When we started building AI governance content into our curriculum, I watched something interesting happen in the classroom. Students who had passed CISSP, CISM, and CIPP/E exams in the past few years would sit down with the AIGP material, work through Domain I, and look comfortable with the material. Then we’d hit a Domain III lifecycle scenario, ask them to walk through how a governance team would handle a third party AI model going into production, and the room would go quiet. The knowledge was there in pieces. The connective tissue was not.
That’s the actual teaching problem with the IAPP AIGP. The topics aren’t obscure. What trips candidates up is that AI governance lives at the intersection of law, technology, risk, ethics, and product operations, and most candidates come in fluent in one or two of those domains and unfamiliar with the rest. The exam doesn’t reward people who can recite definitions. It rewards people who can read a scenario, see the operational context, and pick the answer that fits the role and lifecycle stage being described. That’s a different skill, and it has to be built deliberately.
AIGP rewards translation more than memorization. Candidates who pass on the first attempt are the ones who learned to take a principle, identify the role and lifecycle stage in front of them, and pick the operational action that fits both at once. That’s a buildable skill, but it has to be practiced as a skill.
What the AIGP Actually Measures
The Body of Knowledge moved to version 2.1 on February 2, 2026. IAPP kept the four domain structure introduced in February 2025, but the rewrite shifted weight toward operational lifecycle work and third party governance. The exam is 100 questions across three hours, with 85 scored items and 15 unscored pilot items mixed in. Scoring is scaled from 100 to 500, with 300 to pass. Around 30% of items sit inside case study scenarios where you read a short fact pattern and answer multiple questions tied to it.
Here’s the part that matters from a learning design perspective. The four domains aren’t equally weighted. Domain I (foundations) sits at 16 to 20 questions, roughly 21%. Domain II (laws and frameworks) sits at 19 to 23 questions, roughly 25%. Domains III and IV (governing AI development and governing AI deployment) each carry 21 to 25 questions, roughly 27% apiece. The lifecycle domains combine for more than half the exam.
If you build your study plan in the order the BoK is written, you’ll spend most of your energy on the lightest weighted material. Most candidates do exactly that. They open the official training course, work linearly through the modules, feel productive, and run out of time before they get to the parts where the actual points are.
A small thing that changes everything in the classroom: I now have students annotate the BoK with question ranges in the margin before they start studying. Seeing “6 to 8 questions” next to a competency forces a conversation about how much time it deserves. That visual cue does more than any verbal reminder I can give about exam weighting.
The Skill the Exam Tests That Most Courses Don’t Teach
The hardest thing about AI governance, and the thing the AIGP tests harder than any other current credential, is what I’d call operational translation. It’s the ability to take a principle (say, “ensure human oversight”) and figure out what that means at a specific point in the lifecycle for a specific role under a specific framework. Most prep materials teach the principle. The exam tests the translation.
Here’s a worked example. The principle says high risk AI systems must have human oversight. Fine. Now read this scenario: a regional bank is buying a third party model to score loan applications. What does human oversight require? The answer depends on whether the bank is acting as a provider or a deployer under the EU AI Act. It depends on which NIST AI RMF function the oversight question falls under (Govern, Map, Measure, or Manage). It depends on whether the question is about pre deployment, deployment, or post deployment monitoring. The principle is the same in all cases. The right operational answer is different in each.
Building this skill takes practice that looks different from flashcard drilling. It looks like reading a short scenario, identifying the three context variables (role, framework, lifecycle stage), then choosing the action that fits that combination. The IAPP practice exam and good third party scenario banks teach this skill if you use them correctly. They don’t teach it if you treat them as recall checks.
Read that paragraph again before you start your prep. Internalizing the role, framework, lifecycle triad is the single biggest thing you can do for your pass rate.
A Learning Path Built Around the Exam Blueprint
For an eight week study plan starting from a reasonable working knowledge of privacy and risk concepts, the sequencing that’s worked best for our students looks like this. Weeks one and two cover Domain I, with an emphasis on the responsible AI principles and the harm taxonomy. These are the lenses you’ll apply for the rest of the prep, so they need to be solid, but they don’t need to consume more than two weeks.
Weeks three and four are Domain II. The big three you have to know cold are the EU AI Act, the NIST AI Risk Management Framework, and ISO/IEC 42001. For the EU AI Act, the single biggest payoff for your study time is learning the obligations of providers versus deployers versus importers versus distributors. That role distinction shows up across many questions, and getting it wrong on a case study cascades into wrong answers on the follow up items. For the NIST AI RMF, learn the four function structure (Govern, Map, Measure, Manage) and be able to assign activities to functions. For ISO/IEC 42001, know that it’s a management system standard structured like ISO/IEC 27001, that it sits alongside the AI specific standards in the ISO/IEC 23894 risk family, and that it works as the certifiable AI management standard.
