EU AI Act: Not High Risk

Compliance Training Agent

One auditable pipeline for mandatory-training assignment, completion tracking and affirmative-defense evidence - built so that the Title VII Faragher-Ellerth defence, the state harassment-training mandates, the UK Bribery Act adequate-procedures defence, EU AI Act AI literacy and the DOJ compliance-program test are all evidenced as a by-product, not reconstructed under audit.

Mandatory training assignment and tracking: Title VII Faragher-Ellerth affirmative defence, CA AB 1825/NY Stop Sexual Harassment Act, UK Bribery Act Section 7 and EU AI Act Article 4 AI literacy.


One auditable pipeline for mandatory-training assignment, completion tracking and affirmative-defense evidence

The Agent breaks the mandatory-training process into 15 documented decision steps, each with a defined decider - rules engine, AI agent or human - and a per-framework regulatory-mandate flag that replaces spreadsheet-based tracking. Training assignment runs deterministically through a versioned curriculum, role-based gap analysis, auto-enrolment, tiered reminders, completion verification and retention measurement, against the US anti-harassment, whistleblower, FCPA, AML and OSHA regimes, the UK Bribery and Modern Slavery Acts and the SM&CR, and the EU GDPR, Whistleblower Directive, AI Act AI literacy, NIS2 and CSDDD. The Faragher-Ellerth affirmative-defense evidence is assembled from the anti-harassment policy distribution, the complaint-procedure communication, the supervisor training and the reasonable-care documentation. AI literacy compliance runs through a role-tailored Article 4 curriculum, and the UK Bribery Act adequate-procedures training is tracked principle by principle against the MoJ Guidance.

Outcome: For a group of 5,000 employees across the UK, EU and US handling 30 to 60 mandatory-training categories and 8,000 to 12,000 individual training obligations a year, the Agent produces audit-ready evidence instead of a spreadsheet that leaves the organisation flying blind. The completion gap shrinks from the industry-typical 22% to under 2% through auto-enrolment, tiered reminders and access-suspension. Faragher-Ellerth readiness moves from sample-based assurance to learner-level coverage, and the auditor finding rate on training compliance drops from a typical 6-12% to under 1%.

40% Rules Engine
47% AI Agent
13% Human

The fifteen deterministic steps span every applicable regime - and precisely because each one is fixed by statute, regulation or standard, the pipeline is machine-reproducible and audit-defensible:

Missing training records destroy the Faragher-Ellerth affirmative defence, EU AI Act AI literacy took effect on 2 February 2025, and the DOJ now tests whether training actually works. One auditable training pipeline answers all three.

International mandatory training does not run on one regulatory standard - it runs on twelve overlapping regimes at once across the UK, EU and US. Anti-harassment, anti-bribery, AML, AI-literacy, cybersecurity, whistleblower and modern-slavery training intersect with the US Title VII Faragher-Ellerth defence and the state harassment-training mandates, the SOX, Dodd-Frank, FCPA and DOJ compliance-program regimes and OSHA, the UK Bribery and Modern Slavery Acts and the SM&CR, and the EU GDPR, Whistleblower Directive, AI Act AI literacy, NIS2 and ISO 37301 - and every one of them imposes recordkeeping, retention and completion-evidence obligations.

A US-headquartered group of 5,000 employees across the UK, EU and US faces exposure on several axes at once. Without documented anti-harassment training, an employer forfeits the Faragher-Ellerth affirmative defence against vicarious liability for supervisor harassment, exposing it to compensatory and punitive damages, uncapped Section 1981 race claims and class-action exposure. A California AB 1825 breach triggers Civil Rights Department enforcement and loss of state contracting eligibility. Without adequate-procedures training, the UK Bribery Act Section 7 strict-liability defence falls away, exposing the organisation to uncapped tribunal awards and imprisonment for individuals. An EU AI Act AI-literacy breach reaches EUR 35 million or 7% of turnover, and a NIS2 cybersecurity breach reaches EUR 10 million or 2% for an essential entity.

One auditable mandatory-training pipeline

This Agent follows the Decision Layer principle: each decision is rule-based, AI-assisted or explicitly assigned to a human, with a per-framework regulatory-mandate flag replacing spreadsheet-based tracking. The obvious challenge is familiar: at 5,000 employees across the UK, EU and US, an organisation falls at once under the federal Title VII floor, six state harassment-training statutes, the UK Bribery Act, GDPR, the EU AI Act, NIS2, at least one collective agreement and 30 to 60 internal policies. Each framework changes independently. Even at 1,500 employees across three sites, this matrix easily generates 8,000 to 12,000 individual training obligations a year - each with its own due date, target group and documentation requirement.

Why cross-jurisdictional training needs fifteen steps, not a sample

A single-jurisdiction periodic training samples at a point in time; continuous cross-jurisdictional training needs fifteen deterministic steps, because the regimes overlap. The pipeline runs requirement identification by jurisdiction, role and threshold, curriculum translation, employee master-data integration, gap analysis, auto-enrolment, tiered reminders, completion verification, the Faragher-Ellerth affirmative-defense package, AI-literacy validation, UK Bribery Act adequate-procedures tracking, the state-specific harassment-training matrix, regulatory-content monitoring, pattern detection, non-completion remediation and completeness reporting - end to end.

A concrete cross-border example: a US-headquartered S&P 500 manufacturer with 5,000 employees - 3,200 across 14 US states (concentrated in the six harassment-training states), 1,200 in the UK and 600 in the EU - with 30 to 60 mandatory-training categories and 8,000 to 12,000 individual obligations a year, driven by new hires, role changes, location changes, regulatory amendments and M&A integration. That produces completion-tracking Decision Records, Faragher-Ellerth evidence packages per supervisor and location, the EEOC EEO-1 and state-agency reports, the UK Modern Slavery statement, the CSRD training disclosure, the EU AI Act deployer evidence, the GDPR records of processing, the EU Whistleblower Directive annual report and the NIS2 attestation.

