Training Recertification Cadence Governance

2. Summary

Training Recertification Cadence Governance requires that organisations operating AI agents under human oversight establish and enforce a structured cadence for refreshing, testing, and recertifying the competence of all personnel who perform oversight, intervention, or governance functions. AI agent capabilities, risk profiles, regulatory requirements, and operational contexts evolve continuously; operator knowledge that was current at initial certification degrades through forgetting, becomes outdated through system changes, and develops blind spots through routine familiarity. This dimension mandates that recertification occurs at defined intervals, covers both retained knowledge and new material, includes practical assessment rather than passive training alone, and that lapsed certifications result in automatic suspension of oversight authority until recertification is completed.

3. Example

Scenario A — Stale Operator Knowledge After Model Upgrade: A financial services firm certifies 12 trade oversight operators to supervise an AI trading agent in January. In June, the underlying model is upgraded, changing the agent's risk scoring methodology — previously, the agent flagged trades exceeding 2x historical volatility; the new model flags trades exceeding 3x a rolling adaptive volatility measure. The operators are notified of the change via email but no recertification is conducted. In September, an operator reviewing a flagged trade applies the old mental model, interpreting the flag as indicating 2x historical volatility when the flag actually indicates 3x adaptive volatility — a materially higher risk level. The operator approves the trade with a standard risk acknowledgement rather than escalating it to senior risk management. The trade results in a £1.8 million loss. Investigation reveals that 9 of the 12 operators were still applying the pre-upgrade mental model because no recertification tested their understanding of the new methodology.

What went wrong: The organisation changed the AI system's risk methodology but did not recertify the operators who oversee that system. Email notification is not competence verification. The operators' mental models of system behaviour diverged from actual system behaviour after the upgrade, creating a six-month window where oversight was based on incorrect assumptions. Recertification with practical assessment after the model upgrade would have detected the comprehension gap within weeks.

Scenario B — Annual Recertification Gap in Safety-Critical Operations: A water treatment facility deploys an AI agent to manage chemical dosing, with certified human operators overseeing the system. Operators are certified once at deployment and recertification is scheduled annually. The operator manual specifies emergency override procedures for 7 failure scenarios. Eight months after initial certification, a test reveals that operators can correctly execute only 3 of the 7 emergency procedures from memory. Two operators attempt procedures in the wrong sequence, which in a real emergency would worsen the contamination rather than mitigate it. The knowledge decay followed a well-documented forgetting curve — procedural knowledge that is not practised degrades by approximately 50% within 6 months. During the 4-month gap between the 8-month knowledge decay point and the 12-month scheduled recertification, the facility operates with operators who cannot reliably execute emergency procedures. A minor dosing anomaly during this period requires manual override; the operator hesitates for 11 minutes, attempting to recall the correct procedure, before calling a colleague. The delay allows the anomaly to propagate, affecting water quality for approximately 8,000 households and triggering a regulatory investigation costing £620,000 in fines and remediation.

What went wrong: The annual recertification cadence was too infrequent for safety-critical procedural knowledge. The forgetting curve for complex procedures is well-established — annual recertification allows approximately 6 months of operation with degraded competence. No interim competence checks existed to detect the decay before it manifested in a real incident. The recertification cadence was not calibrated to the knowledge decay rate for the specific competencies required.

Scenario C — Regulatory Change Without Recertification: A public sector agency uses an AI agent to assist with immigration case processing. Human adjudicators make final decisions with the agent providing recommendations and supporting analysis. In April, new legislation changes the eligibility criteria for a specific visa category, adding two new grounds for refusal and modifying the evidential threshold for one existing ground. The AI agent is updated to reflect the new criteria within two weeks. Adjudicator training on the new legislation is scheduled for the quarterly training cycle — three months away. During the interim period, 14 adjudicators process approximately 1,200 cases in the affected visa category using outdated knowledge of the eligibility criteria. The adjudicators override the agent's correct recommendations in 89 cases because the agent's analysis references criteria the adjudicators do not recognise, interpreting the unfamiliar criteria as agent errors. Of these 89 overrides, 67 result in incorrect decisions — 41 approvals that should have been refusals and 26 refusals that should have been approvals. The incorrect decisions are discovered 5 months later during an internal quality review. Remediation requires re-opening 67 cases, issuing formal correction notices, and compensating affected applicants, at a total cost of £890,000 and significant reputational damage.

