CompTIA CompTIA CY0-001 PDF

CompTIA CompTIA CY0-001 PDF CompTIA CompTIA CY0-001 PDF Questions Available Here at: https://www.certification-exam.com/en/dumps/comptia-exam/cy0-001-dumps/quiz.html Enrolling now you will get access to 228 questions in a unique set of CompTIA CY0-001 Question 1 Which of the following job roles in an organizational governance structure develops a model from business use cases? Options: A. Platform architect B. AI risk analyst C. Machine learning operations (MLOps) engineer D. Data scientist Answer: D Explanation: The correct answer is D. Data scientist. In an organizational governance structure, the data scientist is typically the role responsible for analyzing business use cases and developing predictive or analytical models from them. They work with data to identify patterns, build machine learning models, and translate business problems into technical solutions. Why the other options are incorrect: A. Platform architect A platform architect designs the overall technical infrastructure and systems that support applications and data workflows. This role focuses on architecture and integration, not on building models from business use cases. B. AI risk analyst An AI risk analyst evaluates the risks associated with AI systems, such as fairness, compliance, security, and ethical concerns. This role is about oversight and governance, not model development. C. MLOps engineer An MLOps engineer manages the deployment, automation, monitoring, and maintenance of machine learning models in production. This role supports the lifecycle of models, but does not primarily create CompTIA CompTIA CY0-001 PDF https://www.certification-exam.com/ models from business use cases. D. Data scientist A data scientist takes business use cases and converts them into data-driven models. This is the role most directly associated with model development. In short, the data scientist is the role that develops a model from business use cases. Question 2 An administrator, who works for a financial institution, is required to implement data security controls for data at rest within AI systems that involve data disclosure. Which of the following is the most suitable control? Options: A. Data lineage B. Rate limits C. Encryption D. Masking Answer: C Explanation: The correct answer is C. Encryption. The question asks about data security controls for data at rest within AI systems that involve data disclosure. "Data at rest" means information stored in a system, database, file, or repository rather than actively being transmitted or processed. For this type of data, the most suitable security control is encryption because it protects stored data by making it unreadable without the proper decryption key. Why encryption is correct: - It is specifically designed to protect stored information. - If unauthorized users gain access to the storage medium, the data remains protected. - It is a standard and widely accepted control for sensitive financial data and regulated environments. Why the other options are not correct: - A. Data lineage: This tracks the origin, movement, and transformation of data. It helps with auditability and governance, but it does not directly protect data at rest. - B. Rate limits: These control how often a system can be accessed or queried. They help reduce abuse or excessive requests, but they do not secure stored data. - D. Masking: This hides portions of data, often for display or use in non-production environments. While useful for reducing exposure, it is not as strong or fundamental a control for protecting data at rest as encryption. In summary, when the goal is to secure stored sensitive data in AI systems, encryption is the most appropriate control. CompTIA CompTIA CY0-001 PDF https://www.certification-exam.com/ Question 3 A security engineer needs to monitor an AI-based system for runtime operations. The engineer is mostly concerned about the visibility of internal activity. Which of the following is the most appropriate monitoring solution? Options: A. Deploying a security information and event management (SIEM) tool B. Implementing a web application firewall (WAF) with header logging C. Relying on vendor model controls and monitoring prompt inputs D. Enabling stack call and debugging level traces at the function level Answer: D Explanation: The correct answer is D. Enabling stack call and debugging level traces at the function level. The question is asking about monitoring an AI-based system during runtime, with the main concern being visibility into internal activity. That means the engineer wants to understand what is happening inside the application or AI workflow while it is running, not just observe external traffic or general security events. Why D is correct: Debugging-level traces and stack call traces provide detailed internal execution visibility. They can show: - Function calls and execution paths - Internal states and intermediate processing steps - Errors, exceptions, and tracebacks - How input is transformed as it moves through the system This makes D the best choice when the goal is to monitor internal activity in runtime operations. Why the other options are less appropriate: A. Deploying a security information and event management (SIEM) tool A SIEM collects and correlates logs from many systems, which is useful for security monitoring and alerting. However, it does not inherently provide deep