In many companies, the conversation about artificial intelligence starts with tools.

  • Who has access to ChatGPT?
  • Are we rolling out Copilot?
  • Can marketing use image generators?
  • Can sales rely on AI for proposals?
  • Can HR analyse CVs with the help of algorithms?

These are important questions, but they aren't where you should start.

The first question is different: do people in the organisation understand how to use AI safely?

That is what AI literacy is about.

AI literacy doesn't mean everyone has to become an AI expert

One of the most common mistakes is treating AI literacy like a course on using a specific tool. But it isn't about every employee knowing all the features of ChatGPT, Gemini, Claude or Copilot.

AI literacy is not the manual for one program.

It is the practical ability to understand what AI is in everyday work, what its limitations are, what risks it can create and when a human must take responsibility.

An employee with AI literacy doesn't have to be able to explain the architecture of a language model. They should, however, know that AI can generate errors, invent facts, oversimplify context, miss industry nuance or sound very confident while providing false information.

They should also know that not everything that can be pasted into an AI tool is allowed to be pasted there.

That is the difference between using AI and using AI responsibly.

Why is this topic urgent?

The AI Act introduces an obligation to ensure an adequate level of AI competence among people who operate and use AI systems on behalf of an organisation. This obligation, stemming from Article 4 of the AI Act, has applied since 2 February 2025.

This matters, because many companies still think about the AI Act mainly through the lens of future obligations for high-risk systems. Yet AI literacy is one of the first areas that already applies to organisations using AI.

This does not mean every company must immediately build a large AI academy programme. It does mean the organisation should be able to show that it has taken reasonable steps: trained people, set rules, explained the risks and adjusted the level of knowledge to how AI is actually used in the company.

In other words: it isn't enough to tell employees "use AI, but be careful."

You have to tell them what, specifically, to be careful about.

The biggest risk starts with ordinary tasks

Many AI-related risks don't appear in spectacular technology projects. They appear in ordinary office work.

Someone wants to prepare a reply to a client faster, so they paste part of the correspondence into an AI tool. Someone summarises a contract. Someone polishes a recruitment document. Someone analyses data from a spreadsheet. Someone writes a product description. Someone asks AI to assess a text, a CV, a complaint or a letter from a contractor.

In each of these situations AI can genuinely help.

But in each of them a problem can also arise: data exposure, breach of confidentiality, a factual error, an unauthorised recommendation, a lack of source verification, or a decision based on output that no one actually checked.

That is why AI literacy is not a topic for the IT department alone.

It concerns HR, marketing, sales, administration, customer service, the board, finance, lawyers, managers and everyone who uses AI tools in their daily work.

Employees don't have to fear AI. They shouldn't trust it blindly either

A good AI literacy programme does not build fear of technology.

The point isn't to discourage people from using AI. Quite the opposite - well-prepared employees can use AI more wisely, faster and more safely.

The problem begins when an organisation falls into one of two extremes.

The first extreme is banning everything. The company blocks tools, doesn't explain why and pretends employees won't look for workarounds.

The second extreme is total freedom. Everyone uses whatever they want, however they want, for whatever they want, and the company has no rules, no register of tools and no knowledge of what data goes into external systems.

AI literacy lets you escape both extremes.

It gives employees a basic orientation: what is allowed, what is not, when to be cautious, when consent is needed and when AI output must be checked by a human.

What should an employee using AI understand?

In practice, AI literacy should address a few simple situations from everyday work.

An employee should know that personal data, confidential information, client documents, financial data, contracts or internal materials should not go into random AI tools without the organisation's assessment and consent.

They should understand that an AI answer is not a source of truth. It can be a starting point, a draft, an inspiration or help in organising information, but it does not replace verification.

They should be able to recognise situations in which using AI may affect other people: candidates, employees, clients, students, patients, citizens or contractors. There the risk is greater than when polishing the style of an internal note.

They should also know that a company may have approved and unapproved AI tools. The fact that something is available online does not automatically mean it can be used at work.