What went wrong: The recertification cadence (quarterly) was not triggered by a material system change — the legislative update warranted immediate recertification of all affected adjudicators, but no event-driven recertification trigger existed. The AI agent was updated promptly but the human operators were left operating with outdated knowledge for three months. The adjudicators' incorrect overrides were rational given their (outdated) understanding — they believed the agent was wrong because their training did not include the new criteria. This created the paradox of informed-operator-override: operators overriding correct agent outputs because the operators' knowledge is stale.

4. Requirement Statement

Scope: This dimension applies to any AI agent deployment where human personnel perform oversight, intervention, governance, or operational functions that require specific competencies — knowledge of the agent's capabilities and limitations, understanding of the operational domain, familiarity with emergency and override procedures, awareness of applicable regulatory requirements, and proficiency in the tools and interfaces used for oversight. The scope includes all categories of personnel in the oversight chain: primary reviewers, escalation handlers, shift supervisors, quality assurance personnel, incident responders, and governance board members who make decisions about agent operation. The scope explicitly includes personnel whose oversight role is part-time or secondary — an employee who reviews agent outputs as 20% of their role requires the same competence recertification as a full-time reviewer. Contractors and third-party personnel performing oversight functions are included. The scope excludes end-users of agent services who do not perform governance or oversight functions.

4.1. A conforming system MUST define a recertification cadence for each oversight role, specifying the maximum interval between recertifications. The cadence MUST be calibrated to the knowledge decay rate for the competencies required by the role and the consequence severity of competence failure, and MUST NOT exceed 12 months for any role in a high-risk or critical deployment.

4.2. A conforming system MUST define the competency framework for each oversight role, specifying the knowledge, skills, and procedural capabilities that recertification must verify. The competency framework MUST include at minimum: (a) understanding of the agent's current capabilities, limitations, and known failure modes, (b) proficiency in emergency and override procedures, (c) knowledge of applicable regulatory requirements, and (d) ability to correctly interpret the agent's outputs, confidence signals, and escalation indicators.

4.3. A conforming system MUST include practical assessment in recertification — not passive training alone. Practical assessment MUST require the operator to demonstrate competence through scenario-based exercises, simulated decision-making, or monitored live performance, with defined pass criteria.

4.4. A conforming system MUST implement event-driven recertification triggers that mandate out-of-cycle recertification when material changes occur, including at minimum: (a) changes to the AI agent's model, capabilities, or risk methodology, (b) changes to applicable regulatory requirements, (c) significant incidents involving the agent that reveal oversight gaps, and (d) changes to emergency or override procedures.

4.5. A conforming system MUST automatically suspend the oversight authority of any individual whose recertification has lapsed — the individual MUST NOT be permitted to perform oversight functions until recertification is successfully completed.

4.6. A conforming system MUST maintain a recertification registry that records for each individual: current certification status, certification date, expiry date, assessment results, and competency gaps identified during assessment.

4.7. A conforming system SHOULD implement tiered recertification that distinguishes between full recertification (comprehensive reassessment of all competencies) and focused recertification (targeted reassessment of specific competencies affected by a change event). Focused recertification enables rapid response to change events without requiring comprehensive reassessment when only a subset of competencies is affected.

4.8. A conforming system SHOULD implement recertification difficulty scaling — recertification assessments should be at least as rigorous as initial certification assessments, and should include novel scenarios not previously encountered by the operator, to guard against operators who pass recertification through memorisation of standard test cases rather than genuine competence.

4.9. A conforming system SHOULD integrate recertification outcomes with fatigue monitoring (AG-445) and shift scheduling to ensure that recently recertified operators are not immediately assigned to high-fatigue shifts where their refreshed knowledge cannot be applied effectively.

4.10. A conforming system MAY implement continuous competence assessment as a supplement to periodic recertification — using challenge injection (per AG-445 Test 8.6), monitored live performance metrics, and knowledge check prompts integrated into the operational workflow to provide ongoing competence signals between formal recertification events.

5. Rationale

The effectiveness of human oversight over AI agents depends on the competence of the humans performing that oversight. Competence is not a static property — it degrades over time through the well-documented forgetting curve, becomes outdated as systems and regulations evolve, and develops blind spots as operators settle into routines that no longer match current operational realities. Initial certification, no matter how rigorous, provides a point-in-time competence assessment that begins to lose validity immediately after it is conducted.

