Step-by-step

Your 8-Week Study Plan

A realistic, week-by-week path to the AAIA exam. It assumes roughly 6–8 hours per week — about an hour a day plus a longer weekend session. In a hurry? Run it at double pace and you can compress the whole plan into 4 weeks.

How this plan works

Each week below lists a small set of focused tasks: pages to read on this guide, frameworks to absorb, and practice questions to attempt. Tick a box when you finish a task and your progress is saved locally in your browser — close the tab, come back tomorrow, and the bar in the sidebar picks up exactly where you left off. Nothing is uploaded anywhere; clearing your browser data (or the Reset progress button) wipes it.

🔑

Follow the exam weighting

Domain 2 (AI Operations) is 46% of the exam, so it gets two full weeks. Domain 1 is 33% and Domain 3 is 21%. Spend your hours where the marks are.

✅

Make it stick

Read actively: after each domain section, close the page and try to explain the auditor's angle out loud — what risk it creates and what evidence you'd ask for. Then do the matching practice questions while it's fresh.

1 Week 1 — Foundations & exam logistics ~6 hrs

Get the lay of the land: what the exam is, who it's for, how it's scored, and the vocabulary you'll need before any of the domains make sense. End the week by booking a target date so the rest of the plan has a deadline.

Read the full guide overview and "exam at a glance" on the Home page.
Understand the exam format: 90 scenario questions, 2.5 hours, scaled 200–800, 450 to pass — confirm against the official ISACA page ↗.
Check your eligibility (active CISA, or CIA/CPA in an IT-audit role, or CISM/CRISC/CGEIT with AI-audit experience).
Skim the glossary to meet the core AI terms — model, training/inference, supervised vs. unsupervised, LLM, generative AI.
Learn the difference between traditional ML and generative AI, and why each creates different audit risks (preview the Domain 1 intro).
Set a target exam date (8 weeks out) and put your weekly study block in the calendar.
Bookmark this study plan and confirm the progress bar saves after you tick a box.

2 Week 2 — Domain 1 (A): AI & governance ~7 hrs

Start the biggest conceptual block: how AI models and their requirements are defined, and how an organization governs AI as a program. Bring in your first framework — the NIST AI RMF — because Domain 1 lives and breathes it.

Read the AI models & requirements section of Domain 1.
Study AI governance and program management — roles, policies, accountability, and the three lines model (Domain 1).
Read the Frameworks intro and the NIST AI RMF — its four functions: Govern, Map, Measure, Manage.
Skim ISO/IEC 42001 (AI management system) and note how it maps to governance controls (Frameworks).
Note the governance roles you must recognize: model owner, data steward, risk function, internal audit — and who owns what.
Work through every "worked example" in the Domain 1 governance sections.
Add the week's new vocabulary to your glossary review list.

3 Week 3 — Domain 1 (B): risk, privacy & ethics ~7 hrs

Finish Domain 1 with the risk, privacy, ethics, and regulatory material — including the EU AI Act risk tiers the exam loves. Then lock it in with a full pass of Domain 1 practice questions.

Read AI risk management in Domain 1 — identifying, assessing, and treating AI-specific risks.
Study privacy & data governance, including when a DPIA is required (Domain 1).
Read the ethics, fairness, and bias material and the auditor's angle on each (Domain 1).
Learn the EU AI Act risk tiers — prohibited, high-risk, limited, minimal — and what each requires (Frameworks).
Review the regulation & standards landscape and how it shapes audit scope (Domain 1).
Do all Domain 1 practice questions (filter to Domain 1) and read every explanation.
Re-do any Domain 1 question you got wrong until you understand the trap.

4 Week 4 — Domain 2 (A): data & lifecycle ~8 hrs

Domain 2 is 46% of the exam, so it gets two weeks. Week one covers the build side: data management, the AI/ML development lifecycle and MLOps, and change management.

Read the data management section of Domain 2 — quality, lineage, labeling, and bias in data.
Study the AI development lifecycle and MLOps — from problem framing through deployment (Domain 2).
Read change management for models: versioning, approvals, and rollback (Domain 2).
Map the lifecycle stages to NIST AI RMF Map/Measure functions (Frameworks).
Learn what a model card documents and why an auditor asks for one (Domain 2 / glossary).
Work through the lifecycle worked examples in Domain 2.
Add the new MLOps and data terms to your glossary review.

