The AI Strategy Guide logo The AI Strategy Guide at the cusp of AI Subscribe →
Enterprise AI Literacy: A Role-Conditional Programme, Not a Compliance Seminar — Capabilities illustration

Enterprise AI Literacy: A Role-Conditional Programme, Not a Compliance Seminar

Tom Prommer · CIO/CTOUpdated 2026-05-2913 min read

A director of supply chain at a German industrial firm asked me, in a kick-off call last October, whether the company should “fine-tune ChatGPT” for their procurement workflow. I asked what he meant by fine-tune. He meant write better prompts. I asked what tools the team was actually using. He meant the public ChatGPT web interface, which his team had been pasting supplier contracts into for six months without telling legal. He was, by any honest measure, one of the more capable executives in the room. His company had spent €90k that year on an external AI strategy review. None of it had reached him. The literacy gap was not a tooling problem and it was not a budget problem. It was a programme that had been designed for the board and never translated for the people who would actually deploy the technology.

That is the structural problem with enterprise AI literacy in 2026. Most published material treats it as AI training for everyone — a generic seminar, a vendor lunch-and-learn, an e-learning module branded with the company logo. That is a compliance-shaped product, and it does not produce literacy. A literacy programme that actually works is role-conditional: the literacy a CFO needs is different from what an HR business partner needs is different from what a procurement officer needs is different from what an engineer needs. The same curriculum at all four levels is the most common failure mode I see, and it is the one EU AI Act Article 4 explicitly calls out by requiring literacy taking into account their roles, the context of use, and the persons affected.

The Act entered into force on 1 August 2024, and the Article 4 literacy obligation became applicable for most deployers on 2 February 2025. Most enterprises are not compliant. The remediation work is real, but it is not the €200k literacy programme the consultancies are pitching against it. It is closer to four tiers, twelve weeks of design, and six to nine months of rollout. This page is the operator version of that programme — what each tier needs, how to evidence it for Article 4, and which parts of the vendor pitch to ignore.

What Article 4 actually says

The text is short. Article 4 of Regulation (EU) 2024/1689 reads, in its operative part: Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used.

Three things follow from a plain reading.

One. The obligation is on both providers and deployers. If your company uses ChatGPT Enterprise or Copilot or any third-party AI tool to serve customers, employees, or downstream systems, you are a deployer. The obligation applies. There is no “it is not our code” carve-out: if you are the deployer, the literacy obligation rests with you, whether the model is a black-box API or an open-source local install.

Two. The literacy required is proportionate, not absolute. The Act does not specify a curriculum, a vendor, a minimum hours figure, or a certification. The proportionality is to role, context, and affected persons — exactly the three axes the role-conditional model below is built around. This is why a single generic curriculum is hard to defend; it is also why the heavyweight certification programmes some firms pitch are over-priced for the obligation.

Three. The phrase to their best extent is doing real work. The Act is asking for genuine effort proportionate to organisational size and risk, not perfection. A demonstrable programme — designed, documented, delivered, evidenced — is the bar. An undocumented set of ad-hoc lunch-and-learns is not. The line between the two is the audit-trail work, not the curriculum.

The European Commission published a Q&A document on Article 4 in early 2025 confirming this reading. The supervisory authorities will, in practice, look for evidence that the programme is real, role-appropriate, and updated as the systems change. They will not look for a specific vendor logo on the certificate.

The four-tier model

A literacy programme that meets the Article 4 bar and actually produces literate practitioners has four tiers. Each tier has a different audience, a different curriculum, a different success criterion, and a different evidence requirement.

Tier one: board-level literacy. The audience is the non-executive directors, the chair, and the audit-committee leads. The curriculum is what AI strategy decisions look like, what budget signals to read, and what the four risk postures are at portfolio level. The success criterion is that the board can have an unsupervised conversation about an AI workstream cut decision without retreating to deference. The evidence requirement is light — typically a 90-minute briefing, repeated annually, with materials filed alongside other board education. Most boards I have briefed are under-served at this tier; they have read the Economist coverage, they have not had a working session that connects AI work to budget reality. The fix is not heavy, but it has to happen before the board-tier strategy conversation, not after.

