Article 72: Post-Market Monitoring Without a Second Compliance Programme

Post-market monitoring is the obligation that quietly outlasts every other part of AI Act compliance. Article 72 requires providers of high-risk systems to keep watching once the system is live, and to do so through a documented plan. The instinct is to stand up a new programme for it. That instinct is wrong.

A monitoring plan that lives apart from the rest of the business is the one that decays. The systems you already run, telemetry, incident handling, model performance review, change control, generate most of what Article 72 wants. The work is to connect them into a plan, not to build a parallel structure that competes for the same attention and budget.

So what makes a plan defensible? It states what is monitored and why, sets the thresholds and signals that matter, and defines who acts when a signal fires. It ties monitoring to the risk management of Article 9 rather than treating it as a separate exercise. And it records decisions, so an authority can see not just that you monitored, but that you responded.

The review triggers are where many plans are thin. A defensible plan names the conditions that force a reassessment of the system's documentation, performance drift, new failure modes, changes to the intended purpose or the deployment context, and links each to an owner and a timeframe. Without those triggers, monitoring becomes passive data collection that proves nothing.

The common deficiencies are predictable. Plans that describe tools rather than decisions. Plans with no escalation path. Plans that gather metrics no one reviews. Plans that never feed back into the technical file. Each of these reads, to a supervisor, as monitoring on paper only.

The supervisory landscape is tightening as national authorities move from designation to operation, and post-market evidence is exactly the kind of thing a market surveillance authority can ask for without warning. A plan that is already wired into live processes answers that request. A plan that exists only as a document does not.

Our whitepaper, Post-Market Monitoring Plans, sets out the content of a defensible plan, the integration points with your existing infrastructure, the trigger conditions worth naming, and the deficiencies to design out. Monitoring is not administration. It is part of how a high-risk system stays lawful.