Why AI Isn't Your Next GDPR -- It's Bigger
Everyone is treating Article 4 like another compliance project. They are making the same mistake they made with GDPR -- except this time, the thing they need to comply with is rewriting their entire operation while they try to document it.
I have been watching organisations stumble through technology transitions for thirty years. I watched the GDPR scramble in 2016--2018: the frantic data mapping exercises, the cookie banners, the privacy officers hired six months before enforcement. Most companies survived it. Some even got better at handling personal data.
Now I am watching the same playbook emerge for Article 4 of the EU AI Act. Compliance teams are buying off-the-shelf AI literacy training. HR departments are scheduling half-day workshops. Legal counsel is drafting AI use policies that mirror their GDPR documentation.
They are wrong. Not because compliance doesn't matter -- it does. But because they are preparing for a GDPR-shaped problem, and what they are facing is something fundamentally different.
Where the GDPR Parallel Holds
Let me be fair to the comparison, because in several ways, Article 4 genuinely resembles GDPR. Understanding the similarities helps clarify where they diverge.
The obligation structure is familiar. Both regulations impose obligations on organisations that use a technology, not just on the technology itself. GDPR did not regulate databases; it regulated how organisations process personal data. Article 4 does not regulate AI models; it requires organisations to ensure their people have "a sufficient level of AI literacy." The regulatory target is the organisation, not the tool.
The vagueness is deliberate. GDPR introduced "appropriate technical and organisational measures" without defining what "appropriate" meant. Article 4 requires "sufficient" AI literacy without prescribing curricula, hours, or certifications. In both cases, the regulator intentionally left room for interpretation -- which creates uncertainty for compliance teams and opportunity for those who define the standard early.
The penalty architecture is escalating. GDPR penalties reach EUR 20 million or 4% of global turnover. The AI Act's penalty framework hits EUR 15 million or 3% of global turnover for Article 4 violations. But as with GDPR, the direct fines may be the least of it. Insurance premiums, reputational damage, client attrition, and contractual liability can exceed statutory penalties by an order of magnitude.
The organisational change requirement is real. Both regulations demand more than a policy document. GDPR required data protection officers, privacy impact assessments, data processing agreements, consent mechanisms, breach notification procedures. Article 4 will require training programmes, competence assessments, documentation of AI literacy across the workforce, and ongoing review as the technology evolves. Neither can be solved by buying software.
The cross-border complexity is identical. Both apply across the EU but are enforced by national authorities, each interpreting requirements slightly differently. Italy has already enacted Law No. 132/2025, restricting AI to "support and auxiliary tasks" in professional services. Germany's courts are setting precedents through rulings like the Darmstadt case, where a court declared an expert report inadmissible due to undisclosed AI use. The regulatory landscape is fragmenting before the August 2026 enforcement deadline arrives.
If this were the full picture, the GDPR playbook would work. Hire a compliance officer, document your processes, train your staff, update your policies annually. Move on.
But it is not the full picture.
Where the Analogy Breaks Down -- Completely
Here is the difference that changes everything: GDPR added a layer on top of existing work. Article 4 addresses a technology that is replacing the work itself.
When GDPR arrived, organisations added privacy notices to their websites, consent checkboxes to their forms, data processing clauses to their contracts. The underlying work did not change. Salespeople still sold. Marketers still marketed. Accountants still reconciled. They just did it with more documentation and fewer unauthorised data transfers.
AI does not add a layer. It rewrites the layer.
I call this competence debt, and it is the central challenge that makes Article 4 fundamentally different from any compliance obligation that came before it.
Consider what happens when you deploy AI across a professional services firm. The junior associates who used to spend their first three years learning to research case law are now using AI to generate first drafts. The procurement analysts who learned supplier evaluation by processing hundreds of RFPs manually are now reviewing AI-summarised shortlists. The financial controllers who developed judgment by manually reconciling thousands of transactions are now overseeing AI-processed batches.
In each case, the output looks the same -- or better. Faster, cheaper, more consistent. But the learning that used to happen inside those tasks has disappeared. The competence was a byproduct of the work, and the work is gone.
GDPR never created this problem. You could comply with GDPR and still have a workforce that understood their jobs. You can comply with Article 4 -- run the training, file the documentation, tick the boxes -- and still end up with an organisation that cannot function when the AI fails.
That is not a compliance gap. That is an existential risk.
Liga's Perspective: The Compliance Officer's Nightmare
Liga Paulina, compliance and accounting specialist, on why training records are not enough.
I work with organisations on their compliance documentation every day, and I can tell you: the Article 4 challenge is unlike anything we have faced with GDPR or financial regulation.
