Claude

IntuitionLabs is now a member of the Claude Partner Network – AI training and upskilling with Claude for pharma and biotech. Book a call.

IntuitionLabs
Back to Articles

EU AI Act AI Literacy for Pharma: Article 4 Compliance Guide

Executive Summary

The EU Artificial Intelligence Act (Regulation (EU) 2024/1689, the "AI Act") entered into force on 1 August 2024, and its Article 4 "AI literacy" obligation became applicable on 2 February 2025, making it the first substantive duty pharmaceutical companies had to satisfy under the law ([1]) ([2]). The article requires providers and deployers of AI systems to ensure "a sufficient level of AI literacy" among staff and any other persons operating AI systems on their behalf, calibrated to each person's technical knowledge, role, and the risk context of the system in use ([1]). For pharmaceutical and biotech firms, whose AI systems increasingly touch drug discovery, clinical trials, pharmacovigilance, manufacturing, and interactions with the European Medicines Agency (EMA), this is not an abstract compliance exercise: Osborne Clarke has flagged that firms "deploying high-risk AI technologies in support of their medicines' lifecycle or in their interactions with the EMA" are directly in scope ([3]).

Enforcement is layered and, as of publication, still in motion. National market surveillance authorities were due to be designated by 2 August 2025, and the European Commission's own FAQ states supervision and enforcement "apply from 3 August 2026 onwards" in one place and "as of 2 August 2026" in another, an internal inconsistency worth flagging to compliance teams tracking exact dates ([4]). Penalties under Article 99 scale up to €35 million or 7% of global annual turnover for the most serious violations (unacceptable-risk practices), and up to €15 million or 3% of turnover for most other operator obligations, with lighter €7.5 million/1% fines for misleading information to authorities ([5]). While Article 4 itself is not explicitly tied to a fine tier, legal advisers including Travers Smith warn that "a lack of AI staff training/guidance will likely be seen by regulators as an aggravating factor" in enforcement of other AI Act breaches ([6]).

Critically, the regulatory picture is shifting. On 19 November 2025 the European Commission tabled a "Digital Omnibus on AI," and by May 2026 EU institutions had reached a provisional agreement that defers high-risk AI obligations for stand-alone Annex III systems to 2 December 2027 and for AI embedded in regulated products (including many medical devices) to 2 August 2028 ([7]). The same agreement proposes to soften Article 4 itself, shifting it from a hard obligation to "ensure" literacy toward a duty to merely "support the development of AI literacy" ([8]). Despite this loosening, the Commission's May 2025 Q&A guidance, still the most authoritative interpretive document available, sets out four concrete minimum steps: ensure general organisational understanding of AI, clarify the company's role as provider or deployer, assess system-specific risk, and tailor training to staff knowledge and context ([9]).

The urgency is underscored by a persistent knowledge gap: only 9% of life-sciences professionals report understanding U.S. and EU AI regulations well, even as AI is projected to add $100 billion in annual value to the industry ([10]). Meanwhile the global AI-in-pharma market, estimated at $4.35 billion in 2025 and heading toward $35 billion by 2031 at a 41.5% compound annual growth rate, means literacy gaps scale with capital exposure ([11]). Leading pharmaceutical employers are already responding at scale: Johnson & Johnson has put more than 56,000 of its 138,000 employees through a mandatory generative AI course, Merck reports over 50,000 employees actively using its internal GPTeal platform, and Samsung Bioepis opened a dedicated "AI Academy" delivering at least seven hours of training to roughly 1,000 staff ([12]) ([13]).

This report explains what Article 4 actually requires, who counts as a "provider," "deployer," or "affected person," how the obligation intersects with GxP quality systems (GMP, GCP, GLP), the GAMP5 computerized-systems framework, and 21 CFR Part 11-style documentation practices, and what a defensible, risk-tiered AI literacy program looks like for a pharmaceutical organization operating across R&D, manufacturing, pharmacovigilance, and commercial functions. It walks through concrete named implementations at J&J, Merck, Eli Lilly, and Samsung Bioepis, quantifies the compliance and workforce data available as of July 2026, and closes with practical guidance for building a program that survives both a national market surveillance audit and the accelerating pace of regulatory change.

Introduction and Background

Artificial intelligence in pharmaceutical research, development, manufacturing, and commercialization has moved from pilot projects to embedded infrastructure faster than most compliance functions can absorb. Machine learning models screen chemical libraries for drug candidates, predictive algorithms guide clinical trial patient recruitment, generative AI drafts regulatory submissions and medical information responses, and AI-enabled software increasingly qualifies as a medical device component under EU rules ([14]). The EU AI Act, formally Regulation (EU) 2024/1689, was adopted to govern this expansion with a risk-based framework, and it entered into force on 1 August 2024 ([15]).

Unlike the Act's high-risk classification rules or conformity assessment procedures, which phase in over several years, Article 4 took effect almost immediately, on 2 February 2025, alongside the prohibitions on unacceptable-risk AI practices in Article 5 ([2]). Article 4 reads, in full: "Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used" ([1]). "AI literacy" itself is a defined term under Article 3(56): "skills, knowledge and understanding that allow providers, deployers and affected persons... to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and possible harm it can cause" ([16]) ([17]).For the life-sciences sector this timing collides with an already dense compliance calendar. Osborne Clarke, a firm advising life-sciences clients across the EU, describes 2 February 2025 as marking "a strategic window to implement AI literacy ahead of an August enforcement deadline" and notes explicitly that pharmaceutical and biotech firms using AI in the medicines lifecycle or in dealings with the EMA fall within scope ([18]). Medtech companies face a further complication: they must reconcile AI Act obligations with the EU's Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR), since AI-enabled diagnostic and monitoring software very often qualifies as high-risk under both regimes simultaneously ([19]).

