AAIR Certification Guide: ISACA’s New AI Risk Credential Explained

Jeff Porch Training Camp

When I started teaching certification programs, the job of a risk professional was pretty well defined. You understood the exposure, helped leadership weigh the options, and kept the organization from stepping on landmines. The frameworks grew more sophisticated over the years, but the work stayed recognizable. AI has changed that. Not just incrementally, but in ways that existing risk credentials were never built to handle. ISACA noticed, and the result is a new certification called AAIR.

The ISACA Advanced in AI Risk certification is scheduled to launch in Q2 2026, with registration and official prep materials opening April 15. If you hold CRISC and have spent the last couple of years watching AI show up in your organization without a clear framework for evaluating it, this credential was built for that exact situation. Here is what you need to know.

AAIR is not a general AI awareness credential. It is a practice-level certification for experienced risk professionals who need to evaluate AI risk with the same rigor they bring to traditional IT risk environments.


What AAIR Actually Is

AAIR stands for Advanced in AI Risk. ISACA announced it in December 2025 and ran a beta program through early 2026 before setting the formal launch for this spring. The credential is built on top of an existing ISACA risk foundation, meaning CRISC is the primary prerequisite pathway, and it is designed to extend that expertise into AI-specific territory.

The certification validates the ability to evaluate AI-related vulnerabilities, assess the opportunities and risks AI systems introduce, and manage the complete AI risk lifecycle inside an organization. That scope is broader than it might sound at first. Risk professionals working with AI have to grapple with things that simply did not exist a few years ago: model drift, algorithmic bias, opaque automated decision-making, and the speed at which an AI-driven process can compound a governance failure before anyone catches it. These are not problems that map cleanly onto traditional risk frameworks, and AAIR is built around that reality.

Worth being specific about what this credential is not: AAIR is not a technical AI development certification. You are not learning to build models or train neural networks. The focus stays on risk identification, assessment, governance, and response, which is the territory people with a CRISC background already know. What the exam adds is the AI-specific layer, namely how these systems introduce unique exposures and how to manage them with the same discipline applied to traditional IT risk.

ISACA also describes AAIR as a cross-functional credential, and that language matters. AI risk does not live neatly inside one department. A risk professional with AAIR is expected to communicate effectively across legal, compliance, data science, and executive leadership rather than operating in technical isolation. The credential is as much about communication and governance as it is about understanding the technology.


Where AAIR Sits in the ISACA AI Credential Family

AAIR completes a set of three AI-specific credentials ISACA has released in the past year. Seeing how they relate to each other makes it easier to understand which one belongs on your roadmap.

🤖 ISACA’s Three AI Certifications

AAIA: Advanced in AI Audit. Launched May 2025. Built for experienced auditors holding CISA, CIA, or CPA. Covers auditing AI governance frameworks, evaluating AI operations, and applying AI tools to improve audit processes.

AAISM: Advanced in AI Security Management. Launched Q3 2025. Designed for CISM and CISSP holders. Focuses on secure AI implementation, AI-specific threat management, and integrating AI into security governance programs.

AAIR: Advanced in AI Risk. Launching Q2 2026. Built for CRISC holders and other qualified risk professionals. Focuses on evaluating AI vulnerabilities, assessing AI opportunities and impacts, and managing the full AI risk lifecycle.

The logic across all three is consistent. Each credential takes a practitioner who already holds an ISACA certification and adds an AI layer suited to their specific role. Auditors get AAIA. Security managers get AAISM. Risk professionals get AAIR. CRISC holders who watched colleagues in audit and security management pick up AI credentials while nothing comparable existed in the risk space have been waiting on this one. That wait ends in April.


Who Should Pursue AAIR

This credential targets experienced IT risk professionals who are already working in environments where AI has become a meaningful part of operations. Think about a risk manager at a financial institution where automated lending decisions now run through machine learning models. Or a GRC professional at a hospital where AI diagnostic tools are influencing care pathways. In both cases, the professional is being asked to assess risk in systems that behave differently from conventional software. Models drift over time. They can fail in ways that are difficult to predict, and they can introduce bias that only shows up after the fact at scale.

AAIR is not the right starting point for someone early in their risk career. The prerequisite structure exists for good reason. If you are still building your foundational risk credentials, earning CRISC first is the appropriate path. AAIR is designed for practitioners who already know risk management and need the AI-specific layer on top of that foundation.

The roles where AAIR makes the most immediate sense include IT risk managers and GRC professionals in sectors where AI deployment is moving fast, enterprise risk analysts who are increasingly being pulled into AI governance conversations without a formal credential to back them up, and senior risk professionals looking to formalize expertise they have been building informally as AI has entered their environments. Consulting and advisory professionals who advise clients on risk programs are another natural fit, particularly as client organizations start asking whether their advisors hold credentials specific to AI risk rather than just general IT risk qualifications.


