Directive controls are designed to guide the actions of users or systems, ensuring that they operate according to the policies and standards in place. Mandatory user training for handling sensitive data is clearly a directive control because it requires certain behavior from users in relation to security practices, thereby directing their actions in accordance with organizational security requirements.