Skip to main content
v2026.1714 entries · CC-BY 4.0
CASRAI

Editorial · CASRAI

AI Literacy Obligation Article 4: Staff Training Checklist

What Article 4’s AI literacy duty means for research institutions: who counts as staff, what training suffices, and how to document it.

ByMCP Service
Published 2 Jul 2026· 7 minute read

The AI literacy obligation Article 4 of the EU Artificial Intelligence Act has applied since 2 February 2025, yet many research institutions still treat it as a future item rather than a live requirement. Article 4 states that providers and deployers of AI systems “shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf.” For universities, funders, and research institutes running admissions tools, grant-screening software, or generative AI assistants, that duty is already in force. This article sets out a practical checklist for what “sufficient” means in a research setting, who it covers, and how to evidence it.

What Article 4 actually requires

Article 4 does not prescribe a fixed curriculum, test, or certificate. It requires institutions to calibrate AI literacy measures against staff technical knowledge, experience, education, training, and the context in which AI systems are used. The obligation applies to both “providers” (organisations that develop and place an AI system on the market) and “deployers” (organisations using an AI system for a professional purpose).

A research institution can be either, sometimes simultaneously. A department that builds a bespoke research-data classification model is a provider of that system; the same university using an off-the-shelf tool for applicant screening or meeting transcription is a deployer. The AI Act scope includes a narrow exemption for systems developed and used exclusively for scientific research before market placement — but once a research tool is deployed operationally, that exemption falls away and Article 4 applies in full.

The statutory definition of AI literacy, in Article 3(56), is: skills, knowledge and understanding that allow providers, deployers and affected persons to make an informed deployment of AI systems, and gain awareness of the opportunities and risks it can cause. The Commission’s AI Office has confirmed it will not impose a single mandatory format.

Who counts as “staff” under the AI literacy obligation

This is where most institutions under-scope their programmes. The Commission’s guidance clarifies that “staff and other persons” is broader than payroll headcount — it extends to anyone acting on the institution’s behalf, including contractors and service providers. In a research setting that typically means:

  • Researchers and PIs using generative AI tools for literature review, drafting, or data analysis
  • Research administrators and grants officers using AI-assisted screening or compliance-checking tools
  • HR and admissions staff using AI-based applicant or candidate screening systems
  • IT and research-computing staff configuring or maintaining institutional AI deployments
  • External contractors or visiting researchers granted access to institutional AI systems
  • Board and senior leadership, who need enough literacy to assess institutional AI risk

Article 4 does not require every group to receive identical training: a developer configuring a high-risk system needs materially more depth than an administrator using a transcription tool. The table below illustrates how role and system risk map onto training depth.

Personnel category Typical AI Act role Indicative literacy depth
Data scientists building institutional AI tools Provider Technical: limitations, bias, risk mitigation, documentation
Grants/admissions staff using screening AI Deployer Operational: output interpretation, human oversight, escalation
Researchers using generative AI for drafting/analysis Deployer (or exempt if pre-market research use) General awareness: hallucination risk, confidentiality
Contractors/visiting staff with system access “Other persons” acting on the institution’s behalf Baseline awareness proportionate to access level
Governing board/senior leadership Deployer (oversight capacity) Strategic: risk appetite, resourcing, regulatory exposure

Building a defensible AI literacy programme

The Commission’s AI Literacy Q&A sets out a four-step minimum approach research institutions can adapt directly:

  • Establish a general understanding of AI within the organisation — what AI is used, where, and why
  • Determine the institution’s role for each system: provider, deployer, or both
  • Assess the risk level of each AI system in use, including any high-risk systems under Chapter III
  • Build literacy actions proportionate to staff knowledge gaps and the context of use

Relying solely on a vendor’s instructions for use is explicitly insufficient — this mirrors the separate Article 26 duty on deployers of high-risk systems to ensure staff are “sufficiently trained” to exercise human oversight.

What is Article 4 of the EU AI Act?

Article 4 is the AI Act provision requiring providers and deployers to ensure a “sufficient level” of AI literacy among staff and other persons operating AI systems on their behalf. It has applied since 2 February 2025, ahead of most other AI Act obligations, and covers technical knowledge, training context, and the persons affected by the system.

