If you already audit for a living and hold a CISA, the AAIA is passable on the first attempt — but it is not a CISA reskin with "AI" pasted on top. The audit reasoning will feel familiar. The friction is the AI fluency underneath it: model behavior, monitoring, and the governance frameworks that are still new to most auditors.
So: moderately hard for a working auditor, genuinely hard if AI concepts are new to you, and very doable with the right prep.
No — ISACA does not publish a pass rate for the AAIA, just as it does not for the CISA. Anyone quoting a specific "AAIA pass rate" is guessing or repeating a vendor's marketing number. The scoring mechanic: scaled 200–800, and you need 450 to pass. A scaled score is not a raw percentage. You do not have to be perfect; you have to clear the bar across a weighted spread of questions.
90 questions in 150 minutes — roughly 100 seconds per question. What will not hurt you: the audit scaffolding — evidence, sampling, control design versus operating effectiveness, reporting. That is CISA home turf. What will: AI-specific fluency — reasoning about how a model behaves and breaks (drift, bias, monitoring), and the difference between a governance policy on paper and one that actually operates.
AI Operations & Monitoring: 46% of the exam — hardest, least intuitive, most prep time. AI Governance & Risk: 33% — moderate, most familiar if you know NIST AI RMF and ISO 42001. AI Auditing Tools & Techniques: 21% — lightest weight, most technical surface per question.
Nearly half the exam, and the least intuitive domain for traditional auditors. This domain covers the operational reality of a model after deployment: monitoring for drift, catching performance degradation, recognizing when what worked in testing stops working in production. The instinct to test a control "as of a date" is exactly what this domain punishes — AI risk is continuous, not point-in-time.
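To make the point-in-time versus continuous distinction concrete, here is an added illustration (not from the article or any ISACA material) of a Population Stability Index (PSI) drift monitor: a control tested in month 1 passes cleanly, while the same check run every month flags the shift in month 3. The score samples, bucket edges and the 0.2 threshold are constructed for the example.

```python
"""Population Stability Index (PSI) checks across rolling production windows.

Added illustration, not from the article or any ISACA material. It shows why
a control tested 'as of a date' can pass while a continuous monitor flags
drift later. All score data below is constructed, not real model output.
"""
import math
from typing import Sequence

# Common rule-of-thumb PSI thresholds: < 0.1 stable, 0.1-0.2 moderate, > 0.2 significant.
SIGNIFICANT_DRIFT = 0.2


def bucket_proportions(values: Sequence[float], edges: Sequence[float]) -> list[float]:
    """Proportion of values in each bucket defined by ascending edges.
    Empty buckets are floored to a tiny value so log() stays defined."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[sum(1 for e in edges if v >= e)] += 1
    return [max(c / len(values), 1e-4) for c in counts]


def psi(baseline: Sequence[float], current: Sequence[float], edges: Sequence[float]) -> float:
    """PSI = sum over buckets of (cur - base) * ln(cur / base)."""
    base = bucket_proportions(baseline, edges)
    cur = bucket_proportions(current, edges)
    return sum((c - b) * math.log(c / b) for b, c in zip(base, cur))


def monitor(baseline, windows, edges, threshold=SIGNIFICANT_DRIFT):
    """Score every production window against the baseline; return (psi per window, flagged indices)."""
    scores = [psi(baseline, w, edges) for w in windows]
    flagged = [i for i, s in enumerate(scores) if s > threshold]
    return scores, flagged


# Constructed model-score samples: baseline from validation, then three monthly windows.
EDGES = [0.25, 0.5, 0.75]
BASELINE = [i / 100 for i in range(100)]                  # uniform over [0, 1)
WINDOWS = [
    [i / 100 for i in range(100)],                         # month 1: matches baseline
    [0.1 + 0.8 * i / 100 for i in range(100)],             # month 2: mild narrowing
    [0.6 + 0.4 * i / 100 for i in range(100)],             # month 3: scores collapse upward
]

if __name__ == "__main__":
    scores, flagged = monitor(BASELINE, WINDOWS, EDGES)
    for i, s in enumerate(scores):
        print(f"window {i + 1}: PSI={s:.3f} {'DRIFT' if i in flagged else 'ok'}")
    # A point-in-time test run in month 1 sees PSI 0.000 and concludes the control works;
    # only the continuous monitor reaches month 3, where PSI exceeds the threshold.
```

An auditor assessing this control would ask for the monitor's history and its alert handling, not a single snapshot.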
The most CISA-adjacent domain and the most forgiving. The new vocabulary is the frameworks: NIST AI Risk Management Framework and ISO/IEC 42001. Learn those two well and this domain becomes bankable points.
The lightest weight, but not skippable. This domain has the most technical surface area per question. A focused pass through it, not a deep dive, is the right allocation.
Scenario-based, judgment over recall. Rarely "define this term"; usually "what should the auditor do first" or "which finding matters most." Several options are defensible; the exam wants the best one.
Anchor on the weighting — put the most hours into AI Operations & Monitoring (46%). Close the AI-fluency gap first, frameworks second. Practice in the exam's format — answering scenario questions under time pressure is a different skill from reading about AI audit, and it is the one being graded.
Hard enough to respect, not hard enough to fear if you are a working auditor who does the AI-fluency homework. Your audit instincts carry a third of the exam; the other two-thirds reward whether you understand how AI systems behave and how you would assure them over time. Close that gap, practice in the real format, and a first-attempt pass is a reasonable goal.
Written by Dr. Baz Abouelenein, AAIA, CISA, CISM, CRISC, CISSP, PMP. The AAIA Prep App has 1,155 original practice questions mapped to all three AAIA exam domains.