AIGP vs CIPP/E vs CIPP/US: Which IAPP Certification Is Right for You?

12 min read · 13 Jun 2026

AIGP vs CIPP is not really a competition - it is a question of what problem you are being paid to solve. The AIGP governs AI systems and risk; CIPP/E and CIPP/US govern personal data under European and US law. All three are IAPP credentials, all three share the same scaled-score passing threshold, and for many practitioners the right answer is eventually more than one.

AIGP, CIPP/E, and CIPP/US each own a distinct lane - AI risk, European data law, and US data law - and combining them is increasingly the expectation in senior privacy and governance roles.

AIGP vs CIPP-E vs CIPP-US: key exam facts at a glance. Full detail below.

AIGP vs CIPP: The Key Differences at a Glance

All three certifications come from the IAPP and sit at the professional level. All three use the same Pearson VUE delivery, the same 300/500 scaled-score pass mark, and the same multiple-choice format. Beyond that, they diverge sharply in scope, cost, and what they signal to an employer.

The AIGP (AI Governance Professional) covers 100 questions in 165 minutes and costs $799 for non-members. Its four domains - foundational AI governance, laws and frameworks, governing AI development, and governing AI deployment - treat privacy law as one input among many. The exam currently maps to the Body of Knowledge v2.1, effective February 2026.

CIPP/E and CIPP/US each cover 90 questions in 150 minutes and cost $550 for non-members. CIPP/E focuses exclusively on European data protection law: GDPR, the ePrivacy Directive, NIS 2, and the supervisory architecture around them. CIPP/US covers the US sectoral landscape: HIPAA, GLBA, COPPA, FCRA, CCPA/CPRA, and a growing layer of state comprehensive privacy laws. The CIPP/E Body of Knowledge is version 1.3.3, effective September 2025. The CIPP/US Body of Knowledge is version 2.6, also effective September 2025.

The cost difference between AIGP and the CIPP variants reflects the AIGP's broader scope and, arguably, the shorter time the market has had to build up a pool of study material. A certification maintenance fee of $250 applies every two years across all three, waived for IAPP members.

What the AIGP Actually Tests

The AIGP is an operational credential. It asks whether you can design and run a governance programme for AI systems - not just whether you know the laws that apply to them. That distinction matters at exam time.

Domain 1 (21% of scored questions) covers AI definitions, responsible AI principles, lifecycle policies, and how governance approaches differ by company size and risk tolerance. Domain 2 (25%) is where law and frameworks enter: GDPR requirements as they apply to AI, EU AI Act risk classification (prohibited, high-risk, limited, minimal), NIST AI RMF, ISO 42001, and the OECD AI principles. Domain 3 (27%) covers governing AI development - use case assessment, impact assessments, data governance for training data, bias testing, and post-deployment monitoring. Domain 4 (27%) covers deployment governance: choosing between model types, vendor and licensing risk, incident management, and deactivation policies.

About a third of questions are scenario-based. The exam is not asking you to recite Article 22 GDPR; it is asking what a governance professional should do when an organisation wants to deploy a high-risk AI system using a proprietary model from a vendor with opaque audit terms. That practical framing is what distinguishes the AIGP from the CIPP certifications at the technical level.

The EU AI Act features heavily in Domain 2. The regulation is now in force, with the original high-risk enforcement date of 2 August 2026 having been deferred under the EU AI Act Digital Omnibus - a political agreement reached by the Council and Parliament in May 2026 - to 2 December 2027 for stand-alone Annex III high-risk systems (pending formal adoption). Candidates sitting the AIGP are studying the regulation as its compliance requirements are actively taking shape, which means the governance frameworks and risk classification rules tested on the exam are directly relevant to real decisions organisations are making now.

What CIPP/E and CIPP/US Actually Test

The CIPP certifications are law credentials. They test whether you know the rules, who enforces them, and how to apply them to real processing scenarios.

CIPP/E is structured around the GDPR with supporting instruments. Domain 2 (31%) is the core: personal data definitions, controller versus processor, lawful bases, data subject rights, consent, and breach notification. Domain 3 (23%) covers processing principles and the international transfer toolkit - adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules, and the EU-US Data Privacy Framework. Domain 4 (17%) covers accountability - DPIAs, DPO obligations, supervisory authority structure, and GDPR fines. Domain 5 (16%) applies the framework to specific contexts: employment data, surveillance, direct marketing, cookies, and AI. That last objective is notable: CIPP/E does address AI, but only through the lens of what data protection law requires of systems that process personal data. It is narrower than anything the AIGP touches.

