AI Risk Identification: Threat Landscape and Risk Categories
This eleventh episode of the ISACA Advanced in AI Audit (AAIA) exam prep series teaches auditors how to spot dangers in AI systems before they cause harm. It tours the threat landscape, the recognized categories of harm, the criteria and regulatory levels used to size risk, and the unique hurdles that make AI risk management harder than traditional IT risk.
What this episode covers
- Integrating AI risk identification into the wider risk program and applying professional skepticism.
- The four AI threat actors and how each one weaponizes or undermines the technology.
- The three NIST categories of harm — people, organizations, and ecosystems.
- The OECD criteria of scale, scope, and optionality used to size a risk.
- The EU AI Act risk levels that dictate how strictly a system is governed.
- The seven-stage AI lifecycle and the actors who can introduce risk at each step.
- The six challenges that make AI risk management uniquely difficult.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
Who are the four main AI threat actors?
The four threat actors are insider threats, an organization's own employees who cause harm on purpose or by accident; nation-states, countries using AI for cyberespionage, warfare, or surveillance; cybercriminals, hackers who use AI to make attacks faster and harder to catch; and AI developers themselves, who sometimes fail to align their tools with human ethics and create biased algorithms.
What are the three NIST categories of AI harm?
The National Institute of Standards and Technology divides harm into three categories: harm to people, which can be individual, group, or societal; harm to an organization, including disrupted operations, financial loss, and reputational damage; and harm to an ecosystem, which damages interconnected global systems like the supply chain, financial markets, or the natural environment.
What are scale, scope, and optionality in AI risk?
According to the OECD framework, scale looks at how serious the negative impact is and how likely it is to happen, like the difference between a paper cut and being struck by lightning. Scope measures how wide the application reaches and how many people are affected, like a broken coffee maker versus a citywide power outage. Optionality evaluates whether people actually have a choice about interacting with the AI or whether its effects are forced upon them.
What are the four risk levels in the EU AI Act?
The European Union AI Act categorizes risks into four levels that dictate how strictly a system is governed: unacceptable risk, which is banned entirely, such as dangerous biometric surveillance or social scoring; high risk; limited risk; and minimal risk. By analogy, unacceptable risk is like a car with no brakes, high risk is driving on a highway, limited risk is riding a bicycle, and minimal risk is going for a walk in the park.
📚 Master the ISACA AAIA Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISACA AAIA certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in AI Risk Identification: Threat Landscape & Risk Categories.