Your Whole Team Uses AI. Only One of Them Knows the Rules. That Is a Training Problem.
By Gabriel Tan | May 2026
Ask your account executive which AI tools are on the approved list. Ask them what data classification tier applies to a draft earnings release. Ask them who to call if they accidentally paste client financials into a free-tier tool.
If they cannot answer all three questions in 10 seconds, your AI use policy is a document, not a practice. The gap between having a policy and having a team that follows it is training. And as of 2 February 2025, that training is a legal requirement.
What the regulation says
The EU AI Act introduced an AI literacy obligation that took effect on 2 February 2025. The obligation applies to deployers, which is any organisation that uses AI systems in its operations. Your PR firm is a deployer. Your IR advisory is a deployer. Your financial communications consultancy is a deployer.
The Act does not prescribe a specific training format. It requires that staff who operate or interact with AI systems have sufficient understanding of the tools, their limitations, and their risks to use them responsibly. If your firm has EU-listed clients, a London office, or operates in a jurisdiction that references the EU framework, this obligation applies to you.
The AI literacy obligation is not a suggestion buried in a guidance note. It sits in the Act itself. Non-compliance carries penalties. And the first thing a regulator or client will ask for is evidence that your team has been trained. A sign-off sheet showing who completed training and when is that evidence.
Why one training for everyone does not work
A 20-person PR or IR firm has at least three distinct roles that interact with AI differently. Each role carries a different failure mode.
The account executive's risk is input error. They are the ones using AI tools daily, pasting client material into prompts, generating first drafts, running research queries. Their failure mode is putting the wrong data into the wrong tool: confidential financials into a free-tier account, client-identifiable information into a public tool, restricted data into any tool at all.
The senior consultant's risk is output error. They review AI-assisted deliverables before they reach the client. Their failure mode is trusting the output without checking it: a fabricated statistic that looks plausible, a forward-looking statement the AI generated that the client's CFO never approved, a quote attributed to someone who never said it.
The MD's risk is structural. They are responsible for the firm's regulatory position, vendor contracts, client disclosure, and insurance coverage. Their failure mode is not knowing that the vendor's terms of service disclaim liability for AI output accuracy, or that the firm's professional indemnity policy may not cover AI-assisted errors.
Same firm, three different risks. But the first two risks apply to everyone. Every person in the firm needs to know what tools are approved and what data goes where. Every person in the firm needs to know how AI output fails and how to check it. The structural risk is the one that sits with leadership.
That gives you three tracks. Everyone attends Tracks 1 and 2. Leadership stays for Track 3.
Track 1: Tools, data, and escalation (everyone)
This track covers three things. First, which tools are on the approved list and which are not. If it is not on the list, it does not touch client work. Second, the data classification tiers from your AI use policy: what data never goes into any tool, what goes into enterprise tools only, and what can go into non-enterprise tools with guard rails. Third, the escalation rule: if client data enters an unapproved tool, who do you tell and how fast.
This track takes 20 minutes. The test at the end is the three-question check: Can I use this tool? Can I put this data in? Who do I tell if something went wrong? If everyone in the room can answer those three questions, Track 1 has done its job.
Track 2: Checking AI output (everyone)
AI tools fabricate. They present invented statistics as fact. They generate plausible but unsupported statements. They attribute quotes to people who never said them. Every person in your firm who touches a deliverable needs to know this, whether they are drafting or reviewing.
This track gives the team a five-point checklist for every AI-assisted deliverable:
Are the numbers in this output sourced? Can I trace each figure back to a client-approved document or a verified source?
Are the quotes real? Did the person actually say this, or did the AI generate it?
Are the forward-looking statements supported? Has the client's management approved this language?
Is there anything in here that I cannot verify? If so, it gets flagged or removed before it goes further.
Have I logged which tool was used and what data was entered?
This track also covers escalation for output errors. If a reviewer finds a claim they cannot verify, or if an AI-generated error makes it into a deliverable that has already been sent, who do they tell and what is the process? The escalation contact and the steps should be the same ones in your incident protocol.
This track takes 25 minutes. Print the five-point checklist. Pin it where the work happens.
Track 3: Regulatory and contractual exposure (leadership only)
This track is for MDs, partners, and senior leadership. It covers four things. The EU AI Act's provider/deployer framework and what it means for your firm's liability as a deployer. What your AI vendor's terms of service actually say about accuracy and liability. Your firm's disclosure position and how to communicate it to clients when the question comes up. And whether your professional indemnity insurance covers claims arising from AI-assisted deliverables.
This track takes 25 minutes. The people in this room are the ones who sign the vendor contracts, set the disclosure policy, and talk to the insurer. The training makes sure those decisions are informed, not assumed.
How to run the session
Total time: 90 minutes. One session, not three separate ones.
First 45 minutes: Tracks 1 and 2, whole team. Start with the approved tools and data classification (Track 1, 20 minutes). Then move into output checking and the five-point checklist (Track 2, 25 minutes). Walk the team through the governance dashboard so they know where to log AI use and where the records live.
Next 25 minutes: Track 3, leadership only. The rest of the team is done. Senior leadership stays for the regulatory and contractual session.
Final 10 minutes: sign-off. Every attendee signs to confirm they completed the training. File the signed sheet as a governance record. It goes into the training tracker tab of your governance dashboard. That signed sheet is what you produce when a client or regulator asks for evidence of AI literacy.
No external trainer required. No software to buy. The session uses your firm's own AI use policy, your approved tools list, and your governance dashboard. One afternoon.
What to do this week
Schedule the session. Block 90 minutes in the next two weeks. One calendar invite, whole team.
Prepare two one-page briefings for the whole team (Track 1 and Track 2) and one for leadership (Track 3). Each briefing should fit on a single page. Two hours of preparation.
Print the five-point checklist and the sign-off sheet.
Run the session. File the sign-off sheet. Set the annual refresh date. Done.
The EU AI Act says your team needs AI literacy. Your clients are starting to ask for evidence of it. The training record is a governance artefact you can show in a pitch, reference in a proposal, and produce if a regulator asks. One session builds it. One refresh a year maintains it.
Gabriel Tan is the founder of Mekong Bridge Advisory. He builds structured execution systems for PR and communications firms.
