Post-market Monitoring & Incidents across ISO 42001, NIST AI RMF and the EU AI Act
// theme · monitoring
Post-market Monitoring & Incidents
Operating phase: drift, incidents, corrective action, reporting.
// Do once → satisfies all three
ONE post-market monitoring plan with KPIs, drift thresholds, incident register, and a serious-incident reporting workflow.
The Art.72 plan and the Art.73 reporting cadence are the strictest of the three; meeting them automatically delivers the ISO and NIST monitoring outcomes.
ISO 42001
Cl.9.1 · Cl.10.2 · Annex A.6.2.8
NIST AI RMF
MANAGE 4.1 · MANAGE 4.2 · MANAGE 4.3
EU AI Act
Art.72 · Art.73
// Evidence auditors expect
- ✓ Post-market monitoring plan (Art.72) with KPIs
- ✓ Incident register with severity, root cause, corrective action
- ✓ Serious-incident report template aligned to Art.73 timelines
- ✓ Periodic management review of monitoring output
// Common pitfalls
- ⚠ Monitoring drift but with no threshold that triggers an action.
- ⚠ No serious-incident reporting workflow until Day 1 of an incident.
- ⚠ Monitoring output never feeds back into risk register or management review.
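The first two pitfalls have the same fix: every drift or KPI measurement needs an action threshold, and every breach needs to land in the incident register with a severity, a root-cause field, a corrective action and, for serious incidents, a reporting deadline. The following Python is an added illustration, not code from the crosswalk page or from any of the three frameworks. It computes a Population Stability Index over constructed score distributions, opens incidents when thresholds are crossed, and lists serious incidents whose report is overdue. The bin edges, the PSI threshold, the accuracy floor, the sample windows and the `SERIOUS_REPORT_WINDOW_DAYS` constant are all constructed placeholders; the statutory Art.73 deadline must come from the Act and your regulator, not from this example.

```python
"""Added example (not the page's or any framework's code): a minimal post-market
monitoring loop where drift/KPI breaches always open a register entry."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional
import math

# Constructed placeholder: replace with the deadline required by Art.73.
SERIOUS_REPORT_WINDOW_DAYS = 7


def histogram(values, edges):
    """Count values into the half-open bins defined by ascending edges;
    out-of-range values are clamped into the first/last bin."""
    counts = [0] * (len(edges) - 1)
    for v in values:
        idx = 0
        while idx < len(edges) - 2 and v >= edges[idx + 1]:
            idx += 1
        counts[idx] += 1
    return counts


def population_stability_index(reference, production, edges, eps=1e-4):
    """PSI between validation-time reference scores and a production sample."""
    ref_counts = histogram(reference, edges)
    prod_counts = histogram(production, edges)
    psi = 0.0
    for r, p in zip(ref_counts, prod_counts):
        pr = max(r / len(reference), eps)   # eps avoids log(0) on empty bins
        pp = max(p / len(production), eps)
        psi += (pp - pr) * math.log(pp / pr)
    return psi


@dataclass
class Incident:
    incident_id: str
    opened: date
    severity: str                         # "high" (internal) or "serious" (reportable)
    description: str
    root_cause: str = "under investigation"
    corrective_action: str = "pending"
    report_due: Optional[date] = None     # set only for serious incidents
    reported_on: Optional[date] = None
    status: str = "open"


@dataclass
class PostMarketMonitor:
    reference_scores: List[float]
    edges: List[float]
    psi_action_threshold: float   # drift above this MUST open an incident
    accuracy_floor: float         # KPI on a sampled, human-labelled slice
    register: List[Incident] = field(default_factory=list)

    def evaluate_window(self, window: dict, today: date) -> Optional[Incident]:
        """Evaluate one monitoring window; return the incident it opened, if any."""
        psi = population_stability_index(self.reference_scores, window["scores"], self.edges)
        drift_breached = psi > self.psi_action_threshold
        kpi_breached = window["accuracy"] < self.accuracy_floor
        if not (drift_breached or kpi_breached):
            return None
        # A breach that coincides with reported harm is treated as serious and
        # gets a reporting deadline; a pure metric breach stays an internal incident.
        serious = window.get("harm_reported", False)
        incident = Incident(
            incident_id=f"INC-{len(self.register) + 1:04d}",
            opened=today,
            severity="serious" if serious else "high",
            description=(f"{window['period']}: PSI={psi:.3f} (threshold {self.psi_action_threshold}), "
                         f"accuracy={window['accuracy']:.3f} (floor {self.accuracy_floor})"),
            corrective_action="freeze model promotion; retrain on recent data; re-validate",
            report_due=today + timedelta(days=SERIOUS_REPORT_WINDOW_DAYS) if serious else None,
        )
        self.register.append(incident)
        return incident

    def overdue_reports(self, today: date) -> List[Incident]:
        """Serious incidents whose reporting deadline passed without a report."""
        return [i for i in self.register
                if i.severity == "serious" and i.reported_on is None and i.report_due < today]

    def close_incident(self, incident_id: str, root_cause: str, corrective_action: str) -> None:
        """Record root cause and the corrective action taken; feeds management review."""
        for inc in self.register:
            if inc.incident_id == incident_id:
                inc.root_cause, inc.corrective_action, inc.status = root_cause, corrective_action, "closed"


def build_demo_monitor() -> PostMarketMonitor:
    # Constructed reference: 25 scores in each of four equal-width bins.
    reference = [b + 0.125 for b in (0.0, 0.25, 0.5, 0.75) for _ in range(25)]
    return PostMarketMonitor(reference_scores=reference, edges=[0.0, 0.25, 0.5, 0.75, 1.0],
                             psi_action_threshold=0.2, accuracy_floor=0.85)


# Constructed production windows: stable, drifted, and drifted with reported harm.
STABLE_WINDOW = {"period": "2024-W10", "accuracy": 0.91,
                 "scores": [0.125] * 24 + [0.375] * 26 + [0.625] * 25 + [0.875] * 25}
DRIFTED_WINDOW = {"period": "2024-W11", "accuracy": 0.88,
                  "scores": [0.125] * 5 + [0.375] * 10 + [0.625] * 35 + [0.875] * 50}
HARM_WINDOW = {"period": "2024-W12", "accuracy": 0.80, "harm_reported": True,
               "scores": DRIFTED_WINDOW["scores"]}

if __name__ == "__main__":
    m = build_demo_monitor()
    for w, d in ((STABLE_WINDOW, date(2024, 3, 8)), (DRIFTED_WINDOW, date(2024, 3, 15)),
                 (HARM_WINDOW, date(2024, 3, 22))):
        print(w["period"], "->", m.evaluate_window(w, d))
    print("overdue on 2024-03-30:", [i.incident_id for i in m.overdue_reports(date(2024, 3, 30))])
```

The stable window stays below the threshold and opens nothing; the drifted window opens a high-severity internal incident with a corrective action already attached; the window with reported harm opens a serious incident whose `report_due` makes the Art.73 workflow visible on Day 0, not Day 1. The register (`m.register`) is what a periodic management review consumes, and `close_incident` is where root cause and the action actually taken get written back so the output feeds the risk register rather than dead-ending in a dashboard.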
ISO 42001
Cl.9.1 + 10.2 + Annex A.6.2.8 cover monitoring and corrective action.
- Clause 9.1 · Monitoring, measurement, analysis and evaluation: Define what to monitor, methods, frequency, and evaluate AI performance.
- Clause 9.2 · Internal audit: Plan and conduct internal audits of the AIMS at planned intervals.
- Clause 10.2 · Nonconformity and corrective action: Respond to nonconformities, take corrective action and prevent recurrence.
- Annex A.3.3 · Reporting of concerns: Provide a mechanism for personnel to raise concerns about AI systems without fear of reprisal.
- Annex A.6.2.6 · AI system operation and monitoring: Operate and monitor AI systems in production, including drift and performance checks.
- Annex A.6.2.8 · AI system recording of event logs: Record event logs from AI systems to support traceability, monitoring and incident response.
- Annex A.8.4 · Communication of incidents: Communicate AI system incidents to affected parties and authorities in a timely way.
NIST AI RMF
MANAGE 4 covers post-deployment monitoring, response and improvement.
- GOVERN 6.2 · Contingencies for third-party failures: Plans in place for failures or incidents from third-party AI components.
- MEASURE 1.1 · Metrics and methods selected: Approaches and metrics for measuring AI risks are selected.
- MEASURE 2.5 · Validity & reliability assessed: The AI system is regularly evaluated for validity, reliability and performance.
- MEASURE 3.1 · Approaches to track risks identified: Approaches and metrics to track identified AI risks over time.
- MEASURE 3.3 · Feedback from end users captured: Feedback from end users and affected communities is tracked.
- MANAGE 2.2 · Mechanisms to sustain value: Mechanisms to sustain or restore deployment in the event of failures.
- MANAGE 4.1 · Post-deployment monitoring: Post-deployment monitoring plans implemented for AI systems.
- MANAGE 4.3 · Incidents & errors communicated: Incidents and errors are communicated and used to improve the AI system.
EU AI Act
Art.72 obliges a post-market monitoring plan; Art.73 mandates reporting of serious incidents to authorities.
- Article 12 · Record-keeping (logs): High-risk AI must automatically log events for traceability throughout its lifecycle.
- Article 20 · Corrective actions and duty of information: Providers must take corrective action and inform authorities of non-conforming AI.
- Article 55 · Obligations for GPAI with systemic risk: Model evaluations, systemic risk assessment & mitigation, incident reporting, cybersecurity.
- Article 72 · Post-market monitoring by providers: Active, systematic collection of data on performance of AI throughout its lifetime.
- Article 73 · Reporting of serious incidents: Providers report serious incidents to market surveillance authorities.