Which statement best describes the EU AI Act's risk categorization compared to the NIST RMF?

Prepare for the ISACA Advanced in AI Security Management (AAISM) Test. Study with in-depth multiple choice questions, each offering insightful hints and detailed explanations. Equip yourself with expert knowledge and get exam-ready!

Multiple Choice

Which statement best describes the EU AI Act's risk categorization compared to the NIST RMF?

Explanation:
The correct statement reflects how risk is structured in the two frameworks.

The EU AI Act sorts AI systems into distinct risk tiers: unacceptable risk (practices that are prohibited outright), high risk, limited risk (mainly transparency obligations), and minimal risk. The obligations a provider or deployer must meet change with the tier, so the Act is a detailed, AI-specific mapping from risk category to concrete requirements.

NIST RMF (the Risk Management Framework of SP 800-37, not the separate NIST AI RMF) is a flexible, sector-agnostic process for managing risk in information systems. It categorizes a system by impact level (low, moderate, high under FIPS 199), selects a baseline from a broad control catalog (SP 800-53), and then has the organization tailor those controls to its own system and environment. It does not define fixed, AI-centered risk categories.

So the EU AI Act pairs detailed categories with concrete obligations for each level, while NIST RMF stays adaptable across sectors; that is the statement that best fits the comparison. The other choices do not fit because the EU AI Act does not rely on a numeric risk-scoring approach, and the RMF does not impose uniform controls on every sector.

