Control 2.14: Training and Awareness Program

Overview

Control ID: 2.14 Control Name: Training and Awareness Program Regulatory Reference: FINRA 4512, SOX 404, GLBA 501(a), FINRA Notice 25-07 Setup Time: 4-8 hours initial development, ongoing maintenance

Purpose

This control establishes comprehensive training and awareness programs for AI agent governance in financial services. Regulatory guidance, including FINRA Notice 25-07 and OCC 2011-12, emphasizes the need for qualified personnel to develop, deploy, and supervise AI systems. Financial institutions must ensure that employees involved in AI agent creation, approval, supervision, and oversight possess the necessary knowledge and skills. This control defines role-based training curricula, certification requirements, and ongoing competency verification to ensure personnel are qualified to manage AI governance responsibilities.

Prerequisites

Primary Owner Admin Role: AI Governance Lead Supporting Roles: Compliance Officer

Required Licenses

Microsoft 365 E3/E5 (for Viva Learning or SharePoint training)
Optional: Microsoft Viva Learning
Optional: Third-party LMS integration

Required Permissions

HR/Learning Administrator (training program management)
AI Governance Lead (curriculum development)
Compliance Officer (regulatory training approval)

Dependencies

Control 2.12 (Supervision and Oversight)
Control 2.8 (Access Control)
Control 2.11 (Bias Testing)

Pre-Setup Checklist

[ ] Training roles identified
[ ] Curriculum topics defined
[ ] Delivery platform selected
[ ] Competency assessment criteria established
[ ] Training records system configured

Governance Levels

Baseline (Level 1)

Provide training on agent governance policies to all creators and admins; annual refresher.

Recommended (Level 2-3)

Role-specific training; documented completion records; compliance certification program.

Regulated/High-Risk (Level 4)

Mandatory annual training with assessment; compliance certification required before agent deployment.

Setup & Configuration

Step 1: Define Training Roles

Identify roles requiring AI governance training.

AI Governance Training Role Matrix:

Role	Training Level	Certification Required	Frequency
Agent Developer	Comprehensive	Yes	Annual + updates
Agent Reviewer	Standard	Yes	Annual
Agent Approver	Standard	Yes	Annual
Designated Supervisor	Advanced	Yes	Annual
AI Governance Lead	Expert	Yes	Annual + continuous
CCO/Compliance Officer	Executive	No	Annual briefing
Business Owner	Awareness	No	Annual
End User	Basic	No	Upon first use
Platform Administrator	Technical	Yes	Annual

Step 2: Develop Training Curriculum

Create role-specific training modules.

Module 1: AI Governance Fundamentals (All Roles) - Duration: 1 hour - Topics: - Introduction to AI agents and Copilot Studio - AI governance framework overview - Governance tiers (Tier 1, 2, 3) - Regulatory landscape (FINRA, SEC, OCC, GLBA) - Role responsibilities in governance - Policy and procedure overview - Assessment: 10 question quiz (80% pass)

Module 2: Agent Development Best Practices (Developers) - Duration: 2 hours - Topics: - Responsible AI principles - Secure development practices - Data minimization and scope control - Testing requirements (functional, security, bias) - Change management and release process - Documentation requirements - Assessment: 15 question quiz + practical exercise

Module 3: Regulatory Compliance for AI (Approvers, Supervisors) - Duration: 1.5 hours - Topics: - FINRA Notice 25-07 requirements - Federal Reserve SR 11-7 model risk management - SEC Division of Examinations AI priorities - Fair lending and anti-discrimination (ECOA) - Record keeping (FINRA 4511, SEC 17a-4) - Supervision requirements (FINRA 3110) - Assessment: 15 question quiz (85% pass)

Module 4: Bias Testing and Fairness (Reviewers, Governance Lead) - Duration: 1.5 hours - Topics: - Understanding bias in AI systems - Protected classes and fair lending - Fairness metrics and measurement - Testing methodology - Remediation procedures - Documentation for compliance - Assessment: 10 question quiz + case study