visibility into the internal runtime behavior of the AI application itself. It is more about centralized log analysis than internal execution tracing. B. Implementing a web application firewall (WAF) with header logging A WAF focuses on filtering and monitoring HTTP traffic to protect web applications from attacks. Header logging may help track request metadata, but it still mainly provides external request visibility rather than internal system activity. It is not the best solution for understanding runtime internals. C. Relying on vendor model controls and monitoring prompt inputs This approach focuses on the AI model’s inputs and built-in vendor controls. It may help with safety and abuse detection, but it does not provide detailed runtime visibility into the internal operations of the system. It is more about controlling and observing prompts than tracing execution. Key takeaway: If the concern is visibility into internal activity during runtime, the most appropriate monitoring method is detailed application-level tracing and debugging logs. That is exactly what option D provides. If you want, I can also explain how this differs from observability tools like logging, metrics, and tracing in AI CompTIA CompTIA CY0-001 PDF https://www.certification-exam.com/ systems. Question 4 Which of the following should an auditor reference when reviewing a company’s human resources AI systems for legal non-compliance? Options: A. Organization for Economic Cooperation and Development (OECD) standard B. National Institute of Standards and Technology (NIST) AI Risk Management Framework 9RMF) C. European Union (EU) AI Act D. International Organization for Standardization (ISO) Answer: C Explanation: The correct answer is C. European Union (EU) AI Act. When an auditor is reviewing a company’s human resources AI systems for legal non-compliance, the most relevant reference is the EU AI Act because it is a binding legal framework, not just a voluntary standard or guideline. HR-related AI uses, such as hiring, promotion, employee monitoring, and performance evaluation, are generally considered high-risk under the EU AI Act. That means these systems are subject to strict legal requirements related to transparency, documentation, risk management, data governance, human oversight, and accuracy. Why C is correct: - The EU AI Act is a law, so it is directly relevant to legal compliance. - HR AI systems often fall into categories the Act treats as high-risk. - An auditor checking for legal non-compliance should use a legal/regulatory source, not only a best- practice framework. Why the other options are not the best answer: - A. OECD standard - The OECD AI principles are important ethical and policy guidelines, but they are not binding legal requirements for compliance review. - B. NIST AI Risk Management Framework (AI RMF) - NIST AI RMF is a useful framework for managing AI risk, but it is voluntary and primarily focused on risk management, not legal compliance. - D. ISO - ISO standards can help with governance and quality management, but they are typically voluntary standards rather than legal rules. In short, if the auditor’s goal is to assess legal non-compliance in HR AI systems, the EU AI Act is the most appropriate reference because it is the primary legal instrument among the choices. CompTIA CompTIA CY0-001 PDF https://www.certification-exam.com/ Question 5 An airline corporation wants to implement a chatbot application using a large language model (LLM) so its customers: Can ask question and receive answers about flight details. Have the option to upload files. Which of the following security controls should the airline use to protect against malicious input and unauthorized use beyond the service-level agreement? (Choose two.) Options: A. Prompt guardrails B. Role-based access controls C. Firewall rules D. Model token quotas Answer: A, D Explanation: The correct answers are A. Prompt guardrails and D. Model token quotas. The airline wants to build a chatbot powered by a large language model that can answer customer questions and also accept file uploads. In this kind of application, there are two main risks mentioned in the question: 1. Malicious input 2. Unauthorized use beyond the service-level agreement Let’s look at the options one by one. A. Prompt guardrails Prompt guardrails are controls that help limit or filter what users can send to the model and what the model is allowed to do. They can help prevent prompt injection, harmful requests, and other malicious input. Since the chatbot will accept user questions and uploaded files, guardrails are important to reduce the risk that someone tries to manipulate the model with harmful or unexpected content. Why it is correct: - Helps protect against malicious input - Can restrict unsafe prompts or instructions - Useful for LLM-specific security D. Model token quotas Token quotas limit how many tokens a user, account, or application can send to or receive from the model within a certain time period. This helps prevent abuse, excessive usage, and attempts to go beyond agreed service limits. Why it is correct: - Prevents unauthorized or excessive use - Helps enforce service-level agreement limits - Protects against runaway cost and abuse Now the incorrect options: CompTIA CompTIA CY0-001 PDF https://www.certification-exam.com/ B. Role-based access controls RBAC is useful for controlling who can access