
Control 2.14: Training and Awareness Program

Control ID: 2.14 | Pillar: Management | Regulatory Reference: FINRA Rule 3110, SOX 404, GLBA 501(b) | Last UI Verified: January 2026 | Governance Levels: Baseline / Recommended / Regulated | Last Verified: 2026-02-03


Objective

Establish comprehensive training and awareness programs for AI agent governance to ensure personnel involved in agent creation, approval, supervision, and oversight possess the knowledge and skills required for regulatory compliance.


Why This Matters for FSI

  • FINRA Rule 3110(a)(7): Supervisory systems require training programs for personnel involved in oversight functions
  • SOX 404: Internal controls require personnel competency documentation
  • GLBA 501(b): Information security programs require employee training
  • FINRA Rule 3110: Emphasizes need for qualified personnel to develop and supervise AI systems

Control Description

This control establishes training through:

  1. Role-Based Curricula - Define training requirements per role (maker, approver, supervisor, admin)
  2. Core Competencies - Establish minimum knowledge requirements for AI governance
  3. Certification Requirements - Define certification for critical roles
  4. Delivery Mechanisms - Implement training via LMS, SharePoint, or Viva Learning
  5. Competency Assessment - Verify understanding through assessments
  6. Ongoing Education - Annual refresher and updates for policy changes

Key Configuration Points

  • Define training roles: Agent Maker, Agent Approver, Agent Supervisor, Platform Admin
  • Create role-based curricula with specific learning objectives
  • Configure training delivery platform (Viva Learning, SharePoint, or third-party LMS)
  • Establish assessment criteria and passing thresholds (80% minimum)
  • Track completion status in training records system
  • Configure automated reminders for annual refresher
  • Document training completion for regulatory examination

Zone-Specific Requirements

Zone | Requirement | Rationale
Zone 1 (Personal) | Basic governance awareness; annual refresher; self-paced | Low risk, foundational knowledge sufficient
Zone 2 (Team) | Role-specific training; completion tracking; assessment required | Shared agents warrant demonstrated competency
Zone 3 (Enterprise) | Comprehensive certification; quarterly updates; competency verification; regulatory focus | Customer-facing requires maximum training rigor

Roles & Responsibilities

Role | Responsibility
AI Governance Lead | Define curricula, establish competency requirements
HR/Learning Administrator | Configure LMS, track completion, manage records
Compliance Officer | Approve regulatory training content, validate alignment
Manager | Ensure team completion, address competency gaps

Control | Relationship
2.12 - Supervision | Supervisors require specific training
2.8 - Access Control | Role assignments align with training completion
2.11 - Bias Testing | Bias awareness included in training
2.13 - Documentation | Training records maintained per retention requirements

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:


Verification Criteria

Confirm control effectiveness by verifying:

  1. Role-based training curricula documented for all AI governance roles
  2. Training delivery platform configured with courses and assessments
  3. Completion tracking shows personnel have completed required training
  4. Assessment records demonstrate competency (passing scores)
  5. Annual refresher schedule established with automated reminders



Implementation Note

Organizations should verify that their implementation meets their specific regulatory obligations. This control supports compliance efforts but requires proper configuration and ongoing validation.

Updated: January 2026 | Version: v1.2 | UI Verification Status: Current