ISACA Launches Advanced AI Risk Certification AAIR

ISACA announced the launch of the Advanced in AI Risk certification, AAIR, on 15 April 2026 to formalize practical expertise for IT risk professionals managing AI across the enterprise. The credential is aimed at practitioners who already hold established risk credentials and require applied capability to govern systems that evolve post-deployment. ISACA CEO Erik Prusch said, "The launch of AAIR gives risk professionals the practical skills they need now to understand, assess and manage AI risk." The program requires proven IT risk experience plus one of 25 prerequisite certifications.

The AAIR exam and competency model center on three practice domains that reflect governance and operational control needs:

• •AI risk governance and framework integration
• •AI lifecycle risk management
• •AI risk program management

Candidates are expected to translate technical uncertainty into board-level evidence, recommend responses to AI-specific vulnerabilities, and design lifecycle monitoring and third-party oversight. ISACA provides study materials including the AAIR Online Review Course, the AAIR Questions, Answers & Explanations Database, and the AAIR Review Manual. Prerequisite certifications cited as qualifying include CISA, CISM, CRISC, CGEIT, CDPSE, CRMP, CRMA, CGRC, CISSP, CERP, and CRCM among others.

The certification arrives as a practical response to a recurring problem: AI adoption outpacing organizational controls and governance. ISACA's parallel content explains why mere awareness is insufficient and argues for structured capability that can operate under pressure during go-live decisions, vendor model failures, or regulatory scrutiny. The organization also published operational frameworks such as a four-phase approach to assessing AI coding assistant vulnerabilities that delivered a 36% reduction in remediation time in deployment case studies. AAIR therefore bundles governance theory with applied, auditable practice-positioning holders to bridge technical, security, and board-level conversations.

For practitioners, this matters because it standardizes a set of expectations and artifacts that auditors, boards, and regulators will begin to recognize. The credential is not an entry-level certificate; it presumes experience and an existing certification footprint, making it a signal that a practitioner can operationalize AI-specific controls, monitor model drift, and manage third-party model risk in production.

Adoption by large regulated sectors-financial services, healthcare, and government-will determine AAIR influence. Expect organizations to reference AAIR competencies in vendor oversight, procurement requirements, and internal hiring for model risk and AI governance roles. Also watch for vendor training tie-ins and whether regulators cite AAIR as a recognized professional standard in enforcement or guidance documents.

AAIR codifies applied AI risk capability for experienced practitioners, aligning ISACA educational assets and practical frameworks to close a growing operational gap between AI deployment velocity and enterprise controls.