system resources, but it is not the best choice here for protecting against malicious input to the LLM or for enforcing usage limits under the SLA. It is more about user permissions than model interaction safety. C. Firewall rules Firewalls help control network traffic, but they do not directly address prompt injection, malicious text input, or LLM usage quotas. They are useful for general network security, not the specific risks described in the question. Summary: - Prompt guardrails protect the model from malicious input. - Model token quotas prevent unauthorized or excessive usage beyond the SLA. Therefore, the correct answer is A and D. Question 6 A security operations center (SOC) has a very high volume of logs and alerts. The manager proposes the implementation of machine learning (ML) system to help with triage. Which of the following tasks is most suitable? Options: A. Applying filters on specific alerts B. Automatically patching vulnerable systems C. Identifying and classifying alerts D. Summarizing the content of alerts Answer: C Explanation: The correct answer is C. Identifying and classifying alerts. A SOC with a very high volume of logs and alerts needs help reducing noise and prioritizing what matters most. Machine learning is especially well suited for recognizing patterns in large datasets, grouping similar items, and classifying events based on learned behavior. In this case, ML can assist by identifying which alerts are likely related, which ones are benign, and which ones may indicate real threats. Why C is correct: - ML is effective at alert triage because it can learn from historical data. - It can classify alerts into categories such as low, medium, or high priority. - It can help detect patterns that humans might miss when alerts arrive in large volumes. - It improves SOC efficiency by reducing manual review workload. Why the other options are incorrect: A. Applying filters on specific alerts - Filtering is usually a rule-based or manual process, not a primary ML task. - It can reduce noise, but it does not leverage ML’s strength in pattern recognition and classification as well CompTIA CompTIA CY0-001 PDF https://www.certification-exam.com/ as option C does. B. Automatically patching vulnerable systems - This is a remediation task, not a triage task. - ML may help identify vulnerabilities, but automatically patching systems is an administrative/automation function, not the main purpose of ML in alert handling. D. Summarizing the content of alerts - While summarization can be useful, it is not the best fit for a SOC triage use case. - The primary need here is to sort and prioritize alerts, which is better described by identifying and classifying them. In short: ML is most useful here for identifying patterns and classifying alerts so analysts can focus on the most important incidents first. Question 7 An organization recently created a custom model that integrates with a language model (LLM). The developer notices that the application programming interface (API) costs have increased. Which of the following is the best control to reduce cost? Options: A. Implementing prompt templates B. Increasing central processing unit (CPU) and memory C. Reducing the model size D. Adjusting token limits Answer: D Explanation: The correct answer is D. Adjusting token limits. When an application uses a language model, API cost is usually based on how many tokens are sent to and returned from the model. Tokens represent pieces of text, and the more tokens used in a request and response, the higher the cost. If an organization notices increased API costs, one of the most effective controls is to limit the number of tokens the model can generate or process. Why D is correct: - Adjusting token limits directly reduces the amount of text the model handles. - This can lower both prompt-processing and response-generation costs. - It also helps prevent unnecessarily long outputs, which can quickly increase usage and expense. Why the other options are not the best answer: - A. Implementing prompt templates - Prompt templates can improve consistency and efficiency, but they do not directly control token consumption as effectively as token limits. - B. Increasing central processing unit (CPU) and memory CompTIA CompTIA CY0-001 PDF https://www.certification-exam.com/ - This may help performance in some systems, but it does not reduce LLM API usage costs. - C. Reducing the model size - Smaller models may cost less in some cases, but this is not the most direct or universal control for reducing API costs in a custom model integration. In summary, setting or tightening token limits is the best way to control and reduce LLM API costs because it directly limits usage. Question 8 A security administrator needs to improve an AI model. During an initial investigation, the administrator notices that two successive login features are recorded every day, and then a successful login occurs after a specific time interval. All the successful login attempts have been during office hours. Which of the following techniques should the administrator use to improve the AI model’s security? Options: A. Access management B. Pattern recognition C. Signature matching D. Vulnerability analysis Answer: B Explanation: The correct answer is B. Pattern recognition. Here’s why: The scenario describes a security administrator observing repeated login behavior over time: - Two successive login features are recorded every day - A successful login occurs after a specific time interval - All successful logins happen during office hours This indicates the administrator is identifying a repeating trend or behavioral pattern in the login data. Pattern recognition is the technique used to detect and analyze such regularities in data. In the context of AI security, it helps the model learn what normal or suspicious activity looks like, which improves its ability to detect anomalies or threats. Why the other options are not correct: A. Access management This is about controlling who can access systems and resources. It is a security control, but it does not describe analyzing repeated login behavior to improve an AI model. C. Signature matching This technique compares data against known malicious patterns or signatures. It is useful for detecting known threats, but the question focuses on recognizing a recurring behavioral sequence, not matching against a known attack signature. D. Vulnerability analysis CompTIA CompTIA CY0-001 PDF https://www.certification-exam.com/ This involves identifying weaknesses in systems or models. It is important for security assessment, but it does not fit the observed pattern of login events described in the question. In short, the administrator is observing recurring login behavior and timing, which is best addressed by pattern recognition. Question 9 Which of the following is the most concerning risk for a company that allows corporate end users to use public-facing large language models (LLMs)? Options: A. Inaccuracies due to hallucinations B. Out-of-date acceptable use policies C. Data security regulatory violations D. Malicious code generation Answer: C Explanation: The correct answer is C. Data security regulatory violations. Why this is the most concerning risk: Public-facing large language models can retain, process, or be exposed to sensitive corporate information if employees paste in internal data, customer records, source code, contracts, or other confidential content. That creates the risk of violating privacy, security, and industry regulations such as GDPR, HIPAA, PCI DSS, or internal data handling policies. Because these models are external services, the company may lose control over where data goes, how it is stored, and whether it is used for model training or logging. This makes regulatory and data security exposure the most serious concern. Why the other options are less correct: A. Inaccuracies due to hallucinations This is a real risk because LLMs can generate incorrect or misleading responses. However, it is usually a quality and reliability issue rather than the most severe company-wide risk. B. Out-of-date acceptable use policies This can create governance problems, but it is indirect. It is not as immediately serious as the possibility of exposing regulated or confidential data. D. Malicious code generation LLMs can assist in generating harmful code, but for a company allowing ordinary end users to use public LLMs, the broader and more likely concern is accidental leakage of sensitive information and resulting compliance violations. In summary: The biggest risk is not just that the model may be wrong or misused, but that employees may share sensitive corporate data with an external service, leading to security incidents and regulatory noncompliance. CompTIA CompTIA CY0-001 PDF https://www.certification-exam.com/ Question 10 Which of the following requires developers to harden infrastructure to protect AI systems? Options: A. Intake processes B. Acceptable use policies C. Development guidelines D. Configuration standards Answer: D Explanation: The correct answer is D. Configuration standards. Why D is correct: Configuration standards are the rules and baseline settings used to secure systems and infrastructure. If developers and administrators must harden infrastructure to protect AI systems, they need clear standards for how servers, networks, storage, access controls, and related components should be configured. Hardening typically involves reducing unnecessary services, applying secure settings, limiting permissions, and ensuring systems are set up to resist attacks. Why the other options are incorrect: A. Intake processes Intake processes are used to collect, review, and prioritize requests or inputs, such as project requests or data submissions. They are not specifically about securing or hardening infrastructure. B. Acceptable use policies Acceptable use policies define what users are allowed to do with systems and data. They focus on behavior and policy compliance, not on technical infrastructure hardening. C. Development guidelines Development guidelines help programmers write secure, consistent, and maintainable code. While they may include security best practices, they are broader than infrastructure hardening and do not specifically require hardening the underlying environment. Summary: The question asks which item requires developers to harden infrastructure to protect AI systems. Configuration standards are the most directly related because they define the secure setup and baseline protections for the infrastructure supporting those systems. Would you like to see more? Don't miss our CompTIA CY0-001 PDF file at: https://www.certification-exam.com/en/pdf/comptia-pdf/cy0-001-pdf/ CompTIA CompTIA CY0-001 PDF https://www.certification-exam.com/