Question 9
Domain 5: Deployment, Scaling, Safety, and ComplianceAn organization is deploying an agentic AI system that automates sensitive decision-making tasks. Which of the following is the most appropriate practice to ensure both security and accountability in the system's operations?
Correct answer: D
Explanation
Role-based access control limits who can initiate or modify sensitive actions, enforcing least privilege for an agentic AI system. Immutable audit trails preserve a tamper-resistant record of decisions and actions, supporting accountability and post-incident review when the system automates sensitive decision-making tasks.
Why each option is right or wrong
A. Store all system logs in local memory for faster access
B. Allow all engineers unrestricted access to logs for faster debugging
C. Anonymize user inputs before storing them in the audit log
D. Implement role-based access control and immutable audit trails
Role-based access control is the standard least-privilege control under access-control frameworks such as NIST SP 800-53 AC-2/AC-6, ensuring only authorized users or services can trigger, alter, or approve sensitive AI actions. Immutable audit trails align with NIST SP 800-53 AU-2, AU-6, and AU-9 by preserving tamper-resistant logs of who did what and when, which is essential when the system is making consequential decisions that must be reviewable after the fact.