Post-Market Monitoring

Post-market monitoring under EU AI Act Article 72 is the obligation that keeps the system honest after deployment. Providers of high-risk AI must establish and document a post-market monitoring system proportionate to the nature of the AI technologies and the risks of the high-risk AI system.

The system actively and systematically collects, documents, and analyses relevant data from deployers or other sources on the performance of the high-risk AI system throughout its lifetime. Article 72 then feeds back into the risk management system under Article 9: new findings update the risk picture.

This pairs with Article 73 on incident reporting. Post-market monitoring catches the patterns. Incident reporting handles the spikes.

Production-monitoring platforms for AI typically ship: drift detection, performance-degradation alerts, output-distribution analysis, feedback collection from deployers and end users, and integration with the risk register.

Capabilities to look for:

• Distribution shift detection on inputs and outputs, with configurable baselines.
• Performance metric tracking against deployment-time benchmarks.
• Cohort-level alerts (not just aggregate accuracy) for protected-attribute groups.
• Deployer feedback channels that pipe back to the provider.
• A documented review cadence so monitoring findings actually move the risk register.

• [ ] Establish a monitoring plan that's proportionate to the system's risk profile.
• [ ] Define performance metrics and acceptable thresholds at deployment time.
• [ ] Collect deployer feedback through a structured channel.
• [ ] Monitor for drift on inputs, outputs, and protected-attribute cohorts.
• [ ] Set automated alerts so degradation is caught before it becomes an incident.
• [ ] Feed monitoring findings back into the risk management system at least quarterly.
• [ ] Document the monitoring plan in the technical file (Annex IV).
• [ ] When findings cross the incident threshold, trigger Article 73 reporting.

The most common gap is monitoring that watches model performance but not deployment context. The model performs identically while the population it serves drifts. Article 72 explicitly asks for analysis of the system's interaction with other systems, including the environment.

The second gap is alerts that fire but never close the loop into the risk register. Monitoring is a data-collection exercise unless the findings change the risk score, the controls, or the documentation.

The third gap is monitoring set up by the provider with no contractual mechanism to receive deployer feedback. Article 72 contemplates active collection of data from deployers. Without contracts that obligate deployers to share, the data does not arrive.

• EU AI Act Article 72: Post-Market Monitoring
• EU AI Act Article 73: Reporting of Serious Incidents
• Annex IV: Technical Documentation — the post-market monitoring plan is documented here.
• ISO/IEC 42001:2023 Clause 9.1 — monitoring, measurement, analysis, and evaluation under the AI management system standard.