CY0-001 Exam Dumps - CompTIA SecAI+ v1 Exam

Basic Concept: Preventing vulnerable code from reaching production requires an automated, mandatory gate in the software delivery pipeline. The CI/CD pipeline is the enforcement point where all code must pass before deployment. CompTIA SecAI+ Study Guide covers AI integration in secure development pipelines under AI-assisted security.

Why C is Correct: Implementing an LLM in the CI/CD runner creates a mandatory automated security gate that every code change must pass. The LLM can analyze code for vulnerabilities, insecure patterns, and policy violations, then automatically fail the build if issues are found. This prevents vulnerable code from progressing toward production without human bypass capability, making it the most effective enforcement mechanism.

Why A is Wrong: IDE plug-ins provide warnings to developers during coding, but developers can choose to ignore them and proceed with compilation and commits. Warnings are advisory, not preventive, and cannot guarantee vulnerable code is blocked from the pipeline.

Why B is Wrong: SOAR platforms with ML models are excellent for incident response and security operations automation. However, they are not positioned in the code delivery pipeline and do not gate code from progressing to production.

Why D is Wrong: An agentic penetration testing tool validates vulnerabilities reactively after code is written or deployed. This approach does not intercept code before production deployment and is typically used for post-deployment assessment rather than prevention.

Basic Concept: AI systems used in employment contexts such as job screening carry significant regulatory risk. For a multinational company operating in or serving markets covered by the EU AI Act, compliance with this binding regulation is mandatory to avoid substantial fines. CompTIA SecAI+ Exam Objectives cover AI regulatory compliance under Domain 4.

Why B is Correct: The EU AI Act explicitly classifies AI systems used for employment screening, candidate evaluation, and worker management as high-risk AI applications. These systems are subject to strict compliance requirements including mandatory conformity assessments, human oversight, transparency obligations, and registration. Non-compliance can result in fines up to 30 million euros or 6% of global annual turnover. A multinational company implementing AI job screening must reference the EU AI Act as the primary compliance obligation.

Why A is Wrong: ISO AI standards such as ISO 42001 are voluntary management system standards. While useful for best practices, they do not carry legal enforcement power and adherence does not prevent regulatory fines from binding legislation like the EU AI Act.

Why C is Wrong: Corporate policy is an internal governance document that sets organizational standards. It cannot supersede external legal obligations and following only corporate policy does not protect against fines from regulatory bodies enforcing the EU AI Act.

Why D is Wrong: NIST AI RMF is a voluntary American risk management framework. While excellent for AI risk governance, it is not a binding regulation and does not address the legal compliance requirements that generate fines from regulatory authorities in jurisdictions covered by the EU AI Act.

Basic Concept: Advances in AI generative technology have enabled the creation of highly realistic synthetic video and audio content that convincingly impersonates real individuals. These AI-generated impersonations are called deepfakes and represent a significant threat for corporate fraud, misinformation, and social engineering. CompTIA SecAI+ covers deepfakes under basic AI concepts and cybersecurity threats.

Why C is Correct: The scenario describes a video in which the CEO ' s likeness was convincingly replicated to deliver a false message about bankruptcy. This is a textbook deepfake attack — AI-generated synthetic media using the target ' s face and potentially voice to make it appear they said something they never said. Deepfake technology uses GANs and CNNs to create this type of convincing impersonation, and the attack specifically exploited AI generation for deception.

Why A is Wrong: An on-path attack intercepts network communications between two parties to eavesdrop or modify traffic. It requires positioning in the network path, not creating synthetic media of a person ' s likeness.

Why B is Wrong: Phishing is a social engineering attack that uses deceptive messages typically via email to trick recipients into taking harmful actions such as clicking malicious links or providing credentials. While this attack has social engineering elements, the use of AI-generated video to impersonate the CEO specifically categorizes it as a deepfake attack.

Why D is Wrong: Social engineering broadly describes psychological manipulation tactics to deceive individuals. While deepfakes can be used as part of social engineering campaigns, the specific technical technique used — AI-generated synthetic video — makes deepfake the most precise and accurate categorization.

Basic Concept: Responsible AI is a governance framework addressing risks that arise from AI systems producing outcomes that are unfair, harmful, or contrary to human values. Different risk types fall under different governance domains — some under responsible AI, others under security or operational management. CompTIA SecAI+ Study Guide covers responsible AI risk categories under Domain 4.

Why C is Correct: Response bias occurs when an AI system ' s outputs are systematically skewed against certain groups, topics, or perspectives, reflecting biases embedded in training data or model design. This is a core risk addressed by responsible AI principles including fairness, non-discrimination, and explainability. Responsible AI frameworks mandate bias detection, assessment, and mitigation to ensure AI responses treat all users and groups equitably.

Why A is Wrong: Model drift describes the degradation of model performance over time as the distribution of real-world data diverges from the training data distribution. While an important operational concern, model drift is primarily a technical performance risk managed through MLOps and monitoring practices, not a core responsible AI governance concern.

Why B is Wrong: Reputational loss is a business risk consequence that may result from various AI failures including biased outputs or privacy violations. It is an outcome or impact rather than a specific risk category that responsible AI frameworks directly address.

Why D is Wrong: Data poisoning is a security attack where adversaries corrupt AI training data to manipulate model behavior. This is a cybersecurity threat managed through security controls and data integrity protections rather than responsible AI ethical governance frameworks focused on fairness and accountability.

