⚠️ Select your experience
The steps depend on your interface version. Select a link to skip to the instructions for your version.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience
Security training helps fulfill personnel-related requirements across frameworks such as SOC 2 and HIPAA. Drata allows you to configure how training is delivered, tracked, and reset over time, while ensuring evidence is available for audits.
Prerequisites
Required Drata roles: Admins only
Where to configure
Go to Settings
Under Organization, select Personnel compliance
Select the Training tab
Security Awareness Training
Security awareness training helps your organization ensure personnel understand basic security practices and meet compliance requirements.
In Drata, you can choose how training is completed and how evidence is collected for audits.
Choose a Training Method
Drata supports several ways to manage security awareness training. Select the option that best fits your organization’s process.
Drata Embedded Training (Default)
With Drata’s built-in training:
Personnel complete training directly in Drata
Completion is recorded automatically
Audit-ready evidence is attached to each personnel record
Training must be completed again when the recurrence resets
This is the simplest option for maintaining compliance.
Connected Training Provider
If your organization already uses a training platform, you can connect it to Drata.
Supported providers include KnowBe4 and ESET
Completion data is synced automatically when available
This option reduces manual uploads while using your existing system.
External Training (Evidence Upload)
If training is completed outside of Drata, evidence must be uploaded manually.
You can choose one of the following:
Personnel upload: Each person uploads proof of completion in My Drata
Admin upload: An admin uploads evidence to each personnel record
Admin upload removes the training step from personnel onboarding, but increases admin responsibility.
Recurring Training Resets
To support annual or recurring compliance requirements, you can require training to reset automatically.
Choose one of the following reset options:
Reset 12 months after each person’s last completion
Reset on the same date each year for all personnel
When a reset occurs, training status returns to Incomplete until new evidence is provided.
HIPAA Training (If Enabled)
If HIPAA is enabled in your account, additional HIPAA training settings appear. You can select:
Drata embedded HIPAA training
HIPAA training through KnowBe4
External training with uploaded evidence
No HIPAA training required
HIPAA compliance is based on whether valid evidence exists for each current employee or contractor.
Recurring reset behavior works the same as security awareness training.
AI Awareness Training
AI awareness training helps organizations meet emerging expectations around AI governance and responsible use. You can choose to:
Use Drata’s embedded AI awareness training
Use a connected provider (such as KnowBe4)
Manage training externally with evidence uploads
Disable AI awareness training if it is not required
Disabling this option removes:
The AI awareness compliance check
The AI training step from personnel onboarding
Recurring reset options apply the same way as other training types.
Training Status and Compliance
Training status reflects whether a person has completed the current training cycle.
Incomplete/Pending means training has not been completed for the current period
Status resets automatically based on your configured schedule
Compliance is determined by valid evidence for the current cycle, not past completions
Important Notes
Keep the following in mind when configuring training:
Training settings directly impact audit readiness
Missing or outdated evidence may cause controls to fail
Changing training settings does not retroactively mark personnel compliant
Removing onboarding steps shifts evidence collection responsibility to admins
Instructions for the Classic Experience
Drata embedded security awareness training
Configuring your Drata Internal Security page is key to fulfilling several of the controls within the SOC 2 framework. On this page, you can select the Drata embedded security awareness training to enhance your employees' onboarding experience. This training includes modules on phishing, malware awareness, and security policy adherence, ensuring alignment with SOC 2 compliance standards.
BEFORE DIVING IN
Only account administrators have access to this section within Drata.
HERE'S HOW
On the Internal Security page under the Security awareness training section, select either Drata's embedded training or integrate an external training provider based on your organizational needs.
Use Drata's embedded security training.
When employees go through their onboarding within Drata, they access the embedded training under the Complete Security Awareness Training task. An employee starts the training by clicking Begin Training. When the employee completes the training, Security Awareness Training shows as completed in their onboarding task list and on the Personnel page. Drata also provides tools for tracking compliance status updates as employees complete their training. Monitoring these statuses ensures adherence to recurring security training cycles, with options to reset or archive records as needed.
Common Questions and Issues
What does a “pending” status mean?
A “pending” status indicates that the user has not completed the ongoing training cycle. Training must be completed per the configured schedule (e.g., annually), and pending personnel remain as such until they fulfill their required modules.
Annual HIPAA Training
Personnel should complete HIPAA Training annually in order to satisfy specific requirements within the HIPAA framework. Configuring this training within Drata is a key step to addressing the associated control.
BEFORE DIVING IN
Only account administrators have access to this section within Drata.
HERE'S HOW
Drata provides multiple ways to manage HIPAA training within the application. When HIPAA is enabled for your account, a HIPAA Training section appears on your Internal Security page. From here you can select one of four options:
Embedded training with automatic evidence upload
Internal training with manual evidence upload by employee
External training with manual evidence upload by a user with the admin or information security lead role
Training opt-out if HIPAA training is not required for personnel
Once you've selected an option using the radio button, save your changes.