With GDPR, I could audit compliance by checking records. Does the data processing agreement exist? Yes. Is the privacy notice published? Yes. Was the DPIA conducted? Yes. The documentation either existed or it did not. The underlying work -- accounting, invoicing, reporting -- remained the same work it had always been.
With Article 4, the documentation problem is recursive. I need to verify that staff have "sufficient AI literacy" for their roles. But their roles are changing because of AI. The skills that were sufficient six months ago may be inadequate today, because the AI tools have evolved, the workflows have changed, and the tasks themselves have been restructured.
Here is a concrete example. Last year, a mid-sized firm I work with introduced AI-assisted invoice processing. The training programme covered how to use the tool, how to review AI-flagged exceptions, how to override incorrect categorisations. Proper Article 4 documentation. Six months later, the AI vendor updated their model. The exception rate dropped from 12% to 3%. The team celebrated -- fewer exceptions to review, less manual work.
But think about what actually happened. The team had been developing judgment by reviewing those exceptions. Every flagged invoice was a learning opportunity: unusual supplier terms, misclassified VAT treatments, pricing anomalies that warranted investigation. When the exception rate dropped, the learning opportunities dropped with it. The team's competence was quietly eroding while their compliance documentation showed green across every metric.
Training records prove you ran the training. They do not prove the training was sufficient for tomorrow's version of the role. And when the role itself is being continuously reshaped by AI, "sufficient" is a moving target that no annual refresher course can hit.
I have started telling my clients: if your Article 4 compliance plan looks like your GDPR compliance plan, you have the wrong plan. GDPR compliance is a state you achieve and maintain. Article 4 compliance is a capacity you build and continuously develop. The difference is fundamental.
Edgar's Perspective: When AI Eliminates Organisational Glue
Edgar, technical and AI strategy lead, on why agentic AI changes the calculus entirely.
The conversation about AI literacy assumes that AI is a tool humans use. That framing was accurate in 2023. It is already outdated.
What we are seeing now -- and what will accelerate dramatically through 2026 and 2027 -- is agentic AI. Systems that do not wait for human prompts but initiate actions, coordinate with other systems, and complete multi-step workflows autonomously. This is not a better search engine. This is a replacement for the connective tissue of organisations.
Think about what actually holds a mid-sized company together. It is not strategy documents or org charts. It is the thousands of small coordinating actions that happen every day: someone in procurement emails a supplier for an updated quote, someone in finance reconciles a bank statement against an invoice, someone in HR schedules interviews and sends calendar invitations, someone in legal reviews a contract clause and flags a risk for the project manager.
This is organisational glue -- the routine coordination work that keeps everything moving. And agentic AI is eliminating it at remarkable speed.
Klarna's experience is the early warning. They replaced 700 customer service agents with AI. The AI handled 2.3 million conversations in its first month. Then they discovered that the AI could not handle empathy, nuance, or edge cases. CEO Sebastian Siemiatkowski admitted publicly that "cost was a predominant evaluation factor," resulting in "lower quality." They started rehiring.
But here is what Klarna's leadership perhaps did not articulate publicly: when they fired those 700 agents, they did not just lose labour capacity. They lost the accumulated understanding of how customers actually behave, what the common pain points are, which issues escalate and why, and how to de-escalate situations that the policy manual does not cover. That knowledge lived in the heads of experienced agents. It was never documented, because it was never treated as knowledge -- it was treated as a cost centre.
Salesforce made the same discovery at larger scale. They cut 4,000 support roles, replaced them with AI agents, and privately acknowledged regrets as gaps emerged that AI could not fill. Remaining staff were forced to increase oversight of automated outputs, and institutional knowledge proved harder to replace than anyone anticipated.
The implications for Article 4 compliance are severe. You cannot train people to oversee work they have never learned to do. You cannot build AI literacy programmes for roles that are being redefined monthly. And you certainly cannot achieve "sufficient" competence through annual refresher courses when the technology your people need to understand is evolving on a weekly release cycle.
The GDPR analogy fails here most completely. GDPR regulated a stable technology layer -- databases, cookies, forms. AI is not a stable layer. It is an expanding, learning, increasingly autonomous set of capabilities that reshapes what it touches. Trying to regulate it with GDPR-era compliance thinking is like trying to regulate electricity with candle-safety regulations.
The Evidence: What Happens When Competence Debt Comes Due
The research is no longer theoretical. We have documented cases across industries, and the pattern is consistent.