In the Decision Layer, eight of the fifteen steps are rule-engine decisions - requirement identification, gap analysis, the tiered reminder schedule, completion verification, UK Bribery Act tracking, the state harassment-training matrix and the regulatory-mandate flag among them. Five are AI-augmented: employee master-data integration, auto-enrolment and delivery, the Faragher-Ellerth package, AI-literacy validation, the regulatory-content refresh, pattern detection and completeness reporting. Two require human Compliance, L&D and Legal validation - curriculum version control and non-completion remediation with disciplinary input. Every step carries a timestamp, decider type, rationale and challenge mechanism.

What sets compliance training apart from compliance monitoring

Six dimensions distinguish this Agent from compliance monitoring. First, a role-based curriculum with a version-controlled catalogue and auto-enrolment through the LMS API. Second, a tiered reminder schedule with deterministic escalation and access-suspension for safety-critical training. Third, the Faragher-Ellerth affirmative-defense evidence package per supervisor, location and reporting period. Fourth, UK Bribery Act adequate-procedures tracking mapped principle by principle to the MoJ Guidance. Fifth, EU AI Act AI-literacy validation with a role-tailored curriculum and persons-affected mapping. Sixth, the state-specific harassment-training matrix, with each state’s cadence, content and delivery requirements.

The architecture satisfies cross-jurisdictional disclosure by construction, not retrofit. The EEOC EEO-1 and state-agency reports, the UK Modern Slavery statement, the CSRD training disclosure, the EU AI Act deployer evidence, the GDPR records of processing, the EU Whistleblower Directive annual report and the NIS2 attestation are all produced as outputs of the standard pipeline, not as separate compliance reporting. The Audit Trail that training generates as a by-product - when a course was assigned, when reminders went out, when completion was verified, what the assessment score was and when the retention quiz was passed - is exactly the documentation that EEOC charges, state-agency examinations, DOJ compliance-program evaluations, FCA SM&CR reviews and EU AI Office investigations expect as evidence. Audit preparation shrinks from weeks to hours because the evidence already exists.

Where Accountability Stays - Why the Agent is Not High-Risk

The Agent assigns training. It tracks completion. It escalates non-completion. It documents Faragher-Ellerth evidence. It generates completeness reports. What it does not do: decide who gets disciplined. Whether non-completion leads to a formal warning, whether a supervisor’s training gap leads to performance management, whether contract renewal is blocked - those are human decisions. Accountability for the root cause lies with the line manager or responsible department, not with the individual learner.

This separation is not just a governance choice. It is the reason the system is not high-risk under EU AI Act Annex III point 4. Training administration and completion tracking, without decisions that affect the employment relationship, is the architecture that lets the system deploy without a conformity assessment holding up the rollout. If the access-suspension or disciplinary-input automation expanded to autonomous performance evaluation or termination recommendation, it would become high-risk under the Act’s deployer obligations and fundamental-rights impact assessment. Works-council co-determination under the UK and EU consultation rules and the German and French frameworks applies to the introduction of training-tracking systems, with the training purpose, data, retention and access documented.

Cross-system integration

The Agent integrates with the full global learning, compliance-content, security-awareness and immersive-VR stack: Workday Learning, SAP SuccessFactors Learning and Oracle Learning Cloud for HCM-embedded learning; Cornerstone OnDemand, Litmos, Docebo, Absorb, TalentLMS, Bridge LMS and Saba Cloud for dedicated LMS; Skillsoft Percipio, NAVEX EthicsPoint Training, GAN Integrity, EVERFI Workplace Training and Veritas Compliance Training for compliance-content libraries; KnowBe4 Security Awareness, Compliance Plus and KMSAT for security awareness, phishing simulation and NIS2 cybersecurity; Mursion VR Training and EVERFI for immersive harassment and de-escalation training; and Coursera for Business, LinkedIn Learning Hub and Pluralsight for large-scale curated content. The Compliance Training Agent acts as the upstream regulatory-mandate, role-based-curriculum, completion-tracking, Faragher-Ellerth affirmative-defense, AI-literacy-validation, state-specific-harassment-training and access-suspension layer feeding the downstream HR, compliance, risk and audit workflow, or as the orchestration layer running parallel deployments where different business units use different LMS systems after an acquisition.

Micro-Decision Table

Who decides in this agent?

15 decision steps, split by decider

Rules Engine: 40% (6/15), deterministic
AI Agent: 47% (7/15), model-based with confidence
Human: 13% (2/15), explicitly assigned

Each row is a decision, followed by its decision record and whether it can be challenged.

Identify the mandatory-training requirements for each entity and role

For each entity, location, role, headcount threshold and regulatory framework, what is the full training catalogue, with role-based assignment, deadlines, refresher intervals, language requirements and completion-evidence standards? The framework is whichever applies - US Title VII anti-harassment training and the state harassment-training laws (California AB 1825, the New York and Illinois Acts and others), SOX, BSA/AML, FCPA and OSHA training; UK Bribery Act, Modern Slavery, GDPR and SM&CR training; EU GDPR, Whistleblower Directive, AI Act AI-literacy and NIS2 training; and ISO 37301, 37001, 27001 and 45001.

Decider: Rules Engine. Challengeable by: Auditor.

A deterministic rule-engine derives the training catalogue from the regulatory framework, the jurisdiction, the role and the headcount threshold, mapping each requirement back to its source - the EEOC Enforcement Guidance and Faragher-Ellerth doctrine, the state harassment-training statutes, the DOJ compliance-program training factor, the FCA Training and Competence sourcebook, the EDPB guidelines, the EU AI Office, ENISA and ISO 37301. It replaces a Compliance department's experiential mapping with a regulatory-traceable rule chain.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Auditor

Translate the mandates into a version-controlled, role-based curriculum

How is each framework (Title VII anti-harassment, the state harassment laws, FCPA and UK Bribery Act, the EU AI Act AI-literacy duty, GDPR, the Whistleblower Directive, NIS2, OSHA) translated into a role-based curriculum, each carrying a content version, validity period, regulator citation, delivery format, assessment, passing threshold and refresher interval? For example, California AB 1825 supervisor training becomes a two-hour interactive course covering quid pro quo, hostile work environment, retaliation, bystander intervention and the complaint procedure, with an 80% passing threshold and a biennial refresher - with the version history tracked per framework and state amendment.

Decider: Human. Challengeable by: Auditor.

