In the last twelve months, three different parts of the cybersecurity certification industry have converged on the same problem: nobody has a defensible answer for who, exactly, is qualified to secure an enterprise AI deployment. ISACA launched its Advanced in AI Security Management (AAISM) credential as the first AI-centric security management certification. CertNexus and partners like Ampcus Cyber rolled out the Certified AI Security Specialist (CAISS) workshop track aimed at practitioners. AWS retired its decade-old Machine Learning – Specialty exam and rebuilt its security and AI portfolio around generative AI from the ground up, with a refreshed Security – Specialty exam (SCS-C03) and the new Generative AI Developer – Professional credential. Three different vendors, three different bets on what AI security competence actually looks like.
The wave is real, but it isn’t uniform. These certifications target different audiences, validate different skills, and reflect very different theories of how AI security work should be organized inside an enterprise. Picking the right one — or correctly stacking several — depends on whether your job is governing AI risk, building AI security controls, or operating AI workloads in a specific cloud. This piece breaks down what each credential actually validates, what it costs, who the prerequisites filter for, and where the real gaps remain.
Why AI Security Certifications Suddenly Matter
The push isn’t theoretical. Ninety-five percent of digital trust professionals are worried that generative AI will be exploited by bad actors, according to ISACA’s AI Pulse Poll, and ISC2’s 2025 AI Adoption Survey found that over one-third of surveyed cybersecurity professionals cited AI as the biggest skills shortfall on their teams, and 42% said they’re actively exploring or testing AI-focused security tools. Boards are demanding accountability. Regulators — the EU AI Act, US sector enforcement, emerging APAC frameworks — are asking pointed questions about who validated a model, who owns the risk, and whether anyone documented the data lineage.
Traditional credentials don’t fully answer those questions. CISSP and CISM cover information security management broadly but predate the AI control surface entirely. Cloud security certifications validate workload protection but don’t address adversarial ML, prompt injection, or model supply chain integrity. The certification bodies are racing to fill that gap, and they’re approaching it from three different angles: governance (ISACA), practitioner skills (CertNexus and adjacent vendors), and platform-specific implementation (AWS).
ISACA AAISM: AI Security as a Management Discipline
The AAISM credential is the most ambitious entry in the wave. ISACA launched the Advanced in AI Security Management (AAISM) certification to enable security professionals to demonstrate their ability to implement enterprise AI solutions while being able to identify, assess, monitor and mitigate risk. It’s the first certification that treats AI security as a management and leadership discipline rather than as a demonstration of technical knowledge.
The prerequisite structure tells you who it’s for. Security professionals who hold a Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP) are eligible to pursue the AAISM. This isn’t an entry-level credential and isn’t pretending to be one — it’s a stack-on for security managers who already understand enterprise risk frameworks and now need to extend that thinking into AI governance.
The exam is structured around three domains. Domain 1 covers stakeholder considerations, industry frameworks, regulatory requirements, AI-related strategies and policies, AI asset and data lifecycle management, AI security program development, and business continuity and incident response. Domain 2 addresses risk management — assessing threats, vulnerabilities, and supply chain issues. Domain 3 focuses on optimizing AI security and highlights knowledge of security technologies, techniques and controls tailored to AI systems, including AI security architecture and design, AI life cycle management, data management controls, privacy and ethical controls, and security controls and monitoring.
Format: 90 multiple-choice questions over 2.5 hours, with a passing score of 450 or higher on a scaled scoring model. Costs scale by ISACA membership tier and reflect the credential’s positioning as an executive-level investment.
A few caveats matter. The AAISM is heavy on governance and policy — useful if your job is selling AI risk to a board, less useful if your job is hardening a fine-tuning pipeline. The largest portion of the exam (38%) focuses on AI Technologies and Controls, including model security, data privacy in training sets, and securing AI infrastructure, but the depth is conceptual rather than hands-on. Don’t expect the exam to teach you how to write a model card or build a Bedrock guardrail policy. It will teach you how to evaluate whether someone else has done so adequately.
ISACA also released the AAIA (Advanced in AI Audit) credential alongside AAISM. AAIA can be earned by audit professionals who hold a Certified Information Systems Auditor (CISA) or other qualified high-level audit certification. The two credentials are explicitly complementary: AAISM for the security management seat, AAIA for the audit and assurance seat.
