Question 12
Domain 2 — AI Operations, Lifecycle, and Control EnvironmentDuring an AI change management audit, the auditor is PRIMARILY verifying that:
Correct answer: B
Explanation
Change management controls require that modifications be approved, tested, and recorded before release to production. This verifies that AI model changes are "authorized, tested, and documented" so only controlled updates reach the live environment, reducing the risk of unintended behavior or unauthorized alterations.
Why each option is right or wrong
A. AI models achieve defined benchmark accuracy scores before deployment
B. Changes to AI models are authorized, tested, and documented before deployment to production
Under standard change-control practice, the auditor is checking that model updates follow a formal approval, testing, and release trail before they reach the live environment. In an AI context, that means the change record should show authorization by the appropriate owner, evidence of testing in a non-production setting, and documentation of the version deployed; without those controls, the production model could be altered without traceability or validation.
C. All AI systems in production use explainability tools such as SHAP or LIME
D. All training data is encrypted at rest using approved encryption standards