CIPP/US reflects how differently US privacy law is constructed. There is no single omnibus statute. Instead, Domain 2 (31%) covers the sectoral laws: HIPAA, GLBA, COPPA, FCRA/FACTA, TCPA. Domain 5 (23%) covers state law: CCPA/CPRA, the Virginia CDPA, Colorado Privacy Act, Connecticut Data Privacy Act, Illinois BIPA, and data breach notification requirements across states. Domains 3 and 4 (12% and 10%) cover government and court access to private-sector data, and workplace privacy respectively. The exam rewards candidates who can navigate overlapping federal and state obligations - preemption analysis and multi-jurisdiction compliance are central.

Both CIPP variants demand a working knowledge of legal text and regulatory guidance - EDPB opinions in the European context, FTC enforcement guidance in the US context. They are harder to pass without reading the source material.

Which Certification Fits Which Role

The AIGP is for people who govern AI systems for a living or are being asked to. That includes privacy professionals being handed AI governance programmes, risk and compliance managers whose organisations are procuring or building AI, legal counsel advising on the EU AI Act, data scientists moving into technical governance roles, and product managers who need to demonstrate they understand the oversight obligations that come with deploying AI at scale. It is also a credible first step for people entering the field without an existing privacy background, since no formal prerequisites exist.

CIPP/E is for privacy professionals whose work centres on European data subjects: DPOs and deputies, privacy lawyers advising GDPR-covered organisations, compliance analysts in EU-market businesses, and anyone managing cross-border transfers or responding to supervisory authority enquiries. If your day is largely spent reading EDPB opinions and Article 29 Working Party guidance, CIPP/E is the credential that validates what you do.

CIPP/US suits US-facing roles: privacy officers at financial institutions, healthcare privacy analysts, in-house counsel tracking state comprehensive privacy law, HR and employment lawyers dealing with employee monitoring obligations, and anyone whose compliance map includes HIPAA, GLBA, CCPA, BIPA, and multiple state notification laws. Because US privacy law is sectoral and state-layered, the CIPP/US requires a notably broad knowledge base that is difficult to acquire without deliberate study.

For jurisdiction-spanning roles - a global privacy officer, a DPO who also chairs an AI ethics committee, or a privacy engineer building data governance tooling - holding CIPP/E alongside AIGP, or CIPP/US alongside AIGP, is increasingly common. Industry analyses note that employers are actively seeking candidates who can demonstrate competence across privacy law and AI governance, rather than one or the other.

Real Cost in Time and Money

The exam fee for CIPP/E or CIPP/US is $550 per attempt for non-members, rising to $799 for the AIGP. Add the $250 biennial maintenance fee to activate each certification (waived for IAPP members), and a single certification costs between $800 and $1,049 to obtain and maintain for the first two years if you sit it as a non-member. IAPP membership reduces the exam fee and waives the maintenance fee, so for anyone planning to hold two or more credentials the annual membership tends to pay for itself.

Study time is harder to estimate without inventing numbers. What can be said is that the AIGP's body of knowledge is broader in scope than either CIPP variant - it spans AI technology concepts, multiple regulatory frameworks, and practical governance processes. Candidates with an existing CIPP/E often report that the regulatory domains of the AIGP feel familiar, while the governance operations domains (Domains 3 and 4) require new preparation. Candidates coming from an AI or data science background typically have the inverse experience: the technical objectives make sense, but the legal and framework domains require structured study.

All three exams are delivered via Pearson VUE, either online proctored or at a test centre. Exam vouchers are valid for one year from purchase. There are no formal experience prerequisites for any of the three, though the IAPP's own guidance suggests candidates who sit without preparation tend to underperform. Retake fees are lower than first-attempt fees, but the better economy is a thorough preparation the first time.

Which Should You Take First?

If you are in a privacy role in Europe or at a European-market company, CIPP/E is the natural starting point. It is the best-established of the three, the GDPR knowledge it validates is foundational to almost every privacy-adjacent role in that market, and the exam structure is the least technically demanding in the sense that it does not require you to reason about AI system architecture.

If you are in a US-facing privacy role, CIPP/US comes first for the same reasons. The state privacy law domain (23% of the exam) has expanded significantly in recent blueprints as Virginia, Colorado, Connecticut, and other states have enacted comprehensive laws alongside California. That domain is growing, and the certification is a clear signal that you are tracking it.

