
Model Lifecycle Policies

Post Market Monitoring Policy

Outlines how ongoing monitoring and reporting works for high-risk systems.

Owner: Post-Market Monitoring Officer

Purpose

Comply with EU AI Act Article 61 and internal governance objectives by defining how high-risk AI systems are monitored, documented, and reported after deployment.

Scope

Applies to all high-risk and critical AI systems deployed in the EU or other regulated markets. Medium-risk systems may adopt this policy to strengthen assurance.

  • High-risk Annex III systems (credit, employment, healthcare, safety)
  • Critical internal controls (financial reporting, regulatory submissions)
  • AI services with contractual monitoring clauses

Definitions

  • Post-Market Monitoring Plan (PMMP): Formal plan describing monitoring metrics, data sources, and reporting cadence.
  • Serious Incident: Event causing harm, security breach, or regulatory non-compliance that must be reported to authorities.
  • Corrective Action: Steps to remediate identified issues, including retraining or disabling the AI system.

Policy

All applicable systems must maintain an approved PMMP. Monitoring evidence, incident logs, and corrective actions must be retained and made available to regulators upon request. Serious incidents must be reported within mandated timelines.

Roles and Responsibilities

The Post-Market Monitoring Officer (PMMO) owns PMMP templates, consolidates reports, and liaises with regulators. Model Owners execute monitoring tasks and document incidents. Compliance ensures reporting deadlines are met. Responsible AI reviews safety outcomes.

Procedures

The PMMP must cover:

  • Monitoring scope and metrics (accuracy, bias, safety incidents, data drift).
  • Data sources (monitoring dashboards, user feedback channels, audit logs).
  • Alert thresholds and escalation matrix.
  • Incident reporting workflow with regulatory timelines.
  • Corrective action tracking and closure criteria.
  • Periodic PMMP review schedule.

Exceptions

If a system temporarily ceases operation (e.g., for maintenance), the PMMO may suspend PMMP activities but must document the rationale and restart monitoring before reactivation.

Review Cadence

PMMP effectiveness is reviewed at least annually or sooner after major incidents or regulatory updates. Results feed into the enterprise risk register.

References

  • EU AI Act Article 61 (Post-market monitoring)
  • ISO/IEC 42001:2023 Clauses 9 and 10 (Performance evaluation, improvement)
  • Internal documents: Incident Response for AI Systems Policy, Monitoring Playbook, Regulatory Reporting SOP