EU AI Act Art.4 AI Literacy: NCA Audit Evidence Pack & Self-Assessment Checklist for August 2026
Post #1506 — Finale of the sota.io EU AI Act Art.4 AI Literacy Compliance Series
This is the final post in our five-part series on EU AI Act Article 4 AI literacy obligations. Part 1 explained the obligation scope. Part 2 covered minimum training requirements. Part 3 addressed role-specific curricula. Part 4 covered GPAI tool users. Here, we close the loop: what does a defensible compliance record look like when a National Competent Authority shows up?
With enforcement powers going live on August 2, 2026, this guide covers the practical audit readiness steps — the evidence documents, the self-assessment checklist, and the common gaps that leave organisations exposed.
Why "We Did Training" Is Not Enough
Most organisations will enter the enforcement era with some form of AI awareness activity. The compliance problem is not the absence of training — it is the absence of evidence that the right training reached the right people and produced documented literacy outcomes.
Article 4 of the EU AI Act (Regulation (EU) 2024/1689) creates an obligation of result, calibrated to context: providers and deployers must ensure "a sufficient level of AI literacy" of staff "taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in." A generic all-hands session covering ChatGPT basics does not discharge this obligation for a team deploying a high-risk AI system under Art.9 risk management protocols.
National Competent Authorities reviewing Art.4 compliance will not accept verbal assurances. They will ask for documents.
What NCAs Will Actually Request
Based on the structure of EU supervisory frameworks (GDPR enforcement patterns, NIS2 audit guidance, and the AI Act's own inspection provisions under Art.74), an NCA investigating Art.4 compliance will likely request:
1. Staff inventory with AI-system role classification. Which employees operate, use, or oversee AI systems? Which systems? At what risk level? This mapping is the foundation of all subsequent evidence. Without it, you cannot demonstrate that literacy measures were calibrated to the right population.
2. Training programme documentation. Curriculum design, learning objectives, training materials, delivery dates, and trainer credentials for every role-specific literacy track. Generic slide decks are insufficient if they lack evidence of customisation to the AI system context.
3. Completion records with individual attestation. Timestamped records showing who completed which training, when, and at what assessed level. Aggregate completion percentages ("85% of staff trained") are not sufficient — NCAs will ask for individual records for any employee involved in an incident or audit.
4. Competency assessment outcomes. Evidence that training produced measurable understanding, not just attendance. Quiz results, practical exercise scores, or role-play assessments that demonstrate comprehension of the specific AI systems in use.
5. Refresher and update cadence documentation. AI literacy is not a one-time event. When the AI system changes materially, when the regulatory context shifts, or when staff move into new roles, refresher training must follow. Your documentation must show the policy governing this cadence and evidence that it was executed.
6. Third-party and contractor literacy records. Art.4 extends to "other persons dealing with the operation and use of AI systems on their behalf." If contractors, outsourced operations teams, or integration partners operate your AI systems, their literacy evidence belongs in your file. Lack of third-party records is one of the most common compliance gaps.
7. Governance ownership trail. Who in the organisation is responsible for AI literacy compliance? What is the escalation path when gaps are identified? NCAs responding to incidents will look for internal accountability — a named DPO equivalent for AI literacy, governance committee minutes, or a written policy ownership assignment.
The Seven Core Evidence Documents
Translate those NCA expectations into seven concrete documents your organisation should have compiled before August 2, 2026:
Document 1: AI System & Role Inventory (ai-systems-literacy-scope.xlsx)
A structured register mapping:
- Each AI system in use (system name, vendor, risk classification under Art.6)
- Roles that interact with each system (developer, operator, reviewer, end-user)
- Number of staff per role
- Applicable Art.4 literacy tier (awareness / working knowledge / expert)
This document is the axis around which all other evidence rotates. Every training programme, every competency assessment, every refresher schedule should trace back to a row in this register.
Document 2: Role-Specific Training Curricula (role-training-curricula/)
A folder containing the full curriculum for each role tier identified in Document 1. Each curriculum should state:
- Learning objectives (what the trainee will be able to do/explain)
- Module breakdown with duration
- AI system context (which specific systems the curriculum covers)
- Assessment method and pass criteria
- Review date (when curriculum will be updated)
For guidance on curriculum structure for specific roles, see Part 3 of this series.
Document 3: Training Delivery Records (training-completion-log.csv)
A timestamped log per employee:
| employee_id | full_name | role | ai_system | curriculum_version | delivery_date | delivery_method | score | passed | assessor |
|---|---|---|---|---|---|---|---|---|---|
| E-10042 | A. Müller | SRE | prod-ml-v3 | v2.1 | 2026-03-15 | e-learning | 87% | yes | system |
| E-10043 | J. Kowalski | PM | prod-ml-v3 | v2.1 | 2026-03-18 | facilitated | pass | yes | L. Bauer |
Preserve these records for at least the duration of the AI system's operational life plus five years, consistent with general regulatory record-keeping expectations.
