The complete guide: implementing AI literacy in your organisation
A step-by-step guide to implementing AI literacy under the EU AI Act: inventory, risk classification, role-based training, policy, documentation and upkeep.

You know that taking AI literacy measures is mandatory. You know that Article 4 of the EU AI Act has applied since February 2025. If you first want to be clear on which knowledge each role needs under the EU AI Act, you will find that in a separate insight. But how do you tackle it concretely? How do you get from "we have to do something" to "we have done it and can demonstrate it"?
This guide gives you a step-by-step playbook you can run tomorrow. No dry theory and no legal jargon, just a practical plan for SMEs, local authorities and other organisations that want to get their AI literacy in order.
Phase 1: Inventory (week 1)
Before you can train, you need to know what you have. That sounds obvious, but most organisations skip this step, which is precisely where things go wrong.
Step 1: Make an AI inventory
Map which AI systems are used in your organisation. Not only the official tools, but also the unofficial ones. Ask your IT department for a list of all software with AI components. Ask staff which AI tools they use themselves. Check your browser policy: are there extensions active that use AI?
Pay extra attention here: many employees install "free" AI translators or summary tools that read along with all the text on their screen in the background. This is often the largest invisible data breach risk within an organisation.
Step 2: Risk classification
Categorise each AI system into the risk classes of the EU AI Act:
Important for local authorities and healthcare organisations: AI used for emergency healthcare triage or for assessing access to social benefits can fall into the high-risk category. In many public-sector or essential-service contexts, this may also trigger a Fundamental Rights Impact Assessment (FRIA) under Article 27. Assess this per system and document the outcome.
Step 3: Determine roles
Determine for each employee which category they fall into. In many organisations, most staff (often 70 to 80 per cent) will be "ordinary users" who need basic training. Managers must also know the obligations of the organisation. HR professionals who use AI in recruitment are in the high-risk category. IT administrators must know when fine-tuning turns you from a deployer into a provider.
Note: in certain cases the law can "promote" you from deployer to provider, with heavier obligations as a result. When you fine-tune a general-purpose AI model (GPAI), that only happens, according to the non-binding guidelines of the European Commission (published on 10 July 2025), when the modification uses more than a third of the original training compute. This criterion concerns provider status for general-purpose AI models. It does not replace the separate Article 25 analysis for high-risk AI systems. Most organisations never reach that threshold: they use light techniques such as RAG or prompt engineering, not massive retraining. If such a substantial modification does make you a provider, the provider obligations apply, with a fine ceiling of up to 15 million euros or 3% of worldwide annual turnover. The highest ceiling of 35 million euros or 7% is reserved for the prohibited practices of Article 5 and so does not apply here.
Phase 2: Training (weeks 2-3)
Now that you know who needs what, you can train in a targeted way. The key is differentiation: not the same training for everyone, but the right training for the right role.
This is exactly how AIAdopt's microtrainings are built: role-based, with recognisable scenarios, short modules and a certificate with clear learning outcomes, for every role in your organisation.
Phase 3: Policy (weeks 3-4)
In parallel with the training, or directly after, you draw up an AI policy. Two to four pages are enough.
What it must contain:
Discuss the policy in a team meeting. Have staff confirm that they have read and understood it. And refer to it in the AI training, so that policy and training reinforce each other.
Phase 4: Documentation and evidence (ongoing)
This is where most organisations fall short. They train, they make policy, but they do not document. And at an audit, documentation is what makes your efforts demonstrable.
Tip: keep a central overview, a spreadsheet if necessary, in which you track per employee: name, department, role, modules followed, date, certificate status. Link the learning outcomes of the certificates to the specific roles in your organisation chart, and you have a compliance dashboard that gives an auditor a concrete starting point.
By the way: AIAdopt's training platform keeps track of this automatically. Per employee you see which modules were followed, when, and with what result, including certificates you can present directly at an audit.
Phase 5: Maintenance (annually)
AI literacy is not a one-off exercise. The technology changes, the legislation evolves, and your organisation changes with it.
Evaluate after 6 months: have new AI tools been taken into use? Are there staff who have not yet been trained? Have there been incidents?
Recertify after 12 months: have staff take the assessment again. The questions are different (drawn at random from a question bank), and the content is updated to the latest state of affairs.
The result
After going through these five phases you have: a complete overview of your AI use with risk classification, certified staff with demonstrable AI literacy per role, a documented AI policy, and an audit trail you can present to a supervisory authority.
That is not a compliance burden. That is a competitive advantage.
You do not have to do this alone. AIAdopt guides organisations through this whole journey, from inventory and risk classification to role-based training, certification and ongoing recertification. Everything you have read in this guide is exactly what we provide.