AAIA vs AAISM vs AAIR: ISACA's Three AI Certs, Compared (2026)

By Dr. Baz Abouelenein (AAIA, CISA, CISM, CRISC, CISSP, PMP) · May 11, 2026 · 14 min read

ISACA now offers three AI certifications: AAIA for AI audit (launched May 2025), AAISM for AI security management (launched August 19, 2025), and AAIR for AI risk (launched April 15, 2026). Pick the one that matches your current role and credential: CISA holders go to AAIA, CISM or CISSP holders to AAISM, CRISC and risk-track holders to AAIR. Stacking two is rarely worth the cost in time, money, and 40-CPE-per-year recertification load.

What ISACA Actually Built — and When

ISACA shipped three AI certifications inside a single fiscal year. AAIA launched first because audit was the function most behind on AI and CISA holders are the largest installed base. AAISM followed for CISM and CISSP holders fielding AI security questions from boards. AAIR arrived third for the CRISC-anchored risk function, mapping to 25 qualifying credentials.

AAIA, AAISM, and AAIR Side-by-Side

AAIA domains: AI Governance and Risk (33%), AI Operations (46%), AI Auditing Tools and Techniques (21%).

AAISM domains: AI Governance and Program Management (31%), AI Risk Management (31%), AI Technologies and Controls (38%).

AAIR domains: AI Risk Governance and Framework Integration (37%), AI Life Cycle Risk Management (21%), AI Risk Program Management (42%).

Prerequisites: AAIA requires a CISA or an equivalent audit credential. AAISM requires an active CISM or CISSP. AAIR accepts 25 qualifying credentials, including CISA, CISM, CRISC, CGEIT, CDPSE, CISSP, and others.

Cross-Credential Decision Matrix

CISA: recommended AAIA.
CISM: recommended AAISM.
CISSP: recommended AAISM.
CRISC: recommended AAIR.
CGEIT: recommended AAIR.
CISA + CISM: role-dependent (audit → AAIA, security → AAISM).
CISA + CRISC: role-dependent (audit → AAIA, risk → AAIR).
CISM + CRISC: role-dependent (security → AAISM, risk → AAIR).
CIA: AAIA only.
CPA (AICPA): AAIA only.

Should You Stack Two or All Three?

Two ISACA AI certs cost roughly $1,200 in exam and application fees at member rates, plus 160 hours of prep and 80 CPEs per year in renewal load. For most working professionals, one cert done well backed by actual project work is worth more than two certs done in parallel. The case for stacking exists in three narrow situations: hybrid roles, consulting practices where breadth is a market signal, or employer-funded study.

How to Prepare

AAIA: six to eight weeks at 10 hours per week for a CISA holder with 3+ years of audit experience. Domain 2 (AI Operations, 46%) requires the most investment. AAISM: Domain 3 (AI Technologies and Controls, 38%) is the gap for most CISM holders. AAIR: Domain 2 (AI Life Cycle Risk Management, 21%) is the new material for CRISC holders; third-party resources are still developing as of May 2026.
