How to Pass the ISACA AAIA Exam: A First-Attempt Playbook from Someone Who Did

I took the ISACA Advanced in AI Audit (AAIA) exam in January 2026 and passed on the first attempt. I'm writing this because most of the AAIA prep content that currently ranks was written by people who haven't taken it. The exam outlines and domain weights they cite are accurate. The advice often isn't — not because it's wrong in spirit, but because it's generic where the exam is specific.
This is the playbook I'd hand my past self the week I registered. It covers what the exam actually tests, a six-week plan that worked, what I'd cut if I had to start over, and what to ignore.
The Short Version
- The AAIA is a multiple-choice exam covering three domains. Third-party consensus and widely circulated study materials cite 90 questions in 150 minutes, with a 200–800 scaled score and 450 to pass. Confirm the current figures in the official ISACA Exam Candidate Guide before you register.
- Eligibility requires an active CISA, or one of CIA / US CPA / Canadian CPA / Australian CPA or FCPA / Japanese CPA / ACCA / FCCA with an IT audit or IT advisory role.
- Registration costs US$459 for ISACA members and US$599 for non-members, plus a US$50 application processing fee after you pass.
- The three domains are weighted unevenly: AI Governance and Risk (33%), AI Operations (46%), AI Auditing Tools and Techniques (21%). Allocate study hours to match. Most candidates over-study Domain 1 and under-study Domain 2.
- Plan on 120–150 hours over six weeks, weighted toward scenario practice in the back half. Memorizing definitions is the wrong investment; the exam rewards judgment.
- The single highest-leverage habit is doing timed mixed-domain question sets rather than reading the manual end-to-end a second time.
Why This Guide Is Different
Three things you should know about the source:
- First-hand pass: I'm a working IT auditor, not a training reseller. I took the AAIA because I needed the credential for client work, not to write about it.
- The app came after the exam: I built the AAIA Prep App as a personal study tool first. It went on the App Store after the exam, when the engine had been validated by a pass.
- NDA-compliant: The exam is under an NDA. I won't reproduce questions. What I can describe is the shape of the questions, the cognitive moves they ask for, and the traps I almost fell into — all fair game and far more useful than another rephrased exam outline.
If you want only the official mechanics, the ISACA AAIA exam candidate guide is the authoritative source. Read that first. Come back here for the parts ISACA can't write for you.
What the AAIA Actually Tests
The official exam content outline lists three domains with these exact weights:
| Domain | Topic | Weight |
|---|---|---|
| 1 | AI Governance and Risk | 33% |
| 2 | AI Operations | 46% |
| 3 | AI Auditing Tools and Techniques | 21% |
The weights matter more than they look. Domain 2 is almost half the exam, and it's the domain where audit instinct meets unfamiliar terrain: model performance drift, retraining triggers, monitoring evidence, and incident response inside an MLOps lifecycle. If you come from a traditional IT audit background, this is where the hours go.
- Definitions are a floor, not a ceiling: Knowing what 'explainability' or 'model card' means is necessary but insufficient. The questions push you into application: given this scenario, which control would you test first, with what evidence, citing what risk?
- The exam rewards audit thinking in unfamiliar packaging: If you're a CISA, the muscle memory transfers. You're still scoping, still testing design and operating effectiveness, still asking what evidence holds up under review. The vocabulary changes. The discipline doesn't.
- Strong bias toward continuous controls: Wherever an answer choice involves ongoing monitoring, explainability, or evidence integrity versus a one-time fix, the continuous answer is almost always the better candidate. Not always, but often enough to treat as a rebuttable presumption.
Exam Mechanics, in One Paragraph
The widely cited figures across third-party prep materials are 90 multiple-choice questions, 150 minutes, scaled scoring from 200 to 800, and 450 to pass. The retake policy circulated in study guides — four attempts per rolling 12-month period, with a 30-day cooldown after the first attempt and 90 days between subsequent attempts — mirrors ISACA's other credentials. Verify question count, time, scoring, and retake policy in the official ISACA Exam Candidate Guide before you book. ISACA periodically adjusts these mechanics across its credentials.
A Six-Week Study Plan That Worked
This plan assumes you're already a working IT auditor with a CISA, you have a full-time job, and you can find 2–3 hours on weekdays and 4–6 on weekends. Adjust the slope to your reality.

