AI Act Checklist: 7 Questions Every Training Manager Must Be Able to Answer

The EU AI Act doesn't require a course. It requires you to prove your team understands the AI they use — what it can do, what it can't, and what risks it carries.
Article 4 of Regulation (EU) 2024/1689 sets out something more concrete than it first appears: it's not enough for employees to use AI systems. The organization must be able to demonstrate that they understand what they're using — what the system can do, what it can't, and what the consequences are of trusting its output without applying their own judgment. From August 2, 2026, Spain's AI supervisory authority (AESIA) can begin verifying that compliance.
The question we hear most often from L&D teams right now isn't "what does the law say?" It's: "how do I know if what we have is already enough?"
That's exactly what this checklist is for. It's not a complete guide to the Regulation — that's in our detailed guide to Article 4. It's a diagnostic tool: seven questions that help you see where the work is done and where the real gaps are before August.
Article 4 applies to those who deploy AI systems — not only those who build them. That includes any AI tool your employees use: writing assistants, predictive analytics platforms, recommendation systems, AI-powered hiring tools, content generators.
Without an inventory, you can't know who needs training or on what. The obligation isn't generic — it's tied to the specific systems each role actually uses.
What you should have: an up-to-date register of which AI systems are in use, in which departments, and for which functions. It doesn't need to be sophisticated — a spreadsheet works. What doesn't work is not having one at all.
The Regulation classifies AI systems into four categories: unacceptable risk (prohibited), high risk, limited risk, and minimal risk. Training requirements are more demanding for high-risk systems — including those that affect hiring decisions, performance evaluation, access to services, or critical infrastructure.
What you should have: a basic risk classification for each system in your inventory. For high-risk systems, the requirement for documented competency is higher — and so is the depth of training required.
"Sufficient AI literacy" doesn't mean the same thing for everyone. Article 4 explicitly recognizes that the required competency level must be adapted to the role: the engineer fine-tuning a model needs a different kind of understanding than the sales rep using a customer analytics tool, or the manager making decisions based on automated recommendations.
Training the entire workforce with the same generic module doesn't fulfill the obligation — it covers it on paper, but not in substance.
What you should have: a role-and-competency matrix that defines, for each profile, which aspects of the AI systems in use they need to understand and at what level of depth.
This is where many organizations fall short without realizing it. Article 4 requires employees to understand three dimensions of the systems they use: what the system can do, what it cannot do, and what risks its use entails.
A tool onboarding module that explains "how to log in, how to run a query, how to read the output" doesn't meet this requirement. The critical dimension is missing: when the system can be wrong, what biases it may carry, what the consequences are of trusting its output blindly.
What you should have: training content that includes, for each system, at least one block on known limitations and one on the risks of misuse or over-reliance.
Here's a distinction many teams overlook: having a training system is not the same as having audit-ready evidence.
An LMS with published modules is a system. Evidence is something else: individualized records showing that each specific employee completed the training, on what date, and with what result if there was an assessment. The difference matters because an inspection doesn't audit the platform — it audits the person. "María García, from the operations department, completed the AI literacy module on May 15 with an 85% score on the final assessment" is evidence. "We have a course in the LMS that all employees have access to" is not.
A PDF sent by email doesn't generate that record. Neither does an in-person session without a signed attendance list and outcome.
What you should have: individualized completion records per employee, module, date, and assessment result — automatically generated by the system and exportable in a format that supports an audit (SCORM, xAPI, or another recognized traceability standard).
The Regulation treats AI literacy as an ongoing competency, not a one-time certificate. AI systems get updated, the Regulation's application guidelines are published progressively, and the catalog of tools in use at your company will change.
Training designed once to meet a deadline in August 2026 may be obsolete before the year is out.
What you should have: a periodic review mechanism for training content — at minimum, annual — and a clear process for updating modules when a new AI system is introduced or an existing one changes significantly.
Not in three months. Today.
This is the closing question because it reveals whether compliance work is done or merely planned. The inventory, the risk classification, the role matrix, the training content, the records, the update plan — if any of these exists only as intention, the compliance is not complete.
AESIA doesn't evaluate plans. It evaluates evidence.
Seven questions. In most organizations, two or three don't have a solid answer. That's not a failure — it's a useful diagnosis.
The path forward is practical: inventory first (nothing else is possible without it), then risk classification by system, then the role matrix, and from there the design of training with traceability built in from the first module. The order matters because each step enables the next.
What doesn't work is treating all of this as a project for "after the summer." The deadline is before the summer.
No. The obligation to ensure "sufficient AI literacy" applies to any organization that deploys AI systems — meaning, uses them in its operations. If your company uses an AI tool for hiring, customer analysis, or operational management, Article 4 applies to you.
From August 2, 2026, AESIA can open supervisory proceedings. Penalties under the Regulation for breaches of operator requirements (which include Article 4) can reach up to €15 million or 3% of global annual turnover. For less serious breaches, penalties are lower — but reputational risk and exposure in internal audits also count.
It depends on the content, but in most cases it's not enough. Article 4 requires training to be proportionate to the role and to the specific systems the employee uses. A general introductory module can be a starting point — but not the end point.
Article 4 establishes the general AI literacy obligation for all employees who work with AI systems, regardless of risk level. High-risk systems (Annex III of the Regulation) have additional specific requirements: technical documentation, human oversight, audits, activity logging. These are two separate layers — Article 4 applies in every case; the high-risk requirements are added on top when the system falls into that category.
^1 Regulation (EU) 2024/1689 of the European Parliament and of the Council (EU Artificial Intelligence Act). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689
^2 AESIA — Agencia Española de Supervisión de la Inteligencia Artificial. https://www.aesia.es
@ 2026 Vidext Inc.