ISACA launches Advanced in AI Risk certification for practitioners

The launch responds to a widening gap between how quickly European organisations are adopting AI and their ability to manage the risks it brings. ISACA’s research, drawn from the 2026 AI Pulse Poll, finds that 59% of digital trust professionals don’t know how quickly their organisation could halt an AI system in the event of a security incident. Only one-in-five (21%) could do so within half an hour.

A further 20% of respondents don’t know who would be accountable if an AI system caused harm. This is a finding that points to a structural accountability gap at the heart of how most organisations govern AI today.

AI risk has moved from a technical concern to a Board-level business issue. It’s acting as a stress test for accountability inside organisations that adopted AI before they had the structures to oversee it.

Less than half (42%) of European digital trust professionals are confident that their organisation could investigate and explain a serious AI incident to leadership or regulators. Only 11% are completely confident.

With the European Union’s AI Act coming into force and placing explicit demands around accountability and oversight, these gaps carry direct regulatory and reputational consequences.

Governance gap

ISACA’s research points to a structural problem rather than a technical one. One-third of organisations (33%) don’t require employees to disclose when AI has been used, while only 38% identify the Board or an executive as the ultimate owner of AI risk.

The picture painted is one of widespread AI use without the matching infrastructure of accountability, audit and response. AI is being adopted into core business processes, but the controls, reporting lines and skilled people needed to manage it are not yet in place at scale.

The AAIR certification is not designed for those starting from scratch. It’s built for experienced IT risk professionals who already hold strong foundations and need to extend them into AI governance.

The credential validates the candidate’s ability to evaluate AI-related vulnerabilities, assess opportunities and impacts and govern AI across its full lifecycle (including the evaluation of vulnerabilities before and after deployment, assessing business impact across uncertain and evolving systems and explaining risk posture credibly to a Board or regulator). It covers three areas: AI risk governance and framework integration, AI lifecycle risk management and AI risk programme management.

AAIR is open to candidates who hold one of 25 prerequisite certifications, including CISA, CISM, CRISC, CGEIT, CDPSE, CGRC and CISSP.

Skills problem

Chris Dimitriadis, chief global strategy officer at ISACA, said: “The enthusiasm to adopt AI has outpaced the skills needed to govern it. Many organisations cannot tell you how quickly they could stop an AI system, who’s accountable if it goes wrong or how they would explain any failure to a regulator. That’s not a technology problem. Rather, it’s a governance and skills problem.”

Dimitriadis added: “The tools to manage AI risk already exist. Risk management, prevention controls, detection, incident response and recovery are all foundations of good cyber security practice and they need to be applied to AI with the same rigour. The AAIR certification exists to build the profession that can do that work. Closing the governance gap will take more than a handful of experts. We all need to be involved.”

Additional resources are available for those seeking to become AAIR certified, including the AAIR Online Review course, the AAIR Questions, Answers and Explanations database and the AAIR Review Manual (the latter available in digital format or print).

*Further information is available online at www.isaca.org