A collaboration between Compliance, Legal, HR and L&D maintains the version-controlled curriculum, because curriculum definitions require domain expertise, legal interpretation, content review, an accessibility review and translation. Works-council co-determination applies under the UK and EU consultation rules to the scope and content of training where the headcount threshold is met.

Decision Record

Decider ID and role
Decision rationale
Timestamp and context

Challengeable: Yes - via manager, works council, or formal objection process.

Challengeable by: Auditor

Pull employee master data and prior completion records from HR and the LMS

Which sources are connected? The HRIS (Workday, SAP SuccessFactors, Oracle HCM, ADP, BambooHR, Hibob, Personio) for employee identity, role, department, location, contract type, start date, tenure, manager hierarchy and any lawfully captured protected-class indicators; and the LMS (Workday Learning, SAP SuccessFactors Learning, Cornerstone, Litmos, Docebo, Skillsoft Percipio, KnowBe4) for prior completion records, extracting each certification's expiry, assessment score, completion timestamp, delivery method and content version.

Decider: AI Agent. Challengeable by: Auditor.

AI-driven data integration with deterministic data-quality validation. The AI handles connector configuration, schema mapping, identity resolution, duplicate detection and the data-quality assessment; a deterministic check then gates data-source approval under Compliance and Legal governance, the GDPR security requirement and ISO 27001 access control. The agent reads only - it never writes to a source system.

Decision Record

Model version and confidence score
Input data and classification result
Decision rationale (explainability)
Audit trail with full traceability

Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.

Challengeable by: Auditor

Calculate each employee's training gap by role and jurisdiction

Applying the role-based curriculum to each employee, what is the gap? Initial training due (on a new hire, role or location change, headcount-threshold crossing or new regulation); refresher training due (annual, biennial, triennial or event-triggered); supplemental training due (role-specific or on a regulatory amendment); and any overdue training - producing a per-employee plan with deadlines, prerequisites, delivery format, language and accessibility. For example, a California supervisor hired on 1 March 2026 needs AB 1825 training within six months, plus annual anti-harassment training if also in New York, quarterly FCPA training in a customer-facing role, and NIS2 training if part of an essential entity.

Decider: Rules Engine. Challengeable by: Auditor.

Gap analysis is deterministic against the pre-configured curriculum and role assignment, and consistent across employees, jurisdictions and regulatory frameworks. It is auditable under the DOJ compliance-program training factor, the EEOC Enforcement Guidance, the state harassment-training statutes, PCAOB AS 2201, the ICAEW guidance, the AICPA SOC 2 criteria and the relevant ISO standards.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Auditor

Auto-enrol employees via the LMS API in their language and format

How is enrolment triggered? An LMS API call per employee, training, deadline, format, language and accessibility profile - integrating with Workday Learning, SAP SuccessFactors Learning, Cornerstone, Litmos, Docebo, Skillsoft Percipio and KnowBe4. Content is delivered in the employee's preferred language with ADA and Section 508 accessibility (closed captions, screen-reader compatibility, keyboard navigation, colour contrast), via e-learning, virtual classroom, VR simulation, mobile or instructor-led depending on the regulatory requirement and the learner's profile.

Decider: AI Agent. Challengeable by: Auditor.

AI-augmented enrolment with a deterministic LMS API call. The AI handles language detection, the accessibility profile, the delivery-format selection and the deadline calculation; the deterministic API call then records the enrolment timestamp, assignment ID, learner ID and content version. Each enrolment is captured in an immutable Decision Log, satisfying the DOJ compliance-program guidance, the EEOC, the FCA TC sourcebook and the EU AI Act record-keeping requirement.

Decision Record

Model version and confidence score
Input data and classification result
Decision rationale (explainability)
Audit trail with full traceability

Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.

Challengeable by: Auditor

Send the tiered reminder schedule, escalating as the deadline nears

What is the reminder schedule per training, deadline and criticality? An initial assignment notification with the deadline, access link and expected duration; a T-30 reminder by email, push and calendar invite; a T-14 reminder with a second-line escalation flag if the manager has overdue reports; a T-7 urgent reminder with manager notification; a T-1 final reminder requiring manager intervention; and, on a deadline breach, immediate escalation to the line manager, HR business partner and Compliance Officer, with an access-suspension flag for safety-critical training (OSHA, AML, AI literacy for AI deployers) - the content adapting to the learner's language, role and history.

Decider: Rules Engine. Challengeable by: Auditor.

The escalating reminder schedule is deterministic against the pre-configured criticality and deadline-proximity matrix, and consistent across employees, training types and jurisdictions. It is auditable under the DOJ compliance-program test of whether training is delivered effectively and measured for retention, and each reminder is captured in an immutable Decision Log under the ISO 37301 awareness and communication clauses.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Auditor

Verify completion, assessment score, engagement and retention

What does the LMS completion event capture? The timestamp, learner ID, content version and delivery format; the assessment score, passing threshold, attempt count and question-level analysis where available; the interactive engagement (video watch percentage, simulation or VR outcome, discussion participation); retention via post-training quizzes at 30, 90 and 180 days; the Faragher-Ellerth affirmative-defence documentation (content review, delivery confirmation, learner attestation, complaint-procedure acknowledgement); and the DOJ effectiveness indicators (tailoring to risks, delivery effectiveness, retention measurement, translation appropriateness).

Decider: Rules Engine. Challengeable by: Auditor.

Completion verification is deterministic against the LMS event and the assessment-engine output, and consistent across employees, training types and jurisdictions. It is auditable under the DOJ compliance-program guidance, the EEOC Faragher-Ellerth doctrine, the FCA TC sourcebook, PCAOB AS 2201, the AICPA SOC 2 criteria and the ISO 37301 performance-evaluation clause.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Auditor

Generate the Faragher-Ellerth affirmative-defence evidence package

What does the Faragher-Ellerth package, per supervisor, location and period, document to show the employer's reasonable care to prevent and promptly correct harassment? The anti-harassment policy distribution and acknowledgement; the complaint-procedure communication and accessibility; the anti-harassment training delivery (Title VII and the state laws) with content, method, language, duration, assessment, timestamp and learner attestation; the supervisor-specific training and reporting obligations; the complaint-investigation evidence (timeliness, impartiality, remediation); and the retaliation-prohibition documentation - in a package usable for an EEOC or state-agency charge response, tribunal evidence and class-action defence.