| Week | Focus | Hours | What you actually do |
|---|---|---|---|
| 1 | Domain 1 — Governance & Risk foundations | 18–22 | Read the official manual or equivalent. Build a one-page glossary in your own words. No question practice yet. |
| 2 | Domain 2 — Operations, Monitoring & Controls (part 1) | 22–26 | Half the exam lives here. Read slowly. Map every concept to a control you'd actually test. |
| 3 | Domain 2 (part 2) + Domain 3 — Auditing Tools & Techniques | 22–26 | Finish Domain 2. Start Domain 3. Begin daily 15–20 question warm-ups on completed topics. |
| 4 | Full mixed-domain practice begins | 22–26 | Switch the center of gravity from reading to scenario practice. Two timed 30-question sets per day. Diagnose wrong answers by category of mistake, not just topic. |
| 5 | Weakness repair + half-length mocks | 20–24 | Two half-length mocks (45 questions, 75 minutes) per week. Re-read only the sections feeding your repeat misses. |
| 6 | Full-length mocks under exam conditions + taper | 14–18 | Two full 90-question, 150-minute mocks early in the week, with a hard taper the 48 hours before the exam. Sleep is part of the plan. |
Total: ~120–140 hours over six weeks. This matches what most credible third-party summaries quote, and it is within a few hours per week of what I actually did.
- Don't start practice questions in Week 1: You'll just confirm what you don't know yet and erode confidence. Read first, then practice once you have something to attach the questions to.
- Diagnose by category of mistake, not by topic: When you get a question wrong, the real problem is one of four: you didn't know the concept, you knew it and misread the stem, you knew it and were lured by a near-miss distractor, or you knew it but ran out of time. Each has a different fix. Tracking the category beats tracking the topic.
What the Scenario Questions Actually Feel Like
The AAIA leans heavily on case-style stems: a paragraph describing an organization, an AI system, a control gap, an incident, or an audit moment, followed by a question that asks you to choose the best next move. The right answer is rarely the cleverest one. It's almost always the one a senior auditor would defend in a workpaper review.
The AAIA scenario heuristic: when two answer choices both look defensible, pick the one that produces evidence that survives review — documentation, monitoring artifacts, signed-off testing — over the one that produces only a fix. The exam is written by auditors. They want the answer an auditor would write down.
- Prevent vs. detect: Lean toward the answer that aligns with the stage of the AI lifecycle described in the stem. A pre-deployment scenario rewards prevention; a post-deployment monitoring scenario rewards detection.
- Fix the technical vs. fix the governance: The governance answer is right far more often than instinct suggests. ISACA writes for auditors, not engineers.
- 'Should the auditor first': Pause. The first action is almost always scoping, risk assessment, or evidence preservation — not remediation. Auditors don't fix things; they evaluate and report.
None of this is a substitute for content knowledge. It's the second-layer skill that turns 60% scores into pass scores.
Five Things That Surprised Me on Exam Day
- The clock is forgiving if you don't panic: At 90 questions in 150 minutes, the average is 1 minute 40 seconds per question, which is comfortable. But you will hit two or three questions in a row that take three minutes each, and the temptation to spiral is real. Mark and move. The exam interface lets you come back.
- The wording of the question matters more than the answers: I caught at least four questions where I had picked an answer in my head before I'd finished reading the stem. Every one of those was a trap. Read every word of the stem before you look at choices.
- The exam tests judgment on tools you may not have used: You don't need to have shipped an MLOps pipeline. You do need to understand what controls would apply if you were auditing one.
- Privacy and data governance cross every domain: Neither is its own section in the outline, but both show up everywhere. If your privacy fundamentals are rusty, refresh them.
- The pass result is immediate but provisional: You see a preliminary indicator at the test center; the formal score arrives later. Plan not to check email obsessively for the 48 hours after.
Mistakes I'd Avoid on a Second Attempt
- Over-studying Domain 1: It's the most intuitive domain for an experienced auditor, which makes it feel productive to study. It's also the smallest weight. Diminishing returns hit hard around hour 30.
- Reading the manual twice: Reading it once carefully and then living inside practice questions for three weeks would beat reading it twice. The bottleneck is recall under pressure, not exposure.
- Skipping the full-length mock: I did exactly one full-length 90-question, 150-minute mock the week of the exam, and it was the single most useful day of preparation. Two would have been better. The fatigue of question 70 onward is real and worth rehearsing.
