Your organisation has an AI policy. But do you know if anyone follows it?
An AI policy on paper does not steer behaviour. How Article 4 of the EU AI Act and AI literacy training close the gap, with a concrete testing rhythm.

Most organisations I speak to now have some form of AI policy. A memo, a directive, a paragraph in the information security policy. Duly approved, neatly archived. And that is often where the story ends. Because between that document and what actually happens on Monday morning at the front desk, in the policy department or out in the field, there is a gap. The question almost nobody asks: do you know whether your staff follow that policy? And do they even understand it?
What the UN panel established on 1 July 2026
On 1 July 2026, the UN panel of forty international AI experts presented its first report, led by Turing Award winner Yoshua Bengio and Nobel Peace Prize laureate Maria Ressa. It fed into the first global dialogue on AI governance, held in Geneva on 6 and 7 July 2026.
Two findings stood out. One: there are already more than forty AI governance frameworks and guidelines worldwide, but they are fragmented, inconsistent and rarely tested on the only question that matters: do they work? Two: policymakers face what the panel calls the evidence dilemma. You need reliable knowledge to regulate AI well, but by the time that knowledge exists, the technology has already moved on.
That is about states and treaties, not about your organisation. But the pattern behind it is uncomfortably familiar: writing frameworks without ever checking whether they work.
The same pattern, closer to home
In many organisations, the AI policy is exactly that kind of framework: drafted, approved and never again held up against everyday practice. Nobody knows whether employees are aware of it. Nobody knows whether they follow it. Nobody knows whether it even matches the tools that are actually being used by now.
And the workplace has its own, smaller version of that evidence dilemma. When your policy was written, a good share of the AI features your staff use today did not yet exist. The colleague who discovered last month that the word processor can now "think along" did not reach for your memo at that moment. AI no longer enters only through procurement, where you can attach conditions to it. It is also built into the software you already have, and it evolves faster than any document.
A policy on paper does not steer behaviour. People do, when they understand what they are using and why there are limits.
Why a better document alone is not enough
The reflex is predictable: tighten the policy, write a version 2.0, add another annex. A clear, practical policy has real value, don't get me wrong. But it does not solve the core problem. The gap is not in the text. The gap is between the text and the people.
The UN panel pointed to something comparable at global level: many AI safety assessments today are carried out by the companies that build the systems. Organisations, in turn, often rely blindly on whatever their software provider calls "safe". If the only party that understands what an AI tool does is the provider, then your policy is a signature under someone else's homework.
The EU saw this too. It is no coincidence that AI literacy sits right at the front of the EU AI Act: Article 4 asks organisations that provide or use AI to take measures to develop the AI literacy of their staff and of others working with AI systems on their behalf. The law does not demand a guaranteed level of knowledge per individual. It does demand demonstrable measures that fit role, experience and context. Not a paper exercise, then, but a practical obligation you must fulfil in a demonstrable way. Which is only logical: someone who does not understand what a language model can and cannot do cannot follow a policy about exactly that.
What actually closes the gap: AI literacy in practice
Three things, in this order.
Know what is being used. Not what was purchased, but what is actually in use. Including the AI that rides along in existing software and the tools employees have found for themselves. A simple tool inventory that gets half an hour of attention every quarter is enough.
Make sure people understand what they are working with. That is not a study day on neural networks. It is basic knowledge: what can this do, what can it not do, which information may go in and which never should. AI literacy training does not have to be heavy. It mainly has to happen, for everyone who comes into contact with AI. And test the understanding, not the reading: a short knowledge check says more than a signature under the memo.
Test the policy against practice, in a fixed rhythm. Concretely: check every quarter whether the policy still matches what employees actually use. Update the tool inventory, review a few real work products where AI played a part, set up an accessible reporting point for incidents and doubtful cases without a blame culture, and record twice a year, in a short meeting with senior management, what needs adjusting. Not an audit project, but a recurring business rhythm. Precisely the point where the world's frameworks fail, according to the UN panel: they get written, not tested.
On 6 and 7 July 2026, governments in Geneva discussed how to keep AI governable at global level. Important work. But it changes nothing about what happens in your organisation today. Nobody will close that gap for you. The good news: it is a gap you can close yourself, and the first step is not a thicker document. It is people who know what they are doing.
Rob Ummels, AIAdopt. AI adoption, AI literacy and practical guidance for organisations that want to use AI wisely.
Written by Rob Ummels in collaboration with Claude (Anthropic). Final editorial responsibility: AIAdopt.
Want to know where your organisation stands?
Download our free EU AI Act Compliance Checklist or view our AI literacy training.