The forgetting curve, first characterised by Ebbinghaus in 1885 and confirmed by over a century of subsequent research, demonstrates that human memory for factual and procedural information decays exponentially without reinforcement. For complex procedural knowledge — such as emergency override procedures for an AI agent — retention drops to approximately 50% within 2–4 months without practice. This means an operator certified in January may have lost half of their procedural competence by May, while the annual recertification is not scheduled until the following January. The operator is operating with degraded competence for 8 months of the certification year.

The problem is compounded by the pace of change in AI agent deployments. Unlike traditional automated systems that may operate unchanged for years, AI agents undergo frequent updates — model upgrades, capability expansions, risk threshold recalibrations, new data source integrations, and interface changes. Each change potentially invalidates some portion of the operator's certified knowledge. An operator certified on a system running Model A may be overseeing a materially different system running Model C within months, but their mental model of system behaviour is anchored to Model A. This knowledge-system divergence creates a specific risk: operators who believe they understand the system but whose understanding is outdated. These operators are more dangerous than acknowledged novices because they act with unwarranted confidence, are less likely to seek help, and may override correct system outputs based on their stale understanding (as in Scenario C).

Regulatory requirements also evolve. Financial regulations, data protection requirements, safety standards, and sector-specific rules change regularly. An operator certified when regulation version 1.0 applied may be making decisions in a legal context governed by version 2.0. If their training has not been updated, they may inadvertently violate current requirements while correctly applying requirements that are no longer in force.

The governance imperative is clear: recertification must occur at a cadence that matches the rate of competence decay and the rate of system and regulatory change, whichever is faster. Annual recertification is insufficient for any role where competence decay or system change rates create a significant competence gap within 12 months. Event-driven recertification triggers are essential to address non-periodic changes — a model upgrade in month 3 cannot wait until the annual recertification in month 12.

The requirement for practical assessment — not passive training alone — reflects evidence that passive methods (reading updated documentation, watching training videos, attending lectures) produce poor knowledge retention and do not verify applied competence. An operator who has read about a new risk methodology may believe they understand it but cannot correctly apply it under time pressure. Only practical assessment — scenario-based exercises, simulated decisions, hands-on demonstrations — provides evidence of applied competence.

6. Implementation Guidance

Training Recertification Cadence Governance requires a structured programme that treats operator competence as a perishable asset requiring regular renewal, not a permanent qualification earned once. The core principle is that the recertification cadence must be calibrated to the decay rate of the competencies being certified and responsive to change events that invalidate current certifications.

Recommended patterns:

• Competency-based recertification design. Structure recertification around a defined competency framework for each oversight role, not around generic training content. Each competency maps to specific assessment items: "ability to interpret agent confidence scores" maps to a scenario where the operator must correctly triage three outputs with varying confidence levels. This ensures that recertification verifies the specific capabilities the role requires, not general familiarity with the system.
• Cadence calibration by competency type. Different competencies decay at different rates. Factual knowledge (regulatory thresholds, policy limits) decays faster than procedural skill (interface navigation, routine review workflows), which decays faster than conceptual understanding (risk model principles, governance rationale). Calibrate recertification cadence to the fastest-decaying competency in the role. For safety-critical procedural competencies (emergency overrides, manual intervention sequences), quarterly recertification or more frequent drill-based assessment is appropriate. For conceptual understanding of stable system principles, semi-annual assessment may suffice.
• Event-driven recertification triggers with rapid-turnaround focused assessment. When a material change occurs (model upgrade, regulatory change, significant incident), implement a focused recertification that covers only the affected competencies within a defined SLA (recommended: 10 business days for non-urgent changes, 48 hours for safety-relevant changes). Focused recertification is shorter than full recertification but mandatory — operators who have not completed the focused recertification within the SLA are suspended from affected oversight functions per Requirement 4.5.
• Scenario bank rotation. Maintain a bank of assessment scenarios that is larger than any single assessment and rotated across recertification cycles. This prevents operators from passing recertification through memorisation of a fixed test set. The scenario bank should include: routine scenarios (testing baseline competence), edge-case scenarios (testing handling of unusual but realistic situations), adversarial scenarios (testing response to deceptive or manipulative agent behaviour), and novel scenarios created specifically for each recertification cycle.
• Recertification registry with automated expiry enforcement. Maintain a centralised registry of all certified personnel with automated expiry tracking. When a certification expires — either through cadence-based expiry or event-driven invalidation — the registry automatically notifies the individual and their supervisor, and triggers technical enforcement that prevents the individual from performing oversight functions (e.g., account suspension, access revocation, queue removal) per Requirement 4.5.
• Grace period with supervised operation. Implement a short grace period (recommended: 5 business days for cadence-based expiry) during which an expired-certification operator may continue oversight functions only under direct supervision by a currently certified individual. This prevents operational disruption from administrative delays while maintaining oversight quality. No grace period should apply for event-driven invalidation of safety-critical competencies.

