Unit 3 of 3

7.3 — Case Study Practice

Scenario-based questions present real-world situations where you must identify applicable regulations, required controls, and appropriate audit findings. Practice the 5-step approach below.

5-Step Case Study Approach

1. Identify & Classify: What is the AI system? What risk tier does it fall under in each applicable framework?

2. Determine Jurisdictions: Which countries/regions are involved? Which regulations apply (EU AI Act, DPDP Act, GDPR, RBI guidelines)?

3. Map Required Controls: What controls, documentation, and assessments does each applicable framework require?

4. Identify Gaps: What is missing or non-compliant based on the scenario details?

5. Recommend Remediation: Provide specific, actionable recommendations, not vague 'improve governance' statements.

Three Case Study Archetypes

Archetype | Scenario | Key Frameworks | Focus Areas
High-Risk AI Audit | EU bank deploys AI credit scoring | EU AI Act (high-risk) + GDPR + ISO 42001 | Fairness testing, human oversight, conformity assessment
GPAI Compliance | Startup releases open-source foundation model | EU AI Act (GPAI/systemic risk) + copyright law | Systemic risk threshold, training data transparency, open-source exemptions
Indian Enterprise | Indian NBFC uses third-party AI for loan underwriting | DPDP Act + RBI guidelines + vendor due diligence | Explainability, data localization, consent, third-party responsibility
PRACTICAL RECOMMENDATIONS

The exam rewards specific, actionable recommendations over generic statements. Instead of 'improve documentation,' say 'Create model cards following the Mitchell et al. (2019) framework with all nine sections (model details through caveats and recommendations), and establish a quarterly review cycle.' Specificity demonstrates competence.

Key Points
Three case study archetypes on the exam
Five-step approach: classify → jurisdictions → controls → gaps → remediate
Must apply multiple frameworks simultaneously
Practical, specific recommendations score higher
Time allocation: ~2-3 minutes per scenario question