
BREAKING UPDATE: The IAPP has officially released version 2.1.0 of the AIGP Body of Knowledge (BoK), upgraded from version 2.0.1.
Confirmed changes:
1️⃣ Newly passed AI-specific regulations have been incorporated.
2️⃣ Agentic AI is now formally included in the syllabus.
Important note:
This updated BoK applies only to examinations scheduled on or after February 2, 2026. If you are appearing for the exam on or before February 1, 2026, this update does not apply to you; please continue referring to the current version, 2.0.1 (AIGP_Cert_BOK_FINAL_012925_2.0.1.pdf). If you plan to appear on or after February 2, 2026, please refer to the latest updated version, 2.1.0 (AIGP_Cert_BOK_2025_FINAL_v2.1.0.pdf).
Here are three significant updates in BoK v2.1 that have not yet received widespread attention:
Domain II.C has been expanded to cover additional enacted AI laws beyond the EU AI Act, including South Korea’s AI Basic Law.
Domain II.D now explicitly references the ISO 42005 standard.
Domain IV.A has been revised to include Agentic Architectures as a formal topic of study.
Additionally, minor language refinements have been made across the BoK, such as the consistent use of the term “system” when referring to models and/or systems, ensuring greater clarity and precision.
If you are preparing for the 2026 version of the exam (i.e., on or after February 2, 2026), you do not need to purchase a separate course. This course will soon be updated to include all new additions as a clearly labeled module, marked as new/optional for current exam takers.
Here are the links you’ll need to get started. Just click, download, or join as needed. Everything is ready for you: notes, community groups, and extra resources.
Downloadable Study Notes: in the resources section of this video.
LinkedIn Study Group: https://www.linkedin.com/groups/14498288/
Discord Channel: https://discord.com/invite/7TsHtSfZ [NEW]
In this lecture we discussed at a high level the unique characteristics of AI that make governance necessary. We started off with an overview of the seven key characteristics aligned with the Body of Knowledge and also looked at how exam questions may test these through real-life situations. Then we discussed each characteristic one by one, including complexity, opacity, autonomy, speed and scale, potential for harm or misuse, data dependency, and probabilistic outputs, and understood what each one means and why it creates governance challenges. Finally, we looked at real examples from the AI Incident Database for every characteristic to see how these issues appear in practice and why it is important to carefully analyze AI systems from multiple angles when answering scenario-based questions.
In this lecture we discussed the common principles of Responsible AI at a high level. We started off by clarifying the difference between AI governance and Responsible AI using the latest IAPP definitions, where AI governance refers to the organizational frameworks, processes, and oversight used to manage AI systems, while Responsible AI focuses on the ethical principles and standards that AI systems should follow to avoid harm and build trust. Then we discussed each Responsible AI principle one by one including fairness, privacy, safety, security, accountability, transparency, explainability, interpretability, robustness, reliability, resilience, human centricity, and sustainability, and understood their meaning in simple terms. Finally we looked at several real world incidents from the AI Incident Database to see how these principles apply in practice and how failures in these areas can lead to bias, privacy violations, safety risks, misinformation, unreliable systems, and environmental concerns in real world AI deployments.
In this lecture, we discussed the AI development lifecycle as a bonus section that was previously part of Domain 5. We started off with understanding that the AI lifecycle is not a sequential approach but rather an iterative one, where each stage interconnects with others. The lecturer emphasized that key processes like data labeling and model training are not one-time activities but may need to be revisited and refined throughout the development process.
We then took a deep dive into the planning stage, particularly focusing on determining business objectives and requirements. The lecturer explained this using real-life examples from e-commerce personalization and fraud detection in financial services. We saw how to break down the planning process into understanding the problem statement, mapping business challenges to objectives, and defining desired outcomes in terms of both functional and technical requirements. For instance, if a business is facing low customer engagement, the objective might be to increase engagement by 30%.
We also explored the scope of AI projects, using an e-commerce recommendation engine as an example. The lecturer explained how scope encompasses various dimensions including datasets (like customer browsing history and product catalogs), geography, customer segments, product hierarchies, technical constraints, compliance requirements, and evaluation metrics. The final part touched on AI governance and risk management, emphasizing the importance of integrating AI risk management with existing organizational frameworks and embedding responsible AI principles into company culture. Remember that understanding the iterative nature of the AI lifecycle and the detailed planning phase is very important for the exam.
In this lecture, we took a deep dive into the design phase of the AI lifecycle. We started off with two main categories: implementing a data strategy and determining AI architecture/model selection. Within data strategy, we looked at three key areas: data understanding, data wrangling, and data labeling. We also explored Privacy Enhancing Techniques (PETs) like data minimization, differential privacy, and federated learning, which are particularly important from an exam perspective.
Next, we delved into AI system architecture, which consists of three layers: application layer, model layer, and infrastructure layer. The application layer is where users interact with the system through interfaces like web apps or mobile apps. The model layer houses the core AI and machine learning models, while the infrastructure layer provides the necessary hardware and software resources. Remember that understanding the relationship between these layers is crucial for the exam, as they work together to create a complete AI system.
Finally, we explored model selection and the important tradeoffs to consider. We looked at key concepts like accuracy versus interpretability and bias versus variance. It's essential to remember that high bias leads to underfitting, while high variance leads to overfitting - this relationship is particularly important for the exam. We also discussed other tradeoffs like training time versus performance, feature engineering versus automatic feature engineering, and model simplicity versus flexibility. Each of these tradeoffs presents unique challenges and considerations when selecting the right model for your AI project.
In this lecture, we did a deep dive into the Development stage of the AI/ML lifecycle. We started off with an overview of four key substages: feature engineering, model building, model training and validation, and model testing. Each of these substages plays a crucial role in developing effective AI models, and the instructor emphasized several concepts that are particularly important from an exam perspective.
Moving into the specifics, we first explored feature engineering, which is all about creating new features or transforming existing ones to improve model performance. The instructor used a great real-world example of fraudulent transactions to show how raw data can be transformed into meaningful features. Then we looked at three different model building approaches: building from scratch, fine-tuning, and retraining. It's interesting to note how the field has shifted from building models from scratch to more fine-tuning approaches, especially after the advent of generative AI like GPT models.
The final part of the lecture covered model training, validation, and testing. We learned about the important distinction between training, validation, and test datasets - remember, this is particularly crucial for the exam! The instructor explained how validation happens alongside training, while testing comes after the model is trained to a decent state. We also explored the concepts of overfitting and underfitting, their symptoms, and mitigation strategies. For overfitting, key signs include high training accuracy but low validation/test accuracy, while underfitting shows low accuracy across all datasets. Each of these issues has specific mitigation strategies that are important to understand from an exam perspective.
In this lecture, we discussed the Implementation phase of AI systems, which comes after the planning, designing, and development phases. We started off with readiness assessments, where we looked at various aspects like adversarial testing (also called red teaming), scalability testing, and checking the model's transparency. In this, we took a deep dive into how to ensure the model is ready for real-world deployment by testing it against edge cases and unexpected inputs.
We then looked at the steps needed to deploy a model into production. We started with choosing between batch and real-time deployment methods, setting up infrastructure (either on-premise, cloud, or hybrid), and containerizing the model using Docker. We also covered concepts like CI/CD pipelines and deployment strategies, which are very important from an exam perspective. Remember, understanding Docker and containers is crucial for the exam as they're fundamental to model deployment.
Finally, we covered how to monitor, validate, and maintain models once they're in production. We learned about important concepts like data drift (changes in statistical properties of input data over time) and model drift (degradation of model performance). We also explored setting up automated monitoring systems, implementing feedback loops through reinforcement learning from human feedback (RLHF), and establishing criteria for model retraining. The key definitions of data drift and model drift are particularly important for the exam, as they carry significant marks.
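The two drift definitions above, turned into a monitoring check. This is an added example, not course material: it uses a constructed "transaction_amount" feature window, the Population Stability Index (PSI) as one common data-drift measure with its conventional 0.10/0.25 rule-of-thumb thresholds, and a simple accuracy-drop rule for model drift; the data, thresholds and retraining criterion are assumptions, not taken from the lecture.

```python
"""Constructed example: flag data drift and model drift for a deployed model."""
import math
from typing import Dict, List, Sequence

# Constructed reference window: a hypothetical "transaction_amount" feature
# as it looked in the training data.
REFERENCE_AMOUNTS: List[float] = [
    12, 18, 25, 31, 44, 52, 58, 63, 71, 79, 85, 92, 105, 118, 130,
    15, 22, 27, 35, 47, 55, 60, 66, 74, 81, 88, 95, 110, 121, 135,
]
# Constructed production window from a later period: amounts have shifted upward,
# i.e. the statistical properties of the input data have changed (data drift).
PRODUCTION_AMOUNTS: List[float] = [
    40, 55, 68, 77, 89, 96, 104, 115, 128, 140, 155, 170, 185, 199, 210,
    45, 59, 70, 80, 91, 99, 108, 119, 132, 146, 160, 175, 190, 205, 220,
]
# Constructed weekly accuracy in production versus the training-time baseline.
# Performance monitoring needs ground-truth labels, which often arrive late,
# so data drift (label-free) is usually the earlier warning signal.
BASELINE_ACCURACY = 0.92
WEEKLY_ACCURACY: List[float] = [0.91, 0.90, 0.88, 0.85]


def reference_bin_edges(reference: Sequence[float], n_bins: int = 5) -> List[float]:
    """Equal-frequency bin edges derived from the reference (training) distribution."""
    ordered = sorted(reference)
    n = len(ordered)
    return [ordered[k * n // n_bins] for k in range(1, n_bins)]


def bin_fractions(values: Sequence[float], edges: Sequence[float]) -> List[float]:
    """Fraction of values landing in each bin; bin i holds edges[i-1] <= v < edges[i]."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        idx = sum(1 for e in edges if v >= e)  # number of edges at or below v
        counts[idx] += 1
    total = len(values)
    return [c / total for c in counts]


def population_stability_index(reference: Sequence[float], current: Sequence[float],
                               n_bins: int = 5, eps: float = 1e-4) -> float:
    """PSI = sum over bins of (cur - ref) * ln(cur / ref); eps guards empty bins."""
    edges = reference_bin_edges(reference, n_bins)
    ref_frac = bin_fractions(reference, edges)
    cur_frac = bin_fractions(current, edges)
    psi = 0.0
    for r, c in zip(ref_frac, cur_frac):
        r, c = max(r, eps), max(c, eps)
        psi += (c - r) * math.log(c / r)
    return psi


def data_drift_status(psi: float) -> str:
    """Conventional PSI rule of thumb (assumed): <0.10 stable, <0.25 moderate, else significant."""
    if psi < 0.10:
        return "stable"
    if psi < 0.25:
        return "moderate"
    return "significant"


def model_drift_detected(baseline: float, recent: Sequence[float],
                         tolerance: float = 0.05) -> bool:
    """Model drift: latest observed accuracy has degraded more than tolerance below baseline."""
    return baseline - recent[-1] > tolerance


def retraining_decision(reference: Sequence[float], current: Sequence[float],
                        baseline: float, recent: Sequence[float]) -> Dict[str, object]:
    """Assumed retraining criterion: significant data drift OR detected model drift."""
    psi = population_stability_index(reference, current)
    status = data_drift_status(psi)
    perf_drift = model_drift_detected(baseline, recent)
    return {
        "psi": round(psi, 3),
        "data_drift": status,
        "model_drift": perf_drift,
        "retrain": status == "significant" or perf_drift,
    }


if __name__ == "__main__":
    print(retraining_decision(REFERENCE_AMOUNTS, PRODUCTION_AMOUNTS,
                              BASELINE_ACCURACY, WEEKLY_ACCURACY))
```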
In this lecture, we discussed key leftover technical terms in AI governance at a high level. We started off by revisiting AI terminology and classification frameworks including strong and weak AI, different machine learning methods, and the AI lifecycle. Then we explored the importance of IAPP’s official glossary by walking through several critical terms that are often missed but likely to appear in exams, using comparative examples to simplify learning. Finally, we looked at technical building blocks like models, algorithms, parameters, and hyperparameters; architectural terms like preprocessing, postprocessing, and deployment types; and important safety terms such as watermarking, synthetic data, and AI assurance.
In this lecture we looked at implementing responsible AI governance and risk management at a high level. We started off by understanding why competencies 1B and 1C have been combined into one section, because both of them focus on foundational AI governance and together carry a much higher exam weight than domain 1A. Then we discussed the difference between the current body of knowledge and the older body of knowledge, and why the older structure gives a more logical and organized pathway for learning these concepts. Finally, we looked at how this section will be covered in the coming videos, starting with interoperability of AI risk management with other operational risk strategies, then integration of AI governance principles into the organization, and finally establishing AI governance infrastructure from scratch.
In this lecture we discussed the interoperability of AI risk at a high level. We started off by understanding what interoperability means and how AI risk management should work efficiently with existing risk frameworks instead of being treated as something completely separate. Then we discussed why organizations do not need to build AI risk management from scratch, because most of them already have security risk, privacy risk, operational risk, and business risk frameworks in place. Finally, we looked at examples of existing frameworks such as the NIST Cybersecurity Framework, ISO/IEC 27001, MITRE ATT&CK, NIST Privacy Framework, ISO/IEC 27701, GDPR compliance practices, COSO ERM, and ISO 31000, and discussed how AI-specific risks like hallucination, sycophancy, and other emerging AI risks can be integrated into these existing frameworks instead of reinventing the wheel.
In this lecture we discussed integrating AI governance principles at a high level and understood how these principles are different from responsible AI principles like fairness, privacy, and transparency. We started off by clarifying that AI governance principles are more about creating a cultural shift inside the organization, where governance becomes part of how teams think, plan, and build AI systems. Then we discussed the six key principles one by one, including adopting a pro-innovation mindset, making governance risk-centric, ensuring planning and design are consensus-driven, keeping teams outcome-focused, following a non-prescriptive approach, and building a framework that is law, industry, and technology agnostic. Finally, we looked at these principles with simple examples from financial services, healthcare, e-commerce, manufacturing, and technology companies to understand how AI governance professionals can apply them in real organizational settings and answer tricky scenario-based exam questions more confidently.
In this lecture we discussed how to establish AI governance infrastructure at a high level. We started off by understanding why the scattered performance indicators from the current and previous body of knowledge need to be arranged into a more logical sequence, and then we looked at three broad steps: understanding the organization, getting leadership buy-in, and establishing governance processes. Then we discussed how to understand the organization by identifying whether it is a developer, deployer, or user of AI, understanding its responsibilities, reviewing existing AI governance roles, and studying relevant local and global regulatory requirements. After that, we looked at how to get leadership buy-in by understanding the pressure on technical teams, learning how data science and model operations teams work, and influencing behavioral and cultural change through training, champions, and better alignment with business goals. Finally, we looked at how to establish governance processes by comparing centralized, decentralized, and hybrid governance models, understanding why AI governance approaches differ across organizations, and organizing governance work across people, AI, risk management, and third-party dimensions, including roles and responsibilities, AI policies, taxonomy, AI inventory, maturity assessment, organizational risk strategy, existing privacy and data governance practices, vendor assessment, procurement processes, and third-party risk policies.
In this lecture, we discussed Domain 2 at a high level, which focuses on how laws, regulations, standards, and frameworks apply to AI. We started off by understanding the overall structure and weightage of Domain 2, including its four main competency areas: data privacy laws, other existing laws that apply to AI, AI-specific laws, and key industry standards such as NIST, OECD, and ISO. Then we looked more closely at Domain 2A, which focuses on how existing data privacy laws apply to AI, with GDPR being the most important law covered in this section. We also discussed how the current Body of Knowledge has added important topics such as transparency, lawful basis, and automated decision-making, which makes them especially important for the exam. Finally, we looked at how the GDPR section has been organized into five simple parts, including principles and definitions, transparency, notice, choice, consent, purpose limitation, data minimization, privacy by design, lawfulness of processing, and automated decision-making, so that learners can build a clear mental map, remember the structure more easily, and prepare for the four to six questions expected from this competency.
In this lecture we discussed GDPR principles and key definitions at a high level. We started off with understanding what GDPR means, how it protects the privacy rights of individuals, defines obligations for organizations that process personal data, supports compliance, and also applies to cross-border transfers of personal data outside the EU. Then we discussed where GDPR applies, including EU member states, the European Economic Area, and even non-EU companies that collect, process, or store the personal data of people in the EU. After that, we looked at what kind of personal data is covered under GDPR, including names, identification numbers, location data, electronic data, and even non-automated paper records when they are part of an organized filing system. Then we discussed the core GDPR principles such as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. Finally, we looked at important GDPR definitions such as personal data, processing, profiling, pseudonymization, controller, processor, third party, consent, genetic data, biometric data, main establishment, representative, supervisory authority, and cross-border processing so that the basic GDPR vocabulary becomes clear before moving into transparency, notice, choice, consent, and purpose limitation in the next lecture.
In this lecture we discussed transparency, notice, consent and lawfulness of processing under GDPR at a high level. We started off with the notice and transparency requirements under Articles 12, 13 and 14, where we looked at how GDPR expects communication with data subjects to be concise, transparent, intelligible, easily accessible, written in clear and plain language, available in written or electronic form, and generally free of charge. Then we discussed the difference between direct collection and indirect collection of personal data, and how GDPR provides rules for both situations. After that, we looked at consent and understood that valid consent must be freely given, specific, informed and unambiguous, and must be shown through a clear affirmative action. We also discussed that the controller must be able to demonstrate consent and maintain records showing how and when consent was obtained. Finally, we looked at lawfulness of processing under Article 6 of GDPR, where we discussed that processing becomes lawful if at least one legal basis applies, such as consent, performance of a contract, legal obligation, vital interest, public interest or legitimate interest.
In this lecture we looked at data minimization and privacy by design at a high level. We started off with a quick recap of important GDPR principles like data minimization, purpose limitation and storage limitation, and how these principles are connected to exam-relevant concepts. Then we discussed privacy by design under Article 25, where privacy should be built into the system from the beginning through appropriate technical and organizational measures such as pseudonymization, data minimization, regular reviews and privacy-focused design choices. After that, we looked at privacy by default, which means only the necessary personal data should be collected, processed, stored and accessed by default, with privacy-preserving settings, no automatic opt-ins, limited access and deletion after the purpose is fulfilled. Finally, we looked at certification mechanisms under GDPR, including how approved and voluntary certifications can help demonstrate compliance, along with key factors organizations must consider such as the risk level of processing, available technology and cost of implementation.
In this lecture we discussed controller obligations under GDPR at a high level. We started off with the meaning of a controller and understood that a controller is the entity that decides the purpose and means of processing personal data, while the processor carries out the actual processing on behalf of the controller. Then we discussed what obligations mean and looked at the key legal duties controllers must follow, including Data Protection Impact Assessments, processor requirements, cross-border transfers, breach notification, and record keeping. We spent more time on DPIA because it is very important for the exam, especially when processing is likely to create a high risk to the rights and freedoms of individuals, and we also looked at the mandatory DPIA cases and required contents. Finally, we looked at controller and processor record keeping requirements, breach notification timelines such as the 72-hour rule, cross-border transfer exceptions, and how GDPR often includes exceptions within exceptions, which makes these topics important but sometimes tricky for the exam.
In this lecture we discussed automated individual decision-making, or ADM, including profiling, at a high level. We started off by understanding the difference between ADM and AI, where ADM is a process in which decisions are made entirely by automated means without any human involvement, while AI is a technology that may or may not be used in ADM. Then we discussed Article 22 of GDPR and understood that ADM applies when there is a decision, the decision is based solely on automated processing, and it produces legal effects or similarly significant effects on the data subject. After that, we looked at the three main exceptions where such automated decisions may be allowed, including when it is necessary for a contract, authorized by EU or member state law, or based on explicit consent. Finally, we looked at the safeguards that still apply in contract and consent-based cases, such as the right to obtain human intervention, express one’s point of view, and contest the decision, and we understood this with the help of an online loan application example.
In this lecture we discussed sensitive or special categories of personal data under GDPR at a high level. We started off by understanding the difference between personal data, sensitive data, and special categories of personal data, and why special categories under Article 9 receive a higher level of protection. Then we discussed the formal GDPR meaning of special categories, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data related to sex life or sexual orientation. After that, we looked more closely at biometric data and understood that raw images or fingerprints are not automatically biometric data unless they go through specific technical processing to uniquely identify a person. Finally, we looked at the key exceptions that allow processing of special category data, the additional safeguards that EU member states can introduce, and a few real-world GDPR penalty examples to connect the legal concepts with practical privacy violations.
In this lecture we discussed the relevance of privacy laws beyond the GDPR at a high level. We started off by addressing a common question about why the AIGP syllabus focuses heavily on the GDPR and clarified that while most questions are based on it, a few simple scenario-based questions may refer to other global privacy laws. Then we discussed ten key laws such as China’s PIPL, Brazil’s LGPD, California’s CCPA and CPRA, India’s DPDP Act, Singapore’s PDPA, South Korea’s PIPA, and more, emphasizing that just a basic awareness of the country and nature of each law is sufficient. Finally, we looked at two sample scenarios showing how to identify the applicable law using contextual clues like region or biometric data, and we concluded with a reminder to stay informed about local privacy laws as they increasingly intersect with AI governance.
In this lecture we discussed the existing laws that interact with AI use at a high level. We started off by understanding that these are not privacy laws or new AI-specific laws, but older legal areas like non-discrimination, consumer protection, product liability, safety, sector-specific laws, and intellectual property that now interact heavily with AI systems. Then we discussed why this competency is important for the IAPP exam, how the questions are usually more direct and straightforward, and why the discussion will mainly follow a US-focused approach with some EU context, especially for product liability. We also looked at the basic structure of the US government, including the legislative branch that creates and passes laws, the executive branch that enforces laws, the judiciary that interprets laws, and independent agencies and commissions like the FTC, CFPB, EEOC, and CPSC that play an important enforcement role. Finally, we looked at how the scattered body of knowledge has been reorganized into a more logical learning sequence, starting with non-discrimination laws, followed by consumer protection laws, safety and sector-specific laws, product liability laws, and intellectual property laws.
In this lecture we discussed non-discrimination laws at a high level, especially the key U.S. laws that interact with AI use and may appear in exam scenarios. We started off with a quick summary of five important laws and focused on remembering their core purpose rather than going into deep legal detail. Then we discussed Title VII of the Civil Rights Act, which prohibits employment discrimination based on race, color, religion, sex, or national origin, and the Americans with Disabilities Act, which focuses on discrimination against qualified individuals with disabilities in employment settings. After that, we looked at the Fair Credit Reporting Act and understood how consumer reports can be used not only for credit but also for employment, insurance, and other purposes. We then discussed the Equal Credit Opportunity Act, which applies when creditors make credit decisions, and the Fair Housing Act, which deals with discrimination in sale, rental, financing, and other housing-related transactions. Finally, we looked at how to spot these laws in exam questions by carefully checking whether the question asks for the most directly applicable law or the least directly applicable law, so that learners can avoid silly mistakes in an otherwise easy scoring section.
In this lecture we discussed consumer protection laws at a high level and understood how these existing laws interact with AI use, especially in consumer-facing systems. We started off with Section 5 of the FTC Act and looked at how the FTC addresses unfair or deceptive acts or practices, including advertising claims, data practices, algorithmic bias, AI-generated content, and automated decision tools. Then we discussed COPPA and understood how it protects children under 13 by regulating the online collection of their personal information. After that, we looked at the Consumer Product Safety Act and the Consumer Product Safety Improvement Act, focusing on product safety, hazardous consumer products, recalls, reporting duties, and additional protections for children’s products. Finally, we discussed the EU Digital Services Act and looked at its important requirements for online platforms, recommender systems, online advertising, protection of minors, public ad repositories, restrictions on sensitive-data-based targeting, and transparency around sponsored content and ad targeting.
In this lecture we looked at safety and sector-specific laws at a high level. We started off with a quick summary of important US-specific laws and guidance, focusing on the name, abbreviation, and core purpose of each. Then we discussed HIPAA and how it protects Protected Health Information, especially when personal identifiers are connected with health data. After that, we looked at the FDCA and the role of the FDA in regulating foods, drugs, cosmetics, and medical devices, including the three risk classes for medical devices where Class I is lowest risk and Class III is highest risk. We then discussed OSHA and how it focuses on safe and healthful working conditions by requiring employers to provide workplaces free from recognized hazards. Finally, we looked at SR 11-7, which is not a law but supervisory guidance on model risk management for banks, covering model development, validation, governance, policies, and controls, with the key idea that model risk management should be proportionate to model complexity, use, and potential impact.
In this lecture we discussed product liability laws at a high level, especially from the perspective of AI systems and digital products. We started off with the basic legal terms needed to understand this topic, including plaintiff, defendant, liability, tort, tort law, and negligence, using simple AI-related examples like faulty medical tools, self-driving cars, and biased hiring systems. Then we discussed the difference between strict liability and fault-based liability with the help of an autonomous vehicle example, where strict liability focuses on proving that the product was defective and caused harm, while fault-based liability requires proving negligence or breach of duty. After that, we looked at the EU Product Liability Directive, including the original PLD from 1985 and the revised PLD from December 2024, and understood that both follow a strict liability approach. Finally, we looked at the key reforms under the revised PLD, especially its expanded scope covering software, software updates, digital manufacturing files, and digital services, along with the new presumptions that reduce the burden of proof for victims by making it easier to show defectiveness and the causal link between the defect and the harm.
In this lecture we discussed intellectual property laws at a high level and understood why they are important in the context of AI systems. We started off with basic IP terms such as copyright, patent, trademark, infringement, indemnification, license, trade secret, derivative work, right of publicity, personality rights, and safe harbor so that the legal language becomes easier to understand. Then we discussed the fair use doctrine in US copyright law and looked at its four important factors, including the purpose of use, nature of the copyrighted work, amount used, and effect on the market value. After that, we looked at key AI and copyright challenges such as the legality of training data collection, fair use not being a blanket shield, human inventorship in patents, whether model weights store protected works, ownership of AI-generated outputs, and the role of licensing, liability, and indemnification in AI contracts. Finally, we looked at important US intellectual property laws such as the DMCA, US Copyright Act, US Patent Act, and Lanham Act, along with the role of the US Copyright Office and USPTO in addressing emerging AI-related IP issues.
In this lecture we looked at the EU AI Act at a high level. We started off with a quick overview of the EU’s government structure and its lawmaking process, introducing the roles of the European Commission, Parliament and Council to understand how the Act came into being. Then we discussed the structure of the Act itself including its 13 chapters, 113 articles, 13 annexes and 180 recitals, and saw how to approach new AI laws by mapping them to the AIGP body of knowledge. Finally we looked at the scope of the Act including who it applies to and who it does not, along with key definitions like AI system, general-purpose AI model, systemic risk, provider, deployer and other actors involved, and wrapped up with enforcement dates and a heads-up on possible delays.
In this lecture we looked at the EU AI Act’s risk classification framework at a high level. We started off with understanding the core idea behind risk-based regulation, using the example of a company building 100 AI use cases, not all of which require the same level of scrutiny. Then we discussed the four official risk levels under the Act: prohibited systems that are banned for violating rights or EU values, high-risk systems that are allowed but subject to strict regulatory requirements, limited-risk systems that only have light obligations like transparency, and minimal-risk systems that face no mandatory rules. Finally, we looked at how this classification sets up the structure for the next few lessons where we will go deeper into real-world examples, legal requirements, and enforcement penalties under each category.
In this lecture we looked at prohibited use cases under the EU AI Act at a high level. We started off with a quick recap of the four risk levels and why identifying the risk category is crucial for answering exam questions that depend on it. Then we discussed how to distinguish prohibited from high-risk categories and began exploring each prohibited scenario in detail, starting with subliminal manipulation and emotional exploitation. We walked through practical examples for each such as social media targeting emotional lows, VR influencing political views, exploitation of vulnerable groups like children or the elderly, social scoring systems, and predictive policing based on personality traits. Finally we looked at prohibitions around untargeted facial image scraping, emotion recognition in workplaces and schools, biometric categorization of sensitive traits like religion or sexual orientation, and real-time biometric surveillance by law enforcement, including the specific exceptions allowed.
In this lecture we discussed high-risk use cases under the EU AI Act at a high level. We started off by exploring Article 6 which defines when an AI system qualifies as high-risk, focusing first on products that are either AI-based or have AI as a safety component and require third-party checks under Annex I. Then we discussed how even if AI is not part of such products, it can still be high-risk if it is used in sensitive areas listed under Annex III such as biometric identification, critical infrastructure, education, employment, access to essential services, law enforcement, migration and asylum, and administration of justice. Finally, we looked at detailed examples of each high-risk category and closed the lecture by highlighting how some use cases may overlap with the prohibited category, using emotion recognition as a key comparison to help you distinguish the two better.
In this lecture we discussed the remaining two risk levels under the EU AI Act at a high level. We started off with the limited risk category, clarifying that while the Act does not explicitly use this term, Article 50 outlines transparency obligations for certain AI systems which are generally treated as limited risk. Then we discussed four use cases that fall under this category including conversational AI like chatbots and voice assistants, synthetic media generators such as image or voice generation tools, emotional recognition or biometric categorization where context determines the risk level, and deepfakes which are now widely seen across media platforms. Finally we looked at the minimal or no risk category, which includes common AI systems like spam filters and gaming AI that pose no significant threat, and we clarified that general-purpose AI is not automatically classified as minimal risk due to its separate set of requirements.
In this lecture, we looked at the requirements for high-risk AI systems at a high level. We started off with a quick overview of Chapter 3, Section 2 of the EU AI Act, covering Articles 9 to 15, and clarified the difference between requirements and obligations. Then we discussed each of the seven core requirements that providers must fulfill including setting up a continuous risk management system, ensuring quality data and data governance, preparing technical documentation before deployment, maintaining ongoing record-keeping, enabling transparency and providing information to deployers, ensuring human oversight, and designing for accuracy, robustness, and cybersecurity.
In this lecture we looked at the obligations for high-risk and certain other AI systems at a high level. We started off by revisiting the four main stakeholders defined under the EU AI Act (providers, importers, distributors, and deployers) and discussed how their roles are sequentially linked in the value chain. Then we discussed how specific obligations are assigned to each of them, especially focusing on the provider as the baseline since most articles and duties start from that point. We then explored how importers and distributors primarily carry verification responsibilities rather than executing tasks themselves, and how deployers carry unique duties related to user interaction and fundamental rights. Finally, we looked at the obligations for limited-risk systems, including transparency, marking of AI content, and disclosure duties for both providers and deployers, along with registration and AI literacy requirements.
In this lecture, we discussed the obligations for providers of general-purpose AI models at a high level. We started off by recalling the definition of general-purpose AI and the meaning of systemic risk, as described in the EU AI Act, and then explored how a model crosses the threshold to be considered as having systemic risk when it uses more than 10^25 FLOPs. Then we discussed the four core obligations that apply to all providers regardless of systemic risk, such as maintaining technical documentation, sharing model information with downstream providers, complying with copyright law, and publishing a training data summary. Finally, we looked at four additional obligations that apply only to models with systemic risk, including the need for adversarial testing, systemic risk mitigation at the EU level, incident reporting to the AI Office, and ensuring robust cybersecurity for both the model and its infrastructure.
In this lecture we looked at the enforcement and penalties section of the EU AI Act at a high level. We started off with understanding the corrective actions and duty of information for high-risk AI providers and deployers, where we discussed what steps must be taken in case of non-compliance or risk. Then we discussed the rules around serious incident reporting, including timelines and how preliminary reports can be filed. After that, we explored remedies available to affected individuals or organizations, including the right to explanation and filing complaints with market surveillance authorities. Finally, we looked at how enforcement responsibilities are divided between national and EU-level bodies, and we concluded with the penalties section, where we broke down the fine amounts for different types of violations and the key factors authorities consider when deciding penalty amounts.
In this lecture, we discussed at a high level the federal and state AI laws that apply to private sector organizations in the United States. We started off by understanding the difference between federal laws and executive orders, especially in the context of how they affect private entities. Then we discussed the major federal developments in 2025, including Executive Orders 14179 and 14365, and the AI Action Plan released by the White House. We explored how these documents aim to harmonize AI regulation across states and promote American leadership through innovation, infrastructure, and diplomacy. Finally, we looked at the detailed roles of key federal agencies under both the AI Action Plan and the executive order, and we compared how responsibilities differ across documents to help clarify potential exam questions.
In this lecture we discussed state-level AI laws in the United States at a high level. We started off by understanding how these differ from federal laws and noted that while the US has no standalone federal AI law yet, several states have passed their own AI-specific regulations. Then we looked at a list of 10 such laws from states like California, New York, Texas, Colorado, and Utah, and emphasized that only those laws applicable to private sector organizations are relevant for the AIGP exam. We discussed how California has multiple laws focused on frontier AI safety, chatbot disclosures, training data transparency, and watermarking, while Colorado’s law centers on algorithmic discrimination and clearly splits responsibilities between developers and deployers. We also explored Utah’s evolving stance, including liability rules, disclosure obligations for professionals, and the extension of its AI law through amendments. Finally, we looked at New York’s hiring bias audit requirements and frontier model safety rules, and concluded with Texas’ law that introduces transparency mandates, AI use restrictions, biometric protections, and a regulatory sandbox for innovation.
In this lecture we discussed Italy’s national AI law at a high level and how it complements the EU AI Act. We started off by clarifying the difference between the European Union and its member states and explained that since the EU AI Act is a regulation, it applies directly across all 27 EU countries including Italy. Then we discussed why Italy still enacted its own law, highlighting that it does not override the EU AI Act but adds national-level details such as institutional roles and sector-specific provisions. Finally we looked at the structure of the Italian AI law, including its short six-chapter format, key additions like the anthropocentric AI principle, the role of national agencies AGID and ACN in enforcement, the amendment to the criminal code for AI misuse, and sectoral guidelines in areas like healthcare, labour, and public administration.
In this lecture we looked at the South Korean AI Basic Law at a high level. We started off with its outline, covering six chapters from general provisions to penalties, and explained how each chapter builds on the last, including key topics like national AI planning, infrastructure development, ethics, safety, and enforcement. Then we discussed its dual-purpose focus on both ethics and innovation, highlighted key definitions and stakeholders such as AI business operators and domestic representatives, and explained the unique classification of high impact AI systems based on specific risk domains. Finally, we looked at the responsibilities for high impact systems, transparency rules for both generative and high impact AI, special provisions for large compute AI, and enforcement mechanisms including criminal penalties and administrative fines, while consistently comparing it with the EU AI Act to aid understanding.
In this lecture we discussed Vietnam’s AI Law at a high level. We started off with the context around the earlier Digital Technology Industry (DTI) law, which broadly covered AI and digital assets, and then moved to the creation of a standalone AI Law in December 2025 that features 8 chapters and 35 articles. Then we discussed the scope and definitions, emphasizing the law’s extra-territorial reach and how it covers foreign entities operating in Vietnam. We looked at the stakeholder terminology and noted differences from the EU AI Act before examining prohibited AI activities such as using AI to commit crimes, spread fake content, or bypass human oversight. Finally, we looked at the three-tier risk classification of AI systems, requirements for conformity assessment, transparency duties, provider and deployer obligations for high and medium-risk systems, audit and inspection mechanisms, compensation rules, and exemptions.
In this lecture, we took a comprehensive look at Domain 2D, which focuses on understanding the main industry standards and tools that apply to AI. We started off with the OECD (Organisation for Economic Co-operation and Development), an intergovernmental organization with 38 member countries that works to promote sustainable economic growth and international trade. We explored its AI Policy Observatory (OECD.AI) and its framework for classifying AI systems across five key dimensions: people and planet, economic context, data and input, AI model, and tasks and output. We also learned about the seven fundamental AI task types defined by the OECD: recognition, event detection, forecasting, personalization, interaction support, goal-driven optimization, and reasoning with knowledge.
Next, we delved into OECD's recommendations on AI, which were first adopted in May 2019 and have undergone important revisions in 2023 and 2024 to keep up with developments in generative AI. We looked at three fundamental elements: key terminology (like AI system, AI system lifecycle, AI actors, AI knowledge, and stakeholders), five high-level principles (inclusive growth, respect for human rights, transparency, robustness, and accountability), and five specific recommendations for national policies (investing in R&D, fostering an inclusive ecosystem, shaping policy environment, building human capacity, and international cooperation). These components are very important from an exam perspective, as they form the foundation of AI governance.
Finally, we explored OECD's tools, data, and other AI policy resources. We looked at their framework for comparing implementation tools for trustworthy AI systems, which includes dimensions like tool description, categorization, origin, and alignment with AI principles. Remember that OECD's recent updates in 2023-2024 are particularly important for the exam, especially the changes made to address generative AI, misinformation, and safety considerations. We also saw how OECD compared different technical tools like LinkedIn Fairness Toolkit and Google Model Card Toolkit, and learned about their AI incidents monitor that tracks key AI incidents globally. The lecture concluded by highlighting OECD's rich repository of tools and policy resources that are valuable for AI governance.
In this lecture we discussed the NIST AI Risk Management Framework at a high level. We started off with the background of NIST, where we learned that NIST is a US federal agency under the Department of Commerce and that it develops technology standards, metrics, and practical guidance. We then discussed why the NIST AI RMF is important for the exam, how it was released in January 2023, and how it helps organizations manage AI risks while supporting trustworthy, fair, transparent, and responsible AI systems. After that, we looked at how the NIST AI RMF document is organized into two broad parts: the first part explains the characteristics of trustworthy AI, the AI lifecycle, stakeholders, and risk management challenges, while the second part explains the core framework functions of Govern, Map, Measure, and Manage. We then discussed the key characteristics of trustworthy AI, including safe, secure and resilient, explainable and interpretable, privacy enhanced, fair with harmful bias managed, valid and reliable, and accountable and transparent, with special focus on why valid and reliable is shown as the base and accountable and transparent is shown as connected to all other characteristics. Finally, we looked at the AI lifecycle and dimensions adapted from the OECD framework, and ended with the major AI risk management challenges such as risk measurement, risk tolerance, risk prioritization, and the need to integrate AI risk into broader enterprise risk management.
In this lecture we discussed the four main functions of the NIST AI Risk Management Framework at a high level, namely Govern, Map, Measure and Manage. We started off by understanding that Govern is not the first step in a strict sequence, but a function that cuts across the entire risk management process by creating the right policies, accountability structures, people involvement, safety culture, stakeholder engagement and third-party controls. Then we discussed how Map is about understanding the AI use case context, categorizing the AI system, clarifying its capabilities and benefits, identifying risk components and understanding who may benefit or be harmed. After that, we looked at Measure, where the risks identified in the Map stage are tested, evaluated, tracked and improved through suitable methods, metrics and trustworthy AI assessments. Finally, we looked at Manage, where risks are prioritized and acted upon through mitigation strategies, third-party monitoring, incident response, appeals, recovery and continuous improvement, while also using a simple mind map and memory story to remember the categories clearly for exam-based scenario questions.
In this lecture, we discussed ISO standards at a high level, focusing on what they are, how they are structured, and why they matter for AI governance. We started off by understanding the basics of ISO as an organization, the voluntary nature of its standards, and how to read standard codes like ISO/IEC 42001. Then we discussed the three key ISO standards relevant to AI (ISO 22989 on AI concepts and terminology, ISO 42001 on AI management systems, and ISO 42005 on AI system impact assessment), explaining their purpose, scope, and coverage. Finally, we looked at the key processes described in these standards, such as the AI system lifecycle, risk-based planning and operation, and step-by-step implementation of AI impact assessments, closing with a brief overview of professional certifications like ISO 42001 Lead Implementer and Lead Auditor.
In this lecture we looked at how to govern the planning and design of AI systems at a high level. We started off by connecting this topic back to the AI lifecycle and understanding how Domain 3 focuses on the governance aspects of planning, design, and development, while implementation is covered later in Domain 4. Then we discussed the main governance steps for planning and design, including defining business objectives, understanding the use case, checking whether AI is truly needed, performing cost-benefit analysis, engaging diverse stakeholders, evaluating stakeholder salience, deciding engagement methods, and creating communication plans through tools like model cards and system cards. After that, we looked at high-level risk screening, where AI use cases are classified based on their riskiness so that organizations can prioritize higher-risk systems for deeper review. We also discussed risk scoring, mitigation hierarchy, detailed impact assessment frameworks such as ALTAI and Canada’s Algorithmic Impact Assessment tool, and key data governance concepts like data lineage, data provenance, representative data, and statistical sampling. Finally, we looked at decision criticality, human oversight models, optionality, redress, and TEVV, which stands for testing, evaluation, verification, and validation, so that learners can understand how these governance activities help reduce risk and prepare AI systems for responsible development.
In this lecture we discussed how to govern the development of AI systems at a high level. We started off by understanding where the development stage fits within the AI lifecycle and why it is important to evaluate AI systems not only from a technical perspective but also from a governance, fairness, bias, safety, privacy and trustworthiness perspective. Then we discussed different ways to test and evaluate AI systems, including the use of edge cases, unseen data, malicious inputs, repeatability assessments, model cards, counterfactual explanations, adversarial testing, threat modelling, OECD tools and metrics, multiple layers of mitigation and the tradeoffs between different mitigation strategies. After that, we looked at privacy enhancing techniques and privacy preserving machine learning techniques, including homomorphic encryption, secure multi-party computation, differential privacy, federated learning, trusted execution environments, model distillation, model pruning and adversarial training. Then we discussed why AI systems fail, covering important concepts such as brittleness, hallucinations, embedded bias, catastrophic forgetting, uncertainty and false positives. Finally, we looked at remediality, risk tracking and deployment strategy, where we discussed how to assess whether adverse impacts can be fixed, how to maintain a risk register, how to monitor key risk indicators and how to select the right deployment strategy based on data sensitivity, regulatory requirements, performance needs, available infrastructure and future model updates.
In this lecture we discussed how to govern the deployment and use of AI systems at a high level. We started off with understanding how this domain connects with the final implementation stage of the AI lifecycle and why governance and risk management must continue even after the AI system is deployed. Then we discussed post hoc testing, automation bias, internal and external risks, risk triage, incident response, deactivation, localization, service continuity, and continuous improvement of deployed systems through fine tuning, retraining, human feedback, and RLHF. After that, we looked at important deployment concepts such as champion versus challenger models, versioning of models, data and code, third-party and bad actor risks, communication plans for AI system updates, bug bashing, and red teaming. Finally, we looked at how organizations can forecast and reduce the risk of secondary uses, unintended uses, and downstream harms through scenario planning, risk assessment, safeguards, monitoring, stakeholder engagement, and adaptive governance.
In this lecture, we explored a comprehensive case study about implementing AI governance and risk management in healthcare, specifically focusing on a patient diagnosis system. We looked at a structured five-step approach that AI governance professionals use, starting with understanding the organization (Life Care Global Hospitals), analyzing the AI use case (a deep learning model for medical imaging), and conducting risk screening.
We then took a deep dive into how to classify the AI system using different frameworks like the OECD's AI classification and AI task types. The case walked us through understanding the technical aspects, including the use of a 121-layer DenseNet architecture for processing chest X-rays. We also explored the AI tech stack and lifecycle stages, which are crucial concepts from an exam perspective. Remember that being able to properly classify an AI system and understand where it fits in these frameworks is very important for the exam.
Finally, we looked at how to conduct risk assessments using two different methods: the EU AI Act's risk-based approach and the HUDERIA framework. The case study showed us how to perform both high-level risk screening and detailed impact assessments, particularly focusing on fairness in healthcare AI systems. We saw how to analyze training data representation and model performance across different demographic groups, which revealed important insights about potential biases. It is especially important to remember that for high-risk AI systems a detailed impact assessment is mandatory, and that it involves both qualitative and quantitative analysis.
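The quantitative part of the fairness assessment described above (training-data representation and model performance broken down by demographic group), written as an added Python example that is not part of the course material or the case study. The records, group names, minimum share and gap tolerance are all constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, int, int]  # (demographic group, true label, predicted label)

# Constructed sample data (not from the case study): a binary "condition present"
# task in the spirit of the chest X-ray model. Group "C" is deliberately small
# and has lower recall so the check below has something to flag.
RECORDS: List[Record] = (
    [("A", 1, 1)] * 40 + [("A", 1, 0)] * 5 + [("A", 0, 0)] * 50 + [("A", 0, 1)] * 5
    + [("B", 1, 1)] * 36 + [("B", 1, 0)] * 6 + [("B", 0, 0)] * 52 + [("B", 0, 1)] * 6
    + [("C", 1, 1)] * 5 + [("C", 1, 0)] * 5 + [("C", 0, 0)] * 9 + [("C", 0, 1)] * 1
)

# Which direction counts as "better" for each per-group metric.
HIGHER_IS_BETTER = ("accuracy", "tpr")
LOWER_IS_BETTER = ("fpr",)


def representation(records: List[Record]) -> Dict[str, float]:
    """Share of the data set belonging to each group (representation check)."""
    counts: Dict[str, int] = defaultdict(int)
    for group, _, _ in records:
        counts[group] += 1
    total = len(records)
    return {g: n / total for g, n in sorted(counts.items())}


def underrepresented(shares: Dict[str, float], min_share: float) -> List[str]:
    """Groups whose share of the data falls below the chosen minimum (a constructed threshold)."""
    return [g for g, s in shares.items() if s < min_share]


def _ratio(num: int, den: int) -> Optional[float]:
    # A metric is undefined when a group has no cases of that kind (e.g. no positives).
    return num / den if den else None


def group_metrics(records: List[Record]) -> Dict[str, Dict[str, Optional[float]]]:
    """Per-group confusion counts turned into accuracy, TPR (recall) and FPR."""
    cells: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"tp": 0, "fn": 0, "tn": 0, "fp": 0}
    )
    for group, y, yhat in records:
        key = {(1, 1): "tp", (1, 0): "fn", (0, 0): "tn", (0, 1): "fp"}[(y, yhat)]
        cells[group][key] += 1
    out: Dict[str, Dict[str, Optional[float]]] = {}
    for g, c in sorted(cells.items()):
        n = sum(c.values())
        out[g] = {
            "n": n,
            "accuracy": _ratio(c["tp"] + c["tn"], n),
            "tpr": _ratio(c["tp"], c["tp"] + c["fn"]),   # recall on the condition
            "fpr": _ratio(c["fp"], c["fp"] + c["tn"]),   # false alarms on the healthy
        }
    return out


def flag_gaps(metrics: Dict[str, Dict[str, Optional[float]]],
              tolerance: float) -> Dict[str, List[str]]:
    """Groups whose gap from the best-performing group exceeds the tolerance, per metric.

    Higher-is-better metrics are compared against the maximum across groups,
    FPR against the minimum. Undefined metrics are skipped rather than flagged.
    """
    flags: Dict[str, List[str]] = defaultdict(list)
    for name in HIGHER_IS_BETTER + LOWER_IS_BETTER:
        values = {g: m[name] for g, m in metrics.items() if m[name] is not None}
        if not values:
            continue
        best = max(values.values()) if name in HIGHER_IS_BETTER else min(values.values())
        for g, v in values.items():
            if abs(v - best) > tolerance:
                flags[g].append(name)
    return dict(flags)


if __name__ == "__main__":
    shares = representation(RECORDS)
    metrics = group_metrics(RECORDS)
    for g in shares:
        m = metrics[g]
        print(f"{g}: share={shares[g]:.2f} n={m['n']} acc={m['accuracy']:.2f} "
              f"tpr={m['tpr']:.2f} fpr={m['fpr']:.2f}")
    print("under-represented (<20% share):", underrepresented(shares, 0.2))
    print("gaps above 0.10 vs best group:", flag_gaps(metrics, 0.1))
```

The flagged groups and metrics are the input to the qualitative side of the assessment (why the gap exists, whether the data collection or the model needs to change); the numbers alone do not settle it.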
In this lecture, we discussed a case study about AI Credit Score Analysis, focusing on a hypothetical company called Trust Score Financial Services. We started off with understanding the organization and its credit scoring algorithm that processes over a million credit inquiries daily. The company serves over 200 million consumers across the United States, and its scores are used by banks, insurance companies, and landlords to make important decisions about loans, housing, and essential services.
Then we looked at the technical aspects of the AI system and its classification under various frameworks. The system uses random forest models to generate credit scores ranging from 300 to 850. We took a deep dive into how this use case aligns with the OECD AI classification framework, where it falls under both forecasting and reasoning with knowledge structures tasks. We also saw the design aspects from an AI technology perspective, including the three-layer architecture (application, model, and infrastructure) implemented in AWS.
Finally, we explored the regulatory and risk aspects of the system, which are very important from an exam perspective. Remember that this use case is classified as high-risk under the EU AI Act because it deals with essential services. We looked at several US laws that apply, including FCRA, ECOA, the Fair Housing Act, and FTC regulations. The lecture concluded with different approaches to manage transparency and explainability risks, including global explanations, local feature-based explanations, and local instance-based explanations. It is particularly important to remember that transparency and explainability are two distinct concepts that should not be used interchangeably: transparency focuses on system-wide openness, while explainability deals with understanding specific outcomes.
In this lecture, we explore a comprehensive case study about an AI-based educational tutor called Edumantor AI. We begin by looking at the organization itself, which serves 2 million students across 5000 educational institutions in North America and Europe with its Advanced Learning Companion (ALC) system. The lecture then walks us through understanding the AI use case by examining its OECD classification, task types, and technology stack. We take a deep dive into the system's architecture, which uses GPT-4 through Microsoft Azure OpenAI, and see how it implements zero-shot prompt engineering, few-shot prompt engineering, and assessment modules. The lecture also covers the crucial aspects of AI governance, focusing particularly on safety and reliability. We explore how this educational AI system is classified as high-risk under the EU AI Act, and examine various risk management techniques, from simple prompt engineering to more advanced approaches using moderation APIs. The discussion concludes with practical examples of how to handle potentially harmful inputs and outputs, making this a thorough exploration of both the technical and governance aspects of AI in education.
In this lecture, we delve into a comprehensive case study about a Gen AI-powered recruitment assistant called AIRA. We start off with understanding two key organizations: Global Strategy Partners (GSP), a US-based consulting firm looking to improve their recruitment process, and Talent Finder, the company that developed AIRA. Then we take a detailed look at the RAG (Retrieval Augmented Generation) process, exploring its six key steps from data gathering to response generation. We examine how AIRA practically implements RAG through a real-world example of job matching. The lecture then transitions into analyzing the legal and compliance aspects, particularly focusing on the EU AI Act's classification of this system as high-risk and various US federal laws that apply to AI recruitment tools. Finally, we explore potential security and privacy risks, such as prompt injection attacks, and discuss various mitigation strategies including defensive prompting and privacy-preserving retrieval techniques.
In this lecture, we explore a case study about using Gen AI in legal systems, specifically focusing on the Digital Justice Initiative (DJI) in a hypothetical country called the Republic of Dharana. We start off with understanding how this country is dealing with a massive backlog of 3.2 million court cases by implementing an AI-powered system called Judiciary Assist. Then we look at four different technical approaches used in this system: baseline prompting, zero-shot chain of thought, legal syllogism, and RAG-based methods, and take a deep dive into how these approaches work through practical examples like traffic violations and theft cases. The lecture then examines the risk classification of this system under various regulatory frameworks, particularly the EU AI Act, and explores how different countries like Canada, the USA, China, Singapore, and Australia might approach such a system. Finally, we discuss potential risks like erosion of judicial accountability and loss of human-centric decision-making, along with strategies to address these challenges, concluding with recommendations for further reading through two research papers.
IMPORTANT: This course is FULLY updated to reflect the newly released BoK v2.1 (2026 edition), effective for exams on or after February 3, 2026. All new videos are clearly tagged as “new/updated” to ensure there is no confusion for current learners. If you have already purchased this course, you do not need to buy it again; the course will be continuously updated with every future syllabus change.
Master the AIGP certification (Artificial Intelligence Governance Professional) with a proven approach from Saahil (AIGP & RAI Certified), who has spent over a decade implementing Responsible AI / AI Governance practices in Fortune 500 organizations. This course combines real-world experience with structured learning to help you understand AI Governance principles and ace the IAPP AIGP exam. Get access to hand-crafted, non-AI-generated practice questions, detailed explanations, and personalized guidance from an AIGP-certified industry expert.
Course Overview
This comprehensive AIGP preparation course (AIGP certification training or AIGP exam preparation course) is designed for professionals seeking to validate their expertise in AI Governance. The curriculum follows the official AIGP Body of Knowledge while enriching it with real-world examples and practical insights from my decade-long experience in AI development and governance.
Unlike traditional exam prep courses (Responsible AI training for professionals), we focus on building a deep understanding of AI Governance principles through practical scenarios. Each module includes practice questions that mirror the exam style, helping you build confidence and competence simultaneously.
Whether you're a data scientist, risk manager, legal professional, or AI project manager, this course will help you master the complexities of AI Governance while preparing you for IAPP AIGP exam success.
Table of Contents
Domain I: Understanding the foundations of AI governance (16-20 questions)
I.A Understand what AI is and why it needs governance
I.B Establish and communicate organizational expectations for AI governance
I.C Establish policies and procedures to apply throughout the AI life cycle
Domain II: Understanding how laws, standards and frameworks apply to AI (19-23 questions)
II.A Understand how existing data privacy laws apply to AI
II.B Understand how other types of existing laws apply to AI
II.C Understand the main elements of the AI-specific Laws
II.D Understand the main industry standards and tools that apply to AI
Domain III: Understanding how to govern AI development (21-25 questions)
III.A Govern the designing and building of the AI model
III.B Govern the collection and use of data in training and testing the AI model
III.C Govern the release, monitoring and maintenance of the AI model
Domain IV: Understanding how to govern AI deployment and use (21-25 questions)
IV.A Evaluate key factors and risks relevant to the decision to deploy the AI model
IV.B Perform key activities to assess the AI model
IV.C Govern the deployment and use of the AI model
What Will You Learn In This Course?
After completing this course, you will:
Master the complete AIGP Body of Knowledge
Understand how to implement AI Governance in real-world scenarios
Know how to assess and mitigate AI risks effectively
Be able to navigate complex regulatory requirements
Feel confident in tackling the AIGP exam
Have access to extensive practice questions and explanations
Gain practical insights from actual AI governance implementations
Get Started!
Take advantage of our free preview lessons below to experience our teaching style and approach. Join our growing community of successful AIGP professionals!
Remember: AI Governance isn't just about passing an exam; it's about shaping the future of responsible AI implementation.