Curriculum Overview: Governance and Compliance for AI on AWS

Identify AWS services and features to assist with governance and regulation compliance (for example, AWS Config, Amazon Inspector, AWS Audit Manager, AWS Artifact, AWS CloudTrail, AWS Trusted Advisor)

Welcome to the curriculum overview for Security, Compliance, and Governance for AI Solutions, mapped specifically to Domain 5 of the AWS Certified AI Practitioner (AIF-C01) exam. This curriculum provides a structured pathway to understanding how AWS services help organizations innovate with Artificial Intelligence while maintaining rigorous regulatory compliance and security standards.


Prerequisites

Before diving into this curriculum, learners should have a foundational understanding of the following concepts to ensure a smooth learning experience:

  • AWS Cloud Practitioner Essentials: Basic familiarity with core AWS services (Amazon EC2, Amazon S3) and the AWS Global Infrastructure.
  • AWS Shared Responsibility Model: Understanding the division of security responsibilities between AWS (security of the cloud) and the customer (security in the cloud).
  • Identity and Access Management (IAM): Basic knowledge of users, groups, roles, and policies.
  • Foundations of AI/ML: High-level understanding of what AI, Machine Learning, and Generative AI are, including the concepts of training data and model deployment.

[!IMPORTANT] If you are unfamiliar with the AWS Shared Responsibility Model, review it before beginning this module. When using AI services such as Amazon Bedrock or Amazon SageMaker, your compliance responsibilities shift depending on whether you are consuming managed infrastructure or foundation models.


Module Breakdown

This curriculum is divided into four sequential modules, moving from foundational governance to continuous compliance and vulnerability management.

| Module   | Focus Area                               | Key AWS Services Covered             | Difficulty Progression |
|----------|------------------------------------------|--------------------------------------|------------------------|
| Module 1 | Centralized Governance & Baselines       | AWS Organizations, AWS Control Tower | ⭐ Fundamental          |
| Module 2 | Configuration & Activity Tracking        | AWS Config, AWS CloudTrail           | ⭐⭐ Intermediate        |
| Module 3 | Security Risk & Vulnerability Management | Amazon Inspector, AWS Trusted Advisor| ⭐⭐ Intermediate        |
| Module 4 | Compliance Validation & Evidence         | AWS Audit Manager, AWS Artifact      | ⭐⭐⭐ Advanced           |

Learning Objectives per Module

Module 1: Centralized Governance & Baselines

  • Objective 1: Explain how AWS Organizations provides centralized account management and uses Service Control Policies (SCPs) to restrict AI service usage regardless of IAM permissions.
  • Objective 2: Describe how AWS Control Tower automates the setup of multi-account environments (landing zones) to establish predefined governance guardrails for AI development teams.
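An SCP of the kind Objective 1 describes, added here as an illustration and not part of the original curriculum: attached to an OU in AWS Organizations, it denies Amazon Bedrock and Amazon SageMaker API calls outside two approved Regions and stops member accounts from turning off CloudTrail logging or the AWS Config recorder. Because an explicit Deny in an SCP takes precedence over any IAM identity policy, the restriction holds even for a principal whose IAM policy grants `bedrock:*`. The Region list and the `ExampleGovernanceAdminRole` exemption are placeholder values chosen for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAIServicesOutsideApprovedRegions",
      "Effect": "Deny",
      "Action": ["bedrock:*", "sagemaker:*"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2"]
        }
      }
    },
    {
      "Sid": "ProtectActivityAndConfigTracking",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "config:StopConfigurationRecorder",
        "config:DeleteConfigurationRecorder"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/ExampleGovernanceAdminRole"
        }
      }
    }
  ]
}
```

SCPs never apply to the management account itself, so this guardrail constrains member accounts only; the second statement is the reason Module 2's evidence trail (CloudTrail and AWS Config) stays intact for Module 4's audit.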

Module 2: Configuration & Activity Tracking

  • Objective 1: Understand how AWS CloudTrail logs API activity across AWS accounts to ensure accountability and enable user/service activity monitoring for AI workloads.
  • Objective 2: Demonstrate how AWS Config tracks resource configuration changes and evaluates them against desired compliance states, automatically identifying non-compliant AI resources.

Module 3: Security Risk & Vulnerability Management

  • Objective 1: Define the role of Amazon Inspector in continuously scanning EC2 instances, container images, and Lambda functions for known software vulnerabilities using real-world threat intelligence.
  • Objective 2: Utilize AWS Trusted Advisor to evaluate an AWS account against best practices, specifically identifying overly permissive IAM policies or exposed ports that could violate compliance standards.

Module 4: Compliance Validation & Auditing

  • Objective 1: Differentiate between internal compliance management and accessing AWS's own compliance documentation via AWS Artifact (e.g., downloading AWS's SOC or ISO reports).
  • Objective 2: Leverage AWS Audit Manager to automate evidence collection for audits, continuously mapping data to prebuilt frameworks (SOC 2, GDPR, HIPAA) to generate audit-ready reports with reduced manual effort.

Success Metrics

To know you have mastered this curriculum, you should be able to consistently demonstrate the following outcomes:

  • Service Differentiation Validation: Accurately select the correct AWS service given a scenario. For example, knowing that AWS Artifact is for downloading AWS's compliance reports, while AWS Audit Manager is for collecting evidence of your compliance.
  • Lineage Tracing: Successfully explain how to maintain data and model lineage—documenting where training data originates, how it was curated, and what licenses apply—using AWS tracking tools.
  • Architectural Assessment: Given an AI architecture (e.g., a Generative AI application using Amazon Bedrock), identify potential governance gaps and propose the integration of services like AWS Config or CloudTrail to mitigate risks.
  • Exam Readiness: Achieve a score of 85% or higher on practice questions related to AIF-C01 Content Domain 5.2 (Recognize governance and compliance regulations for AI systems).

[!TIP] A great self-test is to practice the "If this, then that" method. "If an auditor asks for our SOC 2 evidence, I use [Service]." (Answer: AWS Audit Manager).


Real-World Application

Why does this matter in your career as an AI Practitioner? AI technologies—especially Generative AI—introduce unique risks, such as data privacy violations, model bias, and hallucinations. If a healthcare company wants to build a generative AI application to summarize patient records, they must adhere to HIPAA regulations.

Without strong governance and compliance controls, deploying such a model is a massive legal and financial liability.

By leveraging the AWS Compliance Ecosystem, an organization can automate much of this burden:

The Real-World Workflow

  1. Prevention: The organization uses AWS Organizations and Control Tower to prevent developers from launching unapproved AI services or exposing public endpoints.
  2. Detection: As the application runs, Amazon Inspector continuously scans the underlying EC2 instances and containers for vulnerabilities, while AWS CloudTrail logs exactly who is invoking the AI models.
  3. Auditing: When it's time for their annual HIPAA assessment, the compliance team doesn't spend weeks gathering spreadsheets. They use AWS Audit Manager to automatically pull configurations from AWS Config and logs from CloudTrail, generating an auditor-ready report.

Mastering these tools bridges the gap between theoretical AI models and enterprise-ready, legally compliant AI solutions.
