
Free AICP Practice Questions

10 free, exam-style Artificial Intelligence Compliance Professional (AICP) practice questions with answers and explanations. No signup required. Work through them below, then take the full free AICP practice test to study every exam domain.

Question 1

A multinational recruitment firm deploys an AI system to screen job applicants. The system was trained on 10 years of the company's hiring data, during which the company predominantly hired male candidates for technical roles. The AI now consistently ranks female candidates lower for engineering positions, even when their qualifications match or exceed those of male candidates. Under the AI Act, which requirement has the provider MOST directly violated?

  A. Article 10 - the provider failed to examine training data for biases affecting fundamental rights and take measures to mitigate them
  B. Article 13 - the provider failed to provide sufficiently transparent instructions for use to the deployer about screening methodology and known limitations
  C. Article 14 - the provider failed to design the system to allow effective human oversight during the candidate evaluation and ranking process
  D. Article 12 - the provider failed to ensure automatic logging of screening decisions and the factors that influenced each candidate ranking

Correct answer: A - Article 10 - the provider failed to examine training data for biases affecting fundamental rights and take measures to mitigate them

Question 2

A Spanish fintech company licenses an AI credit-scoring model from a UK-based provider. The fintech company makes no modifications to the system but places it on the EU market under its own brand name, with no mention of the original UK developer. Under the AI Act, the Spanish company is acting as:

  A. A deployer - it uses the AI system under its own authority in a professional context without having developed it
  B. An importer - it is the first entity to make a third-country AI system available on the EU market
  C. A provider - it places the system on the market under its own name or trademark
  D. A distributor - it makes the AI system available on the EU market without being the original developer or an importer

Correct answer: C - A provider - it places the system on the market under its own name or trademark

Question 3

A private insurance company develops an internal AI-based 'reliability score' for its employees. The score is calculated from personal social media activity, financial history, and neighbourhood crime statistics, and it directly affects employees' promotion prospects and work assignments. Under the AI Act, this practice is BEST classified as:

  A. Prohibited - this constitutes social scoring by an organisation leading to systematic detrimental and unfavourable treatment of individuals
  B. Limited risk - the company must inform employees about the AI scoring system and provide transparency disclosures about how scores are calculated
  C. Minimal risk - internal employee scoring systems used by private companies fall entirely outside the scope of the AI Act's regulatory framework
  D. High risk - AI for employee evaluation and task allocation is listed in Annex III under employment and workers management

Correct answer: D - High risk - AI for employee evaluation and task allocation is listed in Annex III under employment and workers management

Question 4

A police department uses AI to predict which individuals in a neighbourhood are likely to commit crimes based solely on personality profiling and demographic data, without any evidence of criminal activity. A separate agency uses AI to assess the reoffending risk of convicted individuals before parole decisions. Under the AI Act, what is the CRITICAL distinction between these two uses?

  A. Both are classified as high-risk AI systems under Annex III, requiring identical conformity assessment procedures and human oversight measures
  B. The first is prohibited - predictive policing by profiling alone is banned; the second is high-risk - recidivism assessment of convicted persons requires compliance
  C. Both are prohibited practices under Article 5 because they involve any form of law enforcement profiling of natural persons
  D. The first is high-risk under the law enforcement category of Annex III; the second is prohibited because it affects convicted individuals' fundamental liberty rights

Correct answer: B - The first is prohibited - predictive policing by profiling alone is banned; the second is high-risk - recidivism assessment of convicted persons requires compliance

Question 5

A bank deploys an AI system that automatically rejects loan applications with no human review. An applicant whose loan is denied requests an explanation of the decision. Under GDPR Article 22 and the AI Act, the applicant is entitled to:

  A. Only a standard written notification confirming the rejection, with no obligation on the bank to disclose the automated reasoning or offer human review
  B. Meaningful information about the decision logic, the right to human intervention, to express their view, and to contest the decision
  C. Only access to the raw financial data that the AI system processed, without any explanation of the logic or the opportunity to contest the outcome
  D. Only the right to resubmit a new application with additional documentation after a mandatory 90-day waiting period has elapsed

Correct answer: B - Meaningful information about the decision logic, the right to human intervention, to express their view, and to contest the decision

