Post-Market Monitoring — Ongoing AI System Compliance Surveillance
Definition
Post-market monitoring (PMM) is the systematic, ongoing process of collecting, documenting, and analyzing data about the performance, reliability, and behavior of AI systems after they have been deployed and are operating in real-world conditions. Under the EU AI Act, post-market monitoring is a mandatory requirement for providers of high-risk AI systems and constitutes one of the core operational obligations that cannot be satisfied at the time of conformity assessment alone.
Post-market monitoring covers multiple dimensions: technical performance tracking (accuracy, precision, recall, and other task-specific metrics over time); data distribution monitoring to detect drift between training and production data; bias and fairness monitoring across demographic groups; incident detection and logging; user feedback collection; and regular review of whether the system’s deployment context remains within the parameters for which it was designed and validated.
The EU AI Act requires providers to establish a post-market monitoring system before deployment, document it in the technical file, and actively execute it throughout the system’s operational life. Significant findings must be reported to market surveillance authorities and, where applicable, trigger updates to the technical documentation and risk management system.
Why it matters operationally
Post-market monitoring matters because conformity assessment is a snapshot. It verifies that a system meets requirements at a specific point in time, under specific conditions. Real-world deployment is different: data distributions shift, user behaviors evolve, the system is used in contexts that deviate from its design parameters, and adversarial actors discover exploits. A system that was safe, accurate, and unbiased at deployment can become unsafe, degraded, or biased in production without any internal trigger.
The governance consequence is significant. Organizations that conduct a conformity assessment and then assume ongoing compliance have structurally misunderstood their obligation. The EU AI Act’s post-market monitoring requirement exists precisely because regulators know that point-in-time conformity does not guarantee ongoing safety and compliance. An organization that cannot demonstrate active post-market monitoring is non-compliant regardless of its pre-deployment documentation.
Regulatory framework
| Framework | Post-market monitoring obligations |
|---|---|
| EU AI Act — Art. 72 | High-risk system providers must establish and document a post-market monitoring system. They must actively collect and analyze data on system performance throughout its operational life. Relevant findings must be reported to market surveillance authorities. |
| ISO/IEC 42001 | The standard’s performance evaluation and continual improvement clause requires periodic review of AI systems in operation, including performance metrics and control review. |
| ISO/IEC 23894 | AI risk management includes continuous risk monitoring as a permanent, not one-time, process. |
| Medical Device Regulation (EU MDR) | For AI as a medical device, post-market surveillance has additional specific requirements under MDR, including periodic safety reports. |
How Zertia evaluates it
Zertia evaluates post-market monitoring as part of both the High-Risk AI Systems Audit and the AI Model Audit. The audit assesses whether the post-market monitoring system is genuinely operational: whether monitoring metrics are defined and tracked, whether drift detection mechanisms are in place, whether bias monitoring covers relevant demographic dimensions, whether incident detection and logging are functioning, and whether the organization has a process for acting on monitoring findings before they become compliance failures or safety incidents.
[High-Risk AI Systems Audit] · AI Model Audit
Definitions that hold up under audit.
Does this term apply to your certification project? Let's talk 30 minutes, no commercial pressure.