CertNexus and the Practitioner Track
CertNexus occupies a different slot in the wave. The organization is best known for vendor-neutral emerging-tech credentials — the Certified Artificial Intelligence Practitioner (CAIP) is an in-demand training program designed for data practitioners to acquire vendor-neutral, cross-industry knowledge of AI concepts and skills, alongside the foundational AIBIZ and GenAIBIZ credentials and the Certified Ethical Emerging Technologist (CEET).
What CertNexus has not done is launch a dedicated AI Security Specialist exam under its own brand. The space labeled “CAISS” — Certified AI Security Specialist — is currently occupied by training programs from organizations like Ampcus Cyber, often delivered in partnership with local ISACA and ISC2 chapters as a 4-day workshop designed to bridge the gap between cybersecurity and AI. Participants need to pass with 70% marks to earn the CAISS certificate and badge. The acronym also gets used by independent training vendors like Tonex (CAISF, Certified AI Security Fundamentals) and Practical DevSecOps (CAISP, Certified AI Security Professional), each with their own curricula and credential weight.
This is worth flagging plainly: the practitioner-track AI security credential market is fragmented, and acronym collisions are common. A “CAISS” earned through a 4-day workshop is not equivalent to a multi-domain proctored exam from ISACA or AWS. The credentials in this tier do validate hands-on familiarity with topics like adversarial attacks, data poisoning, OWASP LLM Top 10, and MITRE ATLAS, but the rigor varies enormously by issuer.
For practitioners, the pragmatic move is to read past the badge name and check three things: who actually administers and maintains the exam, whether it’s proctored independently, and whether it appears in any government or enterprise framework (NICCS, DoD 8140, vendor partner programs). CertNexus credentials generally clear those bars; bootcamp-style “specialist” badges generally don’t, even when the curriculum is solid.
AWS: AI Security Through the Cloud Provider Lens
AWS took the most aggressive structural approach. Rather than launching a single new “AI security” credential, AWS rebuilt its entire AI/ML and security certification track around generative AI as a first-class concern.
The retirements: AWS announced the retirement of the AWS Certified Machine Learning – Specialty certification, with the last date to take this exam being March 31, 2026. The replacements form a layered path. At the foundational level, the AWS Certified AI Practitioner (AIF-C01), launched in October 2024, validates AI/ML and generative AI fluency for non-builders. The exam covers five domains: Fundamentals of AI and ML (20%), Fundamentals of Generative AI (24%), Applications of Foundation Models (28%), Guidelines for Responsible AI (14%), and Security, Compliance, and Governance for AI Solutions (14%).
At the professional level, the new AWS Certified Generative AI Developer – Professional (AIP-C01) validates the ability to integrate foundation models into production applications. The standard version of the exam was refreshed to reflect changes in AWS services, including the addition of Amazon Bedrock AgentCore.
The bigger story for security professionals is the refreshed AWS Certified Security – Specialty (SCS-C03), which replaced SCS-C02 in late 2025. The headline addition in SCS-C03 is that generative AI security content has entered the exam, but there is no separate “Domain 7” for AI/ML security — the official AWS exam guide defines exactly six domains, and GenAI security content lives inside Domain 3 (Infrastructure Security) as Skill 3.2.7: “Implement protections and guardrails for generative AI applications”. The skill explicitly references applying GenAI OWASP Top 10 for LLM Applications protections.
Other AI-relevant additions in SCS-C03 are scattered: Skill 5.1.3 covers inter-resource encryption in transit including SageMaker AI and Nitro encryption configurations, and Skill 6.1.3 includes implementing organization policies to manage permissions through SCPs, RCPs, AI service opt-out policies, and declarative policies. Translation: AWS treats AI security as a thin layer of new controls integrated into existing security primitives, not as a standalone discipline. That’s a defensible architectural call. It’s also a significant educational gap — anyone passing SCS-C03 will know how to apply Bedrock guardrails but may have never encountered model inversion attacks, training data extraction, or the broader adversarial ML threat landscape that the AAISM and CAISS curricula cover.
The exam mechanics: SCS-C03 has 65 questions, 170 minutes, requires a scaled score of 750 out of 1,000 to pass, and costs $300 USD. Recertification is every three years.
How the Three Approaches Compare
The cleanest way to think about these credentials is by what question they answer for a hiring manager.
