By NHI Mgmt Group Editorial Team | Published 2026-06-30 | Domain: Governance & Risk | Source: Sumsub

TL;DR: More than 15,000 professionals have already been trained and certificates now count as recognised evidence of competence across compliance and risk workflows, according to Sumsub. The shift matters because standardised, verifiable learning is becoming a governance requirement, not just a training nice-to-have.


At a glance

What this is: Sumsub Academy has gained CPD accreditation, turning its free compliance courses into formally recognised learning for risk and compliance professionals.

Why it matters: This matters because verified training can help standardise onboarding, refresher learning, and accountability across compliance and identity-adjacent programmes.



Context

Compliance training only helps when it produces skills that can be demonstrated, not just completed. In practice, many programmes still rely on informal enablement that does little to prove competence across onboarding, verification, fraud response, and lifecycle controls.

CPD accreditation changes the governance conversation because it gives teams a recognised way to show that learning has happened and been assessed. For IAM, identity lifecycle, and risk leaders, that matters wherever human reviewers, analysts, and operations staff are part of the control plane.


Key questions

Q: How should compliance teams use accredited training in regulated workflows?

A: Use accredited training as evidence that staff have completed structured learning for specific workflows, then link it to role ownership, supervision, and review outcomes. The goal is not to replace controls with courses. The goal is to make competence visible, auditable, and tied to the processes where mistakes create regulatory or fraud exposure.

Q: When does compliance training become a governance control rather than awareness raising?

A: Training becomes a governance control when it is standardised, recorded, and mapped to real operational responsibilities. That is the point at which learning stops being a communications exercise and starts supporting accountability, audit evidence, and consistent decision-making across the customer lifecycle.

Q: What signals show that teams are not ready to apply compliance training in practice?

A: The main signals are inconsistent case handling, repeated escalation errors, weak audit evidence, and dependence on a few experienced staff to interpret exceptions. If knowledge is not producing repeatable decisions across the team, the programme is still awareness based rather than operationally mature.

Q: Who should own evidence that compliance staff have been trained correctly?

A: Ownership should sit with the function that controls the workflow, usually compliance leadership in partnership with line managers and internal audit. Training records are strongest when they sit alongside role definitions, supervision rules, and periodic reassessment, because then competence can be tied to actual responsibility rather than attendance alone.


Technical breakdown

CPD accreditation and what it changes in compliance learning

CPD, or Continuous Professional Development, is a formal mechanism for recognising structured learning and recorded professional growth. In a compliance context, accreditation matters because it converts training from an informal activity into evidence that can support competence tracking, audit preparation, and role-based development. That does not guarantee operational skill by itself, but it does create a more defensible record than ad hoc attendance. For organisations managing regulated workflows, the distinction between learning content and verifiable learning evidence is material.

Practical implication: treat accredited learning as evidence input to governance records, not as a substitute for control testing.

Why operational training matters in onboarding and fraud workflows

Onboarding, verification, and fraud prevention depend on consistent human judgement as much as tooling. When teams lack a shared baseline, decisions drift across regions, queues, and escalation paths, which creates uneven customer handling and control gaps. Practical training helps reduce that variance by translating policy into repeatable action. The value is not abstract education. It is better decision quality at the points where identity checks, exception handling, and case review affect risk.

Practical implication: map training completion to the workflows where judgement errors create the highest compliance and fraud exposure.

How accredited learning supports lifecycle governance and auditability

Lifecycle governance depends on people understanding when to approve, escalate, re-verify, or offboard activity across a process, not only on systems enforcing those steps. Accredited learning gives organisations a cleaner way to show that staff responsible for these actions have been trained against a recognised standard. That is particularly useful where regulators or auditors ask for evidence that control owners understand the procedures they are expected to apply. The stronger the evidence trail, the easier it is to defend operating discipline.

Practical implication: align accredited training with control ownership so audit requests can be answered with evidence, not just policy statements.


NHI Mgmt Group analysis

Verified learning is becoming part of compliance governance, not a separate HR activity. When organisations can show that training has been accredited and completed, they gain a stronger evidence trail for control ownership and accountability. That matters in regulated environments where the question is increasingly not whether people were informed, but whether they can prove competence at the point of action. Practitioners should treat learning records as a governance artifact.