Question 6

A company claims its high-risk AI system has 'human oversight' because a staff member presses 'approve' on every AI-generated decision. However, the staff member processes over 500 decisions per hour, spending fewer than 7 seconds per case, and has no authority to override the system. Under Article 14 of the AI Act, this arrangement is:

  A. Adequate - the AI Act requirement is satisfied as long as a human is technically present somewhere in the automated decision pipeline
  B. Adequate - provided the staff member holds a relevant professional qualification and has received documented training on the AI system's outputs
  C. Inadequate - but only because the staff member lacks formal override authority, not because of the decision processing speed or review depth
  D. Inadequate - effective oversight requires genuine ability to understand, evaluate, and override outputs, not mere rubber-stamping

Correct answer: D - Inadequate - effective oversight requires genuine ability to understand, evaluate, and override outputs, not mere rubber-stamping

Question 7

A technology company trains a large language model using computational resources totalling 5 × 10²⁵ FLOPs. Under the AI Act, this model is presumed to pose systemic risk. What ADDITIONAL obligations apply beyond the standard GPAI provider obligations?

  A. The provider must obtain mandatory third-party certification from an EU-designated notified body before making the model available to downstream providers
  B. The provider must withdraw the model from the EU market within 12 months and replace it with a lower-compute alternative that falls below the threshold
  C. The provider must conduct adversarial testing, track and report incidents, ensure adequate cybersecurity, and report energy consumption
  D. The provider must publish the complete training data set, model architecture, and all training weights in a publicly accessible EU-hosted repository

Correct answer: C - The provider must conduct adversarial testing, track and report incidents, ensure adequate cybersecurity, and report energy consumption

Question 8

A startup with €2 million in annual worldwide turnover deploys an AI system that constitutes a prohibited practice under Article 5. Under the standard penalty rule, the fine would be up to €35 million or 7% of global turnover (€140,000), whichever is HIGHER - meaning €35 million. However, for SMEs and startups, the AI Act applies a special rule. What is the MAXIMUM fine this startup faces?

  A. €35 million - the proportionality principle does not reduce penalties for violations of prohibited AI practices regardless of company size
  B. €10,000 - a fixed reduced penalty applies automatically to all startups with annual turnover below €10 million irrespective of the violation type
  C. €0 - startups with annual turnover below €5 million are fully exempt from all administrative fines imposed under the AI Act
  D. €140,000 - the proportionality principle means the LOWER of the two amounts applies for SMEs and startups

Correct answer: D - €140,000 - the proportionality principle means the LOWER of the two amounts applies for SMEs and startups

Question 9

A medical device company develops an AI system that diagnoses diabetic retinopathy from retinal scans. The AI functions as a safety component within a CE-marked medical device. Under the EU regulatory framework, this AI system is subject to:

  A. Both the AI Act as a high-risk safety component and the Medical Device Regulation - requiring dual compliance with both frameworks
  B. Only the AI Act - medical devices containing AI components are governed exclusively by AI-specific regulation and are exempt from MDR
  C. Only the Medical Device Regulation - the AI Act explicitly defers to existing sector-specific product safety legislation for all medical AI
  D. Neither framework - diagnostic AI systems that operate within an already CE-marked medical device are exempt from additional requirements

Correct answer: A - Both the AI Act as a high-risk safety component and the Medical Device Regulation - requiring dual compliance with both frameworks

Question 10

An organisation already manages enterprise risks using ISO 31000. It now needs to add AI-specific risk management covering bias, opacity, data quality, and adversarial attacks. A colleague recommends ISO/IEC 42001 instead. What is the KEY difference between these two options?

  A. ISO/IEC 42001 extends ISO 31000 with AI-specific risk guidance and integrates directly into existing enterprise risk management processes and frameworks
  B. Both standards serve identical purposes - extending ISO 31000 with AI-specific risk management guidance - and choosing either produces the same outcome
  C. ISO/IEC 23894 extends ISO 31000 with AI-specific risk guidance; ISO/IEC 42001 is a certifiable AI Management System covering governance, not just risk
  D. ISO/IEC 23894 replaces ISO 31000 entirely for all AI contexts; ISO/IEC 42001 only applies to organisations with existing ISO 27001 certification

Correct answer: C - ISO/IEC 23894 extends ISO 31000 with AI-specific risk guidance; ISO/IEC 42001 is a certifiable AI Management System covering governance, not just risk