Decider: AI Agent. Challengeable by: Auditor.

AI-augmented evidence-package generation with deterministic content selection and formatting. The AI consolidates across employees, locations and periods and drafts the narrative, while a deterministic data layer keeps the package evidentiary-accurate. Records are kept for the longest applicable period - four years for California and federal Title VII, six for New York - and the package is distributed under attorney-client privilege through General Counsel governance.

Decision Record

Model version and confidence score
Input data and classification result
Decision rationale (explainability)
Audit trail with full traceability

Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.

Challengeable by: Auditor

Validate AI-literacy training under the EU AI Act

How is AI-literacy training verified under the EU AI Act Article 4 for everyone working with AI systems? A basic curriculum for general staff (AI system types, capabilities, limitations, appropriate use, prohibited practices, reporting concerns); an intermediate one for AI users (input-data quality, output interpretation, error patterns, human oversight, incident reporting); an advanced one for high-risk AI deployers (the fundamental-rights impact assessment, log retention, monitoring, serious-incident reporting, worker information and consultation); and a role-tailored level that accounts for the person's technical knowledge, experience and context - with completion, retention and effectiveness tracked to the EU AI Office and EDPB guidance.

Decider: AI Agent. Challengeable by: Auditor.

AI-driven AI-literacy compliance validation with deterministic curriculum-tier assignment. The AI analyses the role context, selects the curriculum tier and maps the persons affected; a deterministic check then gates compliance approval under the EU AI Office rules, where an Article 26 deployer-obligation breach carries fines of up to EUR 35 million or 7% of global turnover.

Decision Record

Model version and confidence score
Input data and classification result
Decision rationale (explainability)
Audit trail with full traceability

Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.

Challengeable by: Auditor

Track UK Bribery Act adequate-procedures training for the strict-liability defence

How is the UK Bribery Act Section 7 adequate-procedures training tracked as part of the strict-liability defence, mapped to the six MoJ Guidance principles? Proportionate-procedures training tailored to the risk, role and business model; top-level commitment evidenced through executive participation and board oversight; risk-assessment training covering geographic, sectoral, customer, transaction and partner risk; due-diligence training covering third parties, customers, suppliers, joint ventures and M&A; the communication and training principle, with content, method, language, completion verification and refresher cycle; and monitoring-and-review training covering escalation, investigation and remediation - tied to the FCPA, the OECD Anti-Bribery Convention and the DOJ FCPA Resource Guide.

Decider: Rules Engine. Challengeable by: Auditor.

Adequate-procedures training tracking is deterministic, mapped principle by principle to the UK MoJ Guidance, and consistent across employees and jurisdictions. It is auditable under the UK SFO's deferred-prosecution-agreement evaluation, the DOJ FCPA Resource Guide effectiveness assessment, the ISO 37001 awareness-and-training clause and the AICPA SOC 2 criteria.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Auditor

Operate the multi-state harassment-training matrix

How does the multi-state harassment-training matrix run? California AB 1825 - two hours for supervisors and one for non-supervisors every two years at employers with 5+ staff, enforced by the Civil Rights Department; the New York Stop Sexual Harassment Act and NYC Local Law 96 - annual interactive training for all employees with the state-specified topics; the Illinois Workplace Transparency Act - annual training for all employees plus a restaurant-industry supplement; the Connecticut Time's Up Act - two hours for all employees within six months of hire; Delaware HB 360 - interactive training within a year of hire with a biennial refresher; and Maine's statute - training within 300 days of hire. Per-state completion, content adequacy, delivery method, language and retention are all tracked.

Decider: Rules Engine. Challengeable by: Auditor.

A deterministic multi-state matrix applies each state-specific statute by role, tenure and completion threshold, consistently across employees and locations. It is auditable by the California, New York, NYC, Illinois, Connecticut, Delaware and Maine enforcement bodies, with each training event captured in an immutable Decision Log.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Auditor

Monitor regulatory updates and auto-trigger a curriculum refresh

Monitoring the regulatory and standard-setter sources continuously - the EEOC Enforcement Guidance and the state harassment-training amendments, the DOJ compliance-program guidance, the FCPA Resource Guide, FFIEC and FinCEN updates and OSHA standards; the UK FCA SYSC, PRA Rulebook, EHRC and ICO guidance and the MoJ Bribery Act Guidance; the EDPB guidelines, EU AI Office Article 4 guidance, ENISA NIS2 guidance and CSDDD transpositions; and the ISO 37301, 37001, 27001 and 45001 revisions - which material changes need L&D, Compliance and Legal approval, a curriculum update and a retraining trigger?

Decider: AI Agent. Challengeable by: Auditor.

AI-driven regulatory-change detection and impact analysis feed a deterministic update of the curriculum and retraining triggers. The AI extracts changes from the Federal Register, state legislatures, enforcement bulletins, EFRAG, the EU Official Journal and ISO updates, surfacing material ones for L&D and Compliance governance to approve; only then are the parameters updated. Consolidating across jurisdictions prevents update-lag where one regulatory theme touches several Member State implementations at once.

Decision Record

Model version and confidence score
Input data and classification result
Decision rationale (explainability)
Audit trail with full traceability

Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.

Challengeable by: Auditor

Detect non-completion patterns and class-action red flags

Which patterns are flagged for review? Systematic non-completion by department, location or manager hierarchy, pointing to an organisational pattern; a post-complaint training-deferral pattern, pointing to retaliation under Title VII and the state harassment statutes; a supervisor-specific completion gap, pointing to a Faragher-Ellerth defence vulnerability; a language or accessibility gap, pointing to disparate-impact exposure; an M&A acquisition gap, pointing to successor liability; and a high-risk-role gap (FCPA-facing roles, AI deployers, DPO-supervised roles, NIS2 essential-entity staff), pointing to a regulatory-mandate breach - each routed to Compliance, Legal, the DPO and the AI Officer with a severity classification.

Decider: AI Agent. Challengeable by: Auditor.