This is not technical knowledge. It is basic organisational hygiene.

AI literacy must be tailored to the role

Not everyone in a company needs the same level of knowledge about AI.

A person who occasionally uses AI to edit text needs different preparation than an HR employee using tools that support recruitment, than the IT department, and different still from a board making deployment decisions.

This matters, because the AI Act indicates that the level of competence should take into account, among other things, technical knowledge, experience, education, training, the context in which the AI system is used and the people the system is applied to.

In practice, this means AI literacy should not be a single presentation sent to everyone.

A better approach is a common minimum for the whole organisation plus additional modules for people who use AI in more sensitive processes.

The board should understand the risk and the responsibility. HR should understand AI's limitations when working with candidates and employees. Marketing should know how to label content and avoid copyright infringement. Sales should know what not to enter into AI tools in the context of clients and proposals. IT and compliance should understand questions of vendors, data, security and the register of tools.

Only then does training stop being a formality and start genuinely changing the way people work.

Training alone is not enough without rules

AI literacy is the first step, but it should not hang in a vacuum.

If a company trains people but has no AI policy, no list of approved tools, no rules on data and no process for reporting new uses, employees are still left to deal with the problem on their own.

Good practice looks different.

First, the organisation sets basic rules for using AI. Then it trains employees with reference to those rules. Next it collects confirmations that employees understand and accept the rules. In parallel, it creates a register of AI tools and begins to assess where using AI may create risk.

Then AI literacy stops being a training event.

It becomes part of the company's AI management system.

Evidence matters

In the context of the AI Act, it will matter more and more not only whether a company did something, but whether it can demonstrate it.

If an organisation says it trained its employees, it should know who completed the training, when, on what scope and whether they accepted the rules for using AI.

If a company claims to have an AI policy, it should be able to show its current version, the date it was implemented and how it was communicated to the team.

If an organisation declares that it manages AI risk, it should have at least a basic register of tools and uses.

Without this, it's easy to fall into the trap of apparent compliance. At the level of declarations everything looks fine, but when a client, an audit or an inspection asks, there is nothing to show.

Where does AI TrustCERT help?

AI TrustCERT was designed precisely around a company's practical readiness to use AI responsibly.

It helps put the area of AI literacy in order not as a one-off training, but as part of a broader process: educating employees, adopting rules, confirming acceptance, identifying tools, recognising risks and preparing a readiness report.

As a result, a company can move from the general message "use AI carefully" to a concrete system: we know who we trained, which rules apply, who accepted them and which areas need further action.

This matters, because AI literacy is not about an employee knowing fashionable buzzwords.

It's about making better decisions in everyday work.

Summary

AI literacy is one of the simplest, cheapest and most practical steps in preparing a company for the AI Act.

It doesn't require a big technology deployment. It requires putting the basics in order: clear rules, understandable training, awareness of risk and evidence that the organisation has genuinely addressed the topic.

A company that doesn't do this may face a growing problem - not because it uses AI, but because its employees use AI without a shared understanding of the rules.

AI literacy is not a course on using ChatGPT.

It is the first level of responsibility for AI in an organisation.

And the first step toward keeping AI under control.

Sources

  1. The European Commission states that the first AI Act rules began to apply on 2 February 2025, including the definition of an AI system, AI literacy and a limited number of prohibited AI practices.
  2. The European Commission explains that Article 4 of the AI Act requires providers and deployers of AI to ensure an adequate level of AI competence among their staff and other people acting on their behalf, taking into account, among other things, technical knowledge, experience, training, the context of system use and the people the system is applied to.
  3. The European Commission indicates that the obligation under Article 4 of the AI Act applies from 2 February 2025, while supervision and enforcement by national market surveillance authorities will start from August 2026.
  4. Reuters reported on the European Commission's guidance on prohibited AI practices, including uses related to employers, websites and the police, illustrating the practical context of the risks employees and organisations must understand.