Guide · March 2026 · 8 min reading time

The complete guide: implementing AI literacy in your organisation

A step-by-step guide to implementing AI literacy under the EU AI Act: inventory, risk classification, role-based training, policy, documentation and upkeep.

You know that taking AI literacy measures is mandatory. You know that Article 4 of the EU AI Act has applied since February 2025. If you first want to be clear on which knowledge each role needs under the EU AI Act, you will find that in a separate insight. But how do you tackle it concretely? How do you get from "we have to do something" to "we have done it and can demonstrate it"?

This guide gives you a step-by-step playbook you can run tomorrow. No dry theory and no legal jargon, just a practical plan for SMEs, local authorities and other organisations that want to get their AI literacy in order.

Phase 1: Inventory (week 1)

Before you can train, you need to know what you have. That sounds obvious, but most organisations skip this step, which is precisely where things go wrong.

Step 1: Make an AI inventory

Map which AI systems are used in your organisation. Not only the official tools, but also the unofficial ones. Ask your IT department for a list of all software with AI components. Ask staff which AI tools they use themselves. Check your browser policy: are there extensions active that use AI?

Pay extra attention here: many employees install "free" AI translators or summary tools that read along in the background with all the text on their screen. This is often the largest invisible data breach risk within an organisation.

Step 2: Risk classification

Categorise each AI system into the risk classes of the EU AI Act:

Prohibited AI practices: social scoring, emotion recognition in the workplace, manipulation of vulnerable groups. If you find this: stop immediately.
High-risk: AI used in specific Annex III contexts, such as recruitment and selection, education assessment, emergency healthcare triage, access to essential public services, certain public-benefit decisions and critical infrastructure. Strict requirements apply here.
Limited risk: chatbots, deepfake tools. The transparency obligation applies here.
Minimal risk: spam filters, AI search functions, translation tools. Minimal requirements apply here, but AI literacy remains mandatory.

Important for local authorities and healthcare organisations: AI used for emergency healthcare triage or for assessing access to social benefits can fall into the high-risk category. In many public-sector or essential-service contexts, this may also trigger a Fundamental Rights Impact Assessment (FRIA) under Article 27. Assess this per system and document the outcome.

Step 3: Determine roles

Determine for each employee which category they fall into. In many organisations, most staff (often 70 to 80 per cent) will be "ordinary users"; they need basic training. Managers must also know the obligations of the organisation. HR professionals who use AI in recruitment are in the high-risk category. IT administrators must know when fine-tuning turns you from a deployer into a provider.

Note: in certain cases the law can "promote" you from deployer to provider, with heavier obligations as a result. When fine-tuning a general-purpose AI model (GPAI), according to the non-binding guidelines of the European Commission (published on 10 July 2025), that only happens when the modification uses more than a third of the original training compute. This criterion concerns provider status for general-purpose AI models. It does not replace the separate Article 25 analysis for high-risk AI systems. Most organisations never reach that threshold: they use light techniques such as RAG or prompt engineering, not massive retraining. If such a substantial modification does make you a provider, the provider obligations apply, with a fine ceiling of up to 15 million euros or 3% of worldwide annual turnover. The highest ceiling of 35 million euros or 7% is reserved for the prohibited practices of Article 5 and so does not apply here.

Phase 2: Training (weeks 2-3)

Now that you know who needs what, you can train in a targeted way. The key is differentiation: not the same training for everyone, but the right training for the right role.

Role-based: a receptionist who occasionally uses ChatGPT needs different knowledge than an HR manager who uses AI in selection interviews. Article 4 explicitly says you must take account of the context of your staff.
Practical and recognisable: work with scenarios that staff recognise from their own working day. Not abstract legislation, but concrete situations.
Assessed and certified: a training without an assessment is a presentation. A certificate that states exactly which competences were assessed and which articles of the AI Act were covered is strong, practical evidence.
Short modules: 20-30 minutes per session, followed at your own pace, on any device. That is the format that works in practice.

This is exactly how AIAdopt's microtrainings are built: role-based, with recognisable scenarios, short modules and a certificate with clear learning outcomes, for every role in your organisation.

Phase 3: Policy (weeks 3-4)

In parallel with the training, or directly after, you draw up an AI policy. Two to four pages are enough.

What it must contain:

Approved AI tools: which tools may staff use? Which are not allowed?
Guidelines for data processing: which data may and may not be entered into AI tools?
Rules for confidential information: with free tools there is a real risk that your input is used in model training. With business contracts this is usually excluded. Make sure staff know this difference.
Responsibilities: who is the person responsible for AI? Who do staff report problems to?
Rules for high-risk use: which extra safeguards apply?
Sanctions: not to punish, but to make clear that the policy is serious.

Discuss the policy in a team meeting. Have staff confirm that they have read and understood it. And refer to it in the AI training, so that policy and training reinforce each other.

Phase 4: Documentation and evidence (ongoing)

This is where most organisations fall short. They train, they make policy, but they do not document. And at an audit, documentation is what makes your efforts demonstrable.

Per employee: who followed which training, when, and with what result. Keep certificates centrally.
AI inventory list: which systems, which risk class, who is responsible.
AI policy: dated, signed, and communicated.
Incidents: if something goes wrong, record what happened and which measures were taken.

Tip: keep a central overview, a spreadsheet if necessary, in which you track per employee: name, department, role, modules followed, date, certificate status. Link the learning outcomes of the certificates to the specific roles in your organisation chart, and you have a compliance dashboard that gives an auditor a concrete starting point.

By the way: AIAdopt's training platform keeps track of this automatically. Per employee you see which modules were followed, when, and with what result, including certificates you can present directly at an audit.

Phase 5: Maintenance (annually)

AI literacy is not a one-off exercise. The technology changes, the legislation evolves, and your organisation changes with it.

Evaluate after 6 months: have new AI tools been taken into use? Are there staff who have not yet been trained? Have there been incidents?

Recertify after 12 months: have staff take the assessment again. The questions are different (drawn at random from a question bank), and the content is updated to the latest state of affairs.

The result

After going through these five phases you have: a complete overview of your AI use with risk classification, certified staff with demonstrable AI literacy per role, a documented AI policy, and an audit trail you can present to a supervisory authority.

That is not a compliance burden. That is a competitive advantage.

You do not have to do this alone. AIAdopt guides organisations through this whole journey, from inventory and risk classification to role-based training, certification and ongoing recertification. Everything you have read in this guide is exactly what we provide.

Want to know where your organisation stands?

Download our free EU AI Act Compliance Checklist or view our AI literacy training.

Want to know more?

Get in touch for a no-obligation conversation about what AIAdopt can do for your organisation.