By Dr. Baz Abouelenein (AAIA, CISA, CISM, CRISC, CISSP, PMP) · May 14, 2026 · 12 min read
I took the ISACA Advanced in AI Audit (AAIA) exam in January 2026 and passed on the first attempt. Most AAIA prep content that currently ranks was written by people who have not taken it. The exam outlines and domain weights they cite are accurate. The advice often is not — not because it is wrong in spirit, but because it is generic where the exam is specific.
The AAIA is a multiple-choice exam covering three domains. Third-party consensus cites 90 questions in 150 minutes, with a 200–800 scaled score and 450 to pass. Verify the current figures in the official ISACA Exam Candidate Guide before you register. Eligibility requires an active CISA, or one of CIA, US CPA, Canadian CPA, Australian CPA or FCPA, Japanese CPA, ACCA, or FCCA with an IT audit or IT advisory role. Registration costs US$459 for ISACA members and US$599 for non-members, plus a US$50 application processing fee after you pass. Domain weights: AI Governance and Risk (33%), AI Operations (46%), AI Auditing Tools and Techniques (21%). Most candidates over-study Domain 1 and under-study Domain 2. Plan on 120–150 hours over six weeks, weighted toward scenario practice in the back half.
Domain 2 is almost half the exam, and it is the domain where audit instinct meets unfamiliar terrain: model performance drift, retraining triggers, monitoring evidence, and incident response inside an MLOps lifecycle. Definitions are a floor, not a ceiling. The exam rewards audit thinking in unfamiliar packaging. There is a strong bias toward continuous controls — wherever an answer choice involves ongoing monitoring or evidence integrity versus a one-time fix, the continuous answer is almost always the better candidate.
Week 1 (18–22 hours): Domain 1 — Governance and Risk foundations. Read the official manual. Build a one-page glossary in your own words. No question practice yet. Week 2 (22–26 hours): Domain 2 — Operations, Monitoring, and Controls (part 1). Half the exam lives here. Read slowly. Map every concept to a control you would actually test. Week 3 (22–26 hours): Domain 2 (part 2) plus Domain 3 — Auditing Tools and Techniques. Begin daily 15–20 question warm-ups on completed topics. Week 4 (22–26 hours): Full mixed-domain practice begins. Two timed 30-question sets per day. Diagnose wrong answers by category of mistake, not just topic. Week 5 (20–24 hours): Weakness repair and half-length mocks. Two half-length mocks (45 questions, 75 minutes) per week. Week 6 (14–18 hours): Full-length mocks under exam conditions and taper. Two full 90-question, 150-minute mocks early in the week. Hard taper the 48 hours before the exam.
When two answer choices both look defensible, pick the one that produces evidence that survives review — documentation, monitoring artifacts, signed-off testing — over the one that produces only a fix. The exam is written by auditors. They want the answer an auditor would write down. When choices split between prevent and detect, lean toward the answer that aligns with the stage of the AI lifecycle described in the stem. When choices split between fixing the technical issue and fixing the governance issue, the governance answer is right far more often than instinct suggests. When you see “should the auditor first” — pause. The first action is almost always scoping, risk assessment, or evidence preservation, not remediation.
The AAIA launched in May 2025. As of mid-2026, it sits in the early-adopter window: small enough that holding it differentiates you, established enough that hiring managers, regulators, and clients increasingly recognize the acronym. The credential pays back fastest in internal audit functions in AI-active firms, external audit and advisory shops building AI assurance practices, and solo or boutique consultants whose marketing benefits from a precise, regulator-aligned credential.
Written by Dr. Baz Abouelenein, AAIA, CISA, CISM, CRISC, CISSP, PMP. The AAIA Prep App has 1,155 original practice questions covering all three AAIA domains, including scenario-style questions that mirror the cognitive moves of the real exam.