The Article 4 Gap: AI Literacy Is an Evidence Duty, Not a Workshop

1. The Obligation Everyone Skipped Past

Article 4 of Regulation (EU) 2024/1689 is short, and that may be why it is underestimated. It obliges providers and deployers of AI systems to take measures to ensure, to their best extent, a sufficient level of AI literacy among their staff and others who operate or use AI systems on their behalf — with the level calibrated to each person's role, knowledge, and the context of use.

Two facts make it more consequential than its length suggests. First, it has applied since 2 February 2025, in the earliest wave of the Act to take effect — it is not waiting for 2026 or 2027. Second, it applies regardless of risk classification: an organisation running only ordinary, non-high-risk AI tools is still inside the obligation.

The practical effect surfaced in public discussion in May–June 2026: teams that built their entire EU AI Act programme around the high-risk framework can still be carrying a significant Article 4 gap, because the high-risk lens never pointed at it. As one operations practitioner, Terence Drake, put it in a public thread, Article 4 applies to every organisation using AI regardless of risk class, it has applied since February 2025 (with national market-surveillance enforcement following from 2 August 2026), and it calls for demonstrable literacy per employee — individual records, role-based evidence, and a documented mechanism to keep it current.

2. Why ISO 42001 Does Not Close It

A natural assumption is that an organisation with a conforming ISO/IEC 42001 AI management system has Article 4 covered. It is not safe to assume that. ISO/IEC 42001 addresses competence and awareness at the management-system level — the organisation should determine necessary competence and ensure people are aware of the AI policy. But it does not map one-to-one to the specific Article 4 duty: a sufficient, role-appropriate level of AI literacy across all staff dealing with AI, demonstrable per person.

The gap is the difference between a management-system control (“we have a process for competence”) and a regulatory evidence obligation (“show, per employee, the literacy sufficient for their role with this AI”). An organisation can hold the first and still fail the second. This is the same shape as the broader ISO 42001 versus EU AI Act distinction: a certifiable management standard and a statutory obligation are not interchangeable, and conformance to one does not discharge the other.

3. Literacy Is an Evidence Obligation Over Time

The part that bites later is that Article 4 is not satisfied by a single event. “We ran a workshop” is a moment; “a sufficient level of AI literacy” is a state that has to hold over time, as systems change and staff join and leave. Treating it as a one-time tick re-creates, at the literacy layer, exactly the reconstruction problem the rest of the EU AI Act audit-trail conversation is about: can you show, later, what was true at the time?

The defensible posture is therefore role-based literacy evidence kept per person and kept current: who received what, appropriate to their role and the systems they actually use, when, and through what mechanism the organisation refreshes it. The same principle that governs decision records applies to literacy records — the test is whether the evidence remains understandable and defensible later, including when the people who delivered the training have moved on. Nicole Webb, who works on making ISO standards accessible, has made a closely related point: the value is being able to walk someone, step by step, through what was actually done and reviewed — not just point at a log entry.

4. Where the Substrate Helps — and Where It Stops

Quantamix Solutions ships an Article 4 documentation set as part of the GraQle compliance docs — the integration guidance and the structured material a deployer can quote inside their own literacy programme. To be precise about scope: this is a set of signals and documentation a deployer references in their own file. It does not make an organisation compliant, and it is not a certification — those words belong to processes the Act and the standards bodies define, not to a documentation set.

The literacy programme, the per-employee records, and the judgement about what is “sufficient” for a given role remain the organisation's own work. What the substrate adds is the same property it adds everywhere else: making the evidence structured and reconstructable, so that a literacy claim, like a decision claim, can be shown rather than merely asserted.

5. A Short Article 4 Self-Check

• Can you produce, per employee, evidence of AI literacy appropriate to their role and the systems they use?
• Is the evidence dated, and is there a documented mechanism to keep it current as systems and staff change?
• Does your programme cover staff using ordinary, non-high-risk AI — not only those near Annex III systems?
• If an authority asked today, could you show the literacy state that existed at a past point in time, not just the current one?
• Have you confirmed your ISO 42001 work, if any, actually discharges Article 4 — rather than assuming it does?

If any answer is “not really,” the gap is structural, not cosmetic — and Article 4 has been live since February 2025, so the runway is already shorter than it looks.

Continue Reading

• ISO 42001 vs the EU AI Act
• EU AI Act Key Dates & Deadlines
• Human Oversight: EU AI Act Obligations
• Proof Precedes Permission: The Substrate Seam

Frequently Asked Questions