Artificial intelligence is no longer a topic of the future. In many companies it is already part of everyday work: it helps create content, analyze data, prepare proposals, serve customers, support sales, automate processes and make decisions.

The problem is that AI entered organizations faster than the rules for using it responsibly.

Employees use ChatGPT, Copilot, Gemini, Claude, image generators, automation tools, document analysis tools and customer service tools. They often do so with good intentions: they want to work faster, more smoothly and more efficiently.

But from the company's perspective, several important questions arise:

  • who in the organization uses AI?
  • what tasks are AI tools used for?
  • what data goes into those tools?
  • do employees know what must not be typed into AI?
  • can the company assess the risks associated with using AI?
  • is the organization prepared for the obligations arising from the AI Act?

This is precisely why preparing for the AI Act should not begin with panic about penalties. It should begin with two foundations: AI Governance and AI Literacy.

The AI Act is no longer a distant future

The AI Act - the EU regulation on artificial intelligence - entered into force on 1 August 2024. Its provisions are being implemented in stages, but some of them already apply.

From 2 February 2025, provisions started to apply covering, among other things, the definition of an AI system, prohibited practices, and AI literacy - that is, the competence and awareness associated with using artificial intelligence.

This means companies should not put the topic of AI off until later.

Even if an organization does not build its own AI models but uses ready-made tools in office work, marketing, sales, HR, customer service or data analysis, it should start to organize the way it uses AI.

The problem: companies use AI faster than they create rules

In many organizations AI appeared from the bottom up.

First, employees started testing tools. Then they used them in daily tasks. Next, departments began looking for automation, chatbots, content generators, analytical solutions and decision-support tools.

This is a natural process. AI delivers real benefits: it saves time, speeds up work, increases productivity and helps make better use of knowledge in the organization.

But without rules, so-called shadow AI can emerge - the use of AI tools outside the organization's control.

Examples?

An employee pastes customer data, a contract excerpt or an internal report into an AI tool. The marketing department generates content without labeling or verification. HR tests a CV-screening tool without a risk analysis. Sales uses AI to create proposals based on data that should not leave the organization. A team uses several different tools, but no one knows which of them are safe.

In situations like these, the problem is not artificial intelligence itself. The problem is the lack of management.

What is AI Governance?

AI Governance is a system of rules, processes and responsibilities for the use of AI in an organization.

Put more simply: it is the answer to the question of how a company manages artificial intelligence.

AI Governance should define, among other things:

  • who may use AI tools,
  • for what purposes they may be used,
  • what data must not be entered into AI,
  • who approves new tools,
  • who is responsible for risk assessment,
  • when human oversight is needed,
  • how the use of AI is documented,
  • what to do when AI makes a mistake,
  • how to monitor security and compliance.

Well-designed AI Governance is not meant to block innovation. On the contrary: it is meant to create the conditions in which a company can use AI safely, consciously and in a controlled way.

AI Governance is especially important wherever AI affects people, decisions, personal data, finances, the company's reputation or regulatory compliance.

What is AI Literacy?

AI Literacy is the competence, knowledge and awareness associated with using artificial intelligence.

It is not about every employee becoming a programmer or an expert on language models.

It is about the people who use AI understanding:

  • what AI is and how it works at a basic level,
  • what its limitations are,
  • what AI hallucinations are,
  • why AI answers need to be verified,
  • how to protect personal data and confidential information,
  • when AI tools must not be used,
  • when a human decision is needed,
  • what rules apply in the company,
  • what risks are associated with using AI in a specific department.

AI Literacy is a practical element of responsible AI adoption.

Because even the best AI policy will not work if employees do not know it, do not understand it, or cannot apply it in their daily work.

Why is an AI policy not enough?

Many companies start by creating a document: „AI Usage Policy”.

That is a good step. But the document alone is not enough.

If the AI policy ends up in a folder no one reads, it will not change the way the organization works.

An employee needs to know what this policy means in practice:

  • can they use AI to prepare a proposal?
  • can they paste customer data into a tool?
  • can they use AI to summarize a meeting?
  • can they generate content for publication?
  • do they have to label material created with the help of AI?
  • does the AI output have to be approved by a supervisor?

Without education, a policy remains theory.

That is why AI Governance and AI Literacy must work together.

Governance provides the rules. Literacy makes people able to apply them.

Why is training alone also not enough?

The second mistake is the opposite approach: the company organizes AI training but has no rules, procedures or responsibilities.

Employees learn how to use the tools, how to write prompts and how to speed up their work. But they still do not know:

  • which tools are approved by the company,
  • what data is forbidden,
  • who is responsible for an incorrect AI recommendation,
  • how to report incidents,
  • when AI can support a decision and when it should not be used,
  • where automation ends and risk begins.