486 court cases involving AI hallucinations. The AI Hallucination Cases Database maintained by HEC Paris researcher Damien Charlotin documents 486 cases worldwide where lawyers submitted AI-generated citations that were fabricated. 128 lawyers and 2 judges have been identified. By September 2025, courts began sanctioning lawyers not just for submitting fake citations, but for failing to detect their opponent's fake citations. The competence expectation is expanding, not contracting.
CNET's 53% error rate. CNET published 77 AI-written articles and found errors in more than half of them. Basic financial maths was wrong. Language appeared plagiarised. The AI could generate fluent text but lacked the domain expertise that journalists bring -- the very expertise that editorial staff were supposed to be replaced by the AI in the first place.
McDonald's three-year AI drive-through failure. After testing AI voice-ordering in 100+ US restaurants with IBM, McDonald's abandoned the project in 2024. The AI confused accents, added unwanted items, and could not match the contextual understanding that a minimum-wage employee develops within weeks. The tacit knowledge embedded in "simple" jobs turned out to be irreplaceable.
The industry data is stark. According to McKinsey's 2025 State of AI research, 88% of organisations use AI, but only 1% have achieved AI maturity. S&P Global found that 42% of companies abandoned most AI initiatives in 2025, up from 17% in 2024. And MIT's 2025 GenAI Divide report found that 95% of corporate AI pilots fail to create measurable P&L impact. The competence gap is not a theoretical risk -- it is the primary reason AI deployments fail.
But the evidence also shows what works.
IKEA trained 30,000 employees and 500 leaders on responsible AI, combining AI fundamentals for all staff with specialised leadership programmes. JPMorgan Chase requires prompt engineering training for every new hire, treating AI competence as foundational infrastructure. These organisations understand that compliance is a byproduct of competence, not a substitute for it.
The difference between the failures and the successes is not budget or technology. It is whether the organisation treated AI adoption as a procurement decision or as an organisational transformation. The ones who bought tools failed. The ones who built competence succeeded.
What Organisations Actually Need
If your Article 4 response is a compliance project, you will end up with documentation that proves you tried and an organisation that cannot function when the AI stumbles.
What you need instead is competence infrastructure. Here is what that means in practice.
Competence that matches context. Article 4 deliberately requires literacy "taking into account their technical knowledge, experience, education and training, and the context in which the AI systems are to be used." Generic training fails this test by design. A procurement specialist, a financial controller, and a legal counsel all need different AI competencies, because they use AI in different contexts with different risk profiles.
Learning embedded in workflow, not extracted from it. The most effective AI training does not happen in a classroom or an e-learning module. It happens when professionals use AI tools on real work, with structured guidance on verification, limitation awareness, and judgment development. The GDPR model of annual refresher courses will not work for a technology that changes quarterly.
Competence that builds over time. AI literacy is not binary -- you do not "have it" after completing a course. It develops in stages: from basic awareness, through professional application, to operational integration, to strategic capability. Organisations need training architectures that support progression, not one-off interventions that create an illusion of readiness.
Human expertise preserved alongside AI capability. The Klarna lesson, the Salesforce lesson, the CNET lesson -- they all point to the same conclusion. You cannot automate your way to competence. When you remove the human work where expertise develops, you must create alternative pathways for that expertise to be built. Otherwise, you end up with an organisation that depends entirely on tools it cannot evaluate, verify, or override.
The Floor and the Mission
I started by saying that everyone is treating Article 4 like another GDPR. Let me be precise about why that is dangerous.
GDPR compliance protected your organisation from regulatory penalties. It was necessary, it was expensive, and most organisations achieved a workable version of it. But GDPR compliance alone never made an organisation excellent at data management. It set a floor.
Article 4 compliance will also set a floor -- a minimum level of AI literacy that regulators can enforce and auditors can verify. Every organisation operating in the EU will need to meet it by August 2026.
But the organisations that will thrive are not the ones that meet the floor. They are the ones that recognise the floor for what it is: the starting point of a much larger transformation. The ones that understand that AI is not a tool you learn to use and then move on. It is a fundamental shift in how professional work happens, how expertise develops, how organisations learn, and how competence is maintained.
Compliance is the floor. Competence is the mission.
The question is not whether your organisation will comply with Article 4. The question is whether, three years from now, your people will still have the expertise to know when the AI is wrong.
If your compliance plan does not answer that question, it is not a plan. It is a receipt.
This analysis draws on the TwinLadder Research competence debt case database, covering documented cases from Klarna, Salesforce, CNET, McDonald's, Air Canada, and 486 AI hallucination cases in court filings. For the full evidence base and source citations, see the Twin Ladder Casebook.
Alex Blumentals is the founder of Twin Ladder. Liga Paulina leads compliance and accounting operations. Edgar leads technical strategy and AI architecture.