AAISM vs AAIA vs AAIR: Which ISACA AI Certification Fits Your Role?

Ken Sahs Training Camp

My phone has been busy lately. Three calls this week alone, all variations of the same question: “Ken, my company wants me to get one of these new ISACA AI certs. Which one do I actually take?” And honestly, I get the confusion. ISACA dropped three AI credentials inside about 18 months. AAISM in 2025. AAIA expanded eligibility right after. AAIR launched on April 15, 2026. Three letters apart in name, very different in purpose, and the marketing copy on the ISACA site does not always make the differences obvious if you are skimming.

I spent years inside ISACA before joining Training Camp, so I have a soft spot for these credentials. I also know exactly how people pick the wrong one because the prerequisite paths look similar at first glance. So let’s cut through it. This is the conversation I have with clients on a daily basis, written down once so you can stop guessing and pick the cert that matches the job you actually do.

AAISM is for security managers. AAIA is for auditors. AAIR is for risk professionals. Same parent organization, three different audiences. Pick based on what your day job already looks like, not based on which one sounds the most impressive.


What ISACA Actually Built (And Why Three Certs Instead of One)

Here’s the thing nobody tells you about ISACA’s strategy. They could have built one big “AI for everyone” certification. Plenty of vendors did exactly that. ISACA went the opposite way. They split AI into three specialty extensions that bolt onto their existing flagship credentials. If you already hold CISM or CISSP, you’re the AAISM candidate. If you hold CISA (or one of several global audit equivalents), you’re the AAIA candidate. If you hold CRISC or one of about 25 qualifying risk and governance creds, AAIR is your lane.

That design choice tells you something. ISACA decided AI is too big and too role-specific to compress into one exam. The way an auditor evaluates an AI model is not the same as the way a security manager defends one, and neither one looks like the way a risk officer reports on it to the board. So they wrote three exam blueprints, each one assuming you already know your domain cold and just need the AI overlay.

The exam mechanics are mostly identical across the set. Each one is a practice-driven 90-question exam, scored on ISACA’s 200 to 800 scale with 450 as the pass mark. Pricing is the same too: $575 for ISACA members or $760 if you’re not, plus a $50 application fee that hits after you pass. Past that point, the similarities mostly stop.


The Three Certs at a Glance

If you only have time to read one section of this article, read this one. This is the side-by-side that answers most of the questions I get.

📋 ISACA AI Certification Comparison
AAISM

For: Security managers. Prerequisite: Active CISM or CISSP. Domains: AI Governance and Program Management, AI Risk Management, AI Technologies and Controls. Launched: 2025.

AAIA

For: Auditors. Prerequisite: Active CISA, CIA, CPA, plus an expanded list including ACCA, FCCA, Canadian CPA, CPA Australia, FCPA, and Japanese CPA. Domains: AI Governance and Risk (33%), AI Operations (46%), AI Auditing Tools and Techniques (21%). Launched: 2025, with prerequisite list expanded later that year.

AAIR

For: IT risk professionals. Prerequisite: One of 25 qualifying credentials including CRISC, CISA, CISM, CGEIT, CDPSE, CISSP, CGRC, CRMP, CRMA, CRCM, and others. Domains: AI Risk Governance and Framework Integration, AI Risk Program Management, AI Life Cycle Risk Management. Launched: April 15, 2026.


AAISM: The Security Manager’s AI Specialty

The ISACA Advanced in AI Security Management (AAISM) is the right cert if you spend your day thinking about how to defend systems, only now those systems include large language models, ML pipelines, and AI services that nobody on your team fully understands yet. AAISM is the one I push toward CISM and CISSP holders specifically because that’s who can actually sit for it. The prerequisite is hard-coded. No CISM or CISSP, no AAISM. There’s no workaround.

The exam splits across three domains: AI Governance and Program Management (covering policy, regulatory frameworks, and incident response for AI), AI Risk Management (the threat and vulnerability side, including supply chain), and AI Technologies and Controls (the technical layer, including model lifecycle, data management controls, and security monitoring tailored to AI). Pull up the official outline on the ISACA AAISM exam content page if you want the full subtopic breakdown.

A real-world test: if your boss came to you tomorrow and said “we just rolled out a copilot tool to 4,000 employees, write me the security policy and threat model,” would you know where to start? AAISM is built around exactly that scenario. If you want the longer breakdown of who AAISM was designed for and what the cert actually covers, I wrote a full deep dive on ISACA’s AAISM certification that goes deeper than the comparison view here.


AAIA: The Auditor’s AI Toolkit

The Advanced in AI Audit (AAIA) was the first of the three out the door, and the design intent shows. This one is laser focused on the audit profession. The single biggest domain on the AAIA exam is AI Operations at 46% of the test, which is unusual. Most ISACA exams spread weights more evenly. ISACA put the heavy weight on Operations because that’s exactly where audit pros tend to have the biggest gap. You probably know how to evaluate controls and write findings. You probably do not know MLOps, model drift, data poisoning, or how to test the secure deployment of a fine-tuned model. AAIA forces you to learn that material because you cannot pass without it.