AI-driven pattern detection with a deterministic severity classification. The AI analyses across employees, locations, departments and periods with statistical-significance testing; a deterministic severity threshold then gates the escalation, to the EEOC, state-agency, DOJ compliance-program, EU AI Office, EDPB and FCA SM&CR audit-readiness standard.

Decision Record

Model version and confidence score
Input data and classification result
Decision rationale (explainability)
Audit trail with full traceability

Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.

Challengeable by: Auditor

Enforce remediation, access-suspension and board reporting by severity

How is non-completion remediation enforced by severity? Information (a single isolated overdue) - logged, no notification; Warning (repeated overdue or supervisor non-completion) - the line manager and HR business partner within five business days; Critical (a high-risk-role gap or regulatory-mandate breach) - the Compliance Officer, HR Director and DPO within 24 hours, with an access-suspension flag for safety-critical training (OSHA, AML, AI literacy for AI deployers); and Reportable (systemic non-completion or a litigation trigger) - the executive, board, general counsel and regulator per the jurisdictional requirements (a SOX material weakness and 8-K, an EEOC or state-agency charge response, the FCA SM&CR, EHRC or SFO, or an EU AI Act serious incident). Each case is tracked by ID with the remediation plan, deadline and closure evidence, and tied to disciplinary input and contract renewal where the role requires it.

Decider: Human. Challengeable by: Auditor.

Compliance, HR and Legal review the non-completion remediation, the access-suspension, the disciplinary input and the board reporting together. The AI severity classification is an input, not a decision; final remediation rests with a Compliance Officer, HR Director and General Counsel sign-off under ISO 37301, the IIA Standards, the DOJ compliance-program guidance and the EEOC Faragher-Ellerth reasonable-care standard. Works-council co-determination applies to the disciplinary input.

Decision Record

Decider ID and role
Decision rationale
Timestamp and context

Challengeable: Yes - via manager, works council, or formal objection process.

Challengeable by: Auditor

Generate the completeness reports, regulator filings and audit packages

Which stakeholder-specific completeness reports are generated?

A line-manager dashboard with team completion, overdue items and a deadline calendar; an HR business-partner report with department completion, state-specific harassment training and retention; a Compliance Officer report with framework completion, the DOJ effectiveness indicators and material findings; a CHRO, DPO, AI Officer and General Counsel report with cross-functional, cross-jurisdictional completeness and audit readiness; a Board and Audit Committee report to the IIA Standards, DOJ guidance and PCAOB AS 2201; and the per-jurisdiction regulator filings (EEO-1 and state-agency reports, the SEC forms, the UK gender pay gap and Modern Slavery statement, the CSRD ESRS S1-13 training disclosure, the EU AI Act deployer evidence, the GDPR records of processing, the Whistleblower Directive annual report and the NIS2 attestation) - with retention set to the longest applicable jurisdiction.

AI Agent Auditor

Reports are generated automatically in each stakeholder's and regulator's required format. The AI handles cross-jurisdictional consolidation, methodology harmonisation and template population, while a deterministic data layer keeps the figures accurate. Records are kept for the longest applicable period - four years for California and federal Title VII, five for OSHA, seven for SOX, ten under the EU AI Act - with assurance under ISAE 3000, the EU Audit Directive, PCAOB AS 2201 and the AICPA SOC 2 criteria.

Decision Record

Model version and confidence score
Input data and classification result
Decision rationale (explainability)
Audit trail with full traceability

Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.

Challengeable by: Auditor

Decision Record and Right to Challenge

Every decision this agent makes or prepares is documented in a complete decision record. Affected employees can review, understand, and challenge every individual decision.

Which rule in which version was applied?
What data was the decision based on?
Who (human, rules engine, or AI) decided - and why?
How can the affected person file an objection?

Does this agent fit your process?

We analyse your specific HR process and show how this agent fits into your system landscape. 30 minutes, no preparation needed.


Governance Notes

EU AI Act: Not High Risk
Of the fifteen steps, eight are deterministic, five are AI-augmented and two require human judgement. The Agent is not high-risk under the EU AI Act because it administers training logistics and tracks completion without making employment-affecting decisions - but the access-suspension for safety-critical training, the disciplinary input for systemic non-completion and any contract-renewal block must stay human decisions. If the access-suspension or disciplinary-input automation expanded to autonomous performance evaluation or termination recommendation, it would become high-risk under Annex III point 4.

Works-council co-determination applies to the introduction of training-tracking systems under the German, French, Italian and Dutch frameworks and the UK and EU consultation rules, and the scope of what is tracked, how non-completion is handled and how access-suspension is authorised must be set out in a works-council agreement.

The GDPR basis spans contract performance, legal obligation, special-category data where training touches health or disability accommodation, the records of processing, security, DPO training and the Member State employment derogations, alongside the UK GDPR and the US state privacy laws. Retention runs from four years for California and federal Title VII and five for OSHA up to ten under the EU AI Act. Training records carry sensitive personal data under UK and EU GDPR, the US state privacy laws and the EEOC confidentiality rules.

For audit purposes, the training-completion evidence, curriculum-version control, delivery-effectiveness and retention measurement, and the Faragher-Ellerth affirmative-defense documentation are routinely material at SEC registrants and FTSE 350 groups, and the Decision Log supplies the design and operating-effectiveness evidence, the EEOC tribunal-defence evidence and the DOJ compliance-program training evidence.

The Agent enforces role-based access, encryption in transit and at rest, a quarterly-reviewed access log, an annual SOC 2 audit, an annual ISO 27001 surveillance audit and a three-year ISO 37301 recertification.