Tier two: executive literacy. The audience is the C-suite and the next layer down — CTO, CIO, CISO, CFO, CHRO, COO, heads of major business units. The curriculum is the four-question diagnostic applied at functional level. What is your function’s strategic posture on AI. What is your function’s cost ceiling. What is your function’s timeline pressure. What is your function’s failure tolerance. Each executive should be able to write their own one-page answer and defend it against the CFO. The success criterion is exactly that defensibility. Two 90-minute working sessions, plus a written one-pager from each executive, plus a cross-functional review. This is the tier that connects most directly to the role-specific work — AI for the CTO, the CISO governance piece, and the equivalents for the other functions. The evidence requirement is the one-pager itself, filed and dated.

Tier three: middle-manager literacy. The audience is the people who actually procure, evaluate, and approve AI tooling — line-of-business heads, departmental directors, procurement, vendor-management. The curriculum is procurement and vendor evaluation literacy. How to read a vendor pitch deck. How to identify the difference between a model-lifecycle platform and an LLM observability platform (the tooling cluster covers this in operational depth). How to ask the four scoring-sheet questions before signing a contract. How to recognise when a “pilot” is being scoped to lock in a multi-year deal. This is the tier most under-served in current literacy programmes, and it is the tier where most shadow AI procurement decisions get made. The success criterion is that a procurement officer can walk a vendor through the four-criterion scoring sheet in a discovery call. Three sessions, plus a procurement-evaluation worked example.

Tier four: individual-contributor literacy. The audience is everyone else who uses AI tools in their work. The curriculum is use-it-safely and when-to-escalate. What data must not be pasted into a public-tier tool. What outputs require human review before being acted on. What incident looks like in an AI tool and how to report one. When to ask the team lead before adopting a new tool. The success criterion is a measurable drop in shadow AI incidents and a measurable rise in escalations through the right channel. This is the only tier where a vendor e-learning module is roughly adequate, because the content is genuinely generic and the volume is high. Even here, the module should be supplemented by a one-page company-specific addendum naming the approved tools, the prohibited data classes, and the escalation contact. The evidence requirement is the completion log.

The four tiers are not interchangeable. The most common failure is buying one vendor curriculum and applying it to all four. The board is bored because the content is too operational. The executives are patronised because the content is too generic. The middle managers are confused because the content does not connect to procurement reality. The contributors are roughly fine because the bar is low, but the rest of the programme is wasted.

What the programme costs, honestly

The cost question is where the largest gap between vendor pitches and reality sits. The internal-time cost of a four-tier programme for an organisation of a few thousand staff, designed and run by a small internal team with one external advisor for the design phase, runs roughly:

  • Tier one (board): about 20 hours of internal preparation, 3 to 5 hours of board time, repeated annually. Internal cost on the order of €4k to €8k per year. External content optional but cheap (€3k to €8k) if used.
  • Tier two (executive): about 40 hours of internal preparation per cycle, plus 6 to 8 hours per executive across two sessions and the one-pager. For ten to fifteen executives, internal cost on the order of €25k to €50k for the first cycle, lower thereafter.
  • Tier three (middle manager): the largest single line item. Roughly 80 hours of design and rollout per cohort, with cohort size of 20 to 30. For an org with 100 to 200 middle managers, total internal cost €40k to €90k.
  • Tier four (individual contributor): the cheapest per-head, most expensive in aggregate. Vendor e-learning module typically €15 to €40 per seat per year for a generic tier, plus the addendum and the audit work. For a few thousand staff this lands between €30k and €120k.

Sum of all four tiers for a mid-sized enterprise: roughly €100k to €270k all-in, internal time plus external content, for the first year. Years two and three are roughly 40% of year-one cost as the design amortises.

This is materially cheaper than the headline numbers from the certification-and-consultancy market, which currently price equivalent programmes at €200k to €500k+ for the same scope. The price gap is being driven by buyer anxiety about the EU AI Act, not by the cost of producing literacy. The honest version is that a competent internal team plus the right external design assistance can produce a defensible Article 4-compliant programme inside the lower range. The €500k programme is buying perceived risk reduction, not a better outcome.

What to evidence for Article 4

The supervisory expectation, based on the Commission’s published guidance and the early-2026 enforcement patterns in member states with stronger DSA-adjacent precedents, is roughly the following. Have a written programme document that describes the four tiers, the curriculum, the cadence, and the named owner. Have attendance logs and completion records. Have role-specific learning outcomes documented per tier. Have a refresh cadence (annual for board and executive, semi-annual for middle manager, annual for contributors with event-driven updates when major tools change). Have a named accountable owner — typically the CISO or the CAIO, but the responsibility can sit with HR-led L&D as long as the named owner exists and the content is reviewed by a technical leader.