Prerequisites, Exam Content, and Cost

AAIR requires candidates to hold a qualifying ISACA credential before sitting for the exam. CRISC is the primary and most direct prerequisite, though ISACA has indicated other qualifying designations may also be accepted. Because the full exam details had not been officially released as of early April 2026, specific work experience requirements were still being finalized. Checking the ISACA AAIR credential page directly when registration opens April 15 is the most reliable way to confirm current eligibility. One practical note worth keeping in mind: your prerequisite certification needs to be active and in good standing when you apply. A lapsed CRISC does not qualify you.

The exam is organized around three domains covering AI risk identification and assessment, AI risk response and governance, and the operational and technology context needed to evaluate AI systems in practice. Full domain weightings had not been released at publication, but ISACA has consistently described the credential as practice-driven rather than conceptual recall, which aligns with the pattern of its newer certifications. Expect scenario-based questions that require applying judgment rather than reciting definitions.

From an instructional design standpoint, that distinction matters more than it might seem. Certifications that test recall can be prepared for with practice questions and memory techniques. Certifications that test applied judgment require candidates to actually understand the subject well enough to reason through novel scenarios. AAIR appears to be in the second category, which means preparation should look less like drilling question banks and more like building genuine fluency with AI risk concepts and how they play out in real organizational contexts. Candidates who have been working through AI governance challenges on the job are probably better prepared than they realize. The exam will reward practitioners who can think through a problem, not just ones who studied hard in the weeks before testing.

Based on ISACA’s pricing structure across its AI credential family, AAIR exam fees are estimated at approximately $575 for members and $760 for non-members, with a $50 application fee. Annual maintenance is expected to run around $45 for members and $85 for non-members. If you are not already an ISACA member, joining before registering saves you money on the exam fee alone, since membership costs $135 annually. Confirm all figures at isaca.org when registration opens, as these are estimates based on comparable credentials.


Why the Timing on This Credential Is Significant

I try to be honest with students about the difference between a credential that reflects where the market is heading versus one that reflects where the market already is. AAIR sits at an interesting point between those two. AI risk as a formal discipline is still being defined at most organizations, but the pressure to define it is real and compounding quickly.

Regulatory expectations have solidified considerably in the past eighteen months. The EU AI Act is in force. U.S. financial regulators have published model risk management guidance that increasingly applies to machine learning systems. Healthcare organizations face mounting scrutiny over AI diagnostic tools. What changed is that regulators stopped treating AI governance as a best practice and started treating it as a compliance expectation, which means organizations now need people who can own the risk function for AI the same way they own it for everything else.

The professionals I have spoken with who pursued AAISM on the security side consistently said the credential made it easier to position themselves for AI-focused roles and to have substantive conversations with executive leadership. AAIR should work the same way in risk management. It signals that you have not just read about AI risk in a trade publication but have actually built the knowledge base to assess it at an organizational level.

Salary data specific to AAIR holders does not exist yet given the credential is brand new. Projections drawn from comparable ISACA AI credentials and the broader AI governance job market suggest experienced AAIR professionals could expect compensation somewhere in the $150,000 to $210,000 range depending on role and industry, with the upper end concentrated in financial services and heavily regulated sectors where formal AI risk oversight is quickly moving from optional to expected.


What to Do Before April 15

Official study materials arrive when registration opens, not before. That said, candidates who spend the next week or two building background will be in a noticeably better position than those who wait for the review manual to drop and start cold.

The NIST AI Risk Management Framework is freely available and genuinely useful here. It maps closely to how ISACA approaches AI governance and is referenced broadly in policy and regulatory contexts. Reading through it carefully will build the conceptual foundation that AAIR content is likely to test. ISACA has also released AI courses through its learning platform, including an Introduction to AI for Auditors course that, while audit-focused, covers model governance, AI transparency, and ethical AI considerations that overlap meaningfully with risk territory. Those materials are worth reviewing now.

Register for ISACA milestone notifications directly through the AAIR credential page. ISACA has been sending updates to interested professionals throughout the beta process, and that mailing list will be the fastest way to get the exam content outline and registration link when they go live.

🎯 The Short Version

AAIR is a serious, practice-level credential for risk professionals who need to operate in AI-driven environments with the same authority they bring to traditional IT risk. It requires an existing ISACA foundation, CRISC being the clearest path in, and it tests real applied judgment across the AI risk lifecycle. Registration opens April 15, 2026, with the full exam launching in Q2. If your work puts you in rooms where AI governance decisions are being made, this credential is worth getting on your calendar now. The organizations building formal AI risk functions are not waiting around, and neither are the practitioners positioning themselves to lead those functions.