AI literacy requirement applies
Article 4 of the EU AI Act requires providers and deployers to take measures, to their best extent, to ensure sufficient AI literacy for staff and others using AI systems on their behalf.
AI training is often treated as a one-off awareness session: a prompt-engineering lunch, a slide deck on hallucinations, a short note saying employees should be careful. That is not enough for responsible adoption.
The EU AI Act changed the baseline. Article 4 requires providers and deployers of AI systems to take measures to ensure, to their best extent, a sufficient level of AI literacy for staff and other people operating or using AI systems on their behalf. The required literacy depends on technical knowledge, experience, education, training, context of use, and the people affected by the system.
In plain language: AI literacy is now operational. It has to match the role, the tool, the workflow, and the risk.
Why generic training fails
A finance analyst, HR manager, legal assistant, clinician, compliance officer, and board member do not need the same AI training. They need a shared foundation, but their decisions are different.
Generic training creates three problems:
- people learn vocabulary but not decision rules;
- high-risk roles receive the same guidance as low-risk roles;
- the organisation cannot show that training matched the actual use context.
AI literacy should be designed like a control, not like a motivational seminar.
A practical AI literacy model
Level 1: General AI literacy
Everyone using AI should understand what generative AI does and does not do: probabilistic output, hallucination, data sensitivity, limits of prompts, overconfidence, bias, and the need for review.
Level 2: Workflow literacy
People using AI in a specific workflow need to understand the permitted tool, permitted data, review standard, escalation path, and documentation requirement for that workflow.
Level 3: Decision literacy
Managers and accountable owners need to understand when an AI use case affects rights, obligations, safety, finance, employment, health, reputation, or customer trust. They need to know when the answer is not "train harder" but "change the workflow" or "do not deploy yet".
Level 4: Governance literacy
Leaders, risk teams, compliance teams, product owners, and AI champions need to understand the governance system: inventory, risk classification, vendor review, human oversight, monitoring, incident handling, and periodic review.
AI literacy programme starter checklist
0/0The training evidence problem
Article 4 does not prescribe a single training format. That flexibility is useful, but it means organisations need evidence of reasonable measures.
Evidence can include:
- role-based training matrix;
- training materials;
- attendance records;
- tool-specific guidance;
- workflow playbooks;
- AI policy acknowledgements;
- refresh cycles;
- escalation examples;
- records of updates after incidents or tool changes.
This is where ISO/IEC 42001 becomes useful. It frames AI governance as a management system: not a one-time project, but a maintained set of policies, processes, responsibilities, evidence, and improvement loops.
What to do next
Start with three groups: everyone, frequent users, and accountable owners. Define what each group must know, which tools they use, which data they handle, and what evidence you will keep. A small, role-based programme is better than a large generic session that nobody can apply.