If you are specifically being hired or repositioned into an AI governance role - particularly if EU AI Act compliance is in scope, or if your organisation is procuring or building AI systems - AIGP first is defensible and increasingly common. The market for AIGP-holders is growing as organisations build out AI governance functions in response to the EU AI Act's expanding compliance timeline: while the original high-risk enforcement date of 2 August 2026 has been deferred to 2 December 2027 under the Digital Omnibus agreement reached in May 2026 (pending formal adoption), organisations are actively investing in governance infrastructure now rather than waiting.

For most people, the sequence that makes sense is to anchor in whichever jurisdiction or domain is most immediately relevant to their current role, then add the complementary credential once the first one is validated. The AIGP combined with a CIPP variant is a stronger signal than either alone, because it demonstrates that you can navigate both the legal requirements that constrain AI systems and the governance processes that keep those systems safe and compliant over time.

How to Prepare Effectively

All three exams use scenario-based multiple-choice questions. The exam is not asking you to recall a definition - it is presenting a situation and asking what the correct governance or compliance response is. That format rewards a specific kind of preparation: applying knowledge to cases, not just reading through a study guide.

The most useful preparation material is questions that mirror how the exam actually thinks. For the AIGP, that means scenarios where you are asked to weigh a governance decision against a specific domain objective - choosing the right risk mitigation at the design stage, deciding whether a GPAI model deployment triggers EU AI Act transparency obligations, or identifying what a model card must contain. For CIPP/E, it means Article-level application questions: which lawful basis applies, when a DPIA is mandatory, whether a cross-border transfer mechanism is still valid after a court ruling. For CIPP/US, it means working through the sectoral intersections - what HIPAA says about a given disclosure, how CCPA opt-out rights interact with GLBA sharing obligations.

Questions that include a worked explanation on every answer choice - including why each wrong answer is wrong - are more effective than those that only confirm the right answer. A plausible distractor that is wrong for a specific reason teaches you the boundary of a rule, and that boundary is exactly what the exam tests. Focusing preparation on the blueprint objectives with the highest domain weights gives the most efficient return on study time.

Frequently asked questions

Which is harder - AIGP, CIPP/E, or CIPP/US?

Difficulty is relative to your background. CIPP/E is considered demanding for candidates unfamiliar with European law because it requires detailed knowledge of GDPR articles and EDPB guidance. CIPP/US requires tracking a large number of sectoral laws across federal and state layers. The AIGP is broader in scope and includes scenario-heavy governance questions, but candidates with existing privacy credentials often find Domains 1 and 2 familiar and need to concentrate preparation on the operational governance domains.

Do I need work experience before sitting any of these exams?

No. None of the three certifications have formal experience prerequisites. The IAPP recommends preparation, and the exams are designed at a professional level, but they are open to candidates at any career stage.

Can I hold AIGP and CIPP at the same time?

Yes, and the combination is common. AIGP and CIPP/E together cover AI governance alongside the European legal framework that includes the EU AI Act - a pairing that suits DPOs, privacy officers, and AI compliance managers at organisations operating in the European market.

Does the AIGP cover GDPR?

Yes, but at a different level than CIPP/E. Domain 2 of the AIGP covers how GDPR obligations - lawful basis, purpose limitation, DPIAs, data subject rights - apply to AI systems specifically. It does not test the full breadth of GDPR compliance that CIPP/E covers.

Is the AIGP relevant if I am based in the US?

Yes. The AIGP is not jurisdiction-specific. Its legal framework domain covers the EU AI Act as a major reference, but also the NIST AI Risk Management Framework, OECD AI principles, and emerging US state AI laws. For US-based organisations building or deploying AI, the governance process skills the AIGP validates are applicable regardless of where the regulation originates.

Which should I take first if I currently hold neither?

If your primary role is privacy compliance in Europe, start with CIPP/E. If it is US privacy compliance, start with CIPP/US. If you have been specifically tasked with AI governance or your organisation is navigating EU AI Act obligations, the AIGP is a defensible first choice. For a general privacy career, either CIPP variant tends to be the foundational credential, with AIGP added as AI governance responsibilities grow.

Examworthy is not affiliated with or endorsed by IAPP. This article is original commentary based on public exam blueprints and published sources. We never reproduce live exam items. All certification names and marks belong to their respective owners.