The European Commission's own regulators have acknowledged the practical difficulty. In May 2025 the Commission's Directorate-General for Communications Networks, Content and Technology published a detailed Questions & Answers document on AI literacy, explicitly stating the AI Office "will not impose strict requirements regarding Article 4 of the AI Act," preferring flexibility over prescription given how fast the underlying technology is evolving ([20]). That flexibility is a double-edged sword for pharmaceutical compliance, quality, and regulatory affairs teams: it removes a rigid checklist but also removes the certainty of "if we do X, we are compliant." Instead, organizations must build a defensible, documented, risk-calibrated rationale, the same posture GxP (Good Practice, encompassing Good Manufacturing Practice, Good Clinical Practice, and Good Laboratory Practice) quality systems already demand for validated computerized systems. This report treats that convergence, between AI Act literacy obligations and existing GxP quality infrastructure, as the central practical challenge pharmaceutical compliance leaders face in 2026 and beyond.

Key Changes: What Article 4 Requires and How It Is Evolving

Article 4 sits in Chapter I ("General Provisions") of the AI Act, alongside definitions and scope, rather than in the high-risk-system chapters. This placement matters: unlike Articles 8 through 15, which apply only to systems classified as high-risk, Article 4 applies horizontally to any provider or deployer of any AI system, regardless of risk tier ([21]). Osborne Clarke states plainly that the AI literacy requirements "do not differentiate between high-risk AI systems and those deemed low- or medium-risk. These provisions are applicable to any deployer or provider of an AI system governed by the regulation" ([21]). A pharmaceutical marketing team using a low-risk AI writing assistant is, in principle, just as much in scope as a clinical operations team running a high-risk diagnostic algorithm, though the intensity of the required measures differs.

Osborne Clarke's German-market briefing adds a jurisdictional nuance: Article 4 does not carve out narrow categories of AI, and "essentially, only purely personal non-professional use by natural persons is excluded from the scope of the AI Act" ([22]). In practice, that means the obligation attaches to essentially every professional AI use inside a pharmaceutical company, from an R&D scientist's machine-learning model to a commercial team's customer-relationship chatbot.

Who Is Covered: Providers, Deployers, and "Other Persons"

The Act distinguishes providers (entities that develop an AI system and place it on the market or put it into service under their own name) from deployers (entities that use an AI system under their own authority) ([23]). Most pharmaceutical companies are deployers with respect to the large language models and enterprise AI tools they license from vendors, but many are simultaneously providers if they build proprietary predictive models for drug discovery, patient stratification, or manufacturing process control.

The Commission's May 2025 Q&A clarifies who counts as "other persons dealing with the operation and use of AI systems": "these are not employees, but persons broadly under the organisational remit. It could be, for example, a contractor, a service provider, a client" ([24]). Punter Southall Law offers a concrete illustration relevant to pharmaceutical HR functions: "given the popularity of AI recruitment and screening tools, most HR teams would probably be considered deployers of AI systems, with the result that those recruiting are included in those dealing with AI systems" ([25]). The same firm raises the risk of "Shadow AI," noting that "even if an organisation bans AI use for work purposes the evidence shows that it is still likely to happen for example on an employee's own personal devices", which strengthens the case for organization-wide baseline awareness training rather than narrowly scoped technical training for a small AI team ([26]).

The Commission's Q&A also confirms that affected persons, including patients and clinical trial participants who are subject to AI-assisted decisions, are contemplated by the underlying rationale of Article 4, even though the Act does not explicitly enumerate their training. Recital 20 of the Act states AI literacy "should equip providers, deployers and affected persons with the necessary notions to make informed decisions regarding AI systems," including, for affected persons specifically, "the knowledge necessary to understand how decisions taken with the assistance of AI will have an impact on them" ([27]). For pharmaceutical deployers running patient-facing AI, such as symptom triage chatbots or AI-supported adherence tools, this recital effectively extends the spirit of Article 4 to patient communications, even absent an explicit training mandate for patients themselves.

Minimum Content: What the Commission Actually Expects

Because Article 4's text is deliberately open-ended, the Commission's May 2025 Q&A functions as the closest thing to authoritative interpretive guidance available. It lays out four minimum steps organizations should take:

  • General AI understanding: "What is AI? How does it work? What AI is used in our organisation? What are its opportunities and dangers?" ([28])
  • Organisational role clarification: determining whether the company is developing AI systems or simply using systems built by others ([29])
  • Risk-specific assessment: identifying "what employees need to know when dealing with such AI system" and the mitigations required ([30])
  • Tailored, documented action: building concrete literacy measures on that analysis, factoring in staff's existing technical knowledge, experience, education, and the specific context of use ([31])

Notably, the Commission's FAQ states there is no obligation to test or certify employee knowledge: "Article 4 of the AI Act does not entail an obligation to measure the knowledge of AI of employees" ([32]), and no certificate is required: "There is no need for a certificate. Organisations can keep an internal record of trainings and/or other guiding initiatives" ([33]). Similarly, no dedicated AI governance structure is mandated: "No, no specific governance structure is mandated to comply with article 4 of the AI Act", meaning companies need not appoint an "AI officer" analogous to a GDPR data protection officer ([34]). Travers Smith summarizes the same point: "There is also no specific governance structure required, so organisations do not need to appoint an AI officer or create an AI governance board to meet the AI literacy requirements" ([35]).