The other two domains carry the rest. AI Governance and Risk (33%) is the policy and regulatory layer, including the EU AI Act, ISO/IEC 42001, and the NIST AI RMF. AI Auditing Tools and Techniques (21%) is the smallest piece but covers the audit-specific work: scoping AI audits, evidence collection in AI environments, AI-enabled analytics applied to audit work, and how you communicate findings. The full subtopic list lives on ISACA’s AAIA exam content outline if you want to map your study plan against the official source.

Worth noting: ISACA expanded AAIA eligibility a few months after launch. The original prereqs were CISA, CIA, and CPA. The current list includes ACCA, FCCA, Canadian CPA, CPA Australia, FCPA, and Japanese CPA. If you are a global accounting professional who got told a year ago you didn’t qualify, check again. The door has opened up.


AAIR: The Risk Pro’s AI Lens

AAIR is the new kid. It launched on April 15, 2026, after a beta program ISACA ran through the back half of 2025 and early 2026. The full name is Advanced in AI Risk. If you hold CRISC, AAIR is the cleanest path. CRISC was already the ISACA cert for IT risk practitioners, and AAIR extends that into AI-specific territory the same way AAISM extends CISM into AI security territory.

Three domains, like the others. AI Risk Governance and Framework Integration is about plugging AI risk into the enterprise risk management program you already run. AI Risk Program Management is the operational side: how you actually run AI risk reviews, third-party AI assessments, and recurring controls. AI Life Cycle Risk Management is the meaty technical part, dealing with model risk across training, deployment, monitoring, and decommissioning.

The prerequisite list is the most flexible of the three. ISACA approved roughly 25 qualifying credentials, including CRISC, CISA, CISM, CGEIT, CDPSE, CISSP, CGRC, CRMP, CRMA, and CRCM. So if you came up through audit (CISA), security management (CISM), governance (CGEIT), or financial risk (CRMP), you can still sit for AAIR. Jeff Porch wrote a deeper guide on AAIR specifically if you want more on what the credential covers. And if you’re still working on whether CRISC itself is the right base credential to start with, my piece on whether CRISC is worth it walks through the ROI math.


How to Pick (Without Overthinking It)

Most people overcomplicate this decision. I’m going to make it simple. Look at your job title, look at your existing credential, and the right answer usually picks itself.

If your day is spent inside a security operations team, defending infrastructure, building security programs, or managing security engineers, and CISM or CISSP is already on your wall, you’re an AAISM candidate. The audit version of that test sounds different. You sit in an internal or external audit function, evaluate controls, write assurance reports, and you hold CISA, CIA, CPA, or one of the expanded global equivalents. That puts you on the AAIA track. AAIR is for the third profile: the practitioner who builds risk registers, briefs the board on enterprise risk, and sits on the GRC committee, holding CRISC, CGEIT, or any of the other 25 qualifying creds.

The trickiest case is the person who lives at the intersection. Someone who holds CISM and works in a hybrid GRC role that does both security policy and AI risk reporting. In those cases, I look at where the bigger gap is. If you’ve never been hands-on with AI implementations, AAISM teaches you the technical layer faster. If you’re already comfortable with AI tech but need to formalize how AI fits into the enterprise risk register, AAIR will give you more pull with executive stakeholders. There’s no wrong answer there. Just a better fit for what you actually need.

A pattern I see with clients: the wrong cert is usually the one chosen because of “career FOMO.” Someone reads about AAISM, decides AI security is hot, and registers without actually holding CISSP or CISM. They get blocked at the prerequisite check. Or worse, they pass the exam and find out they cannot get certified because their underlying credential lapsed. Verify your prereq is current before you spend a dollar on study materials. ISACA does not waive the prereq for anyone, no matter how much experience you have.


Should You Stack Multiple AI Certs?

Some people will. Most people shouldn’t. Stacking AAISM, AAIA, and AAIR makes sense for a small group of professionals who actually wear three hats: senior consultants, principal advisors at the Big 4, AI governance leads at large enterprises that span security, audit, and risk functions. For everyone else, it’s overkill.

A more practical stack for most people is one ISACA AI specialty plus a complementary AI governance cert from outside ISACA, like the IAPP AIGP, which covers global AI policy and the EU AI Act in more depth. That combo signals to hiring managers that you understand both the operational side (AAIA, AAISM, or AAIR) and the policy side (AIGP). Two certs from two different bodies signal deliberate specialization to a hiring manager. Stacking all three ISACA AI certs in a row mostly signals indecision.

One nice mechanic if you do stack: CPE credits earned through ISACA activities can count across multiple ISACA credentials. So the maintenance overhead does not triple just because you hold three certs. ISACA member fees and the per-cert annual maintenance still apply, but the CPE hour requirement is more efficient than people assume.