That is the minimum viable Article 4 programme. Most of the work is the design and the evidence trail; almost none of it is the curriculum content itself, which is where the vendors are pricing aggressively.

Why the consultancies cannot write this honestly

The structural reason this piece is written from a fractional-advisory position rather than a Big-4 one is the same as the reason the cost of failed AI projects page exists. The literacy market in 2026 is a remediation market — buyer anxiety about a regulatory deadline, met by vendors selling the most expensive defensible response. The remediation market rewards heavyweight programmes; the operator reality rewards the four-tier model above. The gap between the two is the consultancy margin.

The board-tier piece in particular is one the consultancies cannot write well because it requires telling the board that most of what they have been briefed on AI is downstream of decisions they have not yet made. The honest board briefing is short, uncomfortable, and ends with the four-question diagnostic and a homework assignment. The consultancy briefing is long, comforting, and ends with a follow-on engagement quote. The two products look the same on a procurement form; they produce very different boards twelve months later.

The governance hub covers the regulatory frame for this work in more depth — the cross-walks between the Act, NIST AI RMF, and ISO 42001, the CISO ownership of the deployment gate, the inventory work that has to happen before any literacy programme is meaningful. The capabilities hub covers the operational layer underneath. This piece sits between them: literacy is the human capability that makes both the governance and the capability layers work, and it is the one most enterprises are under-investing in by a margin large enough to matter.

If you are designing the programme right now, the order I would work in is: name the owner first, then build the tier-two executive sessions because they unlock the budget for the rest, then the tier-three middle-manager work because it has the highest operational leverage, then the tier-four individual-contributor rollout, and finally the tier-one board briefing as the closing artefact that the audit committee can point at. Most programmes start with tier four because it is the easiest to procure. That order produces a compliance product, not a literacy programme. The order matters more than the content.

Sources & methodology

Tier-cost ranges drawn from fractional CTO and CIO engagements 2024–2026, anonymised by sector and headcount band. The four-tier curriculum outline is published under CC-BY-4.0; email me for the working copy or to send a falsification.

Frequently asked questions

What does an enterprise AI literacy programme actually look like?
Four tiers, one curriculum per tier, no shared content across tiers beyond a one-page glossary. Board-tier literacy is about the budget signals and strategy decisions the board has to read. Executive-tier literacy is the four-question diagnostic applied at functional level. Middle-manager literacy is procurement and vendor evaluation. Individual-contributor literacy is use-it-safely and when-to-escalate. The single most common failure is buying one vendor curriculum and applying it to all four tiers; the result is a programme that bores the board, patronises the executives, confuses the middle managers, and barely meets the contributor need.
Does the EU AI Act actually require AI literacy training?
Yes. Article 4 of Regulation (EU) 2024/1689 obliges providers and deployers of AI systems to ensure their staff have a sufficient level of AI literacy, taking into account their roles, the context of use, and the persons affected. The Act entered into force on 1 August 2024; the Article 4 obligation became applicable for most deployers on 2 February 2025. It is genuinely binding, but the text is short and proportionate — it does not specify a curriculum, a vendor, a minimum hours figure, or a certification. The consultancies pitching €200k literacy programmes against this obligation are pricing the gap between the Act's text and the buyer's anxiety.
Can we satisfy the Article 4 obligation with a vendor e-learning module?
Probably not in the form vendors currently ship. The Article requires literacy proportionate to roles, context, and persons affected. A single generic e-learning module is hard to defend as proportionate to a procurement officer evaluating an AI vendor, an HR business partner deciding whether to deploy an AI screening tool, or a CTO setting AI architecture. The defensible minimum is the four-tier model described in this piece with each tier evidenced — attendance logs, completion records, a written role-specific learning outcome. The expensive maximum is a full external certification programme. The right answer is closer to the minimum than the maximum.
How long does a credible AI literacy programme take to roll out?
Twelve weeks for the design, six to nine months for the rollout. Board-tier and executive-tier sessions are short (90 minutes each, run twice) and can land in the first quarter. Middle-manager and individual-contributor tiers take longer because the volume is larger and the operational lift is real. The total cost runs between €40k and €180k internal time for an organisation of a few thousand staff, plus optional external content. The €200k-plus quotes some firms give are usually pricing a deliverable shape, not the actual literacy outcome.