Your Article 4 Deadline Was Sixteen Months Ago. August 2 Is When the Consequences Land.

Pick any L&D team that runs a regulated-industry workforce. Last week, someone on it received a compliance update flagged with one date: 2 August 2026. The EU AI Act, Article 4. AI literacy. Workforce training. The slide listed it next to the GDPR refresh and the ISO 27001 attestation as a Q3 paperwork item. A vendor was probably already lined up. A video module, a completion log, a check on the calendar.

Here is what the slide does not say. Article 4 has been the law since February 2, 2025. Sixteen months ago. The August 2 date everyone is preparing for is not when the obligation begins. It is when the consequences for ignoring it begin.

This is one of those distinctions a careful EU lawyer will eventually correct in your meeting, and they will be right to. The two dates appear in the same regulation, separated by a few lines of Article 113, and the public coverage almost universally collapses them. The result is that thousands of L&D and risk teams are designing for what they think is a future deadline, when the obligation has been live for over a year.

The article most companies skipped

Article 4 sits in the EU AI Act's Chapter I, General Provisions. It is the entire chapter on AI literacy. The text is short:

Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf.

Three things are worth pausing on. It covers both providers (organizations that make AI systems) and deployers (organizations that use them). That second category catches almost every regulated company operating in the EU, regardless of where they bought the AI from. The standard is "sufficient" relative to staff role, technical knowledge, context, and the populations the AI touches. And "to their best extent" is a proportionality clause; it is not a strict liability standard.

The Commission has been clear about timing. The official FAQ says it plainly: Article 4 of the AI Act entered into application on 2 February 2025, therefore the obligation to take measures to ensure AI literacy of their staff already applies.

So a regulator can ask today, and has been able to ask for sixteen months, what literacy measures a deployer has taken. What changes in August is that the same regulator now has Article 99 in their pocket. Article 99 is the penalty regime. The national market surveillance authorities get formal enforcement powers. Fines become a tool. A question that has been polite for the past year becomes binding for the next several.

The two readings of the same article

Regulators read Article 4 one way. Carriers read it another. The L&D program that satisfies one will not necessarily satisfy the other.

The regulator reads it as a procedural obligation. Article 4 asks whether the deployer has "taken measures." Measures is a forgiving word. A completion log of a one-hour AI fundamentals video, plus a written policy, plus a register of who attended, is plausibly a measure. It would not survive a forensic challenge, but it satisfies the procedural question. Compliance, by design, is paperwork-shaped.

The underwriter is reading the same article differently. Carriers are not pricing your compliance posture. They are pricing what happens after a claim. They have watched the AI-related claims pile up in the last twelve months: chatbots making false promises, employees pasting client data into public models, AI summaries used as the basis for decisions nobody could later defend. Their question is not "did you have a policy." It is "is there evidence that the person at the keyboard could evaluate the AI output they were acting on?"

That question is starting to show up in renewal paperwork. ISO filed new generative-AI exclusions effective January 2026. Major carriers, including Berkley, Chubb, Travelers, and Berkshire Hathaway, have followed on D&O, E&O, and GL lines. Aon's 2026 risk advisory documents D&O underwriters now asking specifically about AI governance maturity. EPLI carriers are adding renewal questions about automated employment decisions, bias-testing protocols, and human oversight of AI-driven outputs. Cyber renewals include AI-specific items where there were none a year ago.

None of those new questions is satisfied by a completion log. Completion is the ceiling of what a video library can offer. Evidence of judgment is a different artifact entirely.

What an AI claim actually looks like

To see why the distinction matters, imagine the post-incident review.

Air Canada loses in front of a tribunal because its customer-facing chatbot quoted a bereavement fare that did not exist. The Mata v. Avianca attorneys file a brief in federal court built on case citations ChatGPT fabricated. A German appellate court holds an aesthetic-medicine clinic liable for false medical specialist credentials its website AI invented; the clinic's argument that it had supplied only correct data was rejected on the reasoning that an AI tool is not a third party. (Revision to the Bundesgerichtshof is pending, so do not treat the holding as settled German law yet, but the appellate reasoning is on the record.) Samsung discovers, after the fact, that an engineer pasted confidential source code into a public model.

In each of those incidents, the conversation after the fact was not about whether a policy existed. It was about the human at the keyboard. Could they evaluate the AI output they acted on? Was there evidence, anywhere in the file, that they had been built to interrogate the model's confident answer instead of accept it?

A completion certificate cannot answer that question. It was never built to. It records that the training was offered, which is a useful procedural fact and a worthless evidentiary one.

The artifact your audit file actually needs

Compliance gets you past the regulator. Documented competency gets you past the underwriter. Those are two audiences asking two questions, and the same training program does not answer both.

The compliance answer is procedural: was a measure taken. The carrier's question is evidentiary: can your workforce do the thing the measure was about. A program designed for the first reads as a checkbox library. A program designed for the second has to produce evidence per employee, per session, of judgment under realistic pressure. Not "they watched the video about prompt injection," but "they identified the prompt injection in a real scenario from their own industry and explained how they would respond to it."

That second kind of evidence does not come out of a video module. It comes out of a coaching session that requires the employee to defend their reasoning, with a record of where they got it right, where they slipped, and what they would do differently. The artifact at the end is not a completion bar. It is a scored breakdown of how the person thought. The same artifact answers the regulator's procedural question and the underwriter's evidentiary one, because the procedural question is a subset of the evidentiary one. The reverse is not true.

A completion certificate proves the training was offered. A Coaching Session Report proves the employee can do the thing the training was about. In an audit, and at a renewal, that distinction is the whole conversation.

This is the gap a Fortune and Protiviti survey of more than 1,500 board members and executives named directly: AI is exposing a critical-thinking gap that threatens an organization's ability to oversee the systems it is deploying. That gap is what an underwriter is implicitly pricing for, and what a regulator with newly enforceable Article 99 powers can now investigate. The AI Fluency course is built to close that gap one scored session at a time, anchored to the real cases your risk team already cites.

What to do before August 2

Do not rebuild your AI literacy program for an August deadline that does not exist. The deadline was sixteen months ago. The right question is whether the program you currently have produces evidence the underwriter and the regulator will both eventually ask to see, not whether it will be ready by Q3.

If your current program is a video library plus a completion log, ask the second question. Pull a recent log. Can it show one employee actually evaluating an AI output, or only that the video was assigned? If the honest answer is the second one, the program is built for the regulator's procedural question and not the underwriter's evidentiary one. That is a defensibility gap, and the day a claim lands or a renewal questionnaire arrives, the gap is what costs you.

The cleaner build is to design backwards from the artifact. Decide what evidence of workforce AI judgment your audit file needs to hold per employee, per incident-adjacent role, and let the training program do whatever it has to do to produce that artifact. The completion log is a byproduct, not the goal. The Coaching Session Report, or whatever equivalent artifact your program produces, is the deliverable.

That is what Article 4 has been asking for, in its quiet legal way, since February 2025. The August 2 date is simply when the question stops being polite.

If your AI literacy program is being designed to satisfy one of those audiences, the regulator who issues a procedural inquiry or the underwriter who reads your renewal file, which one is it building for?