MODULE 07 · ~3 hrs

Exam Preparation & Practice

Final preparation for the TCAIA proctored exam. Covers exam format, cross-module integration exercises, case study practice, and timed practice questions.

7.1 — Exam Format and Structure

The TCAIA exam is a 2-hour proctored online examination consisting of 80 questions covering all six preceding modules. Understanding the format helps you allocate time and effort effectively.

Exam Structure

| Question Type | Count | Description |
| --- | --- | --- |
| Multiple Choice (Single Answer) | 50 | Four options, one correct answer |
| Multiple Select | 15 | Four+ options, two or more correct answers |
| Scenario-Based | 15 | Read a case study, answer 3-5 related questions (across 3 case studies) |

Module Weight Distribution

| Module | Weight | Approx. Questions |
| --- | --- | --- |
| 01 — NIST AI RMF | 15% | ~12 questions |
| 02 — ISO/IEC 42001 | 20% | ~16 questions |
| 03 — EU AI Act | 20% | ~16 questions |
| 04 — India DPDP + RBI | 15% | ~12 questions |
| 05 — Model Cards & Red-Teaming | 15% | ~12 questions |
| 06 — Audit Documentation & Governance | 15% | ~12 questions |

TIME MANAGEMENT

You have 120 minutes for 80 questions — that's 1.5 minutes per question on average. Strategy: spend ~1 min on MC questions, ~1.5 min on multi-select, and ~2-3 min on scenario questions. Flag difficult questions and return to them. Passing score is 70% (56/80).

Results are provided within 24 hours. Candidates who do not pass may retake the exam after a 14-day waiting period (one free retake included, additional retakes at ₹2,999).

Key Points
2-hour proctored exam, 80 questions
Three question types: MC, multi-select, scenario-based
Passing score: 70% (56/80)
14-day wait between retakes
ISO 42001 and EU AI Act are highest weighted (20% each)

7.2 — Cross-Module Integration

The exam tests your ability to connect concepts across modules. Expect questions that require applying knowledge from multiple frameworks simultaneously.

Framework Mapping: NIST ↔ ISO 42001 ↔ EU AI Act

| NIST AI RMF Function | ISO 42001 Clauses | EU AI Act Requirements |
| --- | --- | --- |
| GOVERN | Cl. 5 (Leadership) + Cl. 6 (Planning) | Quality Management System, AI Literacy (Art. 4) |
| MAP | Cl. 4 (Context) + Cl. 8 (Operation — risk assessment) | Risk Classification (Art. 6), Conformity Assessment |
| MEASURE | Cl. 9 (Performance Evaluation) | Post-Market Monitoring, Performance Testing |
| MANAGE | Cl. 8 (Operation — risk treatment) + Cl. 10 (Improvement) | Incident Reporting, Corrective Actions |

Multi-Framework Compliance Approach

1. Identify Systems: Inventory all AI systems
2. Classify Risks: Per each framework
3. Map Controls: Unified control set
4. Assess Gaps: Against all requirements
5. Remediate: Prioritized action plan

EXAM TIP

Common integration question pattern: 'An organization operating in both India and the EU must comply with...' — You need to identify applicable laws (DPDP Act + GDPR + EU AI Act), map overlapping requirements, and recommend a unified governance framework (ISO 42001 + NIST AI RMF).

Auditors must assess compliance holistically — checking whether an organization's single governance framework adequately addresses requirements from multiple applicable regulations and standards.

Key Points
Exam tests cross-module connections
Framework mapping across NIST, ISO, EU AI Act
Multi-jurisdiction compliance analysis
Lifecycle coverage across frameworks
Holistic audit approach across all applicable standards

7.3 — Case Study Practice

Scenario-based questions present real-world situations where you must identify applicable regulations, required controls, and appropriate audit findings. Practice the 5-step approach below.

5-Step Case Study Approach

01. Identify & Classify

What is the AI system? What risk tier does it fall under in each applicable framework?

02. Determine Jurisdictions

Which countries/regions are involved? Which regulations apply (EU AI Act, DPDP, GDPR, RBI)?

03. Map Required Controls

What controls, documentation, and assessments are required from each applicable framework?

04. Identify Gaps

What is missing or non-compliant based on the scenario details?

05. Recommend Remediation

Provide specific, actionable recommendations — not vague 'improve governance' statements.

Three Case Study Archetypes

| Archetype | Scenario | Key Frameworks | Focus Areas |
| --- | --- | --- | --- |
| High-Risk AI Audit | EU bank deploys AI credit scoring | EU AI Act (high-risk) + GDPR + ISO 42001 | Fairness testing, human oversight, conformity assessment |
| GPAI Compliance | Startup releases open-source foundation model | EU AI Act (GPAI/systemic risk) + copyright law | Systemic risk threshold, training data transparency, open-source exemptions |
| Indian Enterprise | Indian NBFC uses third-party AI for loan underwriting | DPDP Act + RBI guidelines + vendor due diligence | Explainability, data localization, consent, third-party responsibility |

PRACTICAL RECOMMENDATIONS

The exam rewards specific, actionable recommendations over generic statements. Instead of 'improve documentation,' say 'Create model cards following the Mitchell et al. (2019) framework with all 8 sections, and establish a quarterly review cycle.' Specificity demonstrates competence.

Key Points
Three case study archetypes on the exam
Five-step approach: classify → jurisdictions → controls → gaps → remediate
Must apply multiple frameworks simultaneously
Practical, specific recommendations score higher
Time allocation: ~2-3 minutes per scenario question

Practice Questions

Q1: A company operates in both India and the EU. Which data protection laws apply to their AI systems?

DPDP Act 2023 (India) and GDPR (EU). If their AI system is high-risk under the EU AI Act, additional requirements apply. If they are a Significant Data Fiduciary under DPDP, they need a DPO, DPIAs, and independent audits.

Q2: How would you map NIST AI RMF functions to ISO 42001 clauses?

GOVERN maps to Clauses 5 (Leadership) and 6 (Planning). MAP maps to Clause 4 (Context) and Clause 8 (Operation — risk assessment). MEASURE maps to Clause 9 (Performance Evaluation). MANAGE maps to Clause 8 (Operation — risk treatment) and Clause 10 (Improvement).

Q3: An AI system used for employee hiring in the EU — what risk tier does it fall under and what's required?

High-risk under Annex III (employment, workers management). Required: risk management system, data governance, technical documentation, record-keeping, transparency to deployers, human oversight, accuracy/robustness/cybersecurity, conformity assessment, CE marking, EU database registration, and post-market monitoring.

Q4: Describe your approach to auditing a multi-jurisdictional AI system.

Five-step approach: (1) Identify and classify the AI system under each applicable framework, (2) Determine all applicable jurisdictions and regulations, (3) Map required controls from each framework into a unified control set, (4) Identify gaps through evidence collection and testing, (5) Recommend specific remediation actions prioritized by severity and regulatory urgency.

Q5: What is the time management strategy for the TCAIA exam?

120 minutes for 80 questions = 1.5 min average. Allocate ~1 min for MC questions (50), ~1.5 min for multi-select (15), and ~2-3 min for scenario questions (15). Flag difficult questions and return to them. This leaves ~10-15 minutes for review.

Q6: An Indian NBFC uses a third-party AI model for credit scoring. List all compliance requirements.

DPDP Act: consent for data processing, transparency about AI use, data principal rights. RBI: model governance framework, independent validation, explainability for rejections, data localization for payment data. Third-party management: vendor due diligence and contractual safeguards; the NBFC remains fully responsible for compliance regardless of the vendor relationship.