However, the Commission is explicit that passive compliance, simply pointing staff to an AI vendor's instructions for use, is insufficient. The Q&A states: "in many cases, simply relying on the AI systems' instructions for use or asking the staff to read them might be ineffective and insufficient" ([36]). This has direct relevance for pharmaceutical deployers of common productivity tools: the Q&A confirms that "a company, whose employees are using ChatGPT for, e.g., writing advertisement text or translating text" does need to comply with Article 4, and "they should be informed about the specific risks, for example hallucination" ([37]).

Timeline: From February 2025 to Enforcement in 2026

The compliance calendar around Article 4 is confusingly dense, and internally inconsistent even within the Commission's own guidance. The obligation itself became applicable on 2 February 2025, the same date the Article 5 prohibited-practices ban took effect ([2]). Governance provisions establishing the EU AI Office and national competent authorities came into effect from 2 August 2025 ([38]). Member States were required to designate at least one notifying authority and one market surveillance authority by that same 2 August 2025 date ([39]).

As for when penalties can actually be imposed, the Commission's own FAQ contains two different statements. One answer reads: "The supervision and enforcement rules apply from 3 August 2026 onwards" ([2]). A later answer in the same document states "The national market surveillance authorities will start supervising and enforcing the rules as of 2 August 2026" ([39]). Osborne Clarke's independent analysis aligns with the latter, more common figure, stating "enforcement provisions... along with provisions for legal remedies will only come into effect on 2 August 2026" ([40]). Pharmaceutical compliance teams should treat 2 August 2026 as the operative planning date while noting the ambiguity in official Commission text, rather than assume a full extra day of grace.

Whether penalties could apply retroactively to conduct between February 2025 and the enforcement start date remains unresolved. Travers Smith notes: "When asked if penalties could be imposed retrospectively from 2 February 2025, the Commission did not give a clear answer" ([41]). Punter Southall Law reaches a similar conclusion on the maximum-fine question, noting that the specific penalty amount "will depend on the national authorities" since Member States were tasked with adopting their own laws on AI literacy penalties by 2 August 2025 ([42]). Given this uncertainty, treating early 2025 as an active compliance window rather than a dead period is the prudent course for regulated pharmaceutical operations.

Table 1 below consolidates the key dates pharmaceutical compliance teams need to track, drawing on the EUR-Lex regulatory text, the Commission's Q&A, and Gibson Dunn's analysis of the Digital Omnibus agreement.

DateProvisionStatus as of July 2026
1 August 2024AI Act enters into forceIn force ([15])
2 February 2025Article 4 AI literacy obligation and Article 5 prohibited-practices ban applyIn force ([2])
2 August 2025Governance provisions apply; GPAI model obligations apply; deadline for Member States to designate market surveillance authoritiesIn force ([38])
2 August 2026Article 50 transparency obligations apply; Article 4/Article 99 enforcement begins (per most sources; the Commission's FAQ also cites 3 August 2026 in one place)Active compliance date ([43])
2 August 2027GPAI models placed on market before 2 August 2025 must fully comply; deadline for national AI regulatory sandboxes (proposed, Omnibus)Proposed/scheduled ([44])
2 December 2027Annex III stand-alone high-risk AI obligations apply (proposed, Omnibus)Proposed deferral ([7])
2 August 2028Annex I high-risk AI obligations apply, covering AI embedded in medical devices (proposed, Omnibus)Proposed deferral ([7])
2 August 2030High-risk AI systems intended for use by public authorities must fully complyScheduled ([45])

This timeline underscores why pharmaceutical compliance teams cannot treat Article 4 as a single deadline: the obligation itself has been active since early 2025, several adjacent obligations (governance, GPAI, transparency) have phased in on different dates through 2025 and 2026, and the highest-stakes high-risk requirements, most relevant to AI-enabled medical devices and clinical decision support, are now realistically not binding until 2027 or 2028 under the pending Digital Omnibus agreement.

Penalties and Enforcement Mechanics

Article 99 of the AI Act sets a tiered penalty structure. Non-compliance with Article 5's prohibited practices is subject to fines of "up to 35 000 000 EUR or, if the offender is an undertaking, up to 7 % of its total worldwide annual turnover for the preceding financial year, whichever is higher" ([5]). Most other operator obligations, including many of the requirements clustered around high-risk systems, carry fines of "up to 15 000 000 EUR or... up to 3 % of its total worldwide annual turnover" ([46]). Providing false or misleading information to authorities or notified bodies is penalized more lightly, at up to €7.5 million or 1% of turnover according to the wider commentary literature summarizing Article 99's fourth tier ([47]).

Article 4 does not appear explicitly among the named provisions in Article 99, which creates interpretive uncertainty about which fine tier, if any, attaches directly to a bare AI literacy failure. Osborne Clarke's German practice notes candidly: "Violations of the requirements of the AI-Act are subject to sanctions in accordance with Art. 99 (1) of the Act, which are to be determined in detail by the Member States and notified to the EU Commission" ([48]). In practical terms, most legal advisers converge on the same conclusion Travers Smith reaches: an AI literacy gap is unlikely to trigger standalone enforcement, but it becomes "an aggravating factor" when a regulator is already investigating a separate breach, for example a high-risk clinical AI system malfunction traced to untrained staff ([6]). Punter Southall Law's assessment is similar: "Currently the main risk is civil action with a number of pressure groups engaged in looking at the use of AI", alongside the theoretical possibility of private enforcement where an affected individual sues over inadequate AI literacy measures ([49]). The EUR-Lex text confirms this private-enforcement channel exists in principle, providing that reporting of AI Act infringements and protection of the people who report them falls under the EU's existing whistleblower directive, Directive (EU) 2019/1937 ([50]).

