity objective for AI systems. While important, it is an operational security concern rather than a responsible AI governance principle focused on fairness, accountability, and trustworthiness in AI decision-making.
A disgruntled employee changed the company policies that a chatbot references in order to create confusion and disrupt the business.
Which of the following AI-generated vulnerabilities is the employee exploiting?
Data reduction
Data masking
Data poisoning
Data leaking
Basic Concept: AI systems that rely on knowledge bases, vector databases, or reference documents are vulnerable to attacks that corrupt or manipulate that source data. When an adversary deliberately modifies the data an AI uses, this is a form of data poisoning. CompTIA SecAI+ Study Guide covers data poisoning as a core AI vulnerability.
Why C is Correct: Data poisoning is an attack where an adversary intentionally corrupts or manipulates the data that an AI system uses for training, inference, or reference. In this scenario, the employee modified the company policies document that the chatbot uses as its knowledge base, causing the chatbot to provide incorrect, misleading, or confusing information to users. This is a classic indirect data poisoning attack targeting the AI's reference data rather than its model weights.
Why A is Wrong: Data reduction refers to techniques that decrease the volume or dimensionality of data for processing efficiency. It is a data engineering concept, not an attack vector or vulnerability classification.
Why B is Wrong: Data masking replaces sensitive data values with anonymized equivalents to protect privacy. It is a data protection control used legitimately, not an attack that an employee would exploit to cause disruption.
Why D is Wrong: Data leaking involves unauthorized disclosure of sensitive information from an AI system or its associated data stores. The employee's action of manipulating data is an integrity attack, not a confidentiality violation involving leakage of data to unauthorized parties.
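Since the attack in this scenario is an integrity attack on the chatbot's reference data, the natural control is an integrity check on that data before it is ingested. The following added example (not code from the page or from any vendor) does this: the ingestion pipeline keeps an HMAC-signed manifest of SHA-256 digests for the approved policy documents, and refuses or flags any document that has been modified, removed, or added without approval. The document names, contents and the manifest key are constructed for the demo; the key is an assumption and in practice would live in a secrets store that document editors cannot reach.

```python
import hashlib
import hmac
import json

# Hypothetical key held by the ingestion pipeline, not by people who edit policies.
MANIFEST_KEY = b"constructed-demo-key-do-not-use"

# Constructed sample knowledge base: the documents the chatbot is allowed to cite.
APPROVED_DOCS = {
    "policies/expense.md": "Expenses under 50 USD need no receipt.",
    "policies/remote-work.md": "Remote work is allowed three days per week.",
}


def digest(text):
    """SHA-256 hex digest of a document body."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_manifest(docs, key):
    """Record a digest per approved document and sign the whole table with an HMAC."""
    entries = {path: digest(text) for path, text in sorted(docs.items())}
    body = json.dumps(entries, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify_manifest(manifest, key):
    """True only if the manifest was signed with this key (constant-time compare)."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode("utf-8")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def check_documents(docs, manifest, key):
    """Return (ok_paths, problems); problems lists modified, missing and unapproved documents.

    An editor who can change policy text but not the manifest key cannot make a
    modified document pass, and cannot re-sign a manifest that blesses the change.
    """
    if not verify_manifest(manifest, key):
        raise ValueError("manifest signature invalid; refusing to load any documents")
    ok, problems = [], []
    for path, expected in manifest["entries"].items():
        if path not in docs:
            problems.append(("missing", path))
        elif digest(docs[path]) != expected:
            problems.append(("modified", path))
        else:
            ok.append(path)
    for path in docs:
        if path not in manifest["entries"]:
            problems.append(("unapproved", path))
    return ok, sorted(problems)


if __name__ == "__main__":
    manifest = build_manifest(APPROVED_DOCS, MANIFEST_KEY)
    # Simulate the scenario: one policy rewritten, one unapproved file dropped in.
    tampered = dict(APPROVED_DOCS)
    tampered["policies/expense.md"] = "All expense claims are suspended indefinitely."
    tampered["policies/layoffs.md"] = "Half of all staff will be let go on Friday."
    print(check_documents(tampered, manifest, MANIFEST_KEY))
```

Only the documents that still match the signed manifest are handed to the retrieval index; the rest are reported, which also gives the investigation a precise list of what was changed and when the check first failed.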
Which of the following is used to train an AI model with unstructured data?
Statistical learning
Fine-tuning
Supervised learning
Reinforcement training
Basic Concept: Unstructured data such as free-form text, images, and audio does not have predefined labels or rigid schema. Training an AI model effectively on unstructured data requires techniques that can leverage patterns within the data itself or adapt a pre-trained model to new data types. CompTIA SecAI+ covers AI training methodologies under basic AI concepts.
Why B is Correct: Fine-tuning takes a pre-trained foundation model that has already learned rich representations from massive unstructured datasets and further trains it on a specific, potentially smaller unstructured dataset. This adapts the model to a new domain, task, or data type without requiring labeled data for every training example. Fine-tuning is the most practical and effective approach for working with unstructured data in modern AI development.
Why A is Wrong: Statistical learning typically refers to classical machine learning approaches that often assume structured, numerical data with defined features. These methods generally struggle with high-dimensional unstructured data without significant preprocessing.
Why C is Wrong: Supervised learning requires labeled training data where each example has an associated correct output label. Applying supervised learning to unstructured data requires extensive manual labeling, which is the opposite of working with raw unstructured data.
Why D is Wrong: Reinforcement learning trains models through reward signals based on actions taken in an environment. It is designed for sequential decision-making tasks and is not the standard approach for learning representations from unstructured data at scale.
As a compliance requirement, a large language model (LLM) application requires setting up guardrails.
Which of the following resources is most appropriate to use?
Retrieval-augmented generation (RAG)
Open Worldwide Application Security Project (OWASP)
LLM libraries
Security incident and event management (SIEM)
Basic Concept: When implementing guardrails for compliance purposes, organizations need a recognized framework or standard that provides authoritative guidance on what guardrails should address and how to implement them. Compliance guardrails require industry-recognized standards as their basis. CompTIA SecAI+ Study Guide identifies OWASP as the primary reference for LLM application security controls including guardrails.
Why B is Correct: OWASP provides the OWASP Top 10 for Large Language Model Applications, which is a recognized industry resource defining the most critical vulnerabilities in LLM applications and the guardrails needed to mitigate them. Using OWASP as the reference for compliance-required guardrails provides a defensible, industry-standard basis for the security controls implemented, satisfying compliance requirements with authoritative guidance on what guardrails should prevent and how they should function.
Why A is Wrong: RAG is an AI architecture that enhances LLM responses with retrieved external context. It is a capability enhancement technique, not a framework for defining or implementing security guardrails for compliance purposes.
Why C is Wrong: LLM libraries are software development toolkits that provide functions for working with language models. While they may include built-in guardrail features, they are implementation tools, not the governance resource or standard that compliance guardrail requirements should be based upon.
Why D is Wrong: A SIEM is a security monitoring and alerting platform that aggregates and analyzes log data. It is a detection and monitoring tool, not a framework that defines what guardrails are required for LLM application compliance.
Which of the following roles best supports the implementation of AI governance, risk, and compliance (GRC)? (Choose two.)
Desktop specialist
Data scientist
Software developer
Security architect
Security operations center (SOC) analyst
Network engineer
Basic Concept: AI GRC implementation requires roles that combine understanding of AI technical capabilities and limitations with security risk assessment, control design, and compliance framework expertise. Identifying which roles naturally contribute to AI GRC is essential for team design. CompTIA SecAI+ Study Guide covers AI governance role responsibilities under Domain 4.
Why B is Correct: Data Scientists possess deep understanding of AI model capabilities, limitations, data requirements, and failure modes. For GRC implementation, their technical expertise is essential for identifying AI-specific risks such as bias, model drift, and data quality issues, assessing compliance implications of model design choices, and evaluating whether AI systems meet governance requirements.
Why D is Correct: Security Architects design comprehensive security frameworks and risk management strategies. For AI GRC, they translate governance requirements into technical controls, design AI security architectures that satisfy compliance obligations, assess the risk posture of AI deployments, and ensure security principles including least privilege, defense-in-depth, and audit logging are built into AI system designs.
Why A is Wrong: Desktop specialists manage user workstation hardware and software. Their role focuses on endpoint management and user support, not on the strategic risk assessment, compliance evaluation, or technical AI governance activities required for AI GRC implementation.
Why C is Wrong: Software developers write application code. While they implement security controls when directed, they typically lack the broad risk management, compliance framework expertise, and security architecture perspective needed to lead AI GRC implementation.
Why E is Wrong: SOC analysts focus on monitoring, detecting, and responding to security incidents in operational environments. Their expertise is in reactive security operations rather than the proactive governance framework design and compliance management that AI GRC requires.
Why F is Wrong: Network engineers design and maintain network infrastructure. Their expertise is in network connectivity and protocols, not in AI system governance, risk assessment frameworks, or compliance requirements.
Which of the following helps end users within an organization the most in safeguarding against the risk of AI-related non-compliance?
AI center of excellence
Policies and procedures
Implementing data loss prevention
Enabling multifactor authentication (MFA) for access
Basic Concept: End users are the employees who interact with AI systems daily and may inadvertently create compliance risks through their AI usage behaviors. Equipping users with clear guidance on acceptable and compliant AI use is the most effective way to reduce compliance violations at the user level. CompTIA SecAI+ Study Guide emphasizes policies and procedures as the foundational compliance tool for end users.
Why B is Correct: Policies and procedures directly inform end users of what AI-related behaviors are compliant, what is prohibited, and how to use AI tools safely and legally. Comprehensive AI usage policies covering acceptable use, data handling requirements, prohibited data inputs, and reporting obligations give users the knowledge they need to avoid compliance violations. Without clear policies, users cannot reliably identify compliant from non-compliant behavior.
Why A is Wrong: An AI center of excellence governs AI adoption at the organizational level, developing standards and approving use cases. While it benefits the organization overall, its governance activities are directed at organizational processes and technical standards rather than providing direct day-to-day compliance guidance to individual end users.
Why C is Wrong: Data loss prevention (DLP) technology automatically prevents the transmission of sensitive data through monitoring and blocking capabilities. While effective at preventing certain compliance violations technically, it cannot guide users on why certain behaviors are non-compliant or how to make compliant choices in situations DLP doesn't cover.
Why D is Wrong: MFA secures user authentication and prevents unauthorized account access. It is an identity security control that protects accounts, not a mechanism that helps users understand or comply with AI governance requirements.
A security architect performs threat modeling of an AI system. The architect needs to determine which attacks can be performed against the system.
Which of the following actions should the architect take next?
Leverage a large language model (LLM) to map likely attack paths based on the code base.
Quantify the risk of known vulnerabilities identified in the AI system.
Identify trust boundaries and perform threat modeling with Open Worldwide Application Security Project (OWASP) Top 10.
Analyze MITRE Adversarial Threat Landscape for AI Systems (ATLAS) for tactics, techniques, and procedures (TTPs).
Basic Concept: AI-specific threat modeling requires consulting resources that catalogue adversarial attacks specifically developed for AI and ML systems. General cybersecurity frameworks may miss AI-unique attack vectors such as model inversion, data poisoning, and adversarial examples. CompTIA SecAI+ Study Guide identifies MITRE ATLAS as the authoritative source for AI system TTPs.
Why D is Correct: MITRE ATLAS provides a comprehensive, curated knowledge base of adversarial tactics, techniques, and procedures specifically targeting AI and ML systems, derived from real-world attack case studies. Analyzing ATLAS enables the architect to enumerate realistic AI-specific attacks applicable to the system being threat-modeled, which directly answers the question of which attacks can be performed.
Why A is Wrong: Using an LLM to map attack paths introduces uncertainty and potential hallucination risk. LLMs may generate plausible-sounding but inaccurate attack paths and cannot guarantee comprehensive coverage of AI-specific attack techniques.
Why B is Wrong: Quantifying risk of known vulnerabilities is a risk assessment step that occurs after identifying which attacks are possible. The architect must first identify attack possibilities before quantifying their risk impact.
Why C is Wrong: OWASP Top 10 covers web application vulnerabilities and, in its LLM edition, certain LLM-specific risks. However, MITRE ATLAS provides a more comprehensive and structured catalog of AI and ML-specific adversarial TTPs for systematic threat modeling.
A management team is concerned about an unexpected cost increase for a public-facing AI chatbot.
Which of the following should a security administrator examine first to determine the root cause?
Firewall logs
Web application firewall (WAF) rules
Vector database input/output operations per second performance
Model token usage
Basic Concept: AI chatbot operational costs are primarily driven by token consumption — the number of tokens processed in requests and generated in responses. Unexpected cost increases in LLM-based chatbots almost always trace back to abnormal token usage patterns. CompTIA SecAI+ Study Guide covers AI cost monitoring and token-based billing under securing AI systems.
Why D is Correct: Model token usage logs directly show how many tokens are being consumed per request, by which users or endpoints, and whether usage has increased abnormally. Examining token usage data is the most direct path to identifying the root cause of unexpected cost increases — whether from a denial-of-wallet attack, user abuse, a new feature generating verbose responses, or legitimate organic growth in usage. This is the first and most relevant examination point for LLM cost analysis.
Why A is Wrong: Firewall logs capture network-level traffic information. While they can reveal unusual access patterns or volumes, they do not contain token consumption data that directly explains LLM billing increases.
Why B is Wrong: WAF rules define filtering policies for web traffic. Reviewing rule configurations does not reveal whether token usage has increased or why costs have risen; it shows security policy settings rather than consumption metrics.
Why C is Wrong: Vector database IOPS performance measures how quickly the database processes read and write operations. While relevant to RAG system performance, IOPS metrics do not directly explain LLM API cost increases driven by token consumption.
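The passage says the first thing to examine is per-principal token usage and whether it has risen abnormally. The following added example (not from the page or any provider's tooling) shows what that examination looks like in practice: a constructed token-usage log is rolled up per principal and per day, each day is compared against that principal's own median from the other days, and spikes above a multiple of that baseline are reported together with each principal's share of total consumption. The log format, the price table and the thresholds are assumptions for the demo.

```python
from collections import defaultdict
from statistics import median

# Constructed sample usage log: (date, principal, prompt_tokens, completion_tokens).
# "svc-partner" is a hypothetical API key whose usage jumps on the last day.
USAGE_LOG = [
    ("2024-06-01", "alice", 600, 400), ("2024-06-02", "alice", 700, 400),
    ("2024-06-03", "alice", 500, 400), ("2024-06-04", "alice", 650, 400),
    ("2024-06-01", "bob", 300, 200), ("2024-06-02", "bob", 300, 200),
    ("2024-06-03", "bob", 300, 200), ("2024-06-04", "bob", 300, 200),
    ("2024-06-01", "svc-partner", 1200, 800), ("2024-06-02", "svc-partner", 1300, 800),
    ("2024-06-03", "svc-partner", 1100, 800), ("2024-06-04", "svc-partner", 52000, 8000),
]

# Assumed prices in USD per 1,000 tokens; real rates depend on the provider and model.
PRICE_PER_1K = {"prompt": 0.0005, "completion": 0.0015}


def daily_totals(records):
    """Map principal -> {date: total tokens (prompt + completion)}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, principal, prompt_tokens, completion_tokens in records:
        totals[principal][day] += prompt_tokens + completion_tokens
    return totals


def find_spikes(totals, factor=3.0, min_tokens=5000):
    """Flag (principal, day, tokens, baseline) where a day exceeds factor x the principal's
    median over its other days. min_tokens keeps tiny accounts from tripping the ratio."""
    spikes = []
    for principal, days in totals.items():
        for day, tokens in days.items():
            others = [t for d, t in days.items() if d != day]
            if not others:
                continue  # one day of history is no baseline at all
            baseline = median(others)
            if tokens >= min_tokens and tokens > factor * baseline:
                spikes.append((principal, day, tokens, baseline))
    return sorted(spikes)


def share_of_usage(totals):
    """Fraction of all tokens consumed by each principal, rounded to three places."""
    grand = sum(sum(days.values()) for days in totals.values())
    return {p: round(sum(days.values()) / grand, 3) for p, days in totals.items()}


def estimate_cost(records):
    """Approximate spend per principal under the assumed price table."""
    cost = defaultdict(float)
    for _, principal, prompt_tokens, completion_tokens in records:
        cost[principal] += (prompt_tokens / 1000) * PRICE_PER_1K["prompt"]
        cost[principal] += (completion_tokens / 1000) * PRICE_PER_1K["completion"]
    return {p: round(c, 4) for p, c in cost.items()}


if __name__ == "__main__":
    totals = daily_totals(USAGE_LOG)
    for principal, day, tokens, baseline in find_spikes(totals):
        print(f"SPIKE {principal} on {day}: {tokens} tokens vs median {baseline}")
    print("share:", share_of_usage(totals))
    print("cost:", estimate_cost(USAGE_LOG))
```

On the sample data only svc-partner on 2024-06-04 is flagged, and the share table shows that a single key accounts for over 90% of all tokens, which is the kind of finding that narrows the root-cause question to one credential or endpoint before anyone looks at firewall or WAF data.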
Instructions: Click the (+) to assign each threat category into its appropriate framework.
An architect is modeling an agentic system to meet security standards.
Basic Concept: This is a Performance-Based Question (PBQ) — a simulation item requiring interactive drag-and-drop assignment of threat categories to appropriate frameworks in the actual exam. It tests knowledge of how different AI threat frameworks categorize and address specific threat types for agentic systems.
Key Concept — Framework-to-Threat Mapping: MITRE ATLAS covers ML-specific adversarial tactics such as model evasion, data poisoning, model extraction, and prompt injection for agentic systems. OWASP LLM Top 10 addresses application-level LLM vulnerabilities such as insecure output handling, excessive agency, and supply chain risks. NIST AI RMF addresses governance-level risks across the AI lifecycle. STRIDE addresses architectural threats including spoofing, tampering, repudiation, information disclosure, DoS, and elevation of privilege.
Why This Matters: Agentic AI systems have a unique threat landscape combining traditional software vulnerabilities with AI-specific attacks. Correctly mapping threat categories to frameworks is essential for comprehensive threat modeling of systems that autonomously execute multi-step tasks with tool access and real-world consequences.
A company is adopting AI and wants to create policies and procedures that include a structure for evaluating, publishing, and approving patterns for AI usage.
Which of the following should the company establish to meet this goal?
AI center of excellence
AI legal affairs office
AI audit department
AI data science division
Basic Concept: Successful AI adoption at an organizational level requires a centralized governance body that standardizes AI practices, promotes best practices, and ensures consistent, safe, and effective AI deployment across the organization. CompTIA SecAI+ Study Guide covers AI organizational governance structures under Domain 4.
Why A is Correct: An AI Center of Excellence (CoE) is an organizational unit specifically designed to govern, standardize, and advance AI adoption. It develops and publishes policies, creates approved patterns for AI usage, evaluates new AI use cases, provides expert guidance, and maintains governance oversight. The CoE exactly matches the described need for a structure to evaluate, publish, and approve AI usage patterns across the organization.
Why B is Wrong: An AI legal affairs office focuses on legal compliance, intellectual property, and regulatory matters related to AI. While important for legal risk management, it does not fulfill the broader governance mandate of establishing and approving AI usage patterns and best practices across the organization.
Why C is Wrong: An AI audit department conducts post-implementation reviews and compliance assessments of existing AI systems. It is a retrospective and oversight function rather than a proactive body for developing and approving AI usage patterns and policies.
Why D is Wrong: An AI data science division is a technical team focused on building AI models and solutions. It is a development function rather than a governance structure designed to create policies, evaluate AI patterns, and provide cross-organizational oversight of AI adoption.
Which of the following is required first in order to send a prompt query and response in a large language model (LLM) system when authentication is enabled?
Front-end web proxy gateway
Endpoint access control
Application programming interface gateway
Back-end access gateway
Basic Concept: When authentication is enabled on an LLM system, users must prove their identity before the system processes any requests. The authentication process must occur at the point where users first attempt to access the system before any data can be transmitted. CompTIA SecAI+ Study Guide covers the order of authentication controls in AI system access architectures.
Why B is Correct: Endpoint access control is the first requirement when authentication is enabled, as it governs the initial connection from the user's device to the system. Before any prompt can be sent or response received, the endpoint must be authenticated and authorized to access the LLM service. Endpoint access control verifies user identity and device compliance at the earliest possible point in the request flow, gating all subsequent processing.
Why A is Wrong: A front-end web proxy gateway routes and manages web traffic between users and backend services. While it may participate in the authentication flow, it is a routing and mediation component that operates after the endpoint has been validated, not the first authentication requirement.
Why C is Wrong: An API gateway manages API traffic, authentication tokens, and rate limiting for API interactions. It processes requests after initial endpoint authentication has been established and the request is being routed to the LLM backend.
Why D is Wrong: A back-end access gateway controls access to backend services and resources. It operates downstream from both endpoint authentication and API gateway processing, representing a deeper layer of the access control architecture rather than the first authentication requirement.
TESTED 30 May 2026
Copyright © 2014-2026 DumpsTool. All Rights Reserved