This article is part of: Behavioural Design for HR →

AI literacy at work: how to build it across your organisation (2026)

Tom de Bruyne · 28 May 2026 · · lees dit artikel in het Nederlands →

Since 2 February 2025, AI literacy has been a legal requirement. Article 4 of the EU AI Act compels every organisation deploying AI (and by now, which organisation does not?) to ensure a "sufficient level of AI literacy" among the staff working with AI.1 At virtually every organisation we work with, the first reaction to that obligation is predictable. An e-learning gets rolled out, a few prompt workshops are delivered, an AI policy goes on the intranet. Three months later, very little behaviour has come out of any of it.

The assumption underneath that approach is that AI literacy is a matter of knowledge transfer. In practice, AI literacy is a form of behaviour, and behaviour cannot be trained with a PowerPoint.

In this article I will set out what AI literacy actually is, which four behaviours genuinely constitute it, why the conventional approach fails so predictably, and how to design it into an organisation in a way that holds.

What is AI literacy?

AI literacy is the set of skills, knowledge and understanding that enables people to use AI systems responsibly, critically and effectively in their work. It covers technical understanding (how AI models arrive at output), critical judgement (where AI fails and why), practical skill (effective prompting and iteration) and ethical judgement (when to use AI, when not to, and with which data).

That definition comes straight from the law itself. Article 3(56) of Regulation (EU) 2024/1689 defines AI literacy as "skills, knowledge and understanding that allow providers, deployers and affected persons to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and the possible harm it can cause."1

The clue is in the verbs: "allow", "make an informed deployment", "gain awareness". Those are descriptions of behaviour, not descriptions of knowledge. Someone can complete an AI course, pass the assessment, and then in practice copy every ChatGPT output verbatim into a client email. That person holds the knowledge, but does not meet the legal definition of literate.

The distinction is not a wordplay. It determines whether your training programme passes an audit and at the same time actually lowers risk in the organisation, or whether it only does the first.

Design AI literacy, don't train it

The Behavioural Design Fundamentals Course teaches you how to design behaviour (AI behaviour included) on purpose. Two days, real cases from your own organisation, and a method you can apply to your AI programme straight away.

Start the online course → Live in Amsterdam In-company / team training

10,000+ alumni · 43 countries · 9.7 rating

Not ready yet? Follow along with our free weekly newsletter →

SUE Behavioural Design training on AI literacy

Why most AI literacy programmes fail

The conventional approach looks roughly like this. A two-hour online module on "what is AI", a policy document, a list of do's and don'ts, and in the ambitious cases a prompt workshop. Three months later the dust has settled, the e-learning is forgotten, and behaviour sits at exactly the same level as before the training. In some organisations even lower: the false sense of competence makes people less critical.

This failure pattern is not unique to AI. Any training that confuses knowledge transfer with behaviour change runs aground the same way. With AI the effect is just bigger, for three reasons.

The first reason is cognitive offloading. The brain is an energy-saving machine. As soon as a tool can do the thinking for you, System 1 (the fast, automatic part of our thinking that Kahneman described) hands the task over almost automatically.2 That saves a lot of cognitive energy, and that is exactly the problem: without deliberately designed verification rituals, every AI output quietly becomes "true".

On top of that, AI makes mistakes that look competent. A wrong answer from Google is usually visibly wrong. A hallucination from an LLM is grammatically perfect, convincing in tone, and contains plausible-looking references that do not exist. The kind of critical reading people apply unconsciously to a bad website gets switched off in front of fluent AI output. So the bar for verification ends up higher than for almost any other information source.

And the third factor is that AI use happens in a social vacuum. With traditional tools you see colleagues working, and you pick up unconsciously on what is going well and what is not. AI use happens on your own screen, in a chat window no one else sees. Good habits do not get transferred visibly, and bad habits do not get corrected. Everyone finds their own path, and those paths often go wrong.

"Behavior happens when motivation, ability, and a prompt come together at the same moment. If any one is missing, the behavior won't happen."

— BJ Fogg, Stanford Behavior Design Lab

The combination of those three forces explains why AI literacy never emerges from offering knowledge alone. You have to design the behaviours.

The four behaviours that constitute AI literacy

In the projects we run at SUE, AI literacy consistently boils down to four specific, observable behaviours. Anyone who exhibits these four is operationally AI-literate, regardless of which certificate sits underneath.

1. Critical verification instead of blind copying

This is the most fundamental behaviour and at the same time the most neglected. An AI-literate employee treats every AI output as a draft. Numbers get checked at source, names and dates get verified, and legal or medical claims get referred to a human with the right expertise. For every output that leaves the organisation, the implicit question is: do I know this myself, or am I just trusting the model?

