AI literacy is becoming a standing expectation for organizations that deploy AI — from regulators, from customers, and from auditors reviewing your governance program. The workable structure, as recommended practice, is three tiers: awareness for everyone, proficiency for power users, and practitioner depth for the teams who build and operate AI systems. Each tier has a different audience, a different depth, and a different refresh cadence. This article describes what belongs in each.
Tier 1 — Awareness: every employee
The base tier is short (an hour or less), mandatory, and repeated at onboarding. It covers exactly four things: what a language model is and its characteristic failure mode (confident, plausible, wrong); which tools are approved and for which data; the never-send list tied to your data classification; and the escalation triggers and channel. We cover this tier in detail in training employees on AI risk — the goal is a small, accurate mental model, not technical depth.
Measure completion, keep the records, and refresh when something material changes rather than on a fixed anniversary. A five-minute update after a real (anonymized) internal incident teaches more than an annual hour.
Tier 2 — Proficiency: power users
Power users are staff whose output substantially runs through AI: support teams using assisted responses, analysts summarizing documents, marketers drafting content, HR and legal staff using approved review tools. They need everything in Tier 1 plus the skills to use the tools well and to act as the first line of quality control:
- Effective prompting — providing context and source material instead of relying on the model's general knowledge; asking for structure; iterating rather than accepting the first draft.
- Verification habits — checking claims against source documents, spotting fabricated citations, knowing which outputs in their workflow require human sign-off before use.
- Departmental rules — the specific policies for their function (see department usage policies), including which data classes their approved tools may handle.
- Feedback duty — power users see more model output than anyone else in the company; give them a lightweight way to report quality drift and policy near-misses, and treat those reports as monitoring data.
This tier is best delivered per-function, with examples from the team's actual tools, and refreshed whenever a tool or underlying model changes materially.
Tier 3 — Practitioner: builders and operators
The deepest tier is for engineers, data teams, and product owners who build and maintain Claude-powered systems. This curriculum is technical and platform-specific. A reasonable syllabus:
| Module | What it covers |
|---|---|
| Platform fluency | Which surface you run on (first-party API, Claude Platform on AWS, Bedrock, Vertex AI, Foundry), what differs — feature availability, who acts as data processor, how billing and quotas work. |
| Model lifecycle | Model IDs are pinned snapshots; migrations between versions can carry breaking changes and re-baselined token counts; deprecation dates are published and must be tracked. |
| Data handling | Retention defaults and exceptions, zero-data-retention arrangements and which stateful features fall outside them, residency controls — grounded in the official data-retention documentation. |
| Safety engineering | Prompt injection and mitigations, output validation, refusal handling, content-policy enforcement layers, human-in-the-loop design. |
| Evaluation & monitoring | Building evals for their use case, regression testing across model changes, usage and cost monitoring, incident response. |
Practitioner training should be assessed by doing — a reviewed eval suite or a completed pre-production checklist — not by a quiz. And it must be maintained: this layer goes stale fastest, because platforms ship features and models continuously.
Running the program
Three recommendations from practice. First, give the program an owner — typically whoever owns AI governance — and let department leads own Tier 2 content, since they know the workflows. Second, define tier membership by access, not job title: anyone granted a power-user tool takes Tier 2 first; anyone with production API access takes Tier 3. Your identity system already knows who these people are. Third, keep records of who completed what and when — training records are among the categories of documentation examiners commonly request (see records your regulators may ask for).
Where to go next
Start with the base tier in training employees on AI risk, then anchor the program in your governance structure via program foundations and the governance maturity model.