EMBEDDED TRAINING
Drata has developed its own embedded HIPAA Training. This enables personnel to complete the training directly in Drata during onboarding and easily fulfill their annual requirement thereafter.
When an employee or contractor completes their HIPAA training, Drata will generate a certificate of completion. This PDF is automatically uploaded to Drata and can be viewed/downloaded by admins/information security leads from the personnel drawer and by personnel in ‘My Drata’.
INTERNAL TRAINING
If your organization uses another tool or conducts internal training, select the second radio button. You can optionally add a URL for the external HIPAA training, which will link personnel to the training directly from the ‘My Drata’ onboarding.
Once training is complete, personnel will need to return to ‘My Drata > Complete HIPAA Training’ and upload proof of completion—such as a screenshot or other file. Once uploaded, the file can be viewed/downloaded by admins/information security leads from the personnel drawer and by personnel in ‘My Drata’.
EXTERNAL TRAINING
If you wish to keep HIPAA Training completely independent from Drata, you can select the third option which will exclude the ‘Complete HIPAA Training’ step from personnel onboarding.
With this option, an admin or information security lead will need to manually upload a file directly in each personnel drawer by selecting the HIPAA Training ‘View / Upload Evidence’ button.
TRAINING OPT-OUT
If HIPAA training is not required for your personnel or organization, select the fourth option to opt out of training. When selected, there will be no references to HIPAA training in Drata.
COMPLIANCE CONFIRMATION
Compliance is determined by the presence of evidence of HIPAA Training—such as a certificate of completion, screenshot, or other file—for each current employee or contractor within your organization.
Navigate to the ‘Personnel’ page to see the status of HIPAA Training compliance for all personnel under the 'HIPAA Training' columns, or select a specific person to open the ‘Personnel Detail’ drawer and view or upload evidence.
Partner Offers & Discounts
Drata has a direct partnership and discounted pricing for first-time customers of KnowBe4. Get a 15% discount on Compliance Plus (HIPAA training) by visiting https://info.knowbe4.com/drata
Check out more partner offers and discounts.
AI Awareness Training
HERE'S WHY
Personnel should complete an AI awareness training annually in order to satisfy specific requirements set by AI-related frameworks, such as NIST AI RMF and ISO 42001. You have the option to configure this training within Drata, a key step in addressing the associated controls.
BEFORE DIVING IN
Only Admins and Information Security Leads have access to this section within Drata.
HERE'S HOW
Drata provides multiple ways to manage AI awareness training within the application. When a related framework is enabled for your account, an Annual AI Awareness Training setting (the AI awareness training section) appears on the Internal Security page. From here you can select one of four options:
Embedded training with automatic evidence upload
Internal training with manual evidence upload by employee
External training with manual evidence upload by a user with the Admin or Info Sec role
Training opt-out if AI awareness training is not required for personnel
Once you've selected an option using the radio button, save your changes.
EMBEDDED TRAINING
Drata has developed its own embedded AI awareness training. This enables personnel to complete the training directly in My Drata during onboarding and easily fulfill their annual requirement thereafter.
When an employee or contractor completes their AI awareness training, Drata will generate a certificate of completion. This PDF is automatically uploaded to Drata and can be viewed/downloaded from the personnel drawer and by personnel in My Drata.
INTERNAL TRAINING
If your organization uses another tool or conducts internal training, select the second radio button. You can optionally add a URL for the external AI awareness training, which will link personnel to the training directly from the My Drata onboarding.
Once training is complete, personnel will need to return to ‘My Drata > Complete AI awareness training’ and upload proof of completion—such as a screenshot or other file. Once uploaded, the file can be viewed/downloaded from the personnel drawer and by personnel in My Drata.
EXTERNAL TRAINING
If you wish to keep AI awareness training completely independent from Drata, you can select the third option which will exclude the ‘Complete AI awareness training’ step from personnel onboarding.
With this option, you'll need to manually upload a file directly in each personnel drawer by selecting the AI awareness training ‘View / Upload Evidence’ button.
TRAINING OPT-OUT
If AI awareness training is not required for your personnel or organization, select the fourth option to opt out of training. When selected, there will be no references to AI awareness training in Drata.
COMPLIANCE CONFIRMATION
Compliance is determined by the presence of evidence of AI awareness training—such as a certificate of completion, screenshot, or other file—for each current employee or contractor within your organization.
Navigate to the ‘Personnel’ page to see the status of AI awareness training compliance for all personnel under the AI Awareness Training column, or select a specific person to view their personnel details and view or upload evidence.
Partner Offers & Discounts
Drata has a direct partnership with KnowBe4 for first-time and new customers. Get 25% off a 1- or 3-year subscription of KnowBe4 Security Awareness Training by visiting https://info.knowbe4.com/drata. AI Awareness training is only included in the KnowBe4 Diamond Plan.
Check out more partner offers and discounts.










