ISACA Certified AI Security Manager — Question 27

Which of the following should be done FIRST when developing an acceptable use policy for generative AI?

Answer options

• A. Consult with risk management and legal.
• B. Review AI regulatory requirements.
• C. Determine the scope and intended use of AI.
• D. Review existing company policies.

Correct answer: C

Explanation

The first step in developing an acceptable use policy for generative AI is to determine the scope and intended use of AI, as this will guide the overall policy framework. Consulting with risk management and legal, reviewing regulatory requirements, and assessing existing policies are important, but they should follow the initial understanding of how AI will be utilized within the organization.