AI Literacy Enforcement: Linking Training Records to Real Usage via the Proxy

3 June 2026

Audience: Chief Privacy and Information Officer (CPIO) and Human Resources
Subject: Usage-Driven AI Literacy Enforcement via the Interceptor Layer

1. Executive Summary: The AI Literacy Gap

Under Article 4 of the EU AI Act, organisations are legally required to ensure their staff possess a "sufficient level of AI literacy." This obligation has been enforceable since February 2025. The challenge for the CPIO is not just providing training, but proving that staff actually understand the specific tools they are using in their daily work.

NordClaw solves this by using the interceptor to map real-world AI usage to training records, ensuring compliance is based on technical reality rather than attendance lists.


2. The Pain: Undocumented and Irrelevant Training

  • The Attendance Fallacy: Traditional training relies on "completion certificates" for generic videos. Regulators require role-specific literacy — e.g., an HR manager must demonstrate understanding of the risks of AI screening, not just awareness that AI exists.
  • The Evidence Gap: Organisations typically have no way to prove which employees are using which specific AI models. Without this data, it is impossible to target the right training to the right people.
  • The Enforcement Failure: Written policies asking employees to be "literate" before using AI cannot technically prevent an untrained staff member from calling an LLM in their daily workflow.

3. The Interceptor Solution: Linked Literacy Logs

NordClaw uses its position in the traffic path — running on Google Cloud Run in europe-west3 (Frankfurt) — to transform AI literacy from an HR task into a security control.

3.1 Usage-Based Targeting

The interceptor's audit_logs table in Google Cloud SQL for PostgreSQL 15 identifies exactly which users are calling which models (DeepSeek, OpenAI, Anthropic, etc.) via Firebase Auth SSO mapping. The user_id and tenant_id fields — injected as custom JWT claims by the beforeAuthSignIn blocking function — link every request to a named individual in your org chart.

This allows the organisation to target literacy training based on actual employee behaviour, not self-reported tool usage:

  • An employee who has called a DeepSeek model 47 times this month should have completed a DeepSeek-specific literacy module.
  • An HR manager whose requests contain redacted PERSON and SSN PII categories should have completed an Annex III High-Risk AI literacy certification.

3.2 Technical Gatekeeping

The interceptor can be configured to restrict access to specific high-risk endpoints until the user's SSO identity is matched with a "Literacy Training Completed" flag in the compliance database. This creates a technical enforcement gate rather than a policy reminder:

Request arrives at api.nordclaw.eu
  ↓
Firebase JWT validated → user_id extracted
  ↓
Compliance DB lookup: literacy_completed(user_id, model)
  ↓
  ├─ TRUE  → request proceeds through PII redaction pipeline
  └─ FALSE → 403 response with training link
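
The gate decision in the flow above, written out as an added example; it is not NordClaw's code. It fails closed when identity claims are missing or the compliance lookup errors. Assumptions: the `literacy_records` table, the gated-model list, the tenant scoping of the lookup, the training URL and the sample rows are all hypothetical, and an in-memory SQLite database stands in for the compliance database.

```python
import sqlite3

# Assumption: only these models sit behind the literacy gate (constructed list).
GATED_MODELS = {"deepseek-chat"}
TRAINING_URL = "https://training.example.invalid/modules/"  # placeholder URL

def make_compliance_db():
    """In-memory stand-in for the compliance database (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE literacy_records ("
               "tenant_id TEXT, user_id TEXT, model TEXT, completed INTEGER, "
               "PRIMARY KEY (tenant_id, user_id, model))")
    db.executemany("INSERT INTO literacy_records VALUES (?, ?, ?, ?)", [
        ("tenant-a", "alice", "deepseek-chat", 1),
        ("tenant-a", "bob", "deepseek-chat", 0),
    ])
    return db

def literacy_completed(db, tenant_id, user_id, model):
    """True only if a completed record exists for this tenant, user and model."""
    row = db.execute(
        "SELECT completed FROM literacy_records "
        "WHERE tenant_id = ? AND user_id = ? AND model = ?",
        (tenant_id, user_id, model)).fetchone()
    return bool(row and row[0] == 1)

def gate(db, claims, model):
    """Return (status, body) for a request whose JWT was already validated."""
    user_id, tenant_id = claims.get("user_id"), claims.get("tenant_id")
    if not user_id or not tenant_id:
        # No identity, no decision: never fall through to the model.
        return 403, {"error": "identity_claims_missing"}
    if model not in GATED_MODELS:
        return 200, {"next": "pii_redaction"}
    try:
        allowed = literacy_completed(db, tenant_id, user_id, model)
    except sqlite3.Error:
        # Fail closed: a lookup failure must not open the gate.
        return 403, {"error": "compliance_lookup_failed"}
    if allowed:
        return 200, {"next": "pii_redaction"}
    return 403, {"error": "literacy_training_required",
                 "training_url": TRAINING_URL + model}
```

A user with no record at all is treated the same as one with an incomplete record, and a record in one tenant does not satisfy the gate for the same user_id in another.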

3.3 The One-Page Evidence Report

By combining interceptor usage logs from Cloud SQL with training metadata, NordClaw generates a unified report showing that every active AI user in the organisation has completed the legally required literacy modules for the models they are actually using. This report can be exported as a signed PDF and handed directly to a national supervisory authority — satisfying the "technical documentation" requirements of the AI Act.


4. Regulatory Alignment

| Obligation | NordClaw mechanism |
|---|---|
| Article 4 — AI literacy | Usage-based training targeting from Cloud SQL audit_logs |
| Article 26(6) — Log retention | Immutable 6-month log in Cloud SQL (INSERT-only permissions) |
| Article 9 — Risk management | Automatic high-risk flag when HR-sensitive PII categories are detected |
| DPA audit evidence | Exportable PDF linking user identity, model usage, and training completion |


5. Conclusion: From Attendance Lists to Technical Proof

AI literacy compliance is not achieved by issuing certificates — it is achieved by proving that the people who use AI tools understand the risks of those specific tools. NordClaw bridges this gap by combining the technical reality of proxy-level usage observation with the organisational reality of HR training records.

The result is a compliance posture that can withstand regulatory scrutiny: not "we trained everyone on AI," but "we can prove that every employee currently using DeepSeek for HR screening has completed the mandatory high-risk AI literacy certification for that specific workflow."