Anti-patterns to avoid:

• Passive recertification. Treating recertification as a compliance checkbox where operators read updated materials and click "I acknowledge" without any practical assessment. This verifies awareness at best, not competence. An operator who has read the new emergency procedure cannot necessarily execute it correctly under pressure. Recertification without practical assessment is training, not certification.
• Uniform cadence across all roles and competencies. Applying the same recertification interval (typically annual) to all roles regardless of competency decay rates, system change frequency, or consequence severity. A safety-critical emergency procedure role and a routine data classification review role do not have the same recertification requirements. Uniform cadence either over-certifies low-risk roles (wasting resources) or under-certifies high-risk roles (creating competence gaps).
• Fixed assessment content. Using the same assessment scenarios and questions across multiple recertification cycles. Operators learn to pass the specific test rather than maintaining genuine competence. After two cycles with the same content, assessment results reflect test familiarity rather than operational competence.
• Recertification without consequence for failure. Allowing operators who fail recertification to continue performing oversight functions pending remediation. If an operator has failed to demonstrate competence, they should not be exercising oversight authority. Failure must trigger immediate suspension of oversight functions per Requirement 4.5, with a structured remediation and re-assessment path.
• Training-only without assessment. Conducting recertification as a training session (lecture, e-learning module, documentation review) without any assessment component. Training is input; certification requires verified output. An operator who attended training is not recertified — an operator who attended training and demonstrated competence through assessment is recertified.

Industry Considerations

Financial Services. Financial regulators already mandate competence requirements for individuals performing regulated functions. The FCA's Training and Competence Sourcebook (TC) requires firms to ensure that employees who carry out regulated activities are competent and remain competent. Where AI agent oversight constitutes or supports a regulated activity, recertification must satisfy TC requirements. Firms should align AI oversight recertification with existing competence frameworks, extending them to cover AI-specific competencies (model behaviour understanding, confidence score interpretation, override procedure proficiency).

Safety-Critical and Industrial. Process control environments have established recertification cadences for safety-critical operator roles, often mandated by sector-specific regulation (e.g., COMAH in the UK, OSHA Process Safety Management in the US). AI agent oversight recertification should align with existing safety recertification programmes, adding AI-specific competencies to established assessment frameworks. Quarterly or more frequent drill-based assessment is standard practice for emergency procedures in these environments and should extend to AI system override procedures.

Healthcare. Clinical competence recertification (continuing professional development, revalidation) is already mandated for healthcare professionals. AI-specific competencies — understanding clinical decision support system limitations, recognising algorithmic bias indicators, knowing when to override agent recommendations — should be integrated into existing CPD and revalidation frameworks rather than creating parallel certification programmes.

Public Sector. Government agencies processing consequential decisions (benefits, immigration, licensing) should implement recertification programmes that include regulatory update certification. When legislation changes, affected adjudicators should be recertified before processing cases under the new legislation, not after a quarterly or annual training cycle.

Maturity Model

Basic Implementation — The organisation has defined a competency framework for each oversight role and a recertification cadence not exceeding 12 months. Recertification includes practical assessment (not passive training alone). A recertification registry tracks certification status. Lapsed certifications result in suspension of oversight authority. Event-driven recertification triggers exist for model changes and regulatory updates. This level meets the minimum mandatory requirements.

Intermediate Implementation — All basic capabilities plus: recertification cadence is calibrated to competency-specific decay rates, with more frequent assessment for safety-critical procedural competencies. Focused recertification enables rapid response to change events without requiring full reassessment. A rotating scenario bank prevents assessment memorisation. Recertification outcomes feed into workforce planning and scheduling. The registry enforces automated expiry with technical access controls.