5 Week 5 — Domain 2 (B): monitoring, testing & security ~8 hrs

The run side of Domain 2: keeping deployed models healthy (supervision and drift), testing techniques and metrics, AI-specific threats, and incident response. Finish with the Domain 2 practice set.

Read model supervision & monitoring — detecting model drift and data drift (Domain 2).
Study testing techniques and metrics — accuracy, precision/recall, F1, and fairness metrics (Domain 2).
Learn AI-specific threats: prompt injection, data poisoning, model inversion, and adversarial inputs (Domain 2).
Read AI incident response — detection, containment, and lessons-learned (Domain 2).
Connect threats and monitoring to the NIST AI RMF Manage function (Frameworks).
Do all Domain 2 practice questions (filter to Domain 2) and read every explanation.
Re-test on any Domain 2 misses; note recurring weak spots for Week 8.

6 Week 6 — Domain 3: auditing tools & techniques ~7 hrs

Now the auditor's own toolkit: how to plan an AI audit, sample and test, gather sufficient evidence, use analytics, and report — all while protecting independence. Close with the Domain 3 practice set.

Read audit planning & design for AI engagements — scoping and risk-based focus (Domain 3).
Study testing & sampling approaches and when each is appropriate (Domain 3).
Learn evidence collection and what makes evidence sufficient and appropriate (Domain 3).
Read data quality & analytics techniques used in AI audits (Domain 3).
Study AI audit reporting and how to frame findings and recommendations (Domain 3).
Review auditor independence — what an auditor advises vs. owns (Domain 3).
Do all Domain 3 practice questions (filter to Domain 3) and read every explanation.

7 Week 7 — Integration & first full run ~7 hrs

Tie the three domains together. Most exam questions cross domains — a governance gap surfaces during operations and gets caught in the audit. Deep-dive the frameworks, re-read the exam callouts, and take your first full practice run.

Deep-dive the Frameworks page: NIST AI RMF, ISO/IEC 42001, EU AI Act, and the AI lifecycle side by side.
Map each framework to the domains it touches so you can place any scenario quickly.
Re-read every "exam trap" / "what they test" callout across Domain 1, 2, and 3.
Do a full glossary review — use the search box to quiz yourself on definitions.
Take a full practice run with the filter on All and record your score.
List your three weakest topics from the practice run to target next week.
Confirm your exam booking, payment, and the 6-month eligibility window are all in order.

8 Week 8 — Exam readiness ~6 hrs

Final polish. Practice under time pressure, fix the weak areas you flagged, sort out the logistics, then taper off and rest. You cram less and pass more by arriving fresh.

Do a timed practice run to build pacing for 90 questions in 2.5 hours.
Drill your three weakest topics: re-read the relevant domain section, then re-test.
Re-skim all four frameworks and the EU AI Act tiers one more time.
Confirm logistics: valid government ID, and your online-proctoring setup or test-center location and time.
If sitting online, run the proctoring system check and clear your workspace per the rules.
Do a light glossary skim — no new material this late.
Take a rest day before the exam: sleep, light review only, no cramming.

Exam-day checklist

The small things that quietly cost candidates points. Tick these off the day before and the morning of.

Day before: confirm exam time and time zone, and locate your confirmation email.
Day before: set out your valid government-issued photo ID.
Day before: test your webcam, microphone, and internet (online proctoring) or plan your route (test center).
Day before: get a full night's sleep — no late cramming.
Day of: eat, hydrate, and arrive (or log in) early to handle check-in calmly.
Day of: clear your desk and surroundings to the proctoring requirements.
During: read each scenario carefully — answer what they're asking (FIRST / BEST / NEXT), and flag-and-move-on rather than stalling.
During: when stuck between two options, pick the one that addresses the root risk, fits the auditor's role, and follows proper sequence.

🎯

You've got this

If your full practice runs are consistently above the mid-70s percent and you can explain why each wrong answer is wrong, you're ready. Trust your preparation and pace yourself.