Measuring this is simple. What percentage of AI-generated content is verified by a human before publication or sending? In the organisations we measure, that figure rarely climbs above 30%. In a literate organisation it sits, for risk-sensitive content, at 100%.

2. Effective prompting through iteration

Anyone using AI as a search engine, one question and one answer, leaves something close to 80% of the value on the table. Effective prompting is a conversation: you start broad, you refine, you ask for alternatives, you have the model critique its own output. In our programmes, literate users typically run six to ten iterations per task. Illiterate users stop at one or two.

This is not a technical skill in the IT sense of the word. At its core it is a conversational skill. You do not learn it from a list of "10 best prompts", but by practising, with guidance, on your own real work.

3. Recognising where AI fails

An important part of AI literacy is knowing where AI should not be deployed. Tasks where the cost of an error is asymmetric (a medical diagnosis, a legal opinion, a pricing decision, an employment ruling) call for deliberately switching AI off. In EU AI Act terms, they fall under "high-risk" and require human oversight.1

A literate employee can answer two questions at any moment: (1) what are the consequences if this AI output is wrong, and (2) how likely am I to notice that error. At "large" and "small", AI use stops there. That kind of judgement is not learned in a module, because it develops through guided reflection on real cases.

4. Handling data and privacy safely

The least exciting and most underestimated behaviour. A literate employee knows which data may and may not enter a prompt, which tool fits which kind of information, and which limitations come with an output. No customer data in consumer ChatGPT. No strategy documents in Gemini Free. No source code in Copilot Personal. That sounds obvious, but in every organisation we measure, data routinely ends up where it should not be.

"The biggest threat to your AI strategy is not that employees won't use it, but that they will use it without knowing what they are doing."

— Tom de Bruyne, SUE Behavioural Design

These four behaviours, verifying, prompting, knowing the limits and sharing safely, together form the operational definition of AI literacy in an organisation. They can be measured and they can be designed. They cannot be replaced by an e-learning.

How to design AI literacy with SWAC

At SUE, for every behaviour we want to embed lastingly, we use the SWAC model: Spark, Want, Again, Can, the four conditions that durable behaviour has to meet. Applied to AI literacy, it looks like this.

The SWAC model for behaviour change applied to AI literacy in organisations
SWAC: four conditions for sustainable behaviour, here applied to AI literacy. Miss any one, and the behaviour stops.

CAN: make the four behaviours easier than the alternatives

Verifying has to be easier than not verifying. That only works by designing it into the workflow. A mandatory "source field" in templates where AI content gets integrated, for example. A prompt library of well-structured starting prompts per role, so iteration begins from a decent starting point. A simple decision tree on the intranet for "which data may go into which tool". A red list of data categories that must never enter public tools.

"Simplicity eats willpower for breakfast", Fogg writes.3 The desired behaviour has to become the path of least resistance, otherwise in the long run it always loses to System 1's automatic behaviour.

WANT: motivate at the moment that matters

General messages about "AI is important for our future" silently disappear into the inbox. What works are motivation moments tied to concrete errors, not as punishment but as a signal of what is at stake. An anonymised monthly "lessons learned" email with three real cases where things almost or actually went wrong does more for verification motivation than four consecutive policy updates.

Social proof works too, but only when it comes from respected peers. Not from management or IT. The motivation to prompt thoroughly emerges when the senior on the team shows in a team meeting how she or he iterates. That is a role model that all the CEO's emails combined cannot match.

SPARK: design triggers into the workflow

Without a trigger, no behaviour happens, even when motivation and ability are present. For AI literacy, triggers work best when they are physically built into the moment of AI use. A mandatory checklist popup before AI content leaves the building. A red border around outputs from certain tools until verified. An automatic Slack reminder the moment someone types a sensitive term into a prompt.

The trick is to design the trigger as an accelerator of the right behaviour rather than as an interruption. A well-designed verification prompt actually saves the employee time, because the structure speeds the work up, and adds safety on top of that.

AGAIN: build rituals, not events

Behaviour only becomes habit after months of repetition.3 A one-off kick-off, however good, does not produce literacy. What does work is a weekly fifteen-minute "AI learning round" in every team meeting. Someone brings one good prompt iteration, one near-miss, and one example of "I deliberately did not use AI here, and this is why". Fifteen minutes, every week, all year round.

This is not scalable in the sense of "we roll it out in one go". It is scalable in the sense of "it actually changes behaviour". And that, in the end, is what the law really wants: not certificates, but demonstrably literate conduct on the work floor.

Four common mistakes when building AI literacy

From the programmes we run, four mistakes come back so consistently that they are worth naming explicitly.

Mistake 1: Outsourcing AI literacy to IT

At its core, AI literacy is not an IT topic. It is an HR, leadership and process topic. IT can manage the tools and write the policy, but the behaviours emerge in workflows shaped by operations and management. Organisations that hand the project to the CIO and then lean back end up with a neat technical rollout and no behaviour change.