Assessment

Agent Readiness 76-83%
Governance Complexity 24-31%
Economic Impact 54-61%
Lighthouse Effect 38-45%
Implementation Complexity 26-33%
Transaction Volume Weekly

Prerequisites

  • Defined training requirements matrix per role, location and regulatory framework, with a version-controlled curriculum covering US Title VII anti-harassment and the state-specific regimes (California AB 1825, NY, IL, CT, DE, ME), SOX 806, FCPA, AML, OSHA, UK Bribery Act 2010 Section 7, Modern Slavery, SM&CR, EU GDPR Article 39, EU AI Act Article 4, NIS2, the EU Whistleblower Directive and ISO 37301
  • Read-only access to the HR systems and LMS being integrated: Workday HCM, Workday Learning, SAP SuccessFactors, SAP SuccessFactors Learning, Oracle HCM Cloud, Oracle Learning Cloud, Cornerstone OnDemand, Litmos, Docebo, Absorb, TalentLMS, Bridge LMS, Saba Cloud, Skillsoft Percipio, KnowBe4, NAVEX EthicsPoint Training, Coursera for Business and LinkedIn Learning Hub
  • Compliance Officer, HR Director, L&D Director, DPO, AI Officer and General Counsel assignment per domain and jurisdiction, with escalation chain documentation and an access-suspension authorisation matrix
  • Faragher-Ellerth affirmative-defense documentation framework including the anti-harassment policy, complaint procedure, supervisor expectations, reasonable-care documentation, retaliation prohibition and per-state harassment training compliance (California CRD, New York DHR, NYC CCHR, Illinois IDHR, Connecticut CHRO, Delaware DOL, Maine DOL)
  • Content authoring and accessibility validation: SCORM, xAPI and AICC content, ADA Section 508 accessibility (closed captions, screen reader compatibility, keyboard navigation, color contrast), multi-language delivery, VR simulation (Mursion, EVERFI), interactive assessment and retention measurement
  • Reporting templates for regulatory and audit purposes: EEOC EEO-1 Component 1, OFCCP AAP, state agency annual reports, SEC Forms 8-K, 10-Q, 10-K and DEF 14A, UK Gender Pay Gap, UK Modern Slavery statement, EU CSRD ESRS S1-13 Training and skills development, EU AI Act Article 4 and Article 26 deployer evidence, GDPR Article 30 RAT, EU Whistleblower Directive annual report and NIS2 compliance attestation
  • Works council or worker representative agreement on automated training assignment, completion tracking and access-suspension scope per the UK Information and Consultation of Employees Regulations 2004, EU Information and Consultation Directive 2002/14/EC, German BetrVG, French CSE, Italian Statuto dei Lavoratori and Netherlands COR, with documented training purpose, data, retention and access
  • Decision logging infrastructure per EU AI Act Article 12 record-keeping, GDPR Article 5(2) accountability, ISO 27001 Annex A.5.36 and SOC 2 Common Criteria CC1.5, with retention of 2-3 years for US OFCCP, 1-3 years for the EEOC, 4 years for California, 6 years for New York, 5 years for OSHA, 7 years for SOX, the EU Whistleblower Directive transposition retention and 10 years under EU AI Act Article 12
  • Continuous regulatory-change monitoring subscription covering the Federal Register, state legislatures, enforcement bulletins, EFRAG, the EU Official Journal, EDPB, EU AI Office, ENISA, EHRC, FCA, ICO, PRA, DOJ, SEC, FFIEC, OSHA, IIA, AICPA and ISO standard updates

Infrastructure Contribution

The Compliance Training Agent builds the role-based curriculum, completion-tracking, retention-measurement, Faragher-Ellerth affirmative-defense and access-suspension infrastructure that underpins every training-intensive HR agent. Its curriculum versioning, auto-enrolment, tiered reminders, completion verification and retention measurement are the operational governance layer that the Certification Tracking, Training Needs Analysis and Training Effectiveness Agents depend on under the EU AI Act AI literacy and deployer-training requirements and the DOJ compliance-program training factor. The architecture transfers directly to the Onboarding Agent for training completion and regulator filing, the Performance Review Agent for competence assessment and development planning, the Compliance Monitoring Agent for training-evidence integration, the Audit Agent for the Faragher-Ellerth package, and whistleblower-channel validation for mandatory training under the EU Directive, SOX 806 and PIDA. It builds the Decision Logging and Audit Trail the Decision Layer uses to make every decision traceable and challengeable - covering the EEOC Faragher-Ellerth defence, state harassment training, the FCPA and UK Bribery Act, EU AI Act AI literacy, the EU Whistleblower Directive, NIS2 and the ISO 37301 management review. Audit preparation shrinks from weeks to hours because the evidence already exists in the Decision Log.

What this assessment contains: 9 slides for your leadership team

Personalised with your numbers. Generated in 2 minutes directly in your browser. No upload, no login.

  1. Title slide - Process name, decision points, automation potential
  2. Executive summary - FTE freed, cost per transaction before/after, break-even date, cost of waiting
  3. Current state - Transaction volume, error costs, growth scenario with FTE comparison
  4. Solution architecture - Human - rules engine - AI agent with specific decision points
  5. Governance - EU AI Act, works council, audit trail - with traffic light status
  6. Risk analysis - 5 risks with likelihood, impact and mitigation
  7. Roadmap - 3-phase plan with concrete calendar dates and Go/No-Go
  8. Business case - 3-scenario comparison (do nothing/hire/automate) plus 3×3 sensitivity matrix
  9. Discussion proposal - Concrete next steps with timeline and responsibilities

Includes: 3-scenario comparison

Do nothing vs. new hire vs. automation - with your salary level, your error rate and your growth plan. The one slide your CFO wants to see first.

Calculation methodology

Hourly rate: Annual salary (your input) × 1.3 employer burden ÷ 1,720 annual work hours

Savings: Transactions × 12 × automation rate × minutes/transaction × hourly rate × economic factor

Quality ROI: Error reduction × transactions × 12 × EUR 260/error (APQC Open Standards Benchmarking)

FTE: Saved hours ÷ 1,720 annual work hours

Break-Even: Benchmark investment ÷ monthly combined savings (efficiency + quality)

New hire: Annual salary × 1.3 + EUR 12,000 recruiting per FTE

All data stays in your browser. Nothing is transmitted to any server.

Compliance Training Agent

Initial assessment for your leadership team

A thorough initial assessment in 2 minutes - with your numbers, your risk profile and industry benchmarks. No vendor logo, no sales pitch.


Related Agents

Equipment Provisioning Agent

Gets new hires a working, compliant workstation on day one - deriving the equipment profile, ordering it, configuring devices with a cybersecurity baseline, and meeting the ergonomic and accessibility duties under OSHA, the UK DSE Regulations and the ADA.