What These Cost and What You Actually Get

All three exams sit at the same price point. $575 if you’re an ISACA member, $760 if you’re not. Membership runs $135 a year, so if you’re going to register for any of these and you don’t already have a membership, doing the math takes about 10 seconds. Membership wins. After you pass, the $50 application processing fee kicks in, and then you’re on the maintenance treadmill: annual maintenance fees in the $45 to $85 range depending on member status, and CPE requirements (typically 10 AI-domain CPEs per year, 30 over three years for the AI specialty creds).

The salary uplift question gets asked on every call. Honestly, it’s too early for clean salary data on AAISM, AAIA, or AAIR specifically. The credentials are not even all 18 months old yet. What I can say is that AI-related roles in security, audit, and risk are commanding premium pay right now, and the people getting interviewed for those roles all share one thing: a credential that proves they took the AI specialty seriously. Whether the cert itself drives the raise or whether it’s a marker of someone who invested in their own development, the outcome is the same. The role posts, you have the cert, you get the call.

For more context on how the wider ISACA portfolio fits together (including which ones to pursue first), the complete guide to ISACA certifications is a useful next read. And if you’re trying to compare the ISACA AI lineup against CompTIA’s recently launched AI security cert, I wrote a separate breakdown on CompTIA SecAI+ vs the ISACA AI certifications.

🎯 The Bottom Line

Pick based on what your employer pays you to do today. Defend systems with CISM or CISSP behind you, AAISM is the move. The audit pros holding CISA or one of the global accounting equivalents have AAIA waiting for them, and risk practitioners with CRISC (or any of the other 25 qualifying credentials) belong on the AAIR track. The prerequisite gates the door, your role decides which room you walk into, and the AI overlay is what the cert actually validates once you’re inside. ISACA decided the work was too varied to compress into a single exam, and after looking at how different the three job profiles really are, that call holds up.


Frequently Asked Questions

Can I take AAISM, AAIA, or AAIR without an existing ISACA certification?

No. All three require an active prerequisite credential. AAISM needs CISM or CISSP. AAIA needs CISA, CIA, CPA, or one of the global accounting equivalents. AAIR accepts roughly 25 different qualifying credentials including CRISC, CISA, CISM, CGEIT, CDPSE, and CISSP. There is no way to sit for any of these without holding the underlying cert in good standing.

How much do the AAISM, AAIA, and AAIR exams cost?

All three are priced identically: $575 for ISACA members, $760 for non-members. Add a $50 application processing fee after you pass. ISACA membership is $135 per year, so members come out ahead on a single attempt and significantly ahead if you stack multiple certs.

Which ISACA AI certification has the highest demand?

AAISM currently has the most market visibility because it launched first and aligns with the AI security manager role that most enterprises are actively hiring for. AAIR is too new to draw clean conclusions, but the audience is large since CRISC and the broader risk credential pool feed it. AAIA has steady demand inside Big 4 and internal audit teams that are being asked to evaluate AI implementations.

How long does it take to prepare for AAISM, AAIA, or AAIR?

Most candidates need 6 to 12 weeks of focused study. Experienced professionals with strong AI familiarity may finish in 6 to 8 weeks. People newer to AI concepts should plan on 10 to 12 weeks, especially for AAIA where the AI Operations domain weighs 46% of the exam and trips up audit pros without technical AI exposure.

Are AAISM, AAIA, and AAIR exams the same format?

Yes, the format is consistent across all three. 90 multiple-choice and scenario-based questions, scaled scoring on a 200 to 800 scale, and 450 is the passing score. AAISM allows up to 150 minutes for the exam. All three are delivered through PSI testing centers globally or via remote proctoring (with the standard exclusion for residents of India, Mainland China, and Hong Kong, who must use a physical test center).

Should I get AAISM, AAIA, or AAIR before pursuing CISSP or CRISC?

No, and you can’t anyway. The prerequisite structure means you have to earn the foundation cert first. If you’re early in your career and want to point yourself toward an AI specialty later, get CISM or CISSP for an AAISM track, CISA for an AAIA track, or CRISC for an AAIR track. The flagship cert is the door, and the AI specialty is the room behind it.

Will ISACA add more AI certifications after AAIR?

ISACA hasn’t announced a fourth AI cert as of May 2026, but the pattern suggests they could. Each of the three current AI specialty creds maps to a specific ISACA flagship: CISM/CISSP, CISA, CRISC. The remaining flagship is CGEIT (governance), and an AI governance specialty extension would round out the set. Nothing official yet, but I’d be watching ISACA’s announcements closely through the back half of 2026.

Ken Sahs

Vice President of Sales, Training Camp

Ken Sahs is the Director of Sales at Training Camp, where he leads the company's sales team and oversees all ISACA certification programs. He helps organizations navigate the world of IT governance and risk management certifications – including CISA, CISM, and CRISC. He works directly with enterprise clients to create training programs that not only get their teams certified but also solve real business challenges.