A data set containing medical information is put into a machine learning (ML) model that is designed to predict specific illnesses for a population. In the process of verifying the reliability of the system, the compliance officer realizes that the system cannot reliably predict illnesses for certain segments of the population.
Which of the following types of risk is most applicable to this case?
Answer : A
Basic Concept: AI models trained on unrepresentative data can produce systematically inaccurate results for certain population groups. This is a form of algorithmic bias where the model's performance varies significantly across demographic segments, creating disparate outcomes. CompTIA SecAI+ Exam Objectives cover bias as a core AI governance and risk concept.
Why A is Correct: Bias in AI occurs when a model produces systematically skewed results for certain groups due to biased training data, flawed data collection, or model design choices. In this healthcare scenario, the inability to reliably predict illnesses for specific population segments indicates the training data likely underrepresented those segments, causing the model to learn inadequate patterns for them. This is a critical bias risk with serious health equity implications.
Why B is Wrong: Consistency refers to the model producing the same output given the same input across different runs or time periods. The problem described is not about inconsistent outputs for the same input but about systematically poor performance for specific population groups.
Why C is Wrong: Transparency refers to openness about how the AI model operates, what data it uses, and how it makes decisions. The compliance officer has already assessed the system, suggesting sufficient transparency exists to identify the performance gap.
Why D is Wrong: Inclusiveness is a design principle ensuring AI systems are designed to serve all users regardless of background. While related to the outcome, the specific risk type described (differential predictive accuracy across population segments) is most precisely categorized as bias.
Which of the following explains the reason a cybersecurity analyst prefers a machine learning (ML) model over a statistical model for attack classification?
Answer : A
Basic Concept: Cybersecurity threats evolve continuously, with new attack variants emerging regularly. The choice between traditional statistical models and ML models for attack classification depends on which better handles the complexity and dynamism of the threat landscape. CompTIA SecAI+ covers ML model advantages for cybersecurity under basic AI concepts.
Why A is Correct: ML models can learn arbitrarily complex, non-linear relationships from training data and adapt to new patterns when retrained with updated data. For attack classification, this means ML can recognize sophisticated, multi-feature attack patterns that exceed the capabilities of simple statistical models and can be updated to detect new attack variants as the threat landscape evolves. This adaptability to complex and changing problems is the primary reason analysts prefer ML over static statistical approaches.
Why B is Wrong: ML model development pipelines are generally more complex than statistical models, requiring data preparation, feature engineering, model selection, training, validation, and deployment steps. Simplicity of development is not a characteristic advantage of ML over statistical models.
Why C is Wrong: ML models typically require large amounts of training data to perform well. Statistical models often perform better than ML with small datasets. Performance with small datasets is actually an advantage of statistical models over ML, not of ML over statistical models.
Why D is Wrong: Community support and expert availability are ecosystem considerations rather than technical reasons to prefer ML for cybersecurity classification tasks. These factors might influence tool selection but do not explain the fundamental technical preference for ML's superior handling of complex attack patterns.
An organization recently created a custom model that integrates with a large language model (LLM). The developer notices that the application programming interface (API) costs have increased.
Which of the following is the best control to reduce cost?
Answer : D
Basic Concept: LLM API pricing is primarily based on token consumption, that is, the number of tokens processed in both input prompts and output responses. Controlling token usage is the most direct lever for managing and reducing LLM API costs. CompTIA SecAI+ Study Guide covers AI cost management and resource controls under securing AI systems.
Why D is Correct: Adjusting token limits directly caps the maximum number of tokens used per request for both input and output. By setting appropriate token limits, the organization prevents excessively long prompts or verbose responses from consuming unnecessary tokens, directly translating to lower API costs and providing hard budget control.
Why A is Wrong: Prompt templates standardize how queries are structured, which can indirectly improve efficiency. However, they do not enforce a hard cap on token usage and cannot prevent costs from escalating with large volumes or verbose responses.
Why B is Wrong: Increasing CPU and memory addresses computational infrastructure performance on the client side. LLM API costs are billed by the API provider based on token usage, not on the client's hardware resources.
Why C is Wrong: Reducing model size means using a smaller, less powerful model version. While this may lower cost per token, it is a model selection decision, not an ongoing operational control that can be adjusted to manage cost in real time.
An employee wants a consulting company to procure a data set that contains age, ethnicity, and diabetes status. During development, the employer wants to ensure the integrity of the data.
Which of the following is the best strategy to accomplish this task?
Answer : A
Basic Concept: Data integrity ensures that data has not been tampered with, corrupted, or modified during storage or transmission. For AI training data that is procured from external sources, cryptographic integrity verification is essential to confirm the data arrived unmodified. CompTIA SecAI+ Study Guide covers data integrity controls for AI data pipelines.
Why A is Correct: Implementing checksums provides cryptographic verification of data integrity. A checksum or hash value such as SHA-256 is computed from the dataset at the source. The receiver computes the same hash and compares it to the provided value. Any modification to the data during transit or storage will produce a different hash, immediately detecting tampering or corruption. This is the most reliable, automated, and scalable strategy for ensuring the integrity of procured training data.