Document 4: Competency Assessment Results (competency-assessments/)
For each role tier, assessment artefacts demonstrating comprehension rather than mere attendance:
- Written test papers with answer keys and individual scored copies
- Practical exercise descriptions and evaluator notes
- Scenario-based assessment rubrics with scoring grids
- Aggregate and individual result summaries
Assessment design matters. Questions must be calibrated to the AI system context, not generic AI trivia. An assessor reviewing a deployer's compliance record will test whether the assessment could plausibly have been passed by someone who has never touched your specific AI system — if yes, it may not satisfy Art.4's contextual calibration requirement.
Document 5: Refresher & Update Policy (literacy-refresher-policy.md)
A written policy defining:
- Triggers for mandatory refresher training (major model update, system scope change, staff role change, regulatory update)
- Maximum interval between scheduled refreshers (12 months is a defensible default for high-risk system operators)
- Responsibility for triggering refresher events
- Process for updating curricula when triggers occur
- Exception handling (new joiners, long-term leave returners)
The policy alone is insufficient. Document 3 should contain evidence of the policy being executed.
Document 6: Third-Party Literacy Attestations (third-party-attestations/)
Signed attestations from each third party that operates or accesses your AI systems:
- Name of organisation and individual(s)
- Which AI system they access
- Literacy training completed (curriculum name, version, date)
- Acknowledgment of Art.4 obligations
For GPAI tool users using vendor-provided tools (GitHub Copilot, Claude API, etc.), Part 4 of this series covers the specific evidence needed for that category.
Document 7: Governance Record (ai-literacy-governance.md)
A document establishing:
- Named role responsible for Art.4 compliance (equivalent function to a DPO for literacy)
- Reporting line and escalation path
- Review frequency (committee meetings or governance sign-off)
- Version history of the literacy programme
Include meeting minutes or email threads where governance decisions about the literacy programme were made. Paper trails of internal deliberation demonstrate proportionate organisational seriousness.
20-Point Self-Assessment Checklist
Run this checklist before your first NCA interaction. Score each item 0 (not done), 1 (in progress), or 2 (complete with evidence).
Scope & Inventory (max 8)
- We have a complete register of all AI systems in operation
- Each system is classified by risk level (prohibited, high-risk under Art.6, limited-risk under Art.50, minimal)
- We have identified every role that operates, uses, or oversees each AI system
- Third-party and contractor AI system access is included in scope
Training Programme (max 8)
- Role-specific curricula exist for every identified role
- Curricula are calibrated to specific AI systems, not generic AI awareness
- Learning objectives map to Art.4 contextual requirements
- A refresher policy with clear triggers is documented
Evidence Records (max 12)
- Individual completion records exist for every trained employee
- Records include timestamps, curriculum version, and outcome
- Competency assessments (not just attendance) are documented for all high-risk system operators
- Assessment questions are calibrated to specific AI systems in use
- Third-party attestations are collected and stored
- Records are stored in a durable, audit-accessible system
Governance (max 8)
- A named individual is responsible for Art.4 compliance
- An escalation path exists for newly identified literacy gaps
- Governance decisions about the literacy programme are documented
- Programme review dates are scheduled and evidenced
Scoring interpretation:
- 32–36: Strong compliance posture. Audit-ready.
- 24–31: Partial gaps. Prioritise evidence collection before August 2.
- 16–23: Significant gaps. Begin structured remediation immediately.
- Below 16: Material compliance risk. Consider external specialist support.
Integration with the Broader AI Act Compliance Stack
Art.4 does not operate in isolation. NCAs investigating an incident under other articles will pull the literacy record as a matter of course.
Art.9 (Risk Management System): High-risk AI providers must maintain a risk management system throughout the system lifecycle. Adequate human oversight — a core risk control — depends on operators who understand how to exercise that oversight. A risk management system is undermined if the humans in the loop lack documented literacy about the system they are overseeing.
Art.11 (Technical Documentation): Providers of high-risk AI systems must maintain technical documentation before placing the system on the market. This documentation should cross-reference the training programme for operators, establishing that the intended use case (and the limitations of the system) are communicated through the literacy programme.
Art.13 (Transparency and Provision of Information to Deployers): Providers must supply deployers with information sufficient to understand the system, including its capabilities, limitations, and oversight requirements. Art.4 literacy for deployer staff is the downstream mechanism by which that information is operationalised. If deployer staff lack the literacy to act on Art.13 disclosures, the transparency obligation is discharged in form but not in substance.
