EU AI Act Article 4 hits: AI literacy is now mandatory across your workforce

The first hard deadline in the EU AI Act is no longer theoretical. As of 2 February 2026, Article 4 requires every provider and deployer of AI systems in the EU to take measures to ensure a sufficient level of AI literacy among their staff and any third parties operating those systems on their behalf. The next enforcement milestone, the obligations on general-purpose AI models and high-risk systems, lands in August 2026.

For most of the organizations we talk to, this is the article that arrives first and bites first. Article 4 is not optional, it is not phased by company size, and the definition of “deployer” is wide enough to cover any team that has activated Microsoft 365 Copilot, deployed a Copilot Studio agent, or rolled out ChatGPT Enterprise across business units.

What Article 4 actually requires

The text is short and deliberately broad. Organizations must ensure that the people who use, operate, or are affected by AI systems understand:

• What an AI system is, in plain terms relevant to their role
• The capabilities and limitations of the systems they interact with
• The risks and possible harms specific to the deployment context
• The rights they have, including the right to human review of automated decisions

There is no prescribed training format and no certification standard yet. Member-state supervisory authorities will judge sufficiency on a contextual basis. A finance team approving Copilot-generated reconciliations needs a different literacy programme than a frontline support agent using a Copilot Studio agent to draft replies.

Why this is harder than it looks

The compliance question is not “did we run a training.” It is “can we evidence, per system and per role, that the people interacting with this AI understood what it does.” That requires three artefacts most organizations do not have today.

An inventory of the AI systems in production. Copilot is one entry. Each Copilot Studio agent is another. Each Power Automate flow with an AI Builder step is another. Each third-party AI tool connected via an M365 connector adds more. Without an inventory, the literacy programme has no scope.

An ownership map. Who is responsible for each system, who uses it, and who is affected by its outputs. Compliance evidence needs to attach to people, not just systems.

A record of the training each role completed. Generic “AI awareness” content does not satisfy Article 4 on its own. The literacy programme must be tied to the specific systems each person uses.

What governance teams should do in Q1 2026

Three steps move you from exposure to defensible:

Run an AI system inventory. This is the foundation. You cannot scope a literacy programme around systems you have not catalogued. Rencore inventories Microsoft 365 Copilot deployments, Copilot Studio agents, Power Platform AI Builder flows, and 15+ third-party AI platforms from a single policy engine.

Attach owners. Every AI system in scope needs a named owner. Where the owner is unknown, governance policy should flag it and route the resource to the responsible business unit for adoption or removal.

Tie training to systems. Build the literacy curriculum per system category, not as a generic course. The audit trail your compliance team needs is “Person X completed training Y for system Z on date D,” generated and stored as evidence.

Article 4 is the small wave before the August 2026 swell. Organizations that build the inventory and ownership backbone now will spend the rest of the year layering risk classification, documentation, and oversight on a foundation that already exists. Those who wait will be building the foundation in the same quarter they are answering questions from supervisory authorities.

See how Rencore governs Microsoft 365 Copilot and 15+ AI platforms from one policy engine, or book a demo to discuss your Article 4 evidence strategy.