The result?

More people use AI, but the organization still has no control.

That is why responsible AI adoption requires both elements: education and a management system.

What should a company do first?

Preparing for the AI Act does not have to start with a complicated legal project.

To begin with, it is worth taking a few practical steps.

1. Make an AI inventory

The company should check where and how AI is being used.

It is worth asking:

  • which AI tools are used,
  • by which departments,
  • for what tasks,
  • on what data,
  • whether they are approved tools,
  • whether they affect customers, employees or business decisions.

Without such a map, an organization often does not know what risks already exist.

2. Define the rules for using AI

Next, you need to establish the basic rules.

For example:

  • what data may and may not be entered into AI,
  • which tools may be used,
  • who approves new solutions,
  • when human oversight is required,
  • how to label AI-generated content,
  • how to verify the results of AI work,
  • how to report errors and incidents.

The rules should be simple, practical and understandable for employees.

3. Train your employees

AI Literacy should be tailored to the employee's role.

Marketing needs different competencies, HR others, sales others, customer service others, and management different ones again.

Training should cover not only the capabilities of AI, but also its limitations and risks.

The most important topics are:

  • data security,
  • confidentiality of information,
  • AI hallucinations,
  • responsibility for decisions,
  • verification of results,
  • company rules,
  • AI Act requirements,
  • practical examples from the given department.

4. Assign responsibility

It should be clear in the company who is responsible for managing AI.

This does not immediately have to mean a new position. But the organization should know:

  • who approves AI tools,
  • who maintains the register of AI use,
  • who assesses risks,
  • who is responsible for training,
  • who responds to incidents,
  • who monitors changes in regulations.

Without responsibility, AI remains a scattered topic that everyone is interested in but no one really manages.

5. Monitor and update

AI changes very quickly. Tools that are an add-on to work today may become part of a key process tomorrow.

That is why the rules for using AI should be updated regularly.

The company should monitor:

  • new tools,
  • new use cases,
  • incidents,
  • changes in regulations,
  • risks to data and security,
  • the effectiveness of training,
  • the needs of individual departments.

AI Governance is not a one-off document. It is a process.

AI Governance + AI Literacy = safer AI adoption

The greatest value of AI is not simply having the tools. The greatest value is using them skilfully, responsibly and consciously in the organization.

A company that has AI Governance knows what the rules are.

A company that develops AI Literacy has people who can apply those rules.

Only the combination of these two elements gives real control over AI.

This matters not only from the perspective of compliance with the AI Act. It also matters for data security, reputation, quality of work, customer trust and the efficiency of the organization.

The AI Act should not be treated solely as a legal problem.

It is a matter of managing the company.

If an organization uses AI, it should know where, how, by whom and for what purpose this technology is being used.

That is why the first step should not be the question: „Are we at risk of penalties?”

A better question is: „Can our company manage AI responsibly?”

The answer begins with two pillars:

  • AI Governance - that is, rules, procedures, responsibilities and risk control.
  • AI Literacy - that is, education, awareness and the practical competencies of employees.

Because AI should not be adopted by accident. It should be adopted consciously.

Want to check whether your company is ready for the AI Act?

Start by assessing two key areas: AI Governance and AI Literacy.

Check whether your organization:

  • knows where and how it uses AI,
  • has rules for using AI tools,
  • trains employees in the safe and responsible use of AI,
  • can assess the risks associated with AI,
  • documents and controls the use of artificial intelligence in business processes.

AI TrustCERT helps companies organize their use of AI in a single process - combining rules, procedures, risk assessment and employee education.

If your organization uses AI, do not wait until a problem appears. Start by getting the basics in order.

Sources

  1. European Commission - AI Act: regulatory framework for artificial intelligence in the EU. Information on the entry into force of the AI Act, the stages of applying its provisions and the obligations regarding prohibited practices, AI literacy, GPAI and high-risk systems.
  2. European Commission - AI Literacy: Questions & Answers. An explanation of the AI literacy obligation under Article 4 of the AI Act and the indication that providers and deployers of AI systems should ensure an adequate level of AI competence among people using the systems on their behalf.
  3. EUR-Lex - Regulation (EU) 2024/1689, Artificial Intelligence Act. The official text of the regulation of the European Parliament and of the Council laying down harmonized rules on artificial intelligence.
  4. AI Act Service Desk - Article 4: AI literacy. A practical discussion of the obligation to ensure an adequate level of AI literacy among employees and other people using AI on behalf of the organization.