Standardised training matters most where human judgement drives control quality. Onboarding, verification, and fraud review all depend on consistency across teams, shifts, and regions. Formal accreditation reduces the variability that appears when knowledge is learned informally and never validated. The implication is straightforward: programmes that cannot evidence consistent operator knowledge are carrying hidden control risk.

CPD-style accreditation sharpens the boundary between awareness and operational readiness. Too many teams equate course completion with readiness to execute regulated processes, but the two are not identical. Recognised learning hours provide a better baseline for competence tracking, yet organisations still need workflow testing, supervision, and periodic reassessment. Practitioners should distinguish education records from control assurance.

Compliance capability is moving toward provable competence, not just policy compliance. As regulations become more detailed and customer lifecycle processes more complex, organisations need a way to show that staff understand the rules they apply. A named concept here is competence evidence debt: the gap between having training content available and being able to prove that the right people completed the right learning at the right time. The practical conclusion is that this gap will become harder to ignore in audits and assurance reviews.

Free access does not reduce governance value when the output is verifiable. A zero-cost course still has utility if it produces tracked learning hours and certificates that can be used in internal records and external professional development. The field should stop assuming that enterprise value only comes from paid training. Practitioners should focus on whether the learning outcome is auditable and role-relevant.

From our research:

  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to GitGuardian & CyberArk's The State of Secrets in AppSec.
  • The same research says the average estimated time to remediate a leaked secret is 27 days, even though 75% of organisations express strong confidence in their secrets management capabilities.
  • For a broader governance lens, see NHI Lifecycle Management Guide and OWASP Non-Human Identity Top 10 for lifecycle and control patterns that translate beyond compliance training.

What this signals

Compliance programmes are increasingly judged by whether they can prove operator competence, not simply distribute material. With 57% of organisations lacking a complete inventory of their machine identities, governance gaps often start with poor process ownership and end with weak assurance records.

Competence evidence debt: the gap between training availability and provable readiness is now a practical risk signal. Organisations that cannot connect learning records to role-based control ownership will struggle to defend consistency in audit, incident review, or regulatory challenge.


For practitioners

  • Map accredited courses to control ownership: Assign accredited learning to staff who own onboarding, verification, fraud review, and escalation decisions so training evidence supports the controls they operate.
  • Separate awareness from readiness: Use course completion as a baseline, then validate competence through workflow tests, supervised case reviews, and periodic reassessment.
  • Track training evidence alongside policy attestations: Keep certificates, learning hours, and role assignment records together so audits can trace who was trained, when, and for which regulated process.
  • Use formal learning to reduce process variance: Prioritise accredited refreshers for teams that handle onboarding exceptions, fraud escalation, and cross-border compliance decisions where inconsistency creates risk.

Key takeaways

  • Formal accreditation turns compliance learning into evidence that can support governance, audit, and accountability.
  • The real value is consistency at the workflow edge, where onboarding, verification, and fraud decisions are made.
  • Organisations still need supervision and testing, because certificates prove exposure to learning, not operational readiness by themselves.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| NIST CSF 2.0 | PR.AT-1 | Training and awareness are central to making compliance roles repeatable and auditable. |
| NIST CSF 2.0 | PR.AC-1 | Role alignment matters because trained staff need clear authority in the workflow they operate. |
| NIST SP 800-63 | | Identity assurance thinking supports evidence-based competence tracking for people handling regulated tasks. |

Tie accredited learning to role-based training records and reassessments for staff in regulated workflows.


Key terms

  • Continuous Professional Development: A formal model for tracking structured learning and professional growth over time. In security and compliance functions, CPD matters because it creates evidence that staff have completed recognised training and can maintain competence in regulated workflows, not just attended a one-off course.
  • Competence evidence: Records that demonstrate a person has completed learning tied to a real job responsibility. In identity and compliance governance, competence evidence is stronger than attendance because it can be audited, linked to role ownership, and used to show that a control operator was trained for the task they performed.
  • Operational readiness: The point at which a person can apply knowledge reliably in live workflows. It is more than awareness or course completion. Operational readiness means the individual can make repeatable decisions, follow policy under pressure, and act consistently enough for the organisation to rely on their output.

This post draws on content published by Sumsub: Sumsub Academy receives CPD accreditation for compliance training.