Weeks five and six belong to Domain III. This is governance during AI development. Use case definition. Impact assessments. Data governance through the training pipeline. Model documentation. Pre release evaluation. The pedagogical mistake here is to read these topics as concepts. They’re better learned as artifacts. Sketch a one page model card. Write a sample fundamental rights impact assessment for a hiring tool. Build a mock release readiness checklist. The act of producing the artifact teaches the underlying competency in a way that reading about the artifact cannot.
Week seven covers Domain IV, which is governance during deployment and use. Vendor and licensing evaluation. Ongoing monitoring for drift, fairness, and security. Incident response. End of life and deactivation. Again, learn this through artifacts: a monitoring runbook, an incident escalation flowchart, a decommissioning checklist. The 2026 BoK update specifically reinforced third party governance, so spend extra time on vendor due diligence, contract requirements, and how to govern model providers you don’t directly control.
Week eight is mixed practice and weakness repair. Full length timed exams, scenario drills across all four domains, and targeted review of any subdomain where you’re consistently scoring below 70%. This is also the week to read the BoK from front to back one more time with all your study annotations in front of you. The synthesis happens in week eight, not week one.
The Three Background Profiles and How to Adjust
The eight week sequence assumes a reasonably blended background. Most candidates come in unbalanced, and the schedule needs to shift to match. After running this material with several cohorts, I see three common starting profiles, and each one needs a different adjustment.
The privacy and legal professional walks in fluent in Domain II already. GDPR, automated decision making, regulatory analysis, all comfortable territory. The gap is usually in Domains III and IV, where lifecycle artifacts and engineering vocabulary live. For this profile, compress Domains I and II into three weeks combined and reallocate the saved time to building model documentation, monitoring runbooks, and incident playbooks. The exam isn’t going to test whether you can recite GDPR Article 22. It’s going to test whether you can match a scenario to the right operational response.
The technical practitioner (data scientist, ML engineer, security architect) tends to find Domain III intuitive and Domain II frustrating. The frameworks feel abstract because they aren’t built like specs. For this profile, slow down Domains I and II to three or four weeks combined, treat the EU AI Act roles like a specification you’d implement, and force yourself to map every NIST AI RMF subcategory to a concrete activity you’ve seen in practice. The translation work goes the other direction here: from technical reality to regulatory language.
The risk, audit, or GRC professional has the cleanest starting position. Lifecycle thinking is already familiar from SOX, ISO 27001, or model risk management work in financial services. What’s usually missing is AI specific vocabulary and the substantive differences between governing a deterministic system and a probabilistic one. For this profile, the standard eight week plan works well, but it’s worth spending an extra few hours on AI specific risk concepts in Domain I (algorithmic bias, model drift, hallucination, alignment) before moving into the frameworks. Without that vocabulary, the lifecycle artifacts feel like familiar templates with unfamiliar contents.
How to Use Practice Questions Without Wasting Them
Most candidates burn through practice question banks by answering, checking, moving on, and remembering the right answer for next time. That trains pattern memory, not the underlying reasoning. On exam day, when the scenario is phrased differently from the practice item, pattern memory fails.
The discipline that works in our classrooms is to slow practice down dramatically in the first round. For each question, before you check the answer, write down which domain and competency the question is testing, what the three context variables are (role, framework, lifecycle stage), and why each of the wrong answers is wrong. Yes, every wrong answer. That last piece is where the real learning happens. Each wrong option is a small lesson about a common misconception, and forcing yourself to articulate it builds reasoning capacity you can apply to questions you’ve never seen before.
This is slow. A 50 question practice set might take three hours instead of 45 minutes. It’s also the single biggest difference between candidates who pass on the first attempt and those who don’t. Speed up the practice in the final two weeks, once the reasoning patterns are in place. By exam day you should be averaging well under a minute per question on standard items, with extra time banked for the case studies.
A note on the official training and the third party gap: The IAPP’s official AIGP training is a good foundation, but multiple practitioners and our own students consistently report that it doesn’t fully prepare candidates for the scenario weight of the actual exam. Plan to supplement with scenario heavy practice question banks, a copy of the BoK v2.1 annotated with question ranges, and primary source readings of the EU AI Act and NIST AI RMF. The gap between the official course and the exam is real, but it’s bridgeable with the right supplementary work.