Why B is Wrong: Human evaluation can verify data quality and relevance but is impractical for verifying integrity across large datasets of medical records. Human reviewers cannot detect subtle bit-level corruption or intentional small modifications, and the process is not scalable.
Why C is Wrong: Querying the model tests model performance rather than verifying the integrity of the underlying training data. The model cannot tell you whether its training data was modified after collection or during procurement.
Why D is Wrong: Log monitoring tracks system activities and events over time. While useful for auditing access to data, it cannot retroactively confirm that data content has not been modified and does not provide cryptographic integrity guarantees.
A security administrator must provide access controls for AI systems to list tables.
Which of the following should the administrator implement?
Answer : D
Basic Concept: AI systems interact with different resource layers including models, data stores, and infrastructure. Controlling what data an AI system can access requires implementing access controls at the data layer. CompTIA SecAI+ Study Guide differentiates between model access, data access, and network access controls for AI systems.
Why D is Correct: Data access controls govern what data resources an AI system can interact with, including which databases, tables, and records it can read or modify. To control an AI system's ability to list database tables, the administrator must implement data access controls that define precisely which tables the AI can enumerate and query, following the principle of least privilege for data interactions.
Why A is Wrong: Agentic AI access refers to permissions granted to autonomous AI agents to perform actions and use tools. It is a broader concept about what an AI agent can do operationally rather than a specific data-layer access control mechanism.
Why B is Wrong: A Network Access Control List controls network traffic at the IP and port level, determining which hosts can communicate with which network resources. It operates at the network layer and cannot enforce fine-grained control over which database tables an AI system is allowed to list.
Why C is Wrong: Model access controls govern who and what can interact with the AI model itself: who can query it, update it, or access its parameters. This is distinct from data access, which controls what the model can read from data stores during operation.
Which of the following is the most impactful security risk associated with the use of a generative AI chatbot?
Answer : B
Basic Concept: Generative AI chatbots interact with users in natural language and may access organizational knowledge bases, databases, or prior conversations. The conversational nature of these systems creates unique risks around sensitive information disclosure. CompTIA SecAI+ Study Guide ranks data leakage as the primary security concern for generative AI chatbots.
Why B is Correct: Data leakage occurs when a generative AI chatbot inadvertently reveals sensitive information including PII, confidential business data, intellectual property, training data, or system configurations in its responses. This can happen through prompt injection attacks, insufficient output filtering, or the model memorizing and reproducing sensitive training data. The impact is immediate, potentially irreversible, and can result in regulatory violations, competitive disadvantage, and reputational damage.
Why A is Wrong: Overly permissive access is a contributing factor that can exacerbate data leakage but is an access control design issue rather than the most directly impactful runtime risk of operating a generative AI chatbot.
Why C is Wrong: Weak encryption is a data protection concern for data in transit or at rest. While important, it is a configuration issue separate from the generative AI chatbot's core operational risks and is not specific to chatbot technology.
Why D is Wrong: Model validation ensures a model performs as expected before deployment. While important for quality assurance, it is a development lifecycle activity rather than an ongoing operational security risk associated with running a chatbot.
Which of the following roles best supports the implementation of AI governance, risk, and compliance (GRC)? (Choose two.)
Answer : B, D
Basic Concept: AI GRC implementation requires roles that combine understanding of AI technical capabilities and limitations with security risk assessment, control design, and compliance framework expertise. Identifying which roles naturally contribute to AI GRC is essential for team design. CompTIA SecAI+ Study Guide covers AI governance role responsibilities under Domain 4.
Why B is Correct: Data Scientists possess deep understanding of AI model capabilities, limitations, data requirements, and failure modes. For GRC implementation, their technical expertise is essential for identifying AI-specific risks such as bias, model drift, and data quality issues, assessing compliance implications of model design choices, and evaluating whether AI systems meet governance requirements.
Why D is Correct: Security Architects design comprehensive security frameworks and risk management strategies. For AI GRC, they translate governance requirements into technical controls, design AI security architectures that satisfy compliance obligations, assess the risk posture of AI deployments, and ensure security principles including least privilege, defense-in-depth, and audit logging are built into AI system designs.
Why A is Wrong: Desktop specialists manage user workstation hardware and software. Their role focuses on endpoint management and user support, not on the strategic risk assessment, compliance evaluation, or technical AI governance activities required for AI GRC implementation.
Why C is Wrong: Software developers write application code. While they implement security controls when directed, they typically lack the broad risk management, compliance framework expertise, and security architecture perspective needed to lead AI GRC implementation.
Why E is Wrong: SOC analysts focus on monitoring, detecting, and responding to security incidents in operational environments. Their expertise is in reactive security operations rather than the proactive governance framework design and compliance management that AI GRC requires.
Why F is Wrong: Network engineers design and maintain network infrastructure. Their expertise is in network connectivity and protocols, not in AI system governance, risk assessment frameworks, or compliance requirements.