That said, the AI Act's own enforcement architecture, drawing on Regulation (EU) 2019/1020, gives market surveillance authorities the power to require corrective action, order product withdrawal, or recall a non-compliant AI system within as little as 15 working days once a non-compliance finding is made ([51]). For a pharmaceutical deployer of a high-risk clinical AI tool, an inspection finding of inadequate staff training could realistically cascade into a demand for corrective action on the underlying system itself, not merely a training fine.

Interaction with Article 26 Human Oversight Obligations

Article 4's literacy requirement does not exist in isolation. Recital 91 of the Act ties AI literacy directly to the human oversight obligations that apply specifically to deployers of high-risk AI systems: "deployers should ensure that the persons assigned to implement the instructions for use and human oversight as set out in this Regulation have the necessary competence, in particular an adequate level of AI literacy, training and authority to properly fulfil those tasks" ([52]). Travers Smith flags the practical consequence for pharmaceutical deployers of high-risk clinical or manufacturing AI: "if your organisation uses a 'high-risk' system which, from August 2026, will require human oversight, those individuals will need to have the necessary training and support for that task (Article 26 of the EU AI Act)" ([53]). This means the generic, organization-wide Article 4 baseline training and the role-specific Article 26 human-oversight training are two distinct but overlapping compliance streams that pharmaceutical quality and regulatory teams need to track separately, since Article 26 explicitly requires trained competence rather than merely "sufficient" literacy.

The Digital Omnibus: A Moving Target

The regulatory picture around Article 4 changed materially in late 2025 and through mid-2026. Faced with widespread industry concern that the AI Act's implementation timeline was unrealistic, the European Commission published the "Digital Omnibus on AI" on 19 November 2025 ([54]). After failed trilogue negotiations in late April 2026, EU institutions reached a provisional political agreement on 6 May 2026, confirmed by Member State representatives on 13 May, with formal adoption expected before the 2 August 2026 deadline ([55]).

Two changes are most consequential for pharmaceutical compliance planning. First, high-risk obligations are deferred: "High-risk obligations for stand-alone Annex III systems are deferred to 2 December 2027; for AI embedded in regulated products under Annex I, to 2 August 2028" ([7]). The latter category directly covers AI embedded in medical devices, meaning many diagnostic and therapeutic AI tools used by pharmaceutical and medtech companies now have roughly two extra years before the full conformity-assessment regime bites. Second, and specific to this report's subject, the agreement proposes to soften Article 4 itself: "The Article 4 AI literacy obligation, which has applied since 2 February 2025, is proposed to be softened: providers and deployers would be required to support the development of AI literacy among their staff, rather than to guarantee a specific level of literacy" ([56]). The Commission's own FAQ confirms this direction, noting the amendment would "shift the obligation on the Member States and Commission to promote AI literacy and upskilling and reskilling in AI, rather than enforcing an unspecific obligation on organisations", while stressing that "for those who deploy high-risk AI systems, the obligation to ensure that their staff is trained to ensure human oversight remains in place" ([57]). Crucially, Gibson Dunn cautions that "the amended dates do not bind until formal adoption and Official Journal publication," so pharmaceutical companies should not treat the softened language as legally operative until it clears the full EU legislative process ([58]).

Two further Omnibus details matter to pharma specifically. First, the agreement introduces a mechanism to limit duplicative requirements for AI embedded in products already covered by sectoral EU legislation, explicitly including medical devices, so that "the Commission is empowered to limit the application of specific AI Act requirements where sectoral legislation already imposes equivalent obligations" ([59]). Second, the definition of "safety component" is narrowed so that AI used only for "non-safety related aspects of user assistance, performance optimization, service efficiency, automation or convenience, or quality control" does not automatically trigger high-risk classification by virtue of being embedded in a regulated product ([60]). For pharmaceutical AI systems used in areas like inventory optimization or non-clinical process automation, this could meaningfully shrink the high-risk footprint, and with it, the intensity of literacy and oversight obligations required.

Implementation Considerations and Process Changes for Pharma

Mapping Article 4 onto Existing GxP Quality Systems

Pharmaceutical organizations do not need to build an AI literacy program from a blank slate. GxP quality systems, which govern Good Manufacturing Practice (GMP), Good Clinical Practice (GCP), and Good Laboratory Practice (GLP) environments, already mandate role-based training, documented competency, and change-control discipline for validated computerized systems. ERA Sciences, a life-sciences compliance vendor, frames the challenge directly: "AI literacy (understanding what AI is, what it does, and how it impacts GxP systems) is emerging as a mission-critical competency for IT, Business and Quality leaders" and situates the obligation alongside existing frameworks including "21 CFR Part 11, Annex 11, Annex 22, GAMP5, GAMP Artificial Intelligence Guide and ALCOA+" ([61]).

The ISPE GAMP Guide: Artificial Intelligence, published in July 2025 as a 290-page standalone reference designed to be used alongside GAMP 5 (Second Edition), is the closest thing the industry has to a sector-specific validation and governance framework for AI-enabled computerized systems in GxP areas ([62]). It is explicitly framed as "the single source for a holistic interpretation on effectively developing and using AI-enabled computerized systems in GxP areas, while safeguarding patient safety, product quality, and data integrity" ([62]). Aligning an Article 4 program with this guide gives pharmaceutical compliance teams a defensible, industry-recognized reference point when a market surveillance authority or an internal audit asks for evidence of "sufficient" AI literacy, and the guide is explicitly positioned to work alongside GAMP 5 rather than replace it, with a core team drawn from companies including Roche Products and Intuitive Surgical ([63]).