Advanced Implementation — All intermediate capabilities plus: continuous competence assessment supplements periodic recertification through challenge injection and monitored live performance. Predictive models identify individuals at risk of competence decay before formal recertification. Recertification data is integrated with fatigue monitoring (AG-445) and incident learning (AG-423) to create a comprehensive operator effectiveness picture. Independent validation confirms that the recertification programme effectively maintains oversight competence. Competency gap analysis drives targeted training investment.

7. Evidence Requirements

Required artefacts:

• Competency framework documentation. The defined competency framework for each oversight role, specifying the knowledge, skills, and procedural capabilities that recertification verifies, with mapping to specific assessment items.
• Recertification cadence specification. The defined recertification interval for each role, with the calibration rationale (competency decay rates, system change frequency, consequence severity analysis).
• Recertification registry. The current registry showing all oversight personnel, their certification status, certification dates, expiry dates, most recent assessment results, and any competency gaps identified.
• Assessment content and results. The practical assessment scenarios, questions, and pass criteria used in each recertification cycle, plus individual assessment results. Assessment content must demonstrate rotation across cycles.
• Event-driven recertification records. Records of all event-driven recertification triggers, including the triggering event, affected competencies, recertification SLA, completion dates, and any operators suspended pending recertification.
• Authority suspension records. Records of all instances where oversight authority was suspended due to lapsed certification, including the suspension date, reason, duration, and recertification completion date.
• Remediation records. Records of competency gaps identified during recertification, the remediation actions taken, and the re-assessment outcomes.

Retention requirements:

• Recertification registry, assessment results, and authority suspension records: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Test 8.1: Recertification Cadence Enforcement

• Stimulus: Allow a certified operator's recertification to expire by passing the defined cadence interval without renewal. Attempt to have the operator perform an oversight action (approve a decision, acknowledge an alert, or execute an override) after expiry.
• Expected behaviour: The system detects the lapsed certification and prevents the operator from performing the oversight action. The operator receives a notification that their certification has expired and they must complete recertification before resuming oversight functions.
• Pass criteria: The operator is blocked from performing any oversight action after certification expiry. A suspension record is logged with the correct expiry date and reason. The operator's supervisor is notified.
• Fail criteria: The operator successfully performs an oversight action after certification expiry, or no suspension record is created.

Test 8.2: Event-Driven Recertification Trigger

• Stimulus: Simulate a material system change (e.g., model upgrade that changes risk scoring methodology). Verify that the system triggers an event-driven recertification for all operators whose competencies are affected by the change.
• Expected behaviour: The system identifies all operators with competencies affected by the change. Recertification notices are issued to each affected operator with the focused recertification scope and completion SLA. Operators who do not complete focused recertification within the SLA have their oversight authority suspended.
• Pass criteria: All affected operators are identified and notified within 24 hours of the change event. The recertification scope correctly maps to the affected competencies. At least one operator who does not complete recertification within the SLA is verified to have their authority suspended.
• Fail criteria: Any affected operator is not identified, the recertification scope does not match the affected competencies, or operators are permitted to continue oversight after the SLA without completing recertification.

Test 8.3: Practical Assessment Inclusion Verification

• Stimulus: Review the most recent recertification cycle's assessment materials for a defined oversight role. Verify that the assessment includes practical components (scenario-based exercises, simulated decisions, or demonstrated procedures) and not only passive components (acknowledgement forms, multiple-choice knowledge tests without application context).
• Expected behaviour: The assessment includes at least one practical component requiring the operator to demonstrate applied competence — executing a procedure, making a decision in a simulated scenario, or interpreting agent outputs under realistic conditions.
• Pass criteria: At least 40% of assessment weight derives from practical components. Practical components require demonstrated action, not merely selected answers. Pass criteria for practical components are documented and specific.
• Fail criteria: The assessment contains no practical component, or practical components represent less than 40% of the total assessment weight.

Test 8.4: Competency Framework Completeness

• Stimulus: Compare the defined competency framework for a selected oversight role against the four mandatory competency categories from Requirement 4.2: (a) agent capabilities and limitations, (b) emergency and override procedures, (c) regulatory requirements, (d) output interpretation including confidence signals and escalation indicators.
• Expected behaviour: All four mandatory competency categories are addressed in the competency framework with specific, assessable competency statements mapped to assessment items.
• Pass criteria: All four categories are present. Each category contains at least one specific competency statement. Each competency statement maps to at least one assessment item in the recertification materials.
• Fail criteria: Any of the four mandatory competency categories is missing from the competency framework, or any category lacks a mapping to assessment items.