Art.26 (Obligations of Deployers of High-Risk AI Systems): Deployers must implement the technical and organisational measures specified in the provider's Art.13 information. They must also ensure that operators have the competence to use the system and assign human oversight to individuals who have the authority, capability, and training to interpret the system's output and intervene. This capability requirement is the Art.26 operationalisation of Art.4.
Common Audit Preparation Gaps
Based on the compliance patterns visible across GDPR enforcement (the closest structural analogue), organisations entering their first AI Act audit cycle tend to exhibit predictable gaps:
The attendance gap: Training delivery records show 90%+ completion, but competency assessment records are absent or anodyne. Attendance proves that staff sat through training; assessment proves they understood the relevant content for their specific AI system context.
The contractor blindspot: In-house staff are trained and documented. But the team that actually runs the ML pipeline day-to-day is a managed service provider, and their literacy records are not in the compliance file.
The version mismatch: The AI system was updated substantially in Q1 2026. The training curriculum has not been reviewed since initial deployment. Staff operating the updated system are technically undertrained for its current capabilities and limitations.
The governance gap: A well-constructed training programme exists, but no individual is named as responsible for maintaining it. When the NCA asks "who ensures your Art.4 compliance is current?", the answer is silence or "the compliance team generally."
The GPAI afterthought: The compliance record covers the bespoke ML systems in production. The AI coding assistants used by 40 developers, the LLM-based customer triage tool deployed in support, and the AI-enhanced analytics dashboard used by the business team are missing from the record's scope. Each of these creates a separate Art.4 population requiring separate evidence.
Practical Priorities for the Next 8 Weeks
With August 2, 2026 approximately 8 weeks away, the most defensible use of remaining time depends on your current posture:
If you have an existing training programme but lack evidence: Focus entirely on Document 3 (completion records) and Document 4 (assessment results). Retroactive assessment is possible for staff who have completed training — administer a documented competency check now and record the outcomes. Courts and regulators accept good-faith remediation.
If your programme has scope gaps (contractors, GPAI tool users, updated systems): Address the gap systematically. For each uncovered population, design a minimal viable literacy unit calibrated to their specific AI system interaction, deliver it, and document both delivery and assessment before August 2.
If your governance trail is thin: Convene a formal governance meeting before July 31, record that the Art.4 programme was reviewed, name the responsible individual in the minutes, and attach the evidence documents as annexes. A single well-documented governance action builds the paper trail needed to demonstrate organisational seriousness.
If you are starting from zero: Prioritise scope definition (Document 1) and a minimal documented training event with individual completion records (Documents 2 and 3) for your highest-risk AI system users. Partial compliance documented in good faith before August 2 is substantially better than no compliance record at all when NCAs begin their first enforcement activities.
Series Summary: The Five Art.4 Obligations in Practice
This series has covered the full Art.4 compliance stack:
| Post | Focus | Key Outcome |
|---|---|---|
| Part 1 | Developer team obligations | Understanding who is in scope and what "sufficient" means |
| Part 2 | Minimum programme requirements | Structuring a compliant literacy curriculum |
| Part 3 | Role-specific curricula | Tailoring training to PM, Engineering, Ops, Support |
| Part 4 | GPAI tool user obligations | Covering Copilot, Claude, GPT-4 users |
| Part 5 (this post) | Audit evidence and NCA readiness | Building the seven core evidence documents |
Art.4 is a process obligation, not a binary pass/fail. Organisations that have invested in structured, documented, role-calibrated literacy programmes — and can demonstrate this through the evidence documents outlined here — will be in a defensible position regardless of how NCA enforcement evolves in the first 18 months.
Running sota.io Infrastructure for EU AI Act Compliance
EU AI Act compliance — including the Art.4 literacy programme documentation — requires storing structured evidence records, controlling access, and maintaining audit trails across your engineering organisation.
sota.io provides EU-sovereign PaaS infrastructure hosted in Germany and France, with GDPR-compliant data residency, role-based access controls, and the logging and audit capabilities needed for both Art.4 evidence management and the broader compliance stack (Art.9 risk system logs, Art.12 record-keeping, Art.19 automated log preservation). No US-CLOUD-Act exposure. No third-country data transfers.
If you are building or migrating compliance-critical infrastructure ahead of the August 2026 deadline, start with a sota.io environment — EU-native from the first deployment.
This post is part of the sota.io EU AI Act Compliance Series. For regulation citation verification and further reading, see the EU AI Act text on EUR-Lex.