The EMA has also weighed in on the broader regulatory context. Its reflection paper on the use of artificial intelligence in the lifecycle of medicines, first published in draft in July 2023, sets out principles applicable "at any step of a medicines' lifecycle, from drug discovery to the post-authorisation setting" and states that "a human-centric approach should guide all development and deployment of AI and ML" ([64]) ([65]). The paper also recommends that where an AI or ML system might affect the benefit-risk balance of a medicine, "EMA advises developers to seek early regulatory support, e.g. through qualification of innovative development methods (for human medicines) or scientific advice" ([66]). An AI literacy program that references both the AI Act's Article 4 requirements and the EMA's medicines-lifecycle expectations demonstrates the kind of "context the AI systems are to be used in" analysis Article 4 itself demands, particularly for AI/ML modelling approaches used in preclinical development and pharmacovigilance signal detection that the EMA paper identifies as priority application areas ([67]).

Designing Role-Based Training Tiers

A recurring theme across compliance advisers is that blanket, one-size-fits-all training both under-serves technical staff and over-burdens non-technical staff. ERA Sciences recommends segmenting training into three tiers: "Executive Awareness: What AI is, regulatory risk exposure, strategic opportunities," "Operational Literacy: Use case validation, change management, data integrity impact (ideal for IT and Quality leads)," and "Technical Depth: Algorithm behavior, dataset handling, mitigation strategies for bias or drift (for developers and system architects)" ([68]). This tiering maps directly onto the Commission's own instruction to calibrate training to "technical knowledge, experience, education and training" as specified in Article 4's text ([1]).

ERA Sciences further recommends creating "repeatable frameworks for AI use case development" and to "mandate model cards for all AI tools that impact GxP data or decision making," structured documentation covering an AI tool's purpose, inputs, outputs, and limitations that doubles as both a training aid and an audit artifact ([69]). This model-card practice is itself grounded in the AI Act: Recital 165 explicitly references "industry best practices such as model and data cards" as a mechanism for demonstrating trustworthy AI governance even for non-high-risk systems ([70]).

A further practical recommendation, distinct from formal training design but directly relevant to a GxP culture of psychological safety around quality issues, is normalizing uncertainty. ERA Sciences advises organizations to "build space into retrospectives and town halls for 'AI uncertainties'" and to "praise teams that raise 'unknowns' as part of project planning," arguing that "encouraging curiosity doesn't weaken your compliance posture, it strengthens it by uncovering risks early and fostering psychological safety" ([71]).

Documentation, Governance, and Audit Readiness

Because Article 4 requires no certificate and no mandated governance structure, the compliance burden shifts almost entirely onto documentation of process, not proof of individual competency. Osborne Clarke's practical guidance is unambiguous: "companies should also not fail to document the measures they have taken to ensure the AI literacy of their staff. In this way, they can prove, if necessary, that they have fulfilled their obligation under Art. 4 of the AI-Act" ([72]). The same firm recommends "specialist training courses, workshops and presentations" combined with a company-wide "acceptable use policy" containing "binding rules for the staff on which AI systems may be used in the company for which purposes and what is permitted or prohibited when using them" ([73]).

IntuitionLabs' broader analysis of EU AI Act compliance for pharmaceutical companies frames this documentation work as one part of a wider preparatory sequence: "inventorying all AI uses, classifying each by risk, integrating AI compliance into quality systems (e.g. risk management under ICH Q9), establishing governance and documentation practices, and training staff on AI literacy" ([74]). Anchoring the AI inventory itself in the same risk-management vocabulary already used for ICH Q9 quality risk management gives pharmaceutical quality teams a single risk taxonomy across GxP and AI Act obligations, rather than two parallel and potentially conflicting risk frameworks. For SME and mid-size pharmaceutical companies without in-house AI regulatory expertise, the Commission's Q&A also points to the network of 251 European Digital Innovation Hubs (EDIHs) across Member States and associated countries, noting "80% of EDIHs already provide services focused on AI, including trainings, workshops, bootcamps for different needs and levels of knowledge of AI" as a low-cost external resource ([75]).

Finally, on formal process changes, pharmaceutical deployers of contracted AI capability should note the Commission's cautious position on flowing the obligation down the supply chain: asked whether service providers should have contractual obligations to demonstrate AI literacy, the Commission answered that "in general, people working for a service provider or contractor need to have the appropriate AI skills to fulfil the task in question (same as the employees)," implying vendor and CRO (contract research organization) contracts should increasingly carry explicit AI-literacy assurance clauses even though the Act does not mandate a specific contractual mechanism ([76]).

Data Analysis and Evidence

Quantifying the scale of the AI literacy gap, and the countervailing investment pharmaceutical companies are making, helps calibrate how much organizational effort Article 4 compliance realistically demands. Several converging data points, from different research organizations and vendors, sketch the same picture: a large and unresolved gap between AI deployment and workforce understanding.

MasterControl, a GxP quality-management software vendor, cites survey data showing "only 9% of life sciences professionals understand U.S. and EU artificial intelligence (AI) regulations well. Yet AI could add $100 billion in value to our industry" ([10]). That same 9% figure and $100 billion valuation appear independently corroborated in IntuitionLabs' compliance analysis of the sector, which frames the gap as "a massive missed opportunity" relative to AI's projected value contribution ([77]).

On market scale, the global AI-in-pharma market is estimated to have reached $4.35 billion in 2025, projected to grow to $6.16 billion in 2026, and on track toward $35 billion by 2031 at a compound annual growth rate of 41.5%, based on figures compiled from Mordor Intelligence's industry research and reproduced in IntuitionLabs' EU AI Act compliance guide ([11]). This trajectory means the population of employees whose day-to-day work touches an AI system, and who therefore fall within Article 4's scope, is expanding rapidly year over year, not holding steady.