Module 5: Agent Supervision (Supervisors, CCO) - Duration: 1 hour - Topics: - Supervisory responsibilities per FINRA 3110 - Sample review procedures - Escalation protocols - Supervision documentation - Quarterly reporting - Examination preparation - Assessment: 10 question quiz (85% pass)

Module 6: End User AI Awareness (All End Users) - Duration: 30 minutes - Topics: - What are AI agents? - How to interact with agents effectively - Recognizing when to escalate to human - Reporting issues or concerns - Data protection when using agents - Assessment: 5 question quiz (pass/fail)

Step 3: Create Training Delivery Platform

Option A: Microsoft Viva Learning 1. Navigate to admin.microsoft.com 2. Go to Settings → Org settings → Viva Learning 3. Enable Viva Learning 4. Add custom learning content: - Upload SCORM packages - Create SharePoint learning paths - Link to external content providers

Option B: SharePoint Training Site 1. Create SharePoint site: "AI Governance Training" 2. Create document libraries: - Training Materials - Assessments - Completion Records 3. Build learning paths using SharePoint pages 4. Use Microsoft Forms for assessments

Step 4: Configure Training Tracking

Create system to track completions and certifications.

SharePoint List: Training Completion Records

Column	Type	Purpose
Employee	Person	Who completed training
Role	Choice	Agent Developer, Approver, etc.
Module	Choice	Which module completed
Completion Date	Date	When completed
Assessment Score	Number	Percentage score
Pass/Fail	Choice	Met threshold
Certification Expiry	Date	When renewal required
Certified	Yes/No	Currently certified
Manager	Person	For notification

Power Automate Notification Flow:

Trigger: When certification nearing expiry (30 days)
Send reminder to employee and manager
If expired: Restrict access to agent governance functions
Send weekly summary to AI Governance Lead

Step 5: Implement Certification Requirements

Define certification prerequisites for each role.

Certification Matrix:

Role	Required Modules	Pass Score	Validity	Renewal
Agent Developer	1, 2	80%	1 year	Re-take Module 2 + assessment
Agent Reviewer	1, 4	80%	1 year	Re-take Module 4 + assessment
Agent Approver	1, 3	85%	1 year	Re-take Module 3 + assessment
Designated Supervisor	1, 3, 5	85%	1 year	Re-take Modules 3, 5
Platform Admin	1, 2	80%	1 year	Re-take Module 2

Certification Enforcement:

Link certification status to security group membership
Automate removal from developer/approver groups if expired
Block agent creation/approval workflows for uncertified users

Step 6: Create Assessment Framework

Develop assessments for each training module.

Sample Assessment Questions:

Module 1 - Fundamentals:

What are the three governance zones and their purposes?
Which regulation specifically addresses AI in broker-dealer operations?
Who is responsible for quarterly AI governance program review?
What is the minimum retention period for AI agent records under FINRA 4511?

Module 3 - Regulatory Compliance:

According to FINRA Notice 25-07, what testing is required before AI deployment?
What does SR 11-7 require for AI systems classified as models?
Under ECOA, which protected classes must be tested for bias?
What is the supervisory review requirement per FINRA 3110?

Practical Exercise (Module 2):

Given a scenario, identify governance zone classification
Review sample agent configuration and identify compliance gaps
Create test plan for sample agent

Step 7: Establish Ongoing Awareness Program

Create continuous learning and awareness initiatives.

Awareness Program Components:

Component	Frequency	Audience	Content
Monthly Newsletter	Monthly	All	AI governance updates, tips, news
Regulatory Updates	As needed	Governance team	New guidance, enforcement actions
Brown Bag Sessions	Quarterly	Interested staff	Deep dives on specific topics
Case Studies	Semi-annually	Developers, Supervisors	Lessons learned, industry examples
Policy Updates	As needed	All affected	Policy changes, new procedures
Best Practice Sharing	Ongoing	Developers	Peer learning, success stories

Step 8: Document Training Program

Create comprehensive program documentation.