Basic Concept: When implementing guardrails for compliance purposes, organizations need a recognized framework or standard that provides authoritative guidance on what guardrails should address and how to implement them. Compliance guardrails require industry-recognized standards as their basis. CompTIA SecAI+ Study Guide identifies OWASP as the primary reference for LLM application security controls including guardrails.

Why B is Correct: OWASP provides the OWASP Top 10 for Large Language Model Applications, which is a recognized industry resource defining the most critical vulnerabilities in LLM applications and the guardrails needed to mitigate them. Using OWASP as the reference for compliance-required guardrails provides a defensible, industry-standard basis for the security controls implemented, satisfying compliance requirements with authoritative guidance on what guardrails should prevent and how they should function.

Why A is Wrong: RAG is an AI architecture that enhances LLM responses with retrieved external context. It is a capability enhancement technique, not a framework for defining or implementing security guardrails for compliance purposes.

Why C is Wrong: LLM libraries are software development toolkits that provide functions for working with language models. While they may include built-in guardrail features, they are implementation tools, not the governance resource or standard that compliance guardrail requirements should be based upon.

Why D is Wrong: A SIEM is a security monitoring and alerting platform that aggregates and analyzes log data. It is a detection and monitoring tool, not a framework that defines what guardrails are required for LLM application compliance.

Basic Concept: Training an AI model involves repeatedly exposing it to training data so it can learn optimal parameters. The terminology for training cycles is fundamental to understanding AI model training processes. CompTIA SecAI+ Study Guide covers core AI training concepts under basic AI concepts.

Why D is Correct: An epoch refers to one complete pass through the entire training dataset. When a model trains for multiple epochs, it sees each training example multiple times, allowing it to refine its parameters progressively. The number of training epochs is a key hyperparameter that directly affects model performance — too few and the model underfits; too many and it may overfit. For a threat detection model, specifying epochs controls how thoroughly the model has learned from the training data.

Why A is Wrong: k-means clustering is an unsupervised machine learning algorithm that groups data points into k clusters based on feature similarity. It is a data clustering algorithm, not a term describing training cycles or iterations.

Why B is Wrong: Tokens are the discrete units that LLMs use to process text inputs and outputs. Token count measures text processing volume and LLM utilization, not the number of times a model has processed its training dataset.

Why C is Wrong: Temperature is an inference parameter that controls the randomness or creativity of an LLM ' s output generation. Higher temperature produces more varied outputs; lower temperature produces more deterministic responses. It is not related to training cycles or iterations.

Basic Concept: DoS attacks overwhelm AI systems by sending excessive requests that exhaust computational resources, memory, or bandwidth, preventing legitimate users from being served. The primary defense against volume-based attacks is throttling the rate at which requests can be processed. CompTIA SecAI+ Exam Objectives identify rate limiting as the key DoS mitigation control for AI systems.

Why B is Correct: Rate limiting directly addresses the root mechanism of DoS attacks by restricting the number of requests any single client or IP address can submit within a defined time window. By enforcing request quotas, rate limiting prevents attackers from generating the request volume necessary to overwhelm the system while preserving capacity for legitimate users. It is the most direct and effective preventive control against DoS attacks on AI APIs and services.

Why A is Wrong: Model guardrails inspect and filter the content of prompts and responses for policy compliance and safety. They operate at the semantic content level, not at the request volume level, and cannot prevent resource exhaustion from high-volume request flooding.

Why C is Wrong: End-to-end encryption protects the confidentiality and integrity of data in transit. Encrypted DoS traffic is just as damaging as unencrypted traffic; encryption does not limit request rates or prevent resource exhaustion.

Why D is Wrong: Access controls restrict who can interact with the system, which can reduce the potential attacker pool. However, authenticated users and compromised accounts can still launch DoS attacks, and access controls alone cannot prevent high-volume attacks from authorized sources.

Basic Concept: Responsible AI encompasses a set of principles designed to ensure AI systems operate ethically, fairly, and accountably. These principles guide AI development and deployment to minimize harm and maximize trustworthiness. CompTIA SecAI+ Exam Objectives list transparency and explainability as foundational responsible AI principles under Domain 4.

Why B is Correct: Transparency and explainability are cornerstone principles of responsible AI. Transparency means AI systems are open about their nature, capabilities, limitations, and how they make decisions. Explainability means the system can articulate the reasons behind its decisions in human-understandable terms. Together, they enable accountability, support regulatory compliance, allow bias detection, and build user trust. The CompTIA SecAI+ Study Guide and responsible AI frameworks including OECD and NIST AI RMF consistently identify this as a key principle.

Why A is Wrong: Using protected data for training would violate privacy and intellectual property rights. This is not a responsible AI principle — responsible AI actually requires ensuring that training data respects privacy, consent, and legal protections.

Why C is Wrong: Human-in-the-loop is an important operational practice for high-stakes AI decisions, but it is one design pattern rather than the key overarching principle of responsible AI. Not all responsible AI systems require human-in-the-loop operation for every decision.

Why D is Wrong: Maximizing model security is a cybersecurity objective for AI systems. While important, it is an operational security concern rather than a responsible AI governance principle focused on fairness, accountability, and trustworthiness in AI decision-making.