Table 1 below summarizes the concrete training investments disclosed by major pharmaceutical employers as of mid-2026, alongside the source and reporting basis for each figure.

CompanyProgramReported ScaleFormatSource
Johnson & JohnsonMandatory generative AI course56,000+ of 138,000 employees (~41%); required before AI tool authorizationRequired course, prompt engineering and summarization focus([12])
Johnson & JohnsonDigital immersion boot camp14,000+ employees; 37,000+ cumulative training hoursSix-week program, expanded from a 2023 pilot of 2,500 employees, 90-minute weekly classes([78])
MerckGPTeal internal AI platform50,000+ employees using regularlySelf-serve courses, monthly webcasts, developer boot camps (0.5 to 10 days)([79])
Eli LillyCompany-wide GenAI encouragement plus certificationAll employees encouraged; senior leaders and managers required to obtain AI certification (from 2025)"AI Games" competitions, encouraged GenAI use in 2024 year-end reviews([80])
Samsung Bioepis"AI Academy"~1,000 employees; minimum 7 hours per personDedicated on-site training facility at Songdo HQ, April to July rollout([13])

These figures suggest a wide dispersion in program maturity even among large, well-resourced pharmaceutical employers. J&J's approach, gating AI tool access behind mandatory completion of a training course, most closely mirrors what a strict reading of Article 4's "sufficient level of AI literacy" standard would demand, since it creates a documented, verifiable control point rather than relying on voluntary uptake. Merck and Eli Lilly's approaches lean more heavily on encouragement, self-serve resources, and executive-level certification, which may satisfy Article 4's flexible "best extent" language but would likely present a thinner documentation trail if a market surveillance authority requested evidence. Samsung Bioepis's model, a dedicated fixed-hours curriculum delivered through a purpose-built internal academy, offers perhaps the cleanest audit trail: a specific minimum hours figure, applied uniformly, delivered through a named facility.

On the regulatory-fine side, the tiered penalty structure under Article 99, up to €35 million or 7% of global turnover for the most serious violations and €15 million or 3% for most other operator obligations, sets the outer bound of exposure ([5]) ([46]). MasterControl's compliance guidance for life-sciences AI documentation reinforces the same point from a quality-systems angle, recommending a "risk-based documentation approach" that ties the intensity of AI oversight to the severity of the underlying compliance exposure ([81]). For a mid-cap pharmaceutical company with several billion dollars in annual revenue, a 3% turnover-based fine would dwarf the cost of even an extensive, multi-tier AI literacy program of the kind J&J or Samsung Bioepis have deployed, reinforcing that training investment functions as a comparatively low-cost insurance policy against a much larger tail risk.

Case Studies and Real-World Examples

Johnson & Johnson: Gating AI Access Behind Mandatory Training

Johnson & Johnson's approach illustrates the strictest interpretation of "sufficient level of AI literacy" among the companies examined. Chief Information Officer Jim Swanson described the company's philosophy as treating AI fluency the same way it treats scientific and functional literacy: "There are so many ways we've been using AI... But to do that effectively, we had to really create a curriculum and a mindset around upskilling" ([82]). Critically, the generative AI course is not optional: "More than 56,000 of J&J's 138,000 workers have taken a generative AI training course, which is required before any employee is authorized to use the technology" ([12]), covering summarization and prompt engineering skills. A separate, more intensive digital immersion boot camp, covering AI, augmented reality, and automation, has recorded "more than 37,000 cumulative hours of training from more than 14,000 employees" ([78]), scaling up from a 2023 pilot in which "more than 2,500 employees participated" in weekly 90-minute classes over six weeks ([83]). Swanson framed the underlying motivation in terms of institutional longevity rather than compliance: "We've been around 135 years. We've had to reinvent ourselves multiple times to stay relevant and current" ([84]). While this program predates and was not designed around the EU AI Act specifically, its access-gating structure would satisfy an EU market surveillance authority's likely evidentiary demands more thoroughly than most voluntary programs, since course completion is a documented precondition of tool access.

Merck: An Internal AI Platform as the Training Vehicle

Merck's response centers on GPTeal, a proprietary internal platform that "gives employees access to large language models such as OpenAI's ChatGPT, Meta's Llama, and Anthropic's Claude while keeping company data secure from external exposures" ([85]). Chief Technology Officer Ron Kim reported that "more than 50,000 Merck employees were using GPTeal regularly" ([79]), supported through "a mix of self-serve digital training courses, monthly webcasts focused on generative AI, and boot camps for software developers that could last anywhere from half a day to 10 days" ([79]). Kim described the company's maturation from productivity use cases to a more rigorous impact focus: "Now, the journey is clearly to identify, implement, track, and measure use cases that have a dramatic impact on our business" ([86]), including using generative AI to draft regulatory documents submitted to health authorities, a use case squarely within the Article 4 "context the AI systems are to be used in" analysis, given the direct link to regulatory submissions. Kim explained the rationale in terms of freeing scientific staff from lower-value work: "We felt like some of our scientists were taking time being copyeditors... That's not what they trained for" ([87]).

