5. AI Safety, Security, and Governance (20%)

Domain 3 is tested differently from the other domains — it's less about "which service implements this" and more about "which combination of controls provides defense-in-depth." The exam presents scenarios with a specific threat or compliance requirement and tests whether you understand which controls operate at which layer. A single-layer answer is almost always wrong.

The three sections in this phase build on each other: safety controls protect against harmful content at runtime (5.1), data security controls protect sensitive information at rest and in transit (5.2), and governance controls ensure auditability and organizational oversight over time (5.3). All three must be present in production.

⚠️ Common Misconception: Responsible AI is a post-deployment concern — something you add to an existing system to satisfy compliance requirements. In reality, responsible AI must be designed in from the start. Model selection, data governance, fairness evaluation, and explainability mechanisms must be architectural decisions, not retrofit patches. The exam tests this by presenting scenarios where responsible AI was treated as an afterthought and asking what should have been different.