The ISACA AAISM certification (Advanced in AI Security Management) is the first credential built specifically for the people who have to secure and govern artificial intelligence inside an organisation. If you already hold CISM or CISSP and your remit now includes AI risk, governance and controls, AAISM is the credential ISACA designed for you. This guide breaks down the exam domains, the full cost and the entry requirements, and gives you an honest verdict on whether the ISACA AAISM is worth it in 2026.
AI security management has gone from a niche concern to a board-level priority in under two years. Regulators, auditors and insurers now expect organisations to show they govern AI responsibly, and most security leaders are being asked to own that problem without a recognised credential to back them. That is the gap AAISM is trying to fill.
What Is the ISACA AAISM Certification?
AAISM stands for Advanced in AI Security Management. ISACA launched it in 2025 and positions it as the first and only credential of its kind, aimed at experienced security and risk leaders rather than entry-level practitioners.
The clue is in the word "Advanced". This is not a beginner certification and it is not a hands-on technical exam like a penetration testing cert. AAISM sits at the governance and management layer. It validates that you can advise stakeholders, set AI security policy, manage AI-specific risk and select the right controls for AI systems across an enterprise.
Crucially, AAISM is a bolt-on credential, not a standalone one. You cannot earn it from scratch. You must already hold an active CISM or CISSP, which immediately tells you who ISACA is targeting: serving security managers, architects and leaders who want to formalise their AI governance expertise.
Exam Tip: AAISM is an add-on to CISM or CISSP, not a replacement. Treat it as a specialisation that extends an existing leadership credential into the AI domain.
AAISM Exam Domains
The AAISM exam is organised around three job-practice domains. Together they cover the full lifecycle of managing AI security, from setting policy through to selecting technical controls.
Domain 1: AI Governance and Program Management
This domain is about the leadership layer. It tests your ability to advise stakeholders on AI security solutions through effective policy, data governance, programme management and incident response. Expect questions on building an AI security programme, aligning it with regulation and embedding accountable governance across the business.
Domain 2: AI Risk Management
The second domain focuses on assessing and managing the risks that come with enterprise-wide AI adoption. That includes threats, vulnerabilities and the supply chain issues that AI introduces, such as third-party models, training data provenance and the dependencies hidden inside an AI pipeline.
Domain 3: AI Technologies and Controls
The third domain is the most technical of the three, though still framed from a management perspective. It covers the security technologies, techniques and controls tailored specifically to AI systems, so you can recommend and oversee the right safeguards rather than implement every one yourself.
Here is how the three domains compare at a glance.
| Domain | Focus | What it tests |
|---|---|---|
| AI Governance and Program Management | Policy and leadership | Advising stakeholders, AI policy, data governance, programme management, incident response |
| AI Risk Management | Risk and threat | Assessing AI threats, vulnerabilities and supply chain risk across the enterprise |
| AI Technologies and Controls | Controls | Selecting and overseeing security technologies and controls built for AI systems |
If you have already studied for CISM, this structure will feel familiar. AAISM essentially reapplies the govern, assess, control logic of mainstream security management to the specific problem of artificial intelligence.
AAISM Exam Format and Passing Score
The AAISM exam is a computer-based test made up of a blend of scenario-based and standard multiple-choice questions. The scenario questions are where the "advanced" label earns its place, because they ask you to make governance and control decisions in realistic enterprise situations rather than recall definitions.
The key exam facts you need to know are below.
- The AAISM exam contains 90 questions.
- The exam is timed at roughly 2.5 hours (150 minutes).
- Your score is reported on a scale of 200 to 800.
- You need a scaled score of 450 or higher to pass.
- Once your registration is approved, you have a six-month eligibility window to sit the exam.
Exam Tip: The 450 pass mark is a scaled score, not a raw percentage. ISACA equates scores across exam versions, so do not assume 450 out of 800 means you can drop a fixed number of questions. Aim to master every domain rather than bargain with the maths.
The scenario-based questions reward judgement, not memorisation. The single most effective way to prepare is repeated exposure to realistic, exam-style questions so the decision-making becomes second nature. That is exactly what timed practice exams are built to develop.
AAISM Eligibility Requirements
This is the requirement that catches people out, so it is worth stating plainly.
To register for the AAISM exam you must hold an active CISM or CISSP certification. There is no alternative route, no experience-only waiver and no equivalent credential ISACA accepts in their place. If your CISM or CISSP has lapsed, you will need to bring it back into good standing first.
This gate is deliberate. By restricting AAISM to people who already hold a recognised security management or security professional credential, ISACA keeps the candidate pool small and the credential scarce. For holders, that scarcity is part of the value. For everyone else, it means AAISM is a second or third certification, not a first.