Eli Lilly: Cultural Adoption Over Restriction

Eli Lilly took a contrasting approach to peers who restricted employee chatbot use over data-privacy concerns. Chief Information and Digital Officer Diogo Rau explained: "We went in the exact opposite direction... We told everybody you need to use it, you need to start bringing ChatGPT into your work" ([88]) ([89]), while cautioning staff, "Don't put anything in there that you don't want to get out" ([90]), a data-privacy risk message that aligns closely with the specific hallucination and data-handling risks the Commission's own Q&A flags as necessary training content. The company built gamified engagement through "an 'AI Games' competition timed to the Summer Olympics in Paris" and, in 2024, "encouraged all employees and managers to use generative AI for their year-end reviews" ([91]) ([80]). Most significantly for the EU literacy standard, by 2025 the company moved from voluntary adoption to formal credentialing: "this year, the company is set to require all senior leaders and managers to obtain an AI certification" ([80]), representing exactly the kind of role-based tiering (mandatory certification for those with organizational authority over AI use) that compliance advisers recommend for Article 4 alignment.

Samsung Bioepis: A Dedicated AI Academy for a Biopharmaceutical Workforce

Samsung Bioepis, a biopharmaceutical company specializing in biosimilars, took the most structurally formal approach among the cases examined. The company "established an AI-dedicated training facility called the 'AI Academy' at its Songdo headquarters in Incheon and, from April to July, will provide at least seven hours of theoretical and practical AI education per person to approximately 1,000 employees" ([13]), described as "the first time the company has implemented company-wide AI training" ([92]). The curriculum spans "the latest generative AI applications, designing AI models tailored to specific job functions, and promoting work automation," with the company stating the goal is "to internalize AI as a core technology that can maximize work efficiency, rather than simply as a tool for assisting with tasks" ([93]). Beyond the initial rollout, the company plans structural continuity: "a task force (TF) led by the dedicated AI team to develop customized 'AI agent'" capabilities and to "expand its AI competency enhancement efforts beyond one-off training to a sustainable model" ([94]). This "sustainable model" framing, moving beyond a one-time compliance event to an ongoing capability, is precisely what EU legal advisers recommend, since the Commission's Q&A treats AI literacy as an evolving obligation tied to fast-changing technology rather than a fixed checklist satisfied once.

Implications and Future Directions

Several structural dynamics will shape how the AI literacy obligation actually plays out for pharmaceutical companies over the next 18 to 24 months. First, the Digital Omnibus's softening of Article 4's language, from a duty to "ensure" literacy to a duty merely to "support" its development, will likely reduce legal exposure somewhat once formally adopted, but it does not eliminate the underlying commercial and operational incentive to train staff well ([56]). Pharmaceutical companies operating AI in clinical, manufacturing, or pharmacovigilance contexts will still need Article 26-grade human oversight training for high-risk systems regardless of how Article 4 itself is amended, since the Commission has explicitly preserved that obligation ([57]).

Second, the deferral of Annex I high-risk obligations (covering AI embedded in medical devices) to 2 August 2028, and Annex III stand-alone high-risk obligations to 2 December 2027, gives pharmaceutical and medtech companies genuine additional runway ([7]). Gibson Dunn's advice to clients generally is directly applicable to pharmaceutical compliance planning: "Use the additional time, do not wait for it. The 2027/2028 dates for high-risk AI systems provide real headroom, but a compliance framework takes time to build properly. Organizations should treat the agreement as a signal to commence or continue, not as a reason to defer" ([95]). Given that AI literacy training typically takes months to design and scale across a global workforce, as the multi-year rollouts at J&J and Samsung Bioepis demonstrate, waiting for the 2027/2028 deadlines to approach would leave little margin for error.

Third, the interplay between AI Act obligations and existing sector-specific rules like MDR, IVDR, and GMP is trending toward rationalization rather than duplication, per the Digital Omnibus's new mechanism allowing the Commission to limit AI Act requirements where equivalent sectoral obligations already exist ([59]). This suggests pharmaceutical compliance teams should design AI literacy programs as an extension of, rather than a parallel track to, existing GxP training infrastructure, consistent with the ISPE GAMP AI Guide's positioning as a companion to GAMP 5 rather than a standalone regime ([96]).

Fourth, sector-agnostic AI literacy pressure is intensifying beyond the AI Act itself. Punter Southall Law observes that "AI literacy is on the agenda for other regulators too," citing UK courts effectively imposing AI literacy obligations on law firm leadership and UK financial regulators warning that "the senior manager regime could be used to lead to personal sanction if risks are not addressed" ([97]). For globally operating pharmaceutical companies, this signals that an EU-only Article 4 program will likely need extension to UK, US, and other jurisdictions as parallel AI-literacy expectations emerge, reinforcing the case for a single, globally consistent internal training architecture rather than a jurisdiction-by-jurisdiction patchwork.

Finally, the workforce data suggests the gap Article 4 is meant to close remains wide open industry-wide. With only 9% of life-sciences professionals reporting strong understanding of AI regulation as of the survey MasterControl cites, and the AI-in-pharma market compounding at over 40% annually, pharmaceutical organizations that treat AI literacy as a genuine capability investment, not a checkbox exercise, stand to capture more of the projected $100 billion in industry value while carrying materially lower regulatory and operational risk than peers who treat the obligation as a one-time training event ([10]) ([11]).

Frequently Asked Questions (FAQs)

What is EU AI Act Article 4 compliance, in practice? Article 4 compliance means a provider or deployer of any AI system has taken documented, risk-calibrated measures to ensure staff and other relevant persons understand what AI is, how the organization's specific AI systems work, and what risks and mitigations apply to their role, as the Commission's May 2025 Q&A minimum-steps framework sets out ([9]). There is no certificate, test, or fixed governance structure required ([33]).

