5 Comments
Phoebe

I really enjoyed reading this - thank you for making the AI Act a little less legalese and a little more English ;)

I was reading the other day about AI literacy vs AI enablement and how they’re really not the same thing. Giving people tools to use is not the same as actually knowing what those tools could do. I’m also guilty of automation bias, especially when it’s something a little less cognitive - and “sure, good enough” won’t hold up in an audit!

Silvia Stepitova

Thank you for the kind words. :)

The literacy vs enablement distinction is the one the AI Act is built around, even if it doesn’t use those words. Article 4 requires “appropriate” AI literacy — not just access to tools, but actual understanding of how they work and where they fail. “Sure, good enough” is exactly the gap that provision is trying to close. Whether it succeeds is a different question.

Mike Schlottman

I didn't consider the impact of the DPO requirement. Thank you!

It definitely set a clear standard of accountability to get compliance started. The tiering system you mention doesn't have the same dedicated role with an expert required.

Mike Schlottman

Painfully relatable.

Refreshing to read someone who has stood on both sides of the wall, building and regulating. That dual fluency is rare and it shows in the tier breakdown.

The GDPR parallel is the one that keeps me up at night. Companies are running the exact same playbook: ignore the deadline, wait for the first nine-figure fine to hit headlines, then turn around and ask leadership, "why weren't we doing this already?" The honest answer is "because every budget cycle you told us not to."

The tier framework is very useful. It gives compliance teams something concrete to push back with when leadership inevitably asks for the cheapest possible checkbox. Tier 1 by itself isn't compliance; it's plausible deniability with a completion certificate attached.

One question I'm sitting with: do you see a dedicated AI compliance function emerging the way Privacy did post-GDPR?

The titles are trickling in, but hiring still feels reactive. Most companies look content to bolt AI governance onto an already overstretched privacy or risk team and call it staffed.

Silvia Stepitova

Probably yes, but slower. GDPR forced the issue by mandating the DPO role. The AI Act has no equivalent of such a role, so companies are making the cheaper call and absorbing it into existing teams.

That said, it is happening in some places. I’m sitting in exactly that function right now. But the pattern so far is European companies moving first, and US legal teams waiting for the enforcement headline that makes the budget conversation unavoidable.