AAIA Exam Domains Explained: Where IT Auditors Struggle

The AAIA exam divides into three domains weighted 33/46/21. Most IT auditors pass Domain 1 and struggle with Domain 2. Domain 2 is the largest section by weight, the most technical in content, and the section that feels least like a traditional CISA exam — most of what's tested here didn't exist in the audit world ten years ago. Here is what the operations domain actually tests and where preparation breaks down.

Domain 1 — AI Governance and Risk (33%)

Domain 1 covers the governance structures, frameworks, and risk management approaches that organizations use to oversee AI systems. It is the domain most familiar to CISA holders because it maps closely to IT governance concepts they already know.

What it tests: AI strategy and policy development. Risk identification and assessment for AI systems. The 21 AI governance frameworks ISACA references by name — NIST AI RMF, EU AI Act, ISO/IEC 42001, OECD AI Principles, UNESCO AI Ethics, and 16 others. Ethical AI principles and their application to organizational AI programs. Regulatory compliance requirements including the EU AI Act's risk-based classification system.

Domain 2 — AI Operations and Monitoring (46%)

Domain 2 is the highest-weighted domain and where most AAIA candidates lose points. It covers the operational lifecycle of AI systems — from data ingestion through model deployment and ongoing monitoring.

What it tests: Data quality controls and data governance for AI training datasets. The Machine Learning Operations (MLOps) lifecycle — how AI models are built, tested, deployed, and retrained. Data drift and concept drift detection — how to identify when a model's performance is degrading because production data has diverged from training data. Model performance metrics — accuracy, precision, recall, F1 score, and how to interpret them in an audit context. Bias detection and fairness assessment in AI systems. Adversarial attacks and model robustness controls. Incident response for AI system failures.

Why candidates struggle: CISA holders are trained to audit deterministic systems. Domain 2 requires understanding probabilistic systems where the same input can produce different outputs, and where model behavior changes over time without any code change. This requires a different mental model for what constitutes a control.
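To make the Domain 2 material concrete, here is a small added example (not from the article, ISACA, or any prep product) that computes the performance metrics named above from a confusion matrix, compares them against a majority-class baseline, and applies a population stability index (PSI) check for data drift on a single feature. The label and feature values are constructed for illustration, and the PSI bands (under 0.1 stable, 0.1 to 0.25 moderate, above 0.25 significant) are a commonly used rule of thumb, not a figure the article states; an auditor would expect the organization's own monitoring policy to set those thresholds.

```python
from __future__ import annotations

import math
from bisect import bisect_right
from typing import Sequence


def confusion_counts(y_true: Sequence[int], y_pred: Sequence[int]) -> dict[str, int]:
    """Count TP/FP/FN/TN for a binary classifier (positive class = 1)."""
    if len(y_true) != len(y_pred):
        raise ValueError("label and prediction vectors differ in length")
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for truth, pred in zip(y_true, y_pred):
        if pred == 1:
            counts["tp" if truth == 1 else "fp"] += 1
        else:
            counts["fn" if truth == 1 else "tn"] += 1
    return counts


def classification_metrics(y_true: Sequence[int], y_pred: Sequence[int]) -> dict[str, float]:
    """Accuracy, precision, recall and F1 from the confusion counts.

    Division by zero (no predicted positives, or no actual positives) yields 0.0,
    which is the conservative reading for an audit rather than an exception.
    """
    c = confusion_counts(y_true, y_pred)
    total = sum(c.values())
    accuracy = (c["tp"] + c["tn"]) / total if total else 0.0
    precision = c["tp"] / (c["tp"] + c["fp"]) if (c["tp"] + c["fp"]) else 0.0
    recall = c["tp"] / (c["tp"] + c["fn"]) if (c["tp"] + c["fn"]) else 0.0
    f1 = 2 * precision * recall / (precision + recall) if (precision + recall) else 0.0
    return {"accuracy": accuracy, "precision": precision, "recall": recall, "f1": f1}


def majority_class_accuracy(y_true: Sequence[int]) -> float:
    """Accuracy of a model that always predicts the most common label.

    If the deployed model's accuracy is not clearly above this number, accuracy
    alone is not evidence that the model works; recall on the rare class is.
    """
    positives = sum(1 for v in y_true if v == 1)
    return max(positives, len(y_true) - positives) / len(y_true)


def population_stability_index(
    baseline: Sequence[float], production: Sequence[float],
    edges: Sequence[float], eps: float = 1e-6,
) -> float:
    """PSI between a training-time (baseline) and a production sample of one feature.

    Bins are [edges[i], edges[i+1]); the last bin also includes its upper edge.
    PSI = sum((q_i - p_i) * ln(q_i / p_i)) over bins, with p = baseline share,
    q = production share, floored at eps so an empty bin does not divide by zero.
    """
    n_bins = len(edges) - 1

    def shares(values: Sequence[float]) -> list[float]:
        counts = [0] * n_bins
        for v in values:
            idx = min(max(bisect_right(edges, v) - 1, 0), n_bins - 1)
            counts[idx] += 1
        return [max(c / len(values), eps) for c in counts]

    p, q = shares(baseline), shares(production)
    return sum((qi - pi) * math.log(qi / pi) for pi, qi in zip(p, q))


def psi_band(psi: float, moderate: float = 0.1, significant: float = 0.25) -> str:
    """Map a PSI value onto the rule-of-thumb bands (thresholds are an assumption)."""
    if psi < moderate:
        return "stable"
    return "moderate drift" if psi < significant else "significant drift"


# Constructed labels: 5 positives among 20 cases, as in a rare-event classifier.
Y_TRUE = [1] * 5 + [0] * 15
# Constructed predictions at deployment time (3 of 5 positives caught, 1 false alarm).
Y_PRED_DEPLOY = [1, 1, 1, 0, 0, 1] + [0] * 14
# Constructed predictions months later, same code, fewer positives caught: concept drift.
Y_PRED_LATER = [1, 0, 0, 0, 0, 1] + [0] * 14

# Constructed feature samples for the data-drift check; production leans high.
FEATURE_EDGES = [0.0, 0.25, 0.5, 0.75, 1.0]
FEATURE_BASELINE = [0.1, 0.2, 0.3, 0.4, 0.6, 0.7, 0.8, 0.9]
FEATURE_PRODUCTION = [0.1, 0.3, 0.4, 0.55, 0.6, 0.7, 0.8, 0.85, 0.9, 0.95]

if __name__ == "__main__":
    print("baseline (majority class) accuracy:", majority_class_accuracy(Y_TRUE))
    print("deployment metrics:", classification_metrics(Y_TRUE, Y_PRED_DEPLOY))
    print("later metrics:    ", classification_metrics(Y_TRUE, Y_PRED_LATER))
    psi = population_stability_index(FEATURE_BASELINE, FEATURE_PRODUCTION, FEATURE_EDGES)
    print(f"feature PSI: {psi:.3f} ({psi_band(psi)})")
```

Run as a script, the deployment-time metrics show an accuracy of 0.85 against a majority-class baseline of 0.75, with recall of only 0.6; the later window drops to accuracy 0.75 and recall 0.2, so the model has degraded to the baseline without any code change, which is the control question Domain 2 asks. The PSI of about 0.23 on the feature lands in the moderate band, the kind of signal that should trigger a retraining or investigation step in the MLOps lifecycle rather than wait for the metric drop.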

Domain 3 — AI Auditing Tools and Techniques (21%)

Domain 3 applies traditional audit methodology to AI-specific scenarios. It is the smallest domain by weight but requires synthesizing knowledge from Domains 1 and 2.

What it tests: Audit planning for AI systems — scoping, risk assessment, and audit program development. Evidence gathering techniques for AI systems, including how to audit black-box models that cannot be fully explained. Explainability tools — SHAP (SHapley Additive exPlanations), LIME (Local Interpretable Model-agnostic Explanations), and how auditors use them. Audit reporting for AI systems — how to communicate AI-specific findings to non-technical stakeholders. The 23 cross-domain skills ISACA identifies in the exam content outline, including the ability to utilize AI solutions to enhance audit processes.

How to Allocate Study Time

Based on the domain weighting and where candidates typically struggle: Domain 2 (46%) deserves roughly half your preparation time. The MLOps lifecycle, drift detection, and model performance metrics are the highest-yield topics. Domain 1 (33%) requires learning the 21 frameworks by name and structure. CISA holders have a head start on the governance concepts but need to learn the AI-specific frameworks. Domain 3 (21%) builds on Domains 1 and 2. Study it last, after you have the governance and operations foundation.

The AAIA Prep app's Weakest Subject mode automatically identifies which domain topics you are weakest on and surfaces those questions preferentially. Most candidates who pass on the first attempt spend 6 to 8 weeks in focused study until their readiness score holds above 75%.