- Treating practice scores as predictions: Practice question banks vary wildly in difficulty calibration. A 75% on one bank and a 60% on another doesn't mean you're inconsistent — it means the banks are. Use practice for diagnosis, not prediction.
Tools I Actually Used
I built the AAIA Prep App because the practice resources I could find when I registered were uneven, and I wanted scenario-style questions that mirrored the cognitive moves of the real exam, not memorization drills dressed up as practice. The App Store version is the same engine I used to prepare. If it's useful to you, use it. If it isn't, the rest of this guide stands on its own.
- ISACA official course and question bank: Worth the price if your employer covers it. The questions are calibrated by the exam authors.
- ISACA member virtual study group: Free and underrated. Real candidates, working through real material, with experts in the thread.
- One third-party practice bank: For cross-calibration. Not three. Variance across banks is information; bouncing between five of them is noise.
Is the AAIA Worth It in 2026?
The AAIA launched in May 2025. As of mid-2026, it sits in the early-adopter window: small enough that holding it differentiates you, established enough that hiring managers, regulators, and clients increasingly recognize the acronym. The window of any credential being scarce-but-recognized is short. CISA is universal now. Ten years ago it was a differentiator. AAIA is in the differentiator phase.
- Internal audit in AI-active firms: Banks, insurers, healthcare, large platforms — where regulators are starting to ask explicit AI governance questions.
- External audit and advisory: Shops building AI assurance practices and competing for the first wave of AI audit engagements.
- Solo or boutique consultants: Whose marketing benefits from a precise, regulator-aligned credential rather than another general 'AI strategy' claim.
- Where it pays back slowest: Pure engineering or data science roles. AAIA is an audit credential. Engineers building AI systems should look at vendor or technical certifications instead.
The credential is not a job guarantee — no certification is. It is a credible signal that you can speak the language of AI governance and audit in a way that survives scrutiny.
After the Exam
ISACA's credential maintenance rules for AAIA mirror its other certifications: 20 CPE hours per year (120 over a three-year cycle), a tri-annual reporting cycle, and a maintenance fee. Check the current figures on the ISACA AAIA page before you commit, as ISACA periodically adjusts CPE thresholds.
You will also be expected to document and verify your work experience in IT audit or advisory before the credential is formally granted. Passing the exam is necessary, not sufficient.
FAQ
- How hard is the AAIA compared to the CISA?: Different muscle, similar level of effort. CISA tested breadth of IT audit; AAIA tests depth of judgment in a narrower, newer domain. If you found CISA passable with serious effort, expect the same of AAIA.
- What's the AAIA pass rate?: ISACA does not publish pass rates. Candidates who hit 120+ hours of preparation and treated scenario practice as the central activity pass on their first attempt at a healthy rate. Candidates who under-study Domain 2 or skip full-length mocks struggle.
- Can I take the AAIA without a CISA?: Yes, if you hold a CIA, US/Canadian/Australian/Japanese CPA, ACCA, or FCCA and an IT audit or advisory role. Most candidates come from the CISA pathway because the audit-thinking transfer is cleanest.
- Are dumps worth using?: No. They damage your judgment muscle — the thing the exam actually tests — violate ISACA's candidate agreement, and risk credential revocation if traced.
- How current does my AI knowledge need to be?: Current enough to understand generative AI, model lifecycle stages, and explainability concepts in plain language. You're not being tested as an ML engineer; you're being tested as the auditor who can evaluate one.
- Is there an AAIA prep app?: Yes — that's mine. AAIA Prep: ISACA AI Audit Exam. I wrote all 1,155 questions after passing the exam, so the difficulty calibration comes from someone who's been on the other side of it.
One-Paragraph Verdict
The AAIA is a real exam with real teeth, but it is passable on the first attempt with six weeks of focused preparation, the right mix of reading and scenario practice, and an honest read of your own weak domains. Most of the guides ranking for "AAIA prep" can teach you the exam outline. None of them can replace the experience of taking it. This one tries to close that gap. If it helped, the AAIA Prep App is the next thing to put in your prep stack.
Last updated May 2026. Verify exam mechanics on the ISACA AAIA credential page before registration — ISACA periodically adjusts scoring, retake, and CPE policies.