What is the definition of AI literacy in the EU AI Act?

Article 3(56) defines AI literacy as the skills, knowledge and understanding that let providers, deployers and affected persons make informed decisions about deploying AI systems, while remaining aware of the opportunities, risks, and potential harms those systems can cause in their specific context of use.

Who at a research institution needs AI literacy training under Article 4?

Anyone dealing with an AI system’s operation or output on the institution’s behalf, not just IT or data-science staff. This includes researchers, administrators, HR and admissions teams, contractors, and senior leadership — with training depth proportionate to each group’s technical role and the risk level of the system they use.

Does Article 4 require a certificate or formal training records?

No. The AI Office has confirmed there is no mandated test or certificate for Article 4 compliance. Institutions should instead keep an internal record of training delivered, attendance, and content — evidence that becomes essential if a national market surveillance authority later reviews compliance.

Documenting compliance: what evidence to keep

Because Article 4 sets no certification standard, the practical question is evidential: what would a research institution show a national market surveillance authority if asked? A defensible record typically includes:

  • A written AI inventory identifying each system in use, its provider/deployer classification, and risk tier
  • Training content and delivery records (dates, attendance, format) mapped to each staff category
  • A documented rationale for why the chosen literacy measures were “sufficient” for each role and system
  • An AI use policy communicated to staff, contractors, and other relevant persons
  • A review cycle — literacy measures should be revisited as systems and risk profiles change

National market surveillance authorities take over enforcement of Article 4 from 2 August 2026, when the AI Act’s general application and high-risk provisions take effect. Enforcement is meant to be proportionate — gravity, intent, and negligence are all considered — but an incident with no evidence of staff training is likely to weigh against an institution.

Implications for research institutions and GPAI tools

Research institutions increasingly deploy general-purpose AI (GPAI) tools — large language model assistants embedded in research-writing or literature-search workflows — rather than narrow, purpose-built systems. The AI Act GPAI provisions (Chapter V, applying to GPAI model providers from 2 August 2025) sit alongside, not instead of, the Article 4 duty on deployers: using a GPAI-based writing assistant still makes an institution a deployer under Article 4, regardless of the model provider’s own transparency obligations.

One development worth tracking: the European Commission’s 2025 Digital Omnibus proposal would shift part of the Article 4 burden from individual organisations toward Member States and the Commission itself. That proposal has not been adopted, so the current text of Article 4 remains binding on institutions as providers or deployers — institutions should not defer action for a change that may not materialise as proposed.

Sector signals reinforce the direction of travel: UK courts have separately expected legal professionals to demonstrate AI competence in submissions, and UK financial regulators have referenced the Senior Managers Regime in connection with AI risk oversight — evidence that “sufficient AI literacy” is becoming an expectation beyond the AI Act’s direct territorial reach.

What research institutions should do next

Institutions without a formal AI literacy programme should start with an AI system inventory, classify each system by provider/deployer role and risk tier, then build tiered training from that analysis rather than buying a generic module. Article 4 rewards documented judgement over box-ticking: the institutions best placed for enforcement from August 2026 will be those that can show a reasoned, evidenced, role-differentiated approach. Research-administration functions, which typically already own institutional policy documentation, are well positioned to lead this work alongside data protection, IT governance, and research integrity offices.

LAC

Partner Deal

LAC Health Supplies Mobile App

Referenced across the research world

University of Cambridge logoColumbia University logoUniversity of Edinburgh logoHarvard University logoUniversity of Oxford logoPrinceton University logoStanford School of Medicine logoUniversity College London logoORCID logoCrossref logoUniversity of Cambridge logoColumbia University logoUniversity of Edinburgh logoHarvard University logoUniversity of Oxford logoPrinceton University logoStanford School of Medicine logoUniversity College London logoORCID logoCrossref logo
  • University of Cambridge logo
  • Columbia University logo
  • University of Edinburgh logo
  • Harvard University logo
  • University of Oxford logo
  • Princeton University logo
  • Stanford School of Medicine logo
  • University College London logo
  • ORCID logo
  • Crossref logo

View CASRAI adoption →