What You Should Actually Know on Exam Day
If I had to compress AIGP readiness into a checklist of capabilities, here’s what it looks like. Given a scenario, you can identify which role the organization is acting in under the EU AI Act inside ten seconds. Mapping governance activities to the four NIST AI RMF functions feels mechanical at this point. When a scenario describes a harm, you can place it inside the responsible AI principles framework without much thought. The artifacts (impact assessment, model card, monitoring runbook, incident report) all have clear lifecycle stages in your head. And the moment you read a question stem, you know which of the four domains is being tested.
When candidates can do those things consistently in practice, they pass. When they can’t, they don’t, no matter how many hours they’ve put in. The skill set is buildable, the BoK is the map, and the eight week structure above is a reasonable starting plan that you adjust to your own profile and timeline. For more on whether the credential itself is the right fit for your career, our piece on what the AIGP covers and whether it’s worth pursuing goes deeper, and the cost and salary breakdown covers the financial side. You can also download the BoK v2.1 directly from the IAPP AIGP page, which I strongly recommend doing on day one of your study plan.
Frequently Asked Questions About Studying for the AIGP
How long does it take to study for the AIGP exam?
Most candidates need 80 to 120 hours of focused study time, which usually translates to six to ten weeks at one to two hours per day plus weekend sessions. Privacy and legal professionals often land at the lower end. Candidates without a privacy, risk, or AI background should plan for the higher end and supplement with primary source reading of the EU AI Act and NIST AI RMF.
Is the official IAPP training enough to pass the AIGP?
The official training is a solid foundation, but consistent feedback from candidates and instructors is that it doesn’t fully prepare you for the scenario weight of the actual exam. Plan to supplement with scenario heavy practice question banks and primary source reading of the EU AI Act and the NIST AI Risk Management Framework. The gap is real but bridgeable.
Which AIGP domain is hardest to study for?
It depends on your background. Privacy and legal professionals find Domains III and IV (lifecycle governance and deployment) hardest because the artifacts and engineering vocabulary are unfamiliar. Technical practitioners struggle most with Domain II (laws, standards, and frameworks) because the EU AI Act role distinctions and ISO/IEC 42001 management system thinking don’t map cleanly to specifications. Domain I is the easiest for most candidates and the most over studied as a result.
What is the passing score on the AIGP exam?
The AIGP uses scaled scoring from 100 to 500, with 300 to pass. You sit 100 questions across three hours, of which 85 are scored and 15 are unscored pilot items mixed in. You won’t know which questions are which, so treat them all the same.
How important are the EU AI Act and NIST AI RMF on the AIGP exam?
Both are essential. Domain II carries roughly a quarter of the exam, and the EU AI Act and NIST AI RMF are the two most heavily tested frameworks within it. Even more importantly, both show up indirectly inside Domain III and Domain IV scenarios. You need fluency in EU AI Act role obligations (provider, deployer, importer, distributor) and the four NIST AI RMF functions (Govern, Map, Measure, Manage). Memorizing definitions isn’t enough. You need to apply them to scenarios.
What changed in the AIGP Body of Knowledge v2.1 for 2026?
BoK v2.1 became effective on February 2, 2026. The four domain structure stayed the same, but performance indicators were modified to put more weight on third party governance, contract requirements, and updated data governance policies. Two prior indicators (III.A.3 and IV.B.2) were removed as part of reorganization rather than substantive content cuts. If your study materials reference the seven domain v1.0 BoK or pre 2026 v2.0.1 indicators, they’re outdated.
Should I take the AIGP if I already have CIPP/E or CIPM?
For privacy professionals moving into AI governance work, AIGP is the natural next credential and complements both CIPP/E and CIPM well. Your existing IAPP membership and continuing education credits transfer cleanly, and the AIGP fills the gap between privacy law fluency and AI specific lifecycle governance work. Most candidates with CIPP/E or CIPM finish AIGP prep faster than first time IAPP candidates, but they should still allocate full attention to Domains III and IV where the operational AI content lives.
VP of Educational Services | Training Camp
Jeff Porch is the VP of Educational Services and Operations at Training Camp, where he leads the company's educational initiatives with a focus on accelerated learning and student success. Beyond overseeing curriculum development, Jeff serves as the lead course designer for Training Camp's CompTIA Security+ program, one of their most popular offerings. He is deeply involved in the instructional side of the business — developing certification courses, training instructors, and ensuring that complex IT concepts are delivered in ways that maximize retention and minimize time-to-certification.