W
Readiness: 78-85%
Economic: 51-58%
Governance: 8-15%
Micro-Decisions: 13
Weekly

Onboarding Workflow Agent

From signed contract to productive employee - 50+ tasks, zero dropped balls.

W
Readiness: 74-81%
Economic: 68-75%
Governance: 28-35%
Micro-Decisions: 14
Weekly

Probation Management Agent

Probation deadline monitoring as a compliance obligation - structured tracking from day one to confirmation, so the retention decision is never made under last-minute pressure across the US, UK and EU.

W D
Readiness: 71-78%
Economic: 44-51%
Governance: 38-45%
Micro-Decisions: 14
Monthly

Frequently Asked Questions

How does the Agent operationalise the US Title VII Faragher-Ellerth affirmative defence and the state harassment-training laws across multi-state operations?

US harassment training is operationally complex, because Title VII, the EEOC Enforcement Guidance and the Faragher, Ellerth and Vance decisions set the federal floor, while the state statutes impose stricter cadence, content and delivery. The Agent runs it in five phases. First, it documents the Faragher-Ellerth defence elements - reasonable care to prevent and correct harassment through a documented policy, complaint procedure, supervisor training and retaliation prohibition, and the employee's unreasonable failure to use the preventive opportunities - integrating with NAVEX EthicsPoint and OneTrust. Second, it operates the state-cadence matrix: California AB 1825 (two hours for supervisors, one for others, every two years at 5+ staff), the New York and NYC annual interactive training, the Illinois annual training, the Connecticut two-hour training within six months, Delaware's within a year with a biennial refresher, and Maine's within 300 days. Third, it tailors the curriculum to each state's required topics (quid pro quo, hostile work environment, retaliation, bystander intervention, complaint procedure), integrating with Skillsoft Percipio, Cornerstone Compliance and Mursion VR. Fourth, it measures the DOJ effectiveness indicators - tailoring, delivery and retention via post-training quizzes at 30, 90 and 180 days. Fifth, it generates the per-supervisor, per-location affirmative-defence package for an EEOC or state-agency charge response, tribunal evidence and class-action defence, with retention of four years federally and in California and six in New York.

How does the Agent operationalise the EU AI Act (Regulation 2024/1689) Article 4 AI-literacy obligation, effective 2 February 2025, and Article 26 deployer training?

EU AI Act AI-literacy compliance is operationally complex, because Article 4 (effective 2 February 2025) requires providers and deployers to ensure a sufficient level of AI literacy among staff and others operating AI systems on their behalf - accounting for technical knowledge, experience, education, context and the people affected - while Article 26 requires human oversight by competent, trained and authorised people, with fines reaching EUR 35 million or 7% of turnover for a deployer breach. The Agent runs it in five phases. First, it maps everyone dealing with AI operation - general staff, AI users, high-risk deployers, oversight personnel and providers. Second, it assigns the curriculum tier: a basic level for general staff (AI system types, capabilities, limitations, appropriate use, prohibited practices, reporting concerns), an intermediate level for AI users (input-data quality, output interpretation, error patterns, human oversight, incident reporting), and an advanced level for high-risk deployers (the fundamental-rights impact assessment, log retention, monitoring, serious-incident reporting, worker information and consultation). Third, it tailors delivery to each person's knowledge and context, integrating with Coursera, LinkedIn Learning, Skillsoft Percipio and Cornerstone. Fourth, it measures retention via post-training quizzes at 30, 90 and 180 days and role-context performance indicators. Fifth, it documents everything to the Article 12 record-keeping and the EU AI Office guidance, keeping audit-ready evidence for an EU AI Office investigation, the national market surveillance authority and any serious-incident response.

How does the Agent operationalise the UK Bribery Act 2010 Section 7 adequate procedures, including training as a constituent of the strict-liability defence?

UK Bribery Act 2010 compliance is operationally complex, because Section 7 imposes strict liability on a commercial organisation for failing to prevent bribery by an associated person, unless it can prove it had adequate procedures - and the six MoJ Guidance principles (proportionate procedures, top-level commitment, risk assessment, due diligence, communication including training, and monitoring and review) set the framework, so losing the training evidence forfeits the defence. The Agent runs it in five phases. First, it delivers proportionate-procedures training tailored to the business-model risk, jurisdiction, role and customer-facing exposure, integrating with NAVEX EthicsPoint, Skillsoft Percipio and Cornerstone Compliance. Second, it documents top-level commitment through executive participation, board oversight, management certification and consequence management. Third, it trains customer-facing, procurement, M&A and government-relations roles on the geographic, sectoral, customer, transaction and partner risk indicators and red flags. Fourth, it trains procurement, legal and M&A staff on due diligence for third-party intermediaries, customers, suppliers and joint ventures, including beneficial ownership and reputational checks. Fifth, it communicates the policy, reporting channel and retaliation prohibition, runs the refresher and event-driven retraining, and monitors effectiveness - tied to the FCPA, the OECD Anti-Bribery Convention and the SFO deferred-prosecution-agreement evaluation, where breaches carry unlimited fines and up to ten years' imprisonment.

How does the Agent process US Sarbanes-Oxley Section 806 whistleblower training, the Dodd-Frank Section 922 SEC Whistleblower Program and EU Whistleblower Protection Directive 2019/1937 training?

Whistleblower training is operationally complex, because US SOX 806 and the Section 1107 criminal liability, the Dodd-Frank 922 bounty, the EU Whistleblower Directive with its national transpositions (the German HinSchG, French Loi Sapin II, Spanish Ley 2/2023) and UK PIDA all create overlapping training obligations for managers, designated recipients and all employees. The Agent runs it in five phases. First, it trains managers, HR business partners, Compliance Officers and designated recipients on whistleblower rights, anti-retaliation, reporting procedures, confidentiality and the EU Directive's seven-day acknowledgement and three-month feedback. Second, it trains all employees on the channels, protected disclosures, retaliation prohibition and anonymous reporting, integrating with NAVEX EthicsPoint, OneTrust, EQS Group and Whistlelink. Third, it tailors the training to the Member State specifics - the German dual internal-external channel, the French two-tier reporting, the Spanish internal information channel. Fourth, it tailors the US training to the SOX 806 anti-retaliation remedy, the Section 1107 felony, the Dodd-Frank 922 awards and DOJ voluntary self-disclosure. Fifth, it measures retention, channel awareness and reporting confidence via survey and quiz, and documents to the EU Directive, SOX 806 and PIDA - where an EU transposition breach reaches EUR 20 million or 4% of turnover and SOX 1107 retaliation carries up to ten years' imprisonment.