Test 8.5: Assessment Rotation Verification

• Stimulus: Compare assessment content (scenarios, questions, practical exercises) from the three most recent recertification cycles for a given role. Measure the overlap in assessment items.
• Expected behaviour: Assessment content demonstrates meaningful rotation. While core competencies are consistently assessed, the specific scenarios and questions used to assess them vary across cycles.
• Pass criteria: No more than 50% of assessment items are identical across any two consecutive recertification cycles. At least 30% of each cycle's assessment items are novel (not used in the immediately preceding cycle).
• Fail criteria: More than 50% of assessment items are identical between consecutive cycles, or fewer than 30% of items are novel.

Test 8.6: Recertification Registry Accuracy

• Stimulus: Select 10 individuals from the recertification registry. For each, verify that the registry accurately reflects their current certification status by cross-referencing against assessment completion records, expiry calculations, and any event-driven invalidation events.
• Expected behaviour: The registry accurately reflects each individual's certification status — certified individuals have valid completion dates and future expiry dates, expired individuals are correctly marked as expired, and event-invalidated individuals are correctly marked as requiring focused recertification.
• Pass criteria: 100% of sampled records are accurate. No individual is incorrectly recorded as certified when their certification has lapsed or been invalidated.
• Fail criteria: Any sampled record incorrectly reflects the individual's certification status.

Test 8.7: Authority Suspension Technical Enforcement

• Stimulus: Suspend an operator's certification in the recertification registry (simulating expiry or event-driven invalidation). Verify that technical enforcement mechanisms prevent the operator from accessing oversight functions — not merely that a policy prohibits them from doing so, but that system-level controls enforce the prohibition.
• Expected behaviour: The operator's access to oversight interfaces is blocked, their decisions are rejected if submitted, and their queue assignments are removed or redirected. The enforcement is technical, not merely procedural.
• Pass criteria: The operator cannot access oversight interfaces or submit oversight decisions through any available channel. Technical enforcement activates within 1 hour of registry suspension (or within the defined SLA). Queue reassignment occurs without manual intervention.
• Fail criteria: The operator can access oversight interfaces or submit decisions after suspension, or enforcement requires manual intervention that could be delayed or omitted.

Conformance Scoring

• Score 0: No recertification programme exists — operators are certified once (if at all) and never reassessed, regardless of the passage of time, system changes, or regulatory updates.
• Score 1: Recertification exists but is passive only (e.g., annual acknowledgement of updated documentation), has no practical assessment component, and lapsed certifications do not result in authority suspension. Event-driven triggers do not exist.
• Score 2: Recertification includes practical assessment at a defined cadence not exceeding 12 months. A competency framework is defined for each role. Lapsed certifications trigger automatic authority suspension with technical enforcement. Event-driven recertification triggers respond to model changes and regulatory updates. A recertification registry tracks certification status. Assessment content rotates across cycles.
• Score 3: Verified through independent assessment — an independent party has validated that the recertification programme effectively maintains operator competence, that practical assessments are rigorous and rotated, that event-driven triggers respond within defined SLAs, and that authority suspension is technically enforced. Continuous competence assessment supplements periodic recertification. Recertification data drives workforce planning and training investment.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 14 (Human Oversight)	Direct requirement
EU AI Act	Article 9 (Risk Management System)	Supports compliance
SOX	Section 404 (Internal Controls Over Financial Reporting)	Supports compliance
FCA SYSC	6.1.1R (Systems and Controls)	Direct requirement
FCA TC	Training and Competence Sourcebook	Direct requirement
NIST AI RMF	GOVERN 1.4, MANAGE 4.2	Supports compliance
ISO 42001	Clause 7.2 (Competence)	Direct requirement
DORA	Article 13 (Learning and Evolving)	Supports compliance

EU AI Act — Article 14 (Human Oversight)

Article 14 requires that natural persons assigned to human oversight are enabled to properly understand the relevant capacities and limitations of the high-risk AI system and to properly monitor its operation. The words "properly understand" and "properly monitor" imply ongoing competence, not point-in-time certification. An operator who understood the system at certification 11 months ago but has not been reassessed since a model upgrade does not "properly understand" the current system. Recertification at an appropriate cadence is the mechanism by which organisations ensure that oversight personnel maintain the understanding that Article 14 requires. Event-driven recertification after system changes directly supports the requirement that oversight personnel understand the system's current capacities and limitations.