The credentials are not substitutes. A security manager with AAISM but no platform experience cannot harden a Bedrock deployment. An SCS-C03 holder with no governance training cannot tell a board which AI risks justify pausing a deployment. The CertNexus and CAISS-tier practitioner credentials validate threat-model literacy but don’t carry the audit weight of either ISACA or AWS in regulated industries.
Which One Should You Pursue First?
Match the credential to the role you’re actually hiring or being hired into.
If you’re a security manager or CISO at an organization deploying AI, AAISM is the most direct fit. It assumes you already have CISM or CISSP, builds on that vocabulary, and gives you the structured framework to engage with regulators, boards, and auditors. The fact that ISACA paired it with AAIA on the audit side signals an emerging two-credential standard for enterprise AI assurance.
If you’re a cloud security engineer in an AWS environment, SCS-C03 is the mandatory upgrade. The exam now expects you to know GenAI guardrails, Bedrock security boundaries, and AI service opt-out policies. Pair it with the AI Practitioner cert if you want a defensible answer to “do you understand the AI side, not just the security side.”
If you’re a practitioner — AppSec, red team, ML engineer, or security architect — the CertNexus stack (AIBIZ → CAIP → adjacent CAISS workshops) builds vendor-neutral fluency without locking you into a single cloud. Just be skeptical of acronym-shaped credentials from issuers you’ve never heard of. Verify the proctoring, the maintenance cadence, and whether anyone in your industry actually recognizes the badge.
If you’re early in your career or transitioning from another security domain, AWS Certified AI Practitioner is the cheapest, fastest entry point into AI fluency. It won’t make you an AI security expert, but it will get you literate in foundation models, Bedrock, RAG, and responsible AI principles — which is the floor for most other AI security work.
What These Certifications Don’t Cover
The wave is impressive in scope and missing in places that matter.
Adversarial ML depth is thin everywhere. None of the three flagship credentials test deep technical attacks like membership inference, model extraction, or training-data reconstruction at the level a serious red team would expect. MITRE ATLAS literacy is implied in some curricula but not rigorously tested.
Agentic AI security is barely covered. Bedrock AgentCore appears in the AWS exam refresh, but the broader question of how to secure tool-using, multi-step AI agents — prompt injection across tool calls, exfiltration through MCP servers, agent identity and authorization — is largely unaddressed. Expect this to be the next gap to be filled.
Supply chain integrity for foundation models gets surface-level treatment. Verifying model provenance, detecting backdoored weights, evaluating fine-tune contamination — these remain practitioner skills earned in the field, not on exams.
Evaluation and red-teaming methodology is touched on but not certified rigorously. There’s no equivalent of OSCP for AI systems yet — no proctored hands-on exam where you have to actually compromise or harden a real model under time pressure.
Frequently Asked Questions
Do I need CISSP before pursuing AAISM? Yes, or an active CISM. Both certifications are required eligibility paths for AAISM, and the exam content assumes that baseline.
Is the AWS Machine Learning – Specialty still worth taking? No. The last date to take MLS-C01 is March 31, 2026. Existing holders keep their certification through its original expiration, but new candidates should target Machine Learning Engineer – Associate or AI Practitioner instead.
Can I skip vendor certifications if I have AAISM? Only if your role is purely strategic. AAISM validates governance fluency; it does not validate that you can configure KMS keys, write SCP policies, or implement Bedrock guardrails. Operational roles still need platform credentials.
How current is the GenAI content on these exams? Reasonably current but lagging the field by 6–12 months. AWS launched SCS-C03 in December 2025 with a new emphasis on Bedrock workloads, guardrails for generative AI applications, and protecting model training data. ISACA and the practitioner-tier programs update on similar cadences. Anything moving faster than that — agentic AI, MCP security, frontier model alignment — won’t be on the exam yet.
The Stance
The certification wave is real and useful, but it’s also a snapshot of a field still defining itself. ISACA bet on governance. AWS bet on platform integration. The CertNexus / CAISS tier bet on practitioner literacy. None of those bets is wrong; none is sufficient alone. The right move for most security professionals over the next 18 months is to pick the credential that matches your actual job, treat it as a baseline rather than a destination, and build hands-on adversarial ML and agentic AI skills outside any exam — because the exams haven’t caught up to where the threat is going.
If you wait for the perfect AI security certification to exist before engaging, you’ll be three years behind the people who picked the closest fit and started.
