Intermediate

AI Ethics & Governance (25%)

Domain 4 of the CompTIA AI+ exam — bias detection, fairness, AI regulation, responsible AI principles, transparency, accountability, and privacy.

Types of AI Bias

  • Data bias (Historical bias) — Training data reflects historical prejudices (e.g., a hiring model trained on past decisions where women were underrepresented in tech roles)
  • Selection bias (Sampling bias) — Training data does not represent the full population (e.g., a facial recognition model trained mostly on light-skinned faces)
  • Measurement bias — Flawed data collection methods introduce systematic errors
  • Algorithmic bias — The model architecture or optimization process amplifies biases in the data
  • Confirmation bias — Developers or users interpret results to confirm existing beliefs
  • Automation bias — Over-reliance on AI decisions, failing to apply human judgment

Bias Detection and Mitigation

Pre-training (Data-level)

  • Audit training data for representation across demographics
  • Balance datasets to ensure equal representation
  • Remove or reweight biased data points

During training (Algorithm-level)

  • Use fairness-aware algorithms that optimize for both accuracy and fairness
  • Apply regularization techniques that penalize biased predictions
  • Monitor fairness metrics during training

Post-training (Output-level)

  • Audit model predictions across demographic groups
  • Adjust decision thresholds per group to achieve equitable outcomes
  • Implement human review for high-stakes decisions
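Added example, not part of this study guide: a post-training audit in Python for the hiring-tool scenario the page uses. It computes selection rates per group at a common threshold, the disparate-impact ratio checked against the four-fifths (80%) rule, and then the page's per-group threshold adjustment. The group labels and scores are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Decision:
    group: str      # demographic attribute being audited (constructed labels)
    score: float    # model score in [0, 1]; the tool selects when score >= threshold

# Constructed sample of hiring-tool scores, not real applicant data.
SAMPLE = [Decision("A", s) for s in (0.9, 0.8, 0.7, 0.65, 0.3)] + \
         [Decision("B", s) for s in (0.85, 0.55, 0.5, 0.45, 0.2)]

def selection_rate(records, group, threshold):
    members = [r for r in records if r.group == group]
    selected = sum(1 for r in members if r.score >= threshold)
    return selected / len(members)

def audit(records, thresholds):
    """Selection rate per group plus the disparate-impact ratio (lowest rate / highest rate).
    `thresholds` maps group -> threshold, so one common threshold or per-group
    thresholds are audited by the same function."""
    groups = sorted({r.group for r in records})
    rates = {g: selection_rate(records, g, thresholds[g]) for g in groups}
    top = max(rates.values())
    ratio = min(rates.values()) / top if top > 0 else 1.0
    return rates, ratio

def passes_four_fifths(ratio):
    # Four-fifths rule: adverse impact is flagged when the ratio drops below 0.8.
    return ratio >= 0.8

def equalize_threshold(records, group, target_rate):
    """Output-level mitigation: pick the threshold for one group whose selection
    rate is closest to target_rate. Candidates are the group's own scores, tried
    from highest to lowest so ties keep the stricter threshold."""
    candidates = sorted({r.score for r in records if r.group == group}, reverse=True)
    return min(candidates, key=lambda t: abs(selection_rate(records, group, t) - target_rate))

if __name__ == "__main__":
    common = {"A": 0.6, "B": 0.6}
    rates, ratio = audit(SAMPLE, common)
    print("common threshold:", rates, f"ratio={ratio:.2f}", "pass" if passes_four_fifths(ratio) else "FAIL")
    adjusted = dict(common, B=equalize_threshold(SAMPLE, "B", rates["A"]))
    rates, ratio = audit(SAMPLE, adjusted)
    print("per-group thresholds:", adjusted, rates, f"ratio={ratio:.2f}")
```

A ratio that fails the rule is the trigger for the investigation and human review the page describes; the threshold change itself is a policy decision that the review, not the script, should own.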

Responsible AI Principles

  • Fairness — AI should treat all people equitably, without discrimination based on protected characteristics
  • Transparency — How the AI system works and makes decisions should be understandable
  • Explainability — AI decisions should be explainable to stakeholders (SHAP values, LIME, feature importance)
  • Accountability — Clear ownership of AI decisions and outcomes. Humans remain responsible.
  • Privacy — AI must protect personal data and comply with privacy regulations
  • Safety — AI systems should not cause harm. Include safeguards and human oversight.
  • Robustness — AI should work reliably under various conditions and resist adversarial attacks

Exam focus: The CompTIA AI+ exam heavily tests ethical scenarios. Be prepared for questions like "A company discovers their AI hiring tool rejects 80% of female applicants. What should they do?" The answer always involves investigating the data for bias, auditing the model, and implementing human oversight.

AI Regulation and Compliance

EU AI Act

The EU AI Act classifies AI systems by risk level:

  • Unacceptable risk — Banned (social scoring, real-time biometric surveillance in public spaces)
  • High risk — Strict requirements (hiring, credit scoring, healthcare, law enforcement). Requires risk assessment, documentation, human oversight.
  • Limited risk — Transparency obligations (chatbots must disclose they are AI)
  • Minimal risk — No restrictions (spam filters, AI in video games)

GDPR (General Data Protection Regulation)

  • Right to explanation — Individuals can request an explanation of automated decisions that affect them
  • Right to erasure — Individuals can request deletion of their personal data
  • Data minimization — Only collect data necessary for the specific purpose
  • Consent — Must obtain explicit consent for data processing

Other Regulations

  • CCPA/CPRA — California privacy regulations with similar rights to GDPR
  • HIPAA — Healthcare data privacy in the United States
  • SOC 2 — Security and privacy controls for service organizations

AI Governance Frameworks

  • AI Ethics Board — Cross-functional team that reviews AI projects for ethical concerns
  • Model Cards — Documentation of model purpose, performance, limitations, and bias test results
  • AI Impact Assessment — Evaluate potential social, ethical, and legal impacts before deployment
  • Audit trails — Log all AI decisions for accountability and regulatory compliance
  • Human-in-the-loop — Human oversight for critical decisions (loan approvals, medical diagnoses)

AI Security Risks

  • Adversarial attacks — Intentionally crafted inputs designed to fool AI models (e.g., small image perturbations that cause misclassification)
  • Data poisoning — Injecting malicious data into training sets to corrupt the model
  • Model inversion — Extracting private training data from a model by querying it
  • Prompt injection — Manipulating LLM inputs to override instructions or extract sensitive information
  • Model theft — Reverse-engineering or stealing a proprietary model through extensive querying

Practice Questions

📝
Q1: A company's AI hiring tool was trained on 10 years of hiring data. The company historically hired mostly men for engineering roles. The AI now recommends significantly fewer women for interviews. What type of bias is this?

A) Algorithmic bias
B) Historical bias (Data bias)
C) Measurement bias
D) Automation bias

B) Historical bias (Data bias). The training data reflects historical hiring patterns that underrepresented women. The model learned to replicate these biased patterns. The fix involves auditing and rebalancing the training data, using bias-aware algorithms, and implementing human review for hiring decisions.

📝
Q2: Under the EU AI Act, an AI system used for credit scoring decisions is classified as:

A) Unacceptable risk (banned)
B) High risk (strict requirements)
C) Limited risk (transparency only)
D) Minimal risk (no restrictions)

B) High risk. The EU AI Act classifies AI used for credit scoring, hiring, healthcare, and law enforcement as high risk. These systems must undergo risk assessments, maintain documentation, implement human oversight, and meet accuracy and robustness requirements.

📝
Q3: A user interacts with a customer service chatbot but is not told they are talking to an AI. Which regulation requires disclosure that the user is interacting with AI?

A) HIPAA
B) SOC 2
C) EU AI Act (Limited risk transparency requirement)
D) PCI DSS

C) EU AI Act (Limited risk transparency requirement). The EU AI Act requires chatbots and other AI systems that interact with humans to disclose that the user is interacting with AI. This is a transparency obligation for limited-risk AI systems.

📝
Q4: Which technique helps explain WHY an AI model made a specific decision by showing how much each input feature contributed to the prediction?

A) Data augmentation
B) SHAP values
C) Gradient descent
D) Transfer learning

B) SHAP values. SHAP (SHapley Additive exPlanations) values show the contribution of each feature to a specific prediction. They answer the question "why did the model predict X?" by assigning an importance value to each input feature. LIME is another popular explainability technique.
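Added illustration of the Explainability principle and of Q4 (example code, not from this guide and not the SHAP library): exact Shapley values for a hypothetical three-feature loan scorer, computed by enumerating every feature coalition against a single baseline. The model, feature names and applicant values are constructed, and using one reference point instead of a background dataset is a simplification.

```python
from itertools import combinations
from math import factorial

# Hypothetical loan scorer (constructed for this example, not a real model).
# Features: income in k$, late payments in the last year, years employed.
FEATURES = ["income", "late_payments", "years_employed"]

def loan_score(z):
    income, late, years = z
    # Linear terms plus one interaction term, so contributions are not just weights.
    return 0.1 * income - 2.0 * late + 0.5 * years + 0.02 * income * years

def shapley_values(model, x, baseline):
    """Exact Shapley attribution of model(x) - model(baseline) to each feature.
    Every coalition is enumerated, which is fine for a handful of features; SHAP
    uses approximations (KernelSHAP, TreeSHAP) for real models."""
    n = len(x)

    def value(coalition):
        # Features in the coalition take their real values, all others the baseline.
        z = [x[j] if j in coalition else baseline[j] for j in range(n)]
        return model(z)

    phi = [0.0] * n
    for i in range(n):
        others = [j for j in range(n) if j != i]
        for k in range(len(others) + 1):
            weight = factorial(k) * factorial(n - k - 1) / factorial(n)
            for subset in combinations(others, k):
                s = set(subset)
                phi[i] += weight * (value(s | {i}) - value(s))
    return phi

def explain(model, x, baseline, names=FEATURES):
    """Per-feature contributions, most influential first, after the efficiency check:
    contributions must sum to prediction minus baseline prediction."""
    phi = shapley_values(model, x, baseline)
    assert abs(sum(phi) - (model(x) - model(baseline))) < 1e-9
    return sorted(zip(names, phi), key=lambda p: -abs(p[1]))

if __name__ == "__main__":
    applicant = [60, 1, 5]   # constructed applicant
    reference = [0, 0, 0]    # single reference point (simplification)
    for name, contribution in explain(loan_score, applicant, reference):
        print(f"{name:15s} {contribution:+.2f}")
```

The interaction term (0.02 * income * years) is split evenly between the two features involved, which is why income's contribution is 9.0 rather than its linear part of 6.0.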

📝
Q5: An attacker adds tiny, imperceptible changes to an image that cause an AI model to misclassify it. What is this type of attack called?

A) Data poisoning
B) Model inversion
C) Adversarial attack
D) Prompt injection

C) Adversarial attack. Adversarial attacks use carefully crafted perturbations to inputs that are imperceptible to humans but cause AI models to make incorrect predictions. For example, adding noise to a stop sign image that causes a self-driving car's model to classify it as a speed limit sign.