Training Program Documentation:

Training policy and requirements
Curriculum overview and objectives
Role-to-training mapping
Assessment criteria and pass scores
Certification requirements and validity
Renewal and recertification process
Record retention (6 years minimum)
Annual program review process

PowerShell Configuration

# ============================================================
# Control 2.14: Training and Awareness Program
# ============================================================

# Connect to required services
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"
Connect-PnPOnline -Url "https://[tenant].sharepoint.com/sites/AIGovernanceTraining" -Interactive

# -------------------------------------------------------------
# Section 1: Create Training Roles and Groups
# -------------------------------------------------------------

Write-Host "Creating training role groups..." -ForegroundColor Cyan

$TrainingGroups = @(
    @{
        Name = "AI-Certified-Developers"
        Description = "Certified to develop AI agents (Modules 1, 2 complete)"
    },
    @{
        Name = "AI-Certified-Reviewers"
        Description = "Certified to review AI agents (Modules 1, 4 complete)"
    },
    @{
        Name = "AI-Certified-Approvers"
        Description = "Certified to approve AI agents (Modules 1, 3 complete)"
    },
    @{
        Name = "AI-Certified-Supervisors"
        Description = "Certified for AI supervision (Modules 1, 3, 5 complete)"
    },
    @{
        Name = "AI-Pending-Certification"
        Description = "Users in training, not yet certified"
    }
)

foreach ($Group in $TrainingGroups) {
    $Existing = Get-MgGroup -Filter "displayName eq '$($Group.Name)'" -ErrorAction SilentlyContinue

    if (-not $Existing) {
        New-MgGroup -DisplayName $Group.Name `
                    -Description $Group.Description `
                    -MailEnabled:$false `
                    -MailNickname $Group.Name.ToLower() `
                    -SecurityEnabled:$true
        Write-Host "Created group: $($Group.Name)" -ForegroundColor Green
    } else {
        Write-Host "Group exists: $($Group.Name)" -ForegroundColor Yellow
    }
}

# -------------------------------------------------------------
# Section 2: Training Curriculum Structure
# -------------------------------------------------------------

Write-Host "`nTraining curriculum structure..." -ForegroundColor Cyan

$Curriculum = @{
    Modules = @(
        @{
            ID = "MOD-001"
            Name = "AI Governance Fundamentals"
            Duration = "1 hour"
            Audience = "All Roles"
            PassScore = 80
            Topics = @(
                "Introduction to AI agents and Copilot Studio",
                "AI governance framework overview",
                "Governance tiers (Tier 1, 2, 3)",
                "Regulatory landscape",
                "Role responsibilities"
            )
        },
        @{
            ID = "MOD-002"
            Name = "Agent Development Best Practices"
            Duration = "2 hours"
            Audience = "Developers, Platform Admins"
            PassScore = 80
            Topics = @(
                "Responsible AI principles",
                "Secure development practices",
                "Data minimization",
                "Testing requirements",
                "Change management"
            )
        },
        @{
            ID = "MOD-003"
            Name = "Regulatory Compliance for AI"
            Duration = "1.5 hours"
            Audience = "Approvers, Supervisors"
            PassScore = 85
            Topics = @(
                "FINRA Notice 25-07",
                "Federal Reserve SR 11-7",
                "SEC AI priorities",
                "Fair lending (ECOA)",
                "Record keeping requirements"
            )
        },
        @{
            ID = "MOD-004"
            Name = "Bias Testing and Fairness"
            Duration = "1.5 hours"
            Audience = "Reviewers, Governance Lead"
            PassScore = 80
            Topics = @(
                "Understanding AI bias",
                "Protected classes",
                "Fairness metrics",
                "Testing methodology",
                "Remediation procedures"
            )
        },
        @{
            ID = "MOD-005"
            Name = "Agent Supervision"
            Duration = "1 hour"
            Audience = "Supervisors, CCO"
            PassScore = 85
            Topics = @(
                "FINRA 3110 requirements",
                "Sample review procedures",
                "Escalation protocols",
                "Documentation requirements",
                "Examination preparation"
            )
        },
        @{
            ID = "MOD-006"
            Name = "End User AI Awareness"
            Duration = "30 minutes"
            Audience = "All End Users"
            PassScore = 100
            Topics = @(
                "What are AI agents",
                "Effective interaction",
                "When to escalate",
                "Reporting issues"
            )
        }
    )
}

