💡 Still using the classic Drata experience? Refer to Drata embedded security awareness training, Annual HIPAA Training, or AI Awareness Training for the original UI.
Security training helps fulfill personnel-related requirements across frameworks such as SOC 2 and HIPAA. Drata allows you to configure how training is delivered, tracked, and reset over time, while ensuring evidence is available for audits.
Prerequisites
Required Drata roles: Admins only
Where to configure
Go to Settings
Under Organization, select Personnel compliance
Select the Training tab
Security Awareness Training
Security awareness training helps your organization ensure personnel understand basic security practices and meet compliance requirements.
In Drata, you can choose how training is completed and how evidence is collected for audits.
Choose a Training Method
Drata supports several ways to manage security awareness training. Select the option that best fits your organization’s process.
Drata Embedded Training (Default)
With Drata’s built-in training:
Personnel complete training directly in Drata
Completion is recorded automatically
Audit-ready evidence is attached to each personnel record
Training must be completed again when the recurrence resets
This is the simplest option for maintaining compliance.
Connected Training Provider
If your organization already uses a training platform, you can connect it to Drata.
Supported providers include KnowBe4 and ESET
Completion data is synced automatically when available
This option reduces manual uploads while using your existing system.
External Training (Evidence Upload)
If training is completed outside of Drata, evidence must be uploaded manually.
You can choose one of the following:
Personnel upload: Each person uploads proof of completion in My Drata
Admin upload: An admin uploads evidence to each personnel record
Admin upload removes the training step from personnel onboarding but increases admin responsibility.
Recurring Training Resets
To support annual or recurring compliance requirements, you can require training to reset automatically.
Choose one of the following reset options:
Reset 12 months after each person’s last completion
Reset on the same date each year for all personnel
When a reset occurs, training status returns to Incomplete until new evidence is provided.
HIPAA Training (If Enabled)
If HIPAA is enabled in your account, additional HIPAA training settings appear. You can select:
Drata embedded HIPAA training
HIPAA training through KnowBe4
External training with uploaded evidence
No HIPAA training required
HIPAA compliance is based on whether valid evidence exists for each current employee or contractor.
Recurring reset behavior works the same as security awareness training.
AI Awareness Training
AI awareness training helps organizations meet emerging expectations around AI governance and responsible use. You can choose to:
Use Drata’s embedded AI awareness training
Use a connected provider (such as KnowBe4)
Manage training externally with evidence uploads
Disable AI awareness training if it is not required
Disabling this option removes:
The AI awareness compliance check
The AI training step from personnel onboarding
Recurring reset options apply the same way as other training types.
Training Status and Compliance
Training status reflects whether a person has completed the current training cycle.
Incomplete/Pending means training has not been completed for the current period
Status resets automatically based on your configured schedule
Compliance is determined by valid evidence for the current cycle, not past completions
Important Notes
Keep the following in mind when configuring training:
Training settings directly impact audit readiness
Missing or outdated evidence may cause controls to fail
Changing training settings does not retroactively mark personnel compliant
Removing onboarding steps shifts evidence collection responsibility to admins

