
AI Act compliance training checklist

The operational evidence pack a supervisor can request, item by item.

TL;DR

A defensible Article 4 programme produces seven artefacts: a written training plan keyed to Article 4, an inventory of AI systems in use, a role-tier map, role-specific curricula, attendance and completion logs, a refresher cadence, and a policy on residual-risk escalation. Pair these with the technical documentation Article 11 expects from providers, and you have a pack you can hand to a national competent authority on request without redrafting anything.

The seven artefacts

This list mirrors the structure used by the European Commission’s AI Act service desk when it walks organisations through self-assessment, and matches the supervisory framework in the Digital Strategy AI Act overview.

1. Written training plan referencing Article 4

A short document, two to four pages, naming Article 4 of Regulation (EU) 2024/1689 by reference, the scope of staff covered, the systems in scope, the cadence, and the responsible owner. This is the document a regulator opens first.

2. AI system inventory

A list of every AI system in production use across the organisation: name, vendor, purpose, the data categories it processes, who uses it, who supervises it, and the date it entered service. Update at least quarterly. This is also the input your DPIA team needs to satisfy GDPR Article 35.

3. Role-tier map

A spreadsheet mapping each in-scope role to one of four tiers (operators, configurers, builders, decision-makers - see who needs training). Headcount per tier and per business unit. Updated when staff join, leave, or change role.

4. Role-specific curricula

A curriculum document per tier. Each curriculum names the learning objectives, the duration, the delivery format, and the assessment method. The research output of Nova IMS and the AI governance modules at Instituto Superior Técnico provide reference frameworks the curriculum can cite.

5. Attendance and completion logs

A log per session: date, attendees, role tier, format, duration. For e-learning, completion records with timestamps. Retain for at least seven years to align with bookkeeping retention and to cover the AI Act conformity timeframe.

6. Refresher cadence

A documented schedule for retraining. The defensible minimum is annual for all tiers, six-monthly for builders and decision-makers, and event-driven retraining whenever a new AI system enters service or a tool’s capabilities materially change.

7. Residual-risk escalation policy

A short policy describing what staff do when an AI system produces an unsafe, biased, or unexpected output, and how those incidents are logged and reviewed. Pair this with the post-market monitoring obligation under Article 72 if you are a provider.

Common gaps

Three gaps come up repeatedly in pre-supervision audits we run:

  • No inventory. Teams have training but cannot prove it covers the actual tools in use.
  • One-size-fits-all training. A single 30-minute video for everyone fails the proportionality test that Article 4 explicitly requires.
  • No log retention plan. Training was delivered but the records were lost when an LMS was replaced.

The Government of Portugal’s digital portal and the Portuguese Government Digital Strategy both flag the proportionality requirement as the most common failure mode in pilot supervisory reviews.

How AISO Learn helps

Our team-engagement programme produces all seven artefacts as part of the eight-week delivery, not as a separate documentation project bolted on at the end.