How does the Agent handle US OSHA safety training across the General Industry and Construction standards and the state-plan jurisdictions?

US OSHA training is operationally complex, because the OSH Act, the General Industry and Construction standards, the topic-specific standards (Hazard Communication, Lockout/Tagout, PPE, Respiratory Protection, Bloodborne Pathogens, Confined Spaces) and the 28 state-plan jurisdictions all create overlapping training obligations with substantial penalty exposure. The Agent runs it in five phases. First, it documents the pre-assignment training required by each standard - GHS chemical-hazard training, energy-isolation procedures, PPE selection and use, respiratory fit-testing and medical evaluation, bloodborne-pathogens exposure control, and confined-space entry-permit and rescue procedures - integrating with EVERFI, Skillsoft Percipio and Cornerstone. Second, it runs the annual refresher and hazard-specific training on equipment or process changes and near-miss incidents, with VR simulation for high-hazard scenarios. Third, it delivers training in the employee's preferred language per the OSHA Field Operations Manual, with ADA and Section 508 accessibility. Fourth, it tailors training to the state-plan specifics - California's heat-illness and workplace-violence rules, Michigan's process safety management, Oregon's wildfire-smoke rule - tracking per-jurisdiction completion. Fifth, it documents to the 29 CFR 1904 and Hazard Communication record-keeping, retained for five years, where a wilful violation exceeds USD 156,000 per instance, a serious one runs to around USD 15,600, and a wilful violation causing death carries up to six months' imprisonment.

How does the Agent operationalise EU NIS2 Directive 2022/2555 cybersecurity training, EU CSDDD due-diligence training and the EU CSRD ESRS S1-13 training and skills development disclosure?

EU cybersecurity, due-diligence and sustainability training is operationally complex, because the NIS2 Directive's risk-management, incident-reporting and enforcement provisions, the CSDDD, and the CSRD with the ESRS S1-13 training-and-skills standard all create overlapping training and disclosure obligations. The Agent runs it in five phases. First, for NIS2 it trains the management body and all employees on basic cyber hygiene - phishing simulation, social engineering, password and device security, incident reporting - against the ENISA Threat Landscape, integrating with KnowBe4, Cornerstone Compliance and Skillsoft Percipio. Second, it tailors the training to the entity classification, with stricter requirements for essential entities (energy, transport, banking, health, digital infrastructure) than for important entities, where penalties reach EUR 10 million or 2% of turnover for essential entities and EUR 7 million or 1.4% for important ones. Third, for the CSDDD it trains procurement, M&A and operations on human-rights and environmental due diligence - identification, prevention, mitigation and accountability - phased from 2027 by company size, integrating with NAVEX EthicsPoint, OneTrust ESG and GAN Integrity. Fourth, for the CSRD it generates the annual ESRS S1-13 disclosure - average training hours per employee, the percentage participating, and skills development - tied to the EFRAG guidance and IAS 19. Fifth, it coordinates the NIS2, CSDDD, CSRD, EU AI Act, Whistleblower Directive and GDPR training to avoid learner fatigue, integrating with Workday Learning, SAP SuccessFactors Learning and Cornerstone.

How does the Agent integrate with Workday Learning, SAP SuccessFactors Learning, Oracle Learning Cloud, Cornerstone OnDemand, Litmos, Docebo, Absorb, TalentLMS, Skillsoft Percipio, KnowBe4, NAVEX EthicsPoint Training, Coursera for Business, LinkedIn Learning Hub, Mursion VR, and EVERFI?

The mandatory-training landscape spans five layers - HCM-embedded learning, dedicated LMS, compliance content libraries, security awareness and immersive VR - and the Agent acts as the integration point across all five, gated by the regulatory-mandate flag. On the HCM-embedded layer, Workday Learning brings cloud-native learning with role-based assignment, completion tracking and skills-based development; SAP SuccessFactors Learning offers enterprise learning with 80+ country localisation tied into SAP HCM; and Oracle Learning Cloud integrates with Oracle Fusion HCM. On the dedicated-LMS layer, Cornerstone OnDemand and SumTotal cover the compliance library, mobile learning, virtual classroom, assessments and regulatory reporting, alongside Litmos, Docebo, Absorb, TalentLMS, 360Learning and Bridge for the mid-market and enterprise. On the content-library layer, Skillsoft Percipio, NAVEX EthicsPoint, GAN Integrity, Convercent and EVERFI cover anti-harassment, the state harassment laws, FCPA, the UK Bribery Act, AML, GDPR, the EU AI Act, NIS2 and Modern Slavery, with the DOJ effectiveness measurement. On the security-awareness layer, KnowBe4 covers NIS2 cybersecurity training, phishing simulation and the GDPR, HIPAA, PCI-DSS and FFIEC modules. On the immersive-VR layer, Mursion and EVERFI provide interactive harassment, de-escalation, diversity and bystander-intervention training. And for curated content, Coursera, LinkedIn Learning, Pluralsight and Saba cover leadership, technology, AI literacy and cybersecurity. The Agent acts as the upstream regulatory-mandate, role-based-curriculum, completion-tracking, Faragher-Ellerth defence and access-suspension layer feeding the HR, compliance, risk and audit workflow, or the orchestration layer where business units run different LMS systems after an acquisition.

What Happens Next?

  1. Initial call (30 minutes) - We analyse your process and identify the optimal starting point.
  2. Discover (1 week) - Mapping your decision logic. Rule sets documented, Decision Layer designed.
  3. Build (3-4 weeks) - Production agent in your infrastructure. Governance, audit trail, cert-ready from day 1.
  4. Self-sufficient (12-18 months) - Full access to source code, prompts and rule versions. No vendor lock-in.

Implement This Agent?

We assess your process landscape and show how this agent fits into your infrastructure.