
Control 2.14: Training and Awareness Program

Control ID: 2.14
Pillar: Management
Regulatory Reference: FINRA Rule 3110(a)(7), FINRA Regulatory Notice 25-07, SOX Section 404, GLBA Section 501(b), OCC Bulletin 2011-12
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated


Objective

Establish comprehensive training and awareness programs for AI agent governance so that personnel involved in agent creation, approval, supervision, and oversight can develop the knowledge and skills that support regulatory compliance objectives.


Why This Matters for FSI

  • FINRA Rule 3110(a)(7): Supervisory systems require annual compliance meetings and substantive training for personnel involved in oversight functions, including those overseeing AI-assisted activity.
  • FINRA Regulatory Notice 25-07 / 2026 Annual Regulatory Oversight Report (GenAI section): Firms are expected to deliver substantive, recurring AI-specific training that addresses model capabilities, limitations, bias, hallucination risk, and escalation paths — beyond a "check-the-box" exercise.
  • SOX Section 404: Internal control over financial reporting requires evidence of personnel competency where AI agents touch financial workflows.
  • GLBA Safeguards Rule (16 CFR 314.4) / Section 501(b): Written information security programs must include training tailored to the risks each role presents to customer information.
  • OCC Bulletin 2011-12 (Model Risk Management) and Federal Reserve SR 11-7: Model owners, validators, and users require documented competency proportionate to model criticality.

No companion solution by design

Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces (Microsoft Viva Learning or a third-party LMS plus an organization-specific curriculum) and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.

Control Description

This control establishes training through:

  1. Role-Based Curricula - Define training requirements per role (maker, approver, supervisor, admin)
  2. Core Competencies - Establish minimum knowledge requirements for AI governance
  3. Certification Requirements - Define certification for critical roles
  4. Delivery Mechanisms - Implement training via LMS, SharePoint, or Viva Learning
  5. Competency Assessment - Verify understanding through assessments
  6. Ongoing Education - Annual refresher and updates for policy changes

Key Configuration Points

  • Define training personas: Agent Maker, Agent Approver, Agent Supervisor (FINRA 3110), Platform Admin, End User
  • Author role-based curricula covering AI capabilities, limitations, bias, hallucination, escalation, and firm policy
  • Configure delivery platform — Microsoft Viva Learning (set up in the Teams admin center) with SharePoint and/or supported LMS (Cornerstone, Saba, SuccessFactors, Workday) as content sources
  • Assign the Knowledge Admin Entra role to staff managing Viva Learning content sources
  • Establish assessment criteria and a documented passing threshold (commonly 80%); record the rationale for the threshold
  • Track completion status in the LMS or Viva Learning system of record; export evidence on a defined cadence
  • Configure reminders for initial assignment, annual refresher, and policy-change attestations
  • Retain training completion evidence per the firm's record-retention schedule (see Control 2.13); for SEC 17a-4(f)-impacting roles, retain in WORM-compliant storage

Zone-Specific Requirements

| Zone | Requirement | Rationale |
|------|-------------|-----------|
| Zone 1 (Personal) | Basic governance awareness; annual refresher; self-paced | Low risk, foundational knowledge sufficient |
| Zone 2 (Team) | Role-specific training; completion tracking; assessment required | Shared agents warrant demonstrated competency |
| Zone 3 (Enterprise) | Comprehensive certification; quarterly updates; competency verification; regulatory focus | Customer-facing requires maximum training rigor |

Roles & Responsibilities

| Role | Responsibility |
|------|----------------|
| AI Administrator | Sponsor curriculum scope for Microsoft 365 Copilot and agent governance; coordinate with compliance on AI-specific content |
| Knowledge Admin (Entra) | Configure Viva Learning content sources (SharePoint, LMS connectors) and manage the learning catalog |
| Power Platform Admin | Provide maker-track content for Copilot Studio and Power Platform; align training prerequisites to environment provisioning |
| Purview Compliance Admin | Approve regulatory training content; validate alignment with FINRA / SEC / GLBA obligations; own retention of training records |
| Business Manager (non-admin) | Ensure team completion, address competency gaps, attest to readiness for FINRA-supervised activity |

| Control | Relationship |
|---------|--------------|
| 2.12 - Supervision | Supervisors require specific training |
| 2.8 - Access Control | Role assignments align with training completion |
| 2.11 - Bias Testing | Bias awareness included in training |
| 2.13 - Documentation | Training records maintained per retention requirements |

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:


Verification Criteria

Confirm control effectiveness by verifying:

  1. Role-based training curricula documented for all AI governance roles
  2. Training delivery platform configured with courses and assessments
  3. Completion tracking shows personnel have completed required training
  4. Assessment records demonstrate competency (passing scores)
  5. Annual refresher schedule established with automated reminders

Additional Resources


Implementation Note

Organizations should verify that their implementation meets their specific regulatory obligations. This control supports compliance efforts but requires proper configuration and ongoing validation.

Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current