Summary

Post-market monitoring (PMM) is a lifecycle obligation for high-risk AI under the EU AI Act and a core element of responsible AI in the UK. It observes live behaviour, compares against tolerances and triggers action when residual risk rises.

• Provider: designs PMM, KPIs, regulatory reporting and CAPA.
• Deployer: operates the system, monitors incidents, controls and reports serious incidents promptly.
• Evidence: telemetry, logs, model versions, data lineage, decisions, outcomes, explanations.

Monitoring objectives & KPIs

• Define objectives tied to harms, fairness, security, privacy, explainability and operational KPIs.
• Set tolerances/thresholds and attach owners, review cadence and escalation paths.
• Track drift, bias, model degradation, outage and misuse patterns.

Telemetry, logging & data minimisation

• Capture signals needed to prove safety, fairness, privacy, explainability, security and robustness.
• Minimise personal data; prefer hashed or synthetic fields; support data subject rights.
• Maintain clear retention & disposal aligned to your Record of Processing Activities (ROPA).

Drift & bias surveillance

• Detect data and concept drift; run bias metrics (pre/post-deployment) and compare vs tolerances.
• Record affected cohorts, magnitude, decision impact; trigger CAPA where thresholds are breached.

Safety & security monitoring

• Continuously validate performance/robustness; log adversarial patterns and abuse signals.
• Apply hardening: input validation, guardrails, rate-limits, rollbacks, fail-safes.

Alerts, thresholds & escalation

• Encode thresholds → alert severities → runbook actions → escalation to AI governance forum.
• Ensure paging/on-call for P1/P2; log every action with timestamps and owners.

What is a “serious incident”?

A serious incident is any event that results in or is likely to result in material harm (health, safety, fundamental rights, significant economic loss), or a systemic breach of the provider’s declared risk controls. Maintain a typed incident taxonomy with mapped workflows.

Reporting workflow (EU/UK)

1. Detect → triage severity → stabilise system (rollback, throttle, disable affected flows).
2. Collect bundle: logs, prompts/inputs, outputs, version hashes, data slices, impact analysis.
3. Notify stakeholders and (where mandated) authorities within the prescribed timelines.
4. Root-cause → CAPA → validation → controlled return to service.

CAPA: corrective & preventive actions

• Corrective: hotfixes, model rollback, config changes, temporary guardrails.
• Preventive: data quality programs, new checks, strengthened thresholds, retraining gates.

Feedback loop & model updates

• Close the loop from incidents & metrics into backlog, retraining and policy updates.
• Record decisions in your AI governance minutes and change log.

Governance, evidence & records

• Maintain living risk file, KPI dashboards, SI registry, CAPA tracker and audit-ready evidence.
• Keep data lineage, model cards, evaluation reports and deployment approvals.

Implementation checklist

• Objectives & KPIs defined, thresholds set, owners assigned, cadence established.
• Telemetry mapped; minimisation & retention applied; privacy/security reviewed.
• Drift/bias monitors live; alerting & runbooks tested; SI workflow rehearsed.
• CAPA process operational; governance minutes & evidence library maintained.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 05 Nov 2025 • This page is general guidance, not legal advice.