AIMS Improvement Cycle & Post-Certification Surveillance (Continuous Compliance Strategy)

Zen AI Governance — Knowledge Base • EU/UK alignment • Updated 08 Nov 2025 • www.zenaigovernance.com

AIMS Improvement Cycle & Post-Certification Surveillance (ISO/IEC 42001:2023)

ISO/IEC 42001 – AIMS Continual Improvement Surveillance & Compliance
Key takeaways
  • ISO/IEC 42001 compliance is ongoing — improvement cycles maintain certification and maturity.
  • Surveillance audits verify implementation, not just documentation.
  • Integrate KPI monitoring, incident reviews, and CAPA outcomes into your continuous improvement loop.

Overview & objectives

Achieving certification is the start — maintaining and improving your AI Management System (AIMS) ensures sustained compliance and trust. The continual improvement cycle links operational data, incident learnings, and audit feedback into measurable enhancements to governance, risk control, and performance.

AIMS improvement cycle (PDCA)

Follow the Plan–Do–Check–Act cycle as a living framework for improvement:

  • Plan: Identify improvement areas via KPIs, audits, incidents, stakeholder feedback, or regulatory change.
  • Do: Implement corrective and preventive actions, update procedures, and deploy new controls.
  • Check: Monitor results via KPIs, internal audits, and CAPA verification.
  • Act: Adjust policies, risk appetite, or governance structure as necessary; communicate outcomes during management review.

Post-certification surveillance audits

  • Conducted annually by the certification body to verify the ongoing implementation of the AIMS.
  • Focus on changes, incidents, CAPA effectiveness, training, and updated legal/regulatory compliance.
  • Surveillance does not re-audit all clauses but tests representative samples across AI lifecycle areas.
  • Nonconformities found must be corrected before certificate renewal.

Risk & regulatory review process

  • Quarterly review of the AIMS Risk Register for new risks, changes in residual risk, or emerging threats (e.g., model drift, generative AI misuse).
  • Integrate updates from EU AI Act, UK AI White Paper, ICO guidance, NIST AI RMF revisions.
  • Document impact assessments and policy amendments in your Change Control log.

Performance metrics & dashboards

Use metrics to track AIMS health and improvement trends:

  • Risk treatment progress: % of risk controls implemented.
  • Incident closure time: mean time to verify CAPA.
  • Training coverage: % of staff trained within cycle.
  • Supplier due-diligence (DD) rate: % of vendors reviewed on schedule.
  • Audit NC trend: reduction of findings vs prior year.
  • Innovation rate: # of improvements implemented per quarter.

Incident management & CAPA linkage

  • All incidents feed CAPA register with cause, corrective, and preventive actions.
  • Effectiveness checks on closed CAPAs (e.g., repeat-occurrence rate below 5%).
  • CAPA dashboard visible to Oversight Board and included in surveillance evidence pack.

Integration with management review

  • Management reviews include improvement cycle summaries and KPIs.
  • Actions assigned directly from CAPA register or audit findings.
  • Review minutes and sign-off evidence become part of next surveillance audit.

Tools & templates

Template — Continual Improvement Register
ID | Source | Action | Owner | Target Date | Status | Evidence Link
CI-2025-01 | Audit Finding | Update Supplier DD Form | Procurement | 2025-12-15 | Open | /docs/DD_form_v4.pdf
CI-2025-02 | Incident | Add human oversight training drill | Ops | 2025-11-30 | Done | /training/records/2025Q4.pdf

Roles & responsibilities

  • AIMS Manager: maintains improvement & CAPA registers, prepares reports.
  • Process Owners: implement improvements and supply evidence.
  • Authorising Officer: approves resources and verifies sustained compliance.
  • Oversight Board: monitors KPI trends and authorises corrective actions.

12-month surveillance roadmap

  1. Q1 — Internal audit + risk register review.
  2. Q2 — CAPA verification + training update + KPI analysis.
  3. Q3 — Supplier re-assessment + oversight drills + management review.
  4. Q4 — Surveillance audit readiness + improvement report compilation.

Common pitfalls & mitigation

  • No evidence of improvement: maintain register with baseline metrics and outcomes.
  • CAPA stagnation: assign due dates and escalate overdue actions.
  • Ignored regulatory updates: appoint compliance lead to monitor EU/UK changes quarterly.
  • Disconnected metrics: ensure KPIs tie to risks and policies.
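The register template above and the "CAPA stagnation" and "no evidence of improvement" pitfalls lend themselves to an automated check. The script below is an added example, not Zen AI Governance tooling: it parses the pipe-delimited register layout shown in the template, validates IDs, dates and statuses, and produces the figures a CAPA dashboard would show (completion rate, overdue open actions to escalate, and "Done" actions with no evidence link). The column names, the `CI-YYYY-NN` ID pattern and the "In Progress" status are assumptions drawn from the template; rows three and four of the sample register and the as-of date are constructed.

```python
"""Continual Improvement Register checks (added example, not Zen AI Governance tooling).

Parses the pipe-delimited register layout shown on this page and produces the
dashboard figures the page describes: completion rate, overdue open actions for
escalation, and 'Done' actions lacking an evidence link. Column names, the ID
pattern and the 'In Progress' status are assumptions taken from the template;
sample rows beyond the template's two are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

COLUMNS = ["ID", "Source", "Action", "Owner", "Target Date", "Status", "Evidence Link"]
ID_PATTERN = re.compile(r"^CI-\d{4}-\d{2,}$")      # assumed from the CI-2025-01 style IDs
VALID_STATUSES = {"Open", "In Progress", "Done"}  # 'In Progress' is an assumption

# Constructed sample register: rows 1-2 are the page's template rows, 3-4 are added here.
SAMPLE_REGISTER = """\
ID | Source | Action | Owner | Target Date | Status | Evidence Link
CI-2025-01 | Audit Finding | Update Supplier DD Form | Procurement | 2025-12-15 | Open | /docs/DD_form_v4.pdf
CI-2025-02 | Incident | Add human oversight training drill | Ops | 2025-11-30 | Done | /training/records/2025Q4.pdf
CI-2025-03 | KPI Review | Re-baseline training coverage metric | HR | 2025-10-31 | Open |
CI-2025-04 | Management Review | Refresh AI risk appetite statement | AIMS Manager | 2025-11-05 | Done |
"""


@dataclass(frozen=True)
class Entry:
    id: str
    source: str
    action: str
    owner: str
    target_date: date
    status: str
    evidence: str  # empty string when no evidence link is recorded


def parse_register(text: str) -> list[Entry]:
    """Parse the register; reject a wrong header, malformed IDs, dates, statuses or duplicate IDs."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [c.strip() for c in lines[0].split("|")]
    if header != COLUMNS:
        raise ValueError(f"unexpected header: {header}")
    entries: list[Entry] = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.split("|")]
        if len(cells) != len(COLUMNS):
            raise ValueError(f"wrong column count in row: {ln!r}")
        ident, source, action, owner, target, status, evidence = cells
        if not ID_PATTERN.match(ident):
            raise ValueError(f"bad ID {ident!r}")
        if status not in VALID_STATUSES:
            raise ValueError(f"bad status {status!r} on {ident}")
        # date.fromisoformat raises ValueError on a malformed target date
        entries.append(Entry(ident, source, action, owner, date.fromisoformat(target), status, evidence))
    ids = [e.id for e in entries]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate IDs in register")
    return entries


def overdue_actions(entries: list[Entry], as_of: date) -> list[str]:
    """IDs of actions not yet Done whose target date has passed (the escalation list)."""
    return [e.id for e in entries if e.status != "Done" and e.target_date < as_of]


def done_without_evidence(entries: list[Entry]) -> list[str]:
    """'Done' actions with no evidence link: the 'no evidence of improvement' pitfall."""
    return [e.id for e in entries if e.status == "Done" and not e.evidence]


def completion_rate(entries: list[Entry]) -> float:
    """Share of register actions closed as Done (0.0 for an empty register)."""
    if not entries:
        return 0.0
    return sum(e.status == "Done" for e in entries) / len(entries)


def dashboard(text: str, as_of: date) -> dict:
    """Figures for the CAPA/improvement dashboard described on the page."""
    entries = parse_register(text)
    return {
        "total": len(entries),
        "completion_rate": completion_rate(entries),
        "overdue": overdue_actions(entries, as_of),
        "done_without_evidence": done_without_evidence(entries),
    }


def sample_dashboard() -> dict:
    """Dashboard over the constructed sample, as of the page's 'Updated' date (constructed as-of)."""
    return dashboard(SAMPLE_REGISTER, date(2025, 11, 8))


if __name__ == "__main__":
    print(sample_dashboard())
```

Run monthly against the live register (the checklist asks for a monthly dashboard update) and treat a non-empty `overdue` list as the escalation trigger and a non-empty `done_without_evidence` list as a gap to close before the evidence pack is assembled; the strict parser also stops a register with malformed dates or duplicate IDs from silently producing wrong KPI figures.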

Implementation checklist

  • Improvement Register live with version control.
  • Surveillance audit schedule confirmed with certification body.
  • CAPA dashboard updated monthly.
  • KPIs reviewed quarterly; trends documented.
  • Evidence pack prepared and archived.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 08 Nov 2025 • This page is general guidance, not legal advice.