What does "AI literacy training for life sciences" actually need to cover? At minimum: general AI concepts, the specific AI systems in use at the organization, the associated opportunities and risks (including hallucination and bias), and, for high-risk clinical or manufacturing systems, the competency needed for human oversight under Article 26 ([37]) ([53]). GxP-specific literacy should also cover data integrity impact and model documentation, per ERA Sciences' framework discussed above.

What are the pharmaceutical AI compliance guidelines beyond Article 4? Pharmaceutical companies must layer AI Act obligations atop existing GMP, GCP, MDR/IVDR (for medical device AI), and data-protection rules, plus sector guidance such as the EMA's reflection paper on AI in the medicines lifecycle and the ISPE GAMP AI Guide for validated computerized systems ([64]) ([62]).

What are the EU AI Act training requirements exactly, in terms of format and hours? The Act itself specifies no fixed hours or format; the Commission has explicitly declined to mandate one, stating "there is no one size fit all when it comes to AI literacy" ([98]). In practice, disclosed pharmaceutical programs range from Samsung Bioepis's fixed minimum of seven hours per employee to J&J's course-plus-boot-camp model with no single hours figure but a hard access gate ([13]) ([12]).

How to implement AI literacy in pharma step by step? Compliance advisers converge on a similar sequence: (1) inventory all AI systems in use and their risk classification; (2) determine whether the organization is a provider, deployer, or both for each system; (3) assess risk and required competency per system and per role; (4) design tiered training (executive, operational, technical) calibrated to that analysis; (5) document all measures taken; and (6) establish an acceptable-use policy and, where AI is high-risk, Article 26-grade human oversight training ([9]) ([68]) ([72]).

What is "EU AI Act Article 4 explained" in one sentence? Article 4 requires every provider and deployer of an AI system operating in or affecting the EU to take reasonable, documented, risk-calibrated measures ensuring staff and relevant third parties understand the AI systems they use well enough to make informed, safe decisions ([1]).

How does AI literacy fit into healthcare regulation more broadly? Article 4 does not distinguish between high-risk and lower-risk AI systems, meaning the obligation applies broadly across healthcare and life-sciences deployers, while the EMA's reflection paper and MDR/IVDR add sector-specific technical and clinical expectations for AI used in the medicines and medical device lifecycle ([21]) ([64]).

How does GxP compliance intersect with the EU AI Act? GxP frameworks already require validated, documented, risk-assessed computerized systems and trained personnel; the AI Act's Article 4 and Article 26 obligations layer directly onto that infrastructure, and the ISPE GAMP AI Guide is explicitly designed to be used alongside GAMP 5 to harmonize the two regimes ([96]).

Conclusion

The EU AI Act's Article 4 AI literacy obligation has been legally applicable since 2 February 2025, and enforcement, however precisely dated within the Commission's own slightly inconsistent guidance, is coming into force around 2 August 2026. For pharmaceutical companies, the obligation is neither optional nor abstract: AI already touches drug discovery, clinical trial design, pharmacovigilance, manufacturing, regulatory submissions, and commercial operations, and Osborne Clarke's assessment that pharma and biotech firms deploying high-risk AI in the medicines lifecycle or in EMA interactions are squarely in scope reflects the practical reality most organizations already face. The Commission's own guidance offers real flexibility, no mandated format, no certification requirement, no specific governance structure, but that flexibility places the compliance burden on documentation and defensible process design rather than on satisfying a fixed checklist.

The Digital Omnibus's pending softening of Article 4's language and its multi-year deferral of high-risk AI obligations to 2027 and 2028 buy pharmaceutical organizations genuine time, but not an excuse to wait. Article 26's human oversight training requirement for high-risk systems remains untouched by the Omnibus, and the underlying commercial case for AI literacy, closing the gap between a 9% regulatory-understanding rate and a market moving toward tens of billions of dollars in annual value, exists independent of the legal deadline. The named implementations examined here, from J&J's access-gated mandatory course to Samsung Bioepis's purpose-built AI Academy, demonstrate that pharmaceutical companies large enough to have dedicated compliance and learning infrastructure are already treating AI literacy as core workforce capability rather than a discrete regulatory task. Organizations that integrate Article 4 obligations into existing GxP training, documentation, and risk-management systems, rather than building a parallel compliance track, will be best positioned when national market surveillance authorities begin active enforcement and when the deferred high-risk deadlines of December 2027 and August 2028 arrive.

External Sources (98)
Adrien Laurent

Need Expert Guidance on This Topic?

Let's discuss how IntuitionLabs can help you navigate the challenges covered in this article.

I'm Adrien Laurent, Founder & CEO of IntuitionLabs. With 25+ years of experience in enterprise software development, I specialize in creating custom AI solutions for the pharmaceutical and life science industries.

DISCLAIMER

The information contained in this document is provided for educational and informational purposes only. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability of the information contained herein. Any reliance you place on such information is strictly at your own risk. In no event will IntuitionLabs.ai or its representatives be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from the use of information presented in this document. This document may contain content generated with the assistance of artificial intelligence technologies. AI-generated content may contain errors, omissions, or inaccuracies. Readers are advised to independently verify any critical information before acting upon it. All product names, logos, brands, trademarks, and registered trademarks mentioned in this document are the property of their respective owners. All company, product, and service names used in this document are for identification purposes only. Use of these names, logos, trademarks, and brands does not imply endorsement by the respective trademark holders. IntuitionLabs.ai is an AI software development company specializing in helping life-science companies implement and leverage artificial intelligence solutions. Founded in 2023 by Adrien Laurent and based in San Jose, California. This document does not constitute professional or legal advice. For specific guidance related to your business needs, please consult with appropriate qualified professionals.

Related Articles

Need help with AI?

© 2026 IntuitionLabs. All rights reserved.