Question 36
Domain 1 — AI Governance and Risk Management
During an AI audit, you find that the organization has a well-documented model validation policy requiring bias testing before deployment, but 15 of the last 30 model deployments have no bias testing documentation. This finding BEST represents:
Correct answer: B
Explanation
An operating effectiveness gap exists when a control is designed properly but is not performed consistently. Here, the policy requires bias testing before deployment, yet "15 of the last 30 model deployments have no bias testing documentation," showing the control was not followed in practice. This is a failure of operating effectiveness, not design.
Why each option is right or wrong
A. A design effectiveness gap — the control doesn't address the right risk
B. An operating effectiveness gap — the control is well-designed but not consistently followed
Under the COSO internal control framework, a control can be appropriately designed yet still fail in operating effectiveness if it is not performed as prescribed. The documented policy requires bias testing before deployment, but the sample shows 15 of 30 deployments—50% of the population—lacked any bias-testing evidence, which is a repeated execution failure rather than a design flaw.
C. A risk appetite violation — the residual risk exceeds the stated appetite
D. A third-party risk finding — vendors are not following the policy