ISACA Certified AI Security Manager — Question 11
After implementing a third-party generative AI tool, an organization learns about new regulations related to how organizations use AI. Which of the following would be the BEST justification for the organization to decide not to comply?
Answer options
- A. The AI tool is widely used within the industry.
- B. The AI tool is regularly audited.
- C. The risk is within the organization's risk appetite.
- D. The cost of noncompliance was not determined.
Correct answer: C
Explanation
The correct answer is C because, if the risk associated with noncompliance falls within the organization's risk appetite, the organization may decide to accept it. Options A and B do not provide valid justifications for noncompliance, as industry practices and audits do not exempt an organization from legal obligations. Option D is irrelevant, since failing to determine the cost does not justify a decision to ignore compliance requirements.