Béatrice Moissinac, PhD
What I think of the TAISE certification as a proven AI Governance expert

Dec 3, 2025

AI Governance is emerging as the new market differentiator for SaaS B2B companies, and knowing where to start with a program implementation is not easy. Most Information Security or Compliance professionals often rely on certifications to learn and accredit new skills. Therefore, it is no surprise to see a growing ecosystem of certifications on AI Governance popping up.

A quick web search returns dozens of results. Some are very legitimate, like the ISO 42001 Lead Implementer certification, and many come from reputable institutions (e.g., Georgetown University’s AI Governance & Compliance certificate, IAPP AI Governance Professional certification).

Certifications must have three qualities: (1) a relevant curriculum with appropriate breadth and depth, (2) the backing of a recognized institution, and (3) a fair evaluation system.

In October 2025, the Cloud Security Alliance (CSA) published the Trusted AI Safety Expert (TAISE) certification. CSA is a non-profit organization that publishes research on best security practices for cloud infrastructure. They are best known for the Consensus Assessment Initiative Questionnaire (CAIQ, pronounced “cake”), a standardized questionnaire that companies can fill out and publish on the CSA website. TAISE is the culmination of recent efforts by CSA to focus on cloud security in the context of AI. For instance, CSA recently published the AI Control Matrix (AI CM) and its AI-CAIQ, a standardized questionnaire linked to the CAIQ and focused on AI system management. If you are a Security Compliance professional or work with Security questionnaires from customers, the AI CM and AI-CAIQ should feel very familiar.

I implemented an AI Governance program in 6 months and got it ISO 42001-certified in September 2025, so this blog is not about how TAISE helped me achieve this. This blog is about whether I think TAISE can help you achieve this! 😀

TAISE Will Teach You About AI Governance

Overall, I thought that the curriculum was well-rounded, and covered most of the topics that one may expect. It gave some concrete examples of how to implement an AI Governance framework. Professionals familiar with system management frameworks like ISO 27001 or risk management frameworks will feel at home with the material. There is a very strong focus on cloud security for AI, as you could expect from an organization which promotes cloud security.

A Weird - Sometimes Incorrect - Introduction to AI

I am very picky about how people talk about AI and ML nomenclatures. This is literally why I started this blog. To rage about the machine. 🤖. Thus, I found module 1 (Introduction to AI) to be a little bit too imaginative at times.

Module 1’s material claims that standard least squares linear regression “is not machine learning” because there exists an analytical solution to the equation (i.e., you plug the numbers into the equation and get an answer without an estimation phase, and the answer never changes; you can do it in Excel). I do agree that nomenclatures are arbitrary, but they are also an attempt to capture a pattern in the concepts they organize. Having an analytical solution to a set of equations is not what separates machine learning from other algorithm families. Machine Learning can be defined as the family of algorithms whose tasks are to cluster or classify based on examples. Another way to explain that this claim is on shaky ground is that if you use a least squares linear regression to make decisions about employment in the EU, the EU AI Act will definitely expect you to report it as High Risk.

Some definitions are contradictory. For example, regressions are described as either predicting only categorical variables or only continuous variables (they can do both). It’s also a bit weird to describe PCA as a canonical unsupervised ML model, because (1) the module doesn’t talk about many other unsupervised models except k-means, and (2) it’s more widely used as a dimensionality reduction method. Why not talk about collaborative filtering or hierarchical clustering?

Another weird thing about the material is the focus on the dichotomy between “Discriminative AI” vs “Generative AI”. Yes, many machine learning algorithms are using “discriminative techniques” because they classify or cluster, thus they discriminate between groups. But this appellation is also used in opposition to predictive models, as if a discriminative model couldn’t be predictive. Every ML model is a predictive model. It is the literal point of ML: learn a model such that you can predict a new label or class when a new data point comes in. “Discriminative AI” is not how most data scientists and ML researchers would talk about those models.

The material correctly explains that ML is a subfield of AI, but never explains what AI is when it is not ML, even though many non-ML algorithms would be in scope for many regulatory jurisdictions…

Overall, I would not read this module in isolation from any other reference material. You can refer to more well-known textbooks such as “Artificial Intelligence: A Modern Approach” by Russell and Norvig, which is the world reference. For example, read Chapter 18, which focuses on ML.

Too Deep of a Learning

The second module (Generative AI Architecture and Design) felt like the first couple of weeks of a graduate course on generative AI. This module will be a very difficult chapter for someone without any applied ML experience. The depth of the material was not represented in the final exam either. Additionally, I doubt that this level of depth serves a future AI Governance implementer. It does not seem particularly useful to know exactly how the diffusion model works, or what the Kullback-Leibler divergence is (it was an optional part of the curriculum). Unless you are developing models, this module was too technical in my opinion.

TAISE is Missing the Hardest Part of AI Governance

I have said it before, AI risk assessments are the hardest part of AI Governance. I have listed many resources you can use to create a questionnaire, and to know what context to collect about AI systems. TAISE talks about risks, and how to scope them, but not how to score them. TAISE doesn’t address how to evaluate qualitative AI risk assessments to estimate the presence/absence of a risk. For example, if your AI system uses an LLM with RAG in a specific context, what is the probability and impact of prompt injections? That is left for you to figure out (or hire me as a consultant, I’ll tell you 😜)!

AI Security is Absent from TAISE

Furthermore, modules 7 (Introduction to AI Safety and Security) and 8 (Cloud and AI Security) talk about Security applied to AI systems, especially in a cloud environment. After all, CSA is an organization that promotes cloud security, and it shows. Nothing wrong with that, but TAISE is completely devoid of fundamental AI Security content. For instance, neither module 7 nor 8 contains the word “guardrail”. It loops back to what I said about AI risk assessments. You need AI Security expertise (1) to decide what to ask in an assessment, and (2) to evaluate the responses and measure probability and impact of AI Security risks. TAISE is not going to teach you that.

All in all, the certification does state that it’s about AI safety, not AI security. Fair enough. The material gives good coverage of regulations, frameworks, and recommendations to implement an AI Governance program. I think the certification may leave you wanting on AI and AI Security, and these skills should not be underestimated in establishing an AI Governance program. In a rapidly changing landscape of certifications, time will tell if TAISE becomes a career differentiator.