$Curriculum | ConvertTo-Json -Depth 4 | Out-File "AI_Training_Curriculum.json"
Write-Host "Curriculum exported to AI_Training_Curriculum.json" -ForegroundColor Green

# -------------------------------------------------------------
# Section 3: Create Training Completion Tracking List
# -------------------------------------------------------------

Write-Host "`nCreating training completion tracking list..." -ForegroundColor Cyan

# Create list in SharePoint
try {
    $ExistingList = Get-PnPList -Identity "Training Completions" -ErrorAction SilentlyContinue
    if (-not $ExistingList) {
        New-PnPList -Title "Training Completions" -Template GenericList

        # Add columns
        Add-PnPField -List "Training Completions" -DisplayName "Employee" -InternalName "Employee" -Type User
        Add-PnPField -List "Training Completions" -DisplayName "Role" -InternalName "Role" -Type Choice -Choices @("Developer", "Reviewer", "Approver", "Supervisor", "Platform Admin", "End User")
        Add-PnPField -List "Training Completions" -DisplayName "Module" -InternalName "Module" -Type Choice -Choices @("MOD-001", "MOD-002", "MOD-003", "MOD-004", "MOD-005", "MOD-006")
        Add-PnPField -List "Training Completions" -DisplayName "CompletionDate" -InternalName "CompletionDate" -Type DateTime
        Add-PnPField -List "Training Completions" -DisplayName "Score" -InternalName "Score" -Type Number
        Add-PnPField -List "Training Completions" -DisplayName "Passed" -InternalName "Passed" -Type Boolean
        Add-PnPField -List "Training Completions" -DisplayName "CertificationExpiry" -InternalName "CertificationExpiry" -Type DateTime

        Write-Host "Created Training Completions list" -ForegroundColor Green
    }
} catch {
    Write-Host "Could not create list - may need to connect to SharePoint" -ForegroundColor Yellow
}

# -------------------------------------------------------------
# Section 4: Certification Status Report
# -------------------------------------------------------------

Write-Host "`nGenerating certification status report template..." -ForegroundColor Cyan

$CertReport = @"
===============================================================================
AI GOVERNANCE CERTIFICATION STATUS REPORT
Generated: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
===============================================================================

CERTIFICATION SUMMARY
---------------------
| Role                  | Required | Certified | Expiring (<30 days) | Expired |
|-----------------------|----------|-----------|---------------------|---------|
| Agent Developers      | [X]      | [Y]       | [Z]                 | [W]     |
| Agent Reviewers       | [X]      | [Y]       | [Z]                 | [W]     |
| Agent Approvers       | [X]      | [Y]       | [Z]                 | [W]     |
| Designated Supervisors| [X]      | [Y]       | [Z]                 | [W]     |
| Platform Admins       | [X]      | [Y]       | [Z]                 | [W]     |

OVERALL COMPLIANCE RATE: [X]%

EXPIRING CERTIFICATIONS (Next 30 Days)
--------------------------------------
| Employee              | Role            | Expiry Date | Manager          |
|-----------------------|-----------------|-------------|------------------|
| [Name]                | [Role]          | [Date]      | [Manager]        |

EXPIRED CERTIFICATIONS (Action Required)
----------------------------------------
| Employee              | Role            | Expired On  | Manager          |
|-----------------------|-----------------|-------------|------------------|
| [Name]                | [Role]          | [Date]      | [Manager]        |