If you do not yet hold either prerequisite, the practical path is to earn one of them first. CertCrush has full preparation for both, so you can start with our CISSP practice and study resources or work towards CISM, then add AAISM once the prerequisite is locked in. If you are still weighing those two up, our guide on whether CISM is worth it and our CISSP vs CISM comparison will help you choose.
How Much Does AAISM Cost?
The exam fee is only part of the picture. Here is the full cost of earning and keeping AAISM in 2026.
| Item | ISACA member | Non-member |
|---|---|---|
| Exam registration | $459 | $599 |
| Application processing fee (one-off, after passing) | $50 | $50 |
| Official online review course (optional) | $449 | $549 |
| Annual maintenance fee | $20 | $35 |
A few things to note from that table.
First, ISACA membership changes the maths. The member exam fee saves you $140 versus the non-member price, and membership also discounts the review course and annual upkeep. If you are going to sit more than one ISACA exam, membership usually pays for itself.
Second, the certification is not a one-and-done purchase. To keep AAISM active you must pay the annual maintenance fee and earn Continuing Professional Education (CPE) credits, just like CISM and CISA. The requirement is a minimum of 10 CPE hours each year and 30 hours across a rolling three-year cycle.
Third, in-person boot camps are a separate and much larger cost, often in the region of $2,500 to $3,000. They are optional. Plenty of candidates pass using the official review materials plus self-study and a solid bank of practice questions.
Exam Tip: Budget for the full lifecycle, not just the exam. Between registration, the application fee and three years of maintenance, the realistic cost of earning and holding AAISM is meaningfully higher than the headline exam price.
Is the ISACA AAISM Worth It in 2026?
This is the question that matters, so here is a straight answer: AAISM is worth it if you are an experienced security or risk leader whose role already touches AI governance, and it is not worth it if you are early in your career or your work does not involve AI.
The case in favour is built on three points.
The demand is real and the supply is thin. AI governance has become a requirement rather than a nice-to-have, driven by regulation, customer due diligence and insurer expectations. Very few professionals hold a recognised AI security management credential, so AAISM can position you as a scarce, high-value specialist in an emerging market.
The salary signal is strong. AI governance and security roles command a premium over general security management, commonly reported in the region of $20,000 to $40,000 above comparable non-AI roles. Mid-level AI risk and governance roles are frequently cited around $130,000 to $160,000, with senior AI security and governance leaders earning $180,000 to $240,000 or more. A credential alone does not guarantee those figures, but it helps you compete for the roles that pay them.
It compounds your existing credential. Because AAISM requires CISM or CISSP, it does not replace your current standing; it extends it. You end up with a leadership credential plus a recognised AI specialisation, which is a sharper profile than either on its own.
The case against is just as important to be honest about.
- The prerequisite gate means AAISM is out of reach until you hold CISM or CISSP, so it is never a first certification.
- It is a management and governance credential, so it will not, on its own, prove hands-on technical AI security skill.
- It is new. As with any recently launched certification, employer recognition is still building, so part of its value today is being an early adopter rather than ticking a box every job advert already asks for.
Here is the simple decision rule. If you already hold CISM or CISSP, your role is moving toward AI risk and governance, and you want to be ahead of the curve while the credential is still scarce, AAISM is a strong, defensible investment. If you are still earning your first leadership credential, focus there first and revisit AAISM later.
For context on where AAISM sits in ISACA's wider line-up, it complements rather than competes with the practitioner-level ISACA CCOA, which targets cybersecurity operations, and with the broader wave of AI certifications now flooding the market.
How to Prepare for AAISM
Because AAISM is scenario-heavy and assumes existing security maturity, your preparation should look different from a knowledge-recall exam.
- Lean on your CISM or CISSP foundation. The governance, risk and controls logic carries straight over. Map what you already know onto the AI context rather than starting from zero.
- Study ISACA's official review material. The online review course is built to the exam content outline and is the most reliable source for scope.
- Drill scenario-based questions under time pressure. Judgement improves with repetition. Work through realistic questions until you can read a scenario and identify the best governance or control decision quickly.
- Stay current on AI risk. AI security moves fast. Keep up with model supply chain risk, data governance and emerging AI threats so the scenarios feel familiar rather than abstract.
- Mind the clock. With 90 questions in around 150 minutes, you have roughly a minute and a half per question. Practising to time stops the scenario questions from eating your schedule.
Ready to Start Practising?
The ISACA AAISM is a credible, forward-looking credential for the security leaders who will own AI governance over the next decade, provided you already hold the CISM or CISSP it builds on. The thin supply of qualified professionals and the salary premium attached to AI governance make it a smart early move for the right candidate.
Whether you are working towards the CISSP or CISM prerequisite first, or you are ready to specialise into AI security management, the fastest way to build exam-day confidence is realistic, timed practice. Create your free CertCrush account to start practising with exam-style questions, or browse our certification courses to find the right path for your next credential.
Pass the exam. Then go and own the AI security problem everyone else is still figuring out.