Mistake 2: One-size-fits-all curriculum

The EU AI Act explicitly requires the level of literacy to match the context and risk of the application.1 A marketing team using AI for concepts, an HR team using AI for CV screening, and a legal team using AI for contract summaries: those are three completely different literacy needs. One centralised e-learning package for the entire organisation neither passes the legal bar nor works in practice.

Mistake 3: Measuring what is easy instead of what matters

E-learning completion rates are easy to measure and say nothing about literacy. Time spent in a module, the same. What matters is behaviour: percentage of verified outputs, average iteration length, number of deliberate "no, I am not using AI here" moments, number of data-risk reports. That is more cumbersome to measure, but it is what the law requires and what actually lowers risk in practice.

Mistake 4: No social fabric for learning

AI use is isolated work. Those who get good at it do so in silence, and those who get bad at it never find out. Without a designed social fabric (peer review, recurring learning rounds, visible examples from respected colleagues) literacy cannot emerge. This is the part most often skipped and the part that makes the biggest difference.

A one-day AI literacy plan

The Deep Dive Designing AI Adoption teaches you how to build AI literacy as behaviour, not as training. You diagnose the psychological barriers in your organisation and design an approach that meets the EU AI Act and actually works.

Start the online course → Live in Amsterdam In-company / team training

10,000+ alumni · 43 countries · 9.7 rating

SUE Behavioural Design training on AI literacy

Conclusion: AI literacy is a design challenge

Since 2 February 2025, every organisation deploying AI carries a legal obligation. But the law is not the real reason to do this well. The real reason is that AI is now in the hands of people at scale who do not know where it fails, and that is a commercial, legal and reputational risk on a scale we have not seen before.

Organisations that take this seriously do not start with an e-learning. They start with a diagnosis. Which of the four behaviours do our people exhibit, which do they not, and in which workflows? They then design interventions per behaviour: instead of one central training, many small, contextual rituals. And they keep going over a period of months.

That is more cumbersome than ticking a module box. In my experience it is also the only thing that works.

Frequently asked questions about AI literacy

What is AI literacy?

AI literacy is the set of skills, knowledge and understanding that enables people to use AI systems responsibly, critically and effectively in their work. Operationally it consists of four behaviours: critically verifying AI output, prompting effectively through iteration, recognising where AI fails, and handling data and privacy safely. Since 2 February 2025 it has been legally required in every organisation that deploys AI, under Article 4 of the EU AI Act.

Is AI literacy required by law?

Yes. Since 2 February 2025, Article 4 of the EU AI Act (Regulation (EU) 2024/1689) requires all providers and deployers of AI systems to ensure a "sufficient level of AI literacy" among staff and other persons working with AI on their behalf. This applies to every organisation deploying AI in the EU, regardless of size or sector.

What is the difference between AI training and AI literacy?

AI training teaches people how a tool works, as a one-off knowledge moment. AI literacy is a set of four daily behaviours: verifying, prompting, recognising limits, and sharing safely. A training is an event; literacy is a habit. Most AI training programmes produce certificates without behaviour change, because they skip the psychological and contextual layer.

How do you measure AI literacy in an organisation?

Measure what people do, not what they know. Four indicators work best: (1) the percentage of AI outputs verified before publication, (2) the average prompt iteration length, (3) the number of cases where employees consciously refuse AI use because the risk is too high, and (4) the number of reported near-misses involving data. Knowledge quizzes measure nothing that matters.

What exactly does Article 4 of the EU AI Act require?

Article 4 requires organisations developing or deploying AI to "take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf". The level must be proportionate to the technical knowledge of the group, the context, and the persons on whom the AI is used. No specific curriculum is mandated, but the outcome is: demonstrably literate personnel.

Who within the organisation owns AI literacy?

In practice a triangle works best: HR owns the behaviour change and learning interventions, IT owns the tools and technical policy, and line management owns application in workflows. When a single party picks it up alone (usually IT), the result is structurally a well-intentioned but failed rollout. Legal accountability rests with the deploying organisation (in EU AI Act terms: the deployer).

HR Managers Communication Marketing Change Mgmt Sales Government UX & Design Product
View the Fundamentals Course →
Astrid Groenewegen - Co-founder SUE Behavioural Design
Astrid Groenewegen
Co-founder, SUE Behavioural Design
Weekly Newsletter

1.5 minutes of influence

Every week I notice something: a hospital sign, a supermarket shelf, a line in a meeting. Always something that shows exactly how context steers behaviour. I write it down. Every Thursday morning it lands in your inbox. In 90 seconds.

Join 10,000+ readers  ·  Free  ·  Unsubscribe anytime