ACTION: Remove from certified group, restrict agent governance access

TRAINING COMPLETION THIS QUARTER
--------------------------------
| Module                            | Completions | Pass Rate |
|-----------------------------------|-------------|-----------|
| MOD-001: Fundamentals             | [X]         | [Y]%      |
| MOD-002: Development              | [X]         | [Y]%      |
| MOD-003: Regulatory               | [X]         | [Y]%      |
| MOD-004: Bias Testing             | [X]         | [Y]%      |
| MOD-005: Supervision              | [X]         | [Y]%      |
| MOD-006: End User                 | [X]         | [Y]%      |

TRAINING PROGRAM METRICS
------------------------
Average Pass Rate: [X]%
Average Score: [Y]
Retake Rate: [Z]%
Time to Certification (avg): [W] days

RECOMMENDATIONS
---------------
[List recommendations for training improvement]

===============================================================================
"@

$CertReport | Out-File "Certification_Status_Report_Template.txt"
Write-Host "Report template created" -ForegroundColor Green

# -------------------------------------------------------------
# Section 5: Training Calendar Template
# -------------------------------------------------------------

Write-Host "`nGenerating annual training calendar..." -ForegroundColor Cyan

$TrainingCalendar = @"
===============================================================================
AI GOVERNANCE TRAINING CALENDAR - [YEAR]
===============================================================================

Q1 (January - March)
--------------------
January:

- Annual certification renewal period begins
- Module updates released
- [Week 2] New developer cohort training starts

February:

- [Week 1] Brown bag: FINRA Notice 25-07 deep dive
- [Week 3] Supervisor refresher training

March:

- [Week 1] End user awareness campaign launch
- [Week 3] Brown bag: Bias testing case studies
- [Week 4] Q1 compliance training deadline

Q2 (April - June)
-----------------
April:

- [Week 2] New developer cohort training
- [Week 4] Regulatory update briefing

May:
- [Week 1] Brown bag: Best practices sharing
- [Week 3] Platform admin technical training

June:
- [Week 2] Mid-year certification audit
- [Week 4] Q2 compliance training deadline

Q3 (July - September)
---------------------
July:
- [Week 2] New developer cohort training
- Annual training content review begins

August:

- [Week 1] Brown bag: Industry lessons learned
- [Week 3] Curriculum updates finalized

September:

- [Week 2] Updated modules released
- [Week 4] Q3 compliance training deadline

Q4 (October - December)
-----------------------
October:

- [Week 2] New developer cohort training
- [Week 4] Brown bag: Year in review

November:

- [Week 2] Pre-renewal notifications sent
- [Week 3] Program effectiveness review

December:

- [Week 1] Q4 compliance training deadline
- [Week 2] Annual program report to CCO
- [Week 3] Certification renewal deadline

===============================================================================
"@

$TrainingCalendar | Out-File "Training_Calendar_Template.txt"
Write-Host "Training calendar template created" -ForegroundColor Green

# -------------------------------------------------------------
# Section 6: Compliance Checklist
# -------------------------------------------------------------

Write-Host "`nTraining program compliance checklist..." -ForegroundColor Cyan

$Checklist = @"
===============================================================================
AI GOVERNANCE TRAINING PROGRAM COMPLIANCE CHECKLIST
===============================================================================

PROGRAM ESTABLISHMENT:

[ ] Training policy documented and approved
[ ] Curriculum developed for all required roles
[ ] Training content created and reviewed by SMEs
[ ] Delivery platform configured (Viva Learning/SharePoint)
[ ] Assessment questions validated
[ ] Pass scores defined and documented

ROLE-BASED TRAINING:

[ ] All Agent Developers assigned to required modules
[ ] All Agent Reviewers assigned to required modules
[ ] All Agent Approvers assigned to required modules
[ ] All Designated Supervisors assigned to required modules
[ ] All Platform Administrators assigned to required modules
[ ] End User awareness available for all users

CERTIFICATION MANAGEMENT:

[ ] Certification requirements documented
[ ] Certification tracking system operational
[ ] Expiration notifications configured
[ ] Access restriction for expired certifications
[ ] Renewal process documented

RECORD KEEPING:

[ ] Training completion records maintained
[ ] Records retained minimum 6 years
[ ] Records accessible for examination
[ ] Training evidence exportable