FCA SYSC and FCA TC — Systems, Controls, and Training and Competence

The FCA's Training and Competence Sourcebook explicitly requires firms to ensure that employees performing regulated activities maintain competence, including through regular assessment. TC 2.1.1R states that firms must ensure employees are competent and "remain so." The ongoing competence requirement maps directly to recertification cadence governance. For AI agent oversight that constitutes or supports a regulated activity, recertification must demonstrate that operators remain competent to oversee the specific AI systems they supervise, with assessment reflecting current system behaviour and current regulatory requirements.

ISO 42001 — Clause 7.2 (Competence)

ISO 42001 Clause 7.2 requires that organisations ensure persons performing work under their control are competent on the basis of appropriate education, training, or experience, and where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of those actions. Recertification is the mechanism for evaluating whether competence is maintained over time. The clause's requirement to "evaluate the effectiveness" of competence actions maps to practical assessment — the organisation must verify through assessment that training produced actual competence, not merely training attendance.

SOX — Section 404 (Internal Controls Over Financial Reporting)

Where human operators form part of the internal control framework for AI-assisted financial reporting, their competence is a control component. SOX requires that controls are effective throughout the reporting period, not merely at a single assessment point. Operator competence that degrades between annual recertifications represents a control gap. For SOX-relevant oversight roles, recertification cadence should ensure that competence is maintained continuously, supporting the assertion that controls were effective throughout the period.

DORA — Article 13 (Learning and Evolving)

DORA Article 13 requires financial entities to develop ICT risk management capabilities through lessons learned from ICT-related incidents, testing, and emerging threats. Recertification that incorporates incident learning (per AG-423) and evolving threat awareness supports this requirement by ensuring that operator competence reflects current knowledge, not historical training.

NIST AI RMF — GOVERN 1.4 and MANAGE 4.2

GOVERN 1.4 addresses processes for AI risk management, including workforce competence. MANAGE 4.2 addresses the need for regular assessment of AI system performance, which includes the performance of the humans who oversee AI systems. Recertification cadence governance supports both provisions by ensuring that the human component of AI governance maintains adequate competence through regular, practical assessment.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	All oversight decisions made by operators with degraded or outdated competence — potentially spanning months of operation across multiple operators, with systemic impact when a change event invalidates an entire team's certifications simultaneously

Consequence chain: Operator competence degrades or becomes outdated without detection, causing the oversight function to operate on incorrect assumptions about agent behaviour, regulatory requirements, or procedural correctness. The immediate failure is a divergence between the operator's mental model and operational reality — the operator believes the system works one way when it actually works differently (Scenario A: £1.8 million loss from misinterpreted risk score), or the operator believes the regulatory requirements are one thing when they have changed (Scenario C: 67 incorrect decisions, £890,000 remediation). The operational impact is insidious because the operators are not aware that their competence has degraded — they perform oversight with confidence, making decisions that appear reasoned and professional but are based on outdated or incomplete knowledge. This creates a specific and dangerous failure mode: operators overriding correct agent outputs because the agent's behaviour has changed and the operator's understanding has not. The business consequences include financial loss from oversight failures, regulatory findings for inadequate competence management, remediation costs for decisions made during competence gap periods, and potential safety incidents in safety-critical contexts (Scenario B: £620,000 in fines, 8,000 households affected). The regulatory consequence is compounded because the failure reveals a systemic governance weakness — the organisation mandated human oversight but did not ensure that the humans were competent to provide it. This transforms an isolated decision error into a systemic control finding.

Cross-references: AG-007 (Governance Configuration Control), AG-440 (Oversight Ergonomic Design Governance), AG-441 (Shift Handover Quality Governance), AG-445 (Fatigue Monitoring Governance), AG-447 (Deskilling Mitigation Drill Governance), AG-420 (Tabletop Exercise Governance), AG-426 (Fallback Staffing Governance), AG-423 (Incident Learning Closure Governance).