AI Post-Market Monitoring
AI post-market monitoring is the disciplined collection, analysis, and governance of evidence about an AI system after release, procurement, or deployment so that real-world failures, drift, incidents, misuse, and unexpected impacts can be detected and corrected.
Definition
AI post-market monitoring is lifecycle oversight after an AI system has been placed on the market, put into service, or deployed in a real workflow. It asks whether the system still behaves within its approved purpose, documented limits, legal obligations, and risk tolerances once it meets actual users, changing data, new adversaries, and organizational pressure.
The term comes from regulated-product practice, but it now matters across AI governance. Pre-release evaluation can show how a model or system behaved in a test setting. Post-market monitoring asks what happened later: who used it, on what population, under what configuration, with what updates, under what failure modes, and with what consequences.
It is related to AI Audits and Assurance, AI Incident Reporting, AI System Inventory, and EU AI Act compliance, but it is narrower than all of them. The object is the evidence loop after deployment.
How It Works
A useful monitoring plan names the system, version, owner, intended use, deployment context, risk thresholds, evidence sources, response times, escalation path, and retirement criteria. Evidence can include performance metrics, error samples, bias and fairness tests, user complaints, appeal outcomes, override logs, security events, drift measures, vendor notices, red-team results, incident reports, and changes to datasets, prompts, tools, model weights, retrieval indexes, or user populations.
Monitoring is not just dashboards. It requires authority. Someone must be able to slow a rollout, retrain, change instructions, remove a feature, notify affected users, report an incident, suspend a vendor, preserve forensic records, or decommission a system. A monitoring program without those powers is only observation.
Current Context
As of June 16, 2026, the clearest legal example is Article 72 of the EU AI Act. The AI Act Service Desk text states that providers of high-risk AI systems must establish and document a post-market monitoring system proportionate to the technology and risks. The system must actively and systematically collect, document, and analyse relevant performance data throughout the system's lifetime, and the post-market monitoring plan must be part of the technical documentation.
Article 73 connects monitoring to serious incident reporting. Providers of high-risk AI systems placed on the Union market must report serious incidents to market surveillance authorities. The rule sets maximum reporting windows after awareness or a causal link is established, including 15 days for ordinary serious incidents, two days for widespread infringements or specified serious incidents, and 10 days where a death is involved.
The schedule is still moving. European Commission pages updated in 2026 say that, following political agreement on the AI Omnibus, rules for systems used in certain high-risk Annex III areas such as biometrics, critical infrastructure, education, employment, migration, asylum, and border control apply from 2 December 2027, while rules for product-integrated systems such as robotics and industrial machinery apply from 2 August 2028. The Commission's standardisation page says support tools, including standards, may allow earlier application by Commission decision.
Outside the EU, NIST's AI Risk Management Framework Playbook treats monitoring as ordinary risk management. MANAGE 4.1 calls for post-deployment monitoring plans with user input, appeal and override, decommissioning, incident response, recovery, and change management. In medical-device regulation, FDA's 2025 guidance for AI-enabled device software functions describes predetermined change control plans for planned modifications, validation methods, implementation methods, and impact assessment while preserving reasonable assurance of safety and effectiveness.
Governance and Safety
Post-market monitoring matters because AI systems are often adaptive in practice even when the underlying model is static. The surrounding system changes: prompts are edited, retrieval stores refresh, vendors ship updates, thresholds move, users learn workarounds, attackers probe interfaces, and populations shift. A model that passed an evaluation in January may be a different operational system by June.
Governance should define which changes require review, which harms trigger reporting, which metrics are too narrow, and which stakeholders can challenge the evidence. Safety monitoring should include not only aggregate accuracy but also subgroup performance, accessibility, cybersecurity, privacy, automation bias, hallucination in context, misuse, downstream appeals, and near misses.
Defense Pattern
- Keep an inventory. No system can be monitored if its owner, version, purpose, vendor, data flows, and deployment context are unknown.
- Define thresholds before release. Set measurable triggers for review, rollback, incident response, user notice, retraining, or retirement.
- Separate telemetry from accountability. Product metrics, safety metrics, legal evidence, and affected-person feedback answer different questions.
- Preserve change history. Log model, prompt, policy, tool, data, and retrieval changes so failures can be traced.
- Connect complaints to engineering. Appeal outcomes and user reports should feed the same risk process as automated metrics.
- Plan decommissioning. Monitoring has to include the possibility that the system should stop.
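An added sketch, not taken from the page or from any cited framework, of how the threshold, change-history, and telemetry items above fit together: triggers are fixed before release, evaluated against observed metrics (including one subgroup), and each confirmed breach is paired with the changes logged in the preceding week. The metric names, limits, actions, lookback window, and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Trigger:            # fixed before release, not tuned after a failure
    metric: str           # hypothetical metric name, may be subgroup-scoped
    limit: float
    direction: str        # "above" or "below": which side of the limit is a breach
    action: str           # predeclared response: review, rollback, incident, retire
    sustained: int = 1    # consecutive breaching observations required

@dataclass(frozen=True)
class Change:
    when: datetime
    component: str        # model, prompt, policy, tool, data, retrieval

def first_breach(trigger, series):  # time a sustained breach is confirmed, or None
    run = 0
    for when, value in sorted(series):
        bad = value > trigger.limit if trigger.direction == "above" else value < trigger.limit
        run = run + 1 if bad else 0
        if run >= trigger.sustained:
            return when
    return None

def evaluate(triggers, observations, changes, lookback=timedelta(days=7)):
    findings = []  # tuples of (metric, action, reason, suspect changes)
    for t in triggers:
        series = observations.get(t.metric)
        if not series:  # a trigger with no evidence behind it is itself a gap
            findings.append((t.metric, "review", "no telemetry", []))
            continue
        when = first_breach(t, series)
        if when is not None:
            suspects = [c for c in changes if when - lookback <= c.when <= when]
            findings.append((t.metric, t.action, f"breach confirmed {when:%Y-%m-%d}", suspects))
    return findings

# Constructed sample data: aggregate error stays in bounds while one subgroup degrades.
D0, DAY = datetime(2026, 1, 5), timedelta(days=1)
daily = lambda values: [(D0 + i * DAY, v) for i, v in enumerate(values)]
TRIGGERS = [Trigger("error_rate", 0.05, "above", "review"),
            Trigger("error_rate[group=B]", 0.10, "above", "rollback", sustained=2),
            Trigger("appeal_overturn_rate", 0.20, "above", "incident")]
OBSERVATIONS = {"error_rate": daily([0.040, 0.042, 0.045, 0.046]),
                "error_rate[group=B]": daily([0.06, 0.07, 0.12, 0.13])}
CHANGES = [Change(D0 - 30 * DAY, "model"), Change(D0 + 1.5 * DAY, "retrieval"),
           Change(D0 + 5 * DAY, "prompt")]
FINDINGS = evaluate(TRIGGERS, OBSERVATIONS, CHANGES)
```

On this data the aggregate metric never fires, the subgroup trigger fires with the retrieval refresh as the only suspect change, and the appeal metric is flagged because nothing is feeding it.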
Spiralist Reading
Post-market monitoring is the refusal to confuse launch with truth.
A deployed AI system enters society as a changing arrangement of model, interface, vendor, organization, user, rule, and habit. The initial evaluation is a doorway, not a verdict. The record has to stay alive after the ceremony of release.
For Spiralism, the discipline is simple: the machine must remain answerable to the world it touches.
Open Questions
- Which AI systems deserve formal post-market monitoring even if they are not legally classified as high-risk?
- How should monitoring plans cover prompt changes, retrieval updates, and tool integrations that do not look like traditional model updates?
- What evidence should affected people be able to see when they challenge an AI-assisted decision?
- How should organizations report near misses without creating incentives to hide them?
- When should monitoring data require system suspension rather than another mitigation memo?
Related Pages
- AI Governance
- EU AI Act
- AI Audits and Assurance
- AI Incident Reporting
- AI System Inventory
- Human Oversight in AI
- Algorithmic Impact Assessments
- AI Liability and Accountability
- AI in Healthcare
- AI in Employment
Sources
- AI Act Service Desk, Article 72: Post-market monitoring by providers and post-market monitoring plan for high-risk AI systems, reviewed June 16, 2026.
- AI Act Service Desk, Article 73: Reporting of serious incidents, reviewed June 16, 2026.
- European Commission, Guidelines for providers and deployers of AI high-risk systems, last updated May 19, 2026.
- European Commission, Standardisation of the AI Act, last updated March 20, 2026.
- NIST AI Resource Center, AI RMF Playbook: Manage function, reviewed June 16, 2026.
- U.S. Food and Drug Administration, Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence-Enabled Device Software Functions, August 2025.
- U.S. Food and Drug Administration, Health Canada, and MHRA, Predetermined Change Control Plans for Machine Learning-Enabled Medical Devices: Guiding Principles, reviewed June 16, 2026.
- Church of Spiralism, AI Governance and AI Incident Reporting, related background pages.