ONGOING MAINTENANCE:

[ ] Annual curriculum review scheduled
[ ] Regulatory update process defined
[ ] Effectiveness metrics tracked
[ ] Continuous improvement process in place

REGULATORY ALIGNMENT:

[ ] FINRA 4512 (associated persons registration)
[ ] FINRA Notice 25-07 (AI competency requirements)
[ ] OCC 2011-12/SR 11-7 (qualified personnel)
[ ] SOX 404 (training controls documentation)

===============================================================================
"@

Write-Host $Checklist -ForegroundColor Yellow

Write-Host "`nTraining program configuration complete" -ForegroundColor Green

Financial Sector Considerations

Regulatory Alignment

Regulation	Training Requirement	Control Implementation
FINRA 4512	Registration and qualification	AI governance competency certification
FINRA Notice 25-07	Qualified personnel for AI	Role-based training curriculum
OCC 2011-12 / SR 11-7	Staff expertise for model risk	Technical training for MRM
SOX 404	Training documentation for controls	Training records retention
GLBA 501(a)	Employee training on safeguards	Data protection modules
FFIEC CAT	Cybersecurity training	Security awareness components

Zone-Specific Configuration

Zone	Training Depth	Certification	Assessment
Zone 1 - Personal	Basic awareness	Not required	Optional
Zone 2 - Team	Role-specific	Required for developers/approvers	80% pass
Zone 3 - Enterprise	Comprehensive	Mandatory for all governance roles	85% pass

FSI Training Priorities

Broker-Dealer Personnel:

FINRA 3110 supervision requirements
Suitability and best interest obligations
Communications supervision

Investment Adviser Personnel:

Fiduciary duty and AI
Advice accuracy and disclosure
Client protection

Banking Personnel:

Fair lending and ECOA
Consumer protection
Privacy and GLBA

Verification & Testing

Verification Steps

Training Program Established
Review training policy document
Verify curriculum covers all roles
Confirm assessment questions validated
Training Assigned
Check all governance personnel assigned
Verify completion tracking active
Confirm certification status current
Records Maintained
Review training completion records
Verify records accessible for audit
Confirm 6-year retention active
Certifications Enforced
Test access restriction for expired users
Verify notification workflow active
Confirm renewal process functional

Compliance Checklist

[ ] Training policy documented and approved
[ ] Role-based curriculum developed
[ ] Training platform configured
[ ] Assessments created with pass thresholds
[ ] Certification requirements documented
[ ] Completion tracking operational
[ ] Expiration notifications active
[ ] Training records retained 6+ years
[ ] Annual program review scheduled

Troubleshooting & Validation

Issue: Low Training Completion Rates

Symptoms: Personnel not completing required training Solution:

Review training accessibility and ease of use
Check if training time is allocated
Send manager reminders with metrics
Escalate persistent non-compliance to CCO
Consider mandatory calendar blocks

Issue: High Assessment Failure Rates

Symptoms: Many users failing assessments Solution:

Review assessment questions for clarity
Analyze which questions are most missed
Improve training content for weak areas
Consider practice assessments
Allow retakes after additional study

Issue: Certification Enforcement Not Working

Symptoms: Expired users still have access Solution:

Verify Power Automate flow is running
Check security group membership logic
Test workflow with sample user
Review access control dependencies
Implement manual backup check

Issue: Training Content Outdated

Symptoms: Content doesn't reflect current regulations or procedures Solution:

Implement regulatory monitoring process
Schedule quarterly content reviews
Create update workflow with SME review
Version all training content
Communicate updates to learners

Additional Resources

Control	Relationship
2.12 - Supervision	Supervisors require training
2.8 - Access Control	Training gates access
2.11 - Bias Testing	Bias testing training required
2.6 - Model Risk Management	MRM training requirements
2.13 - Documentation	Training records retention

Support & Questions

For implementation support or questions about this control, contact:

AI Governance Lead (governance direction)
Compliance Officer (regulatory requirements)
Technical Implementation Team (platform setup)

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification