Pertama Partners
Back to AI Governance & Adoption for Companies

Compliance monitoring: Best Practices

Pertama Partners3 min read

Deploying an AI model is not the end of compliance—it is the beginning. Continuous compliance monitoring ensures that AI systems remain within acceptable parameters throughout their operational life. Yet Gartner's 2024 AI Governance Survey reveals that only 29% of organizations have implemented continuous monitoring for their production AI systems, creating a significant compliance gap between deployment and ongoing oversight.

Why Continuous Monitoring Is Non-Negotiable

AI systems are not static. They interact with changing data, evolving user behaviors, and shifting regulatory requirements. Without continuous monitoring, compliance degrades silently:

  • Model drift: NannyML's 2024 industry analysis found that 91% of production ML models experience meaningful performance drift within 12 months of deployment. This drift can push models out of compliance with accuracy and fairness requirements without any visible malfunction.
  • Data distribution shifts: Real-world data changes over time. A 2024 study published in Nature Machine Intelligence found that 67% of healthcare AI models showed significant performance degradation due to data distribution shift within two years of deployment.
  • Regulatory evolution: AI regulations are actively changing. The OECD tracked 148 new AI policy initiatives globally in 2024 alone. Models compliant at deployment may become non-compliant as requirements evolve.
  • Adversarial exposure: AI systems face ongoing adversarial threats. MITRE's ATLAS threat matrix catalogs over 80 adversarial techniques targeting AI systems, many of which can degrade model behavior without triggering traditional security alerts.

The EU AI Act explicitly requires ongoing monitoring for high-risk AI systems, including performance tracking, incident reporting, and periodic reassessment. Organizations that wait for regulatory enforcement to implement monitoring will find themselves scrambling.

Building a Comprehensive Monitoring Framework

Layer 1: Technical Performance Monitoring

Technical monitoring forms the foundation of compliance oversight. Key metrics and approaches:

Accuracy and performance metrics:

  • Track prediction accuracy, precision, recall, F1 scores, and domain-specific metrics against established baselines
  • Set statistical thresholds for acceptable deviation. Evidently AI's 2024 benchmark recommends alerting when performance degrades by more than two standard deviations from the baseline
  • Monitor latency and throughput as performance indicators—sudden changes may indicate data pipeline issues affecting model inputs

Data quality monitoring:

  • Track input data distributions against training data distributions using statistical distance measures (KL divergence, Population Stability Index, Wasserstein distance)
  • Monitor for missing data, out-of-range values, and schema violations in model inputs
  • Implement data lineage tracking to maintain auditability of data sources. Collibra's 2024 Data Quality Report found that 43% of AI model failures traced back to undetected data quality issues

Bias and fairness monitoring:

  • Continuously measure disparate impact ratios, demographic parity, equalized odds, and other fairness metrics across protected groups
  • The four-fifths rule (80% rule) from US employment law provides a common threshold: if a model's favorable outcome rate for a protected group is less than 80% of the highest group rate, investigate
  • IBM's 2024 AI Fairness Report found that 34% of production AI models developed measurable bias drift within six months of deployment, even when initially tested as fair

Layer 2: Operational Compliance Monitoring

Beyond technical metrics, monitor compliance-relevant operational factors:

Access and usage controls:

  • Monitor who accesses AI systems, what decisions they make, and whether usage patterns align with approved purposes
  • Track privilege escalation and unusual access patterns. Okta's 2024 Identity Governance Report found that 28% of AI-related compliance violations stemmed from unauthorized access or usage outside approved scope
  • Maintain complete audit logs with tamper-evident storage

Documentation currency:

  • Monitor whether model documentation (model cards, datasheets, impact assessments) remains current and accurate
  • Flag documentation that has not been reviewed within required timeframes—ISO 42001 recommends at minimum annual review of all high-risk system documentation
  • Track documentation completeness scores against framework requirements

Incident tracking and trending:

  • Record all AI system incidents, near-misses, and complaints
  • Analyze incident trends to identify systemic issues before they become compliance breaches
  • The EU AI Act requires serious incident reporting within defined timeframes for high-risk systems

Layer 3: Regulatory Change Monitoring

Proactive regulatory monitoring prevents compliance surprises:

  • Regulatory horizon scanning: Monitor proposed and enacted AI regulations across all relevant jurisdictions. Thomson Reuters' 2024 survey found that organizations with automated regulatory scanning detected relevant regulatory changes an average of 47 days earlier than those relying on manual monitoring
  • Impact assessment triggers: When new regulations are detected, automatically initiate impact assessments against your AI system inventory to identify affected systems
  • Compliance calendar management: Maintain a centralized calendar of compliance deadlines, review dates, and reporting requirements. Automate reminders and escalations for approaching deadlines

Tools and Technology Stack

Open-Source Monitoring Tools

Several mature open-source tools support AI compliance monitoring:

  • Evidently AI: Comprehensive ML monitoring including data drift, model performance, and data quality checks. Supports dashboard creation and alerting
  • Great Expectations: Data quality monitoring and validation. Enables data testing as part of ML pipelines with over 300 built-in data quality checks
  • Prometheus + Grafana: Infrastructure-level monitoring that can be extended to track AI-specific metrics with custom exporters
  • Alibi Detect: Specialized drift detection library supporting multiple statistical methods for detecting data and model drift

Enterprise Monitoring Platforms

For organizations requiring enterprise-grade capabilities:

  • Arthur AI: Real-time model monitoring with explainability, bias detection, and performance tracking. Supports regulatory compliance dashboards
  • Fiddler AI: Model performance management with explainable AI capabilities and automated alerting
  • WhyLabs: AI observability platform providing data quality monitoring, model performance tracking, and drift detection with low-latency processing
  • Arize AI: ML observability with embedding drift detection, performance tracing, and automated root cause analysis

Forrester's 2024 AI Monitoring Market Overview valued the AI monitoring tools market at $2.1 billion, with projected growth to $8.7 billion by 2028, reflecting the critical importance organizations are placing on this capability.

Integration Architecture

Design your monitoring stack for comprehensive coverage:

  • Data layer: Capture all model inputs, outputs, and metadata in a centralized data store with appropriate retention policies. Ensure GDPR-compliant data handling for personal data
  • Processing layer: Real-time stream processing for latency-sensitive metrics (using Apache Kafka, Apache Flink, or cloud-native equivalents) and batch processing for statistical analyses
  • Alerting layer: Multi-channel alerting (email, Slack, PagerDuty, ticketing systems) with severity-based routing. Configure escalation chains that ensure critical compliance alerts reach the right decision-makers
  • Visualization layer: Role-specific dashboards—technical teams need detailed metric views while compliance officers need summary compliance status and trend analysis

Alerting Best Practices

Effective alerting is the critical link between monitoring and action:

Alert Design Principles

  • Actionable alerts only: Every alert should have a clear response procedure. PagerDuty's 2024 State of Digital Operations report found that teams receiving more than 30% non-actionable alerts experience "alert fatigue," leading to delayed response to genuine issues
  • Severity classification: Use a minimum three-tier severity system:
    • Critical: Compliance breach detected or imminent. Requires immediate response (target: under 1 hour)
    • Warning: Metrics approaching compliance thresholds. Requires investigation within 24 hours
    • Informational: Noteworthy changes that should be logged and reviewed in regular compliance meetings
  • Context-rich notifications: Include the AI system name, affected metric, current value, threshold, trend direction, and a link to the relevant dashboard in every alert

Alert Thresholds

Setting appropriate thresholds is both art and science:

  • Statistical thresholds: Use control chart methodology (Shewhart charts) to set data-driven thresholds based on historical performance distributions. Alert on two-sigma deviations for warnings and three-sigma for critical alerts
  • Regulatory thresholds: Where regulations specify quantitative requirements (e.g., the four-fifths rule for disparate impact), set alerts at 90% of the regulatory threshold to provide a warning buffer
  • Business impact thresholds: Align technical thresholds with business impact. A 2% accuracy drop may be critical in medical diagnostics but acceptable in content recommendation

Reducing Alert Noise

Splunk's 2024 State of Observability Report found that 55% of organizations experience alert fatigue in their monitoring systems. Reduce noise through:

  • Intelligent deduplication: Group related alerts to prevent alert storms from a single root cause
  • Time-based suppression: Suppress repeat alerts for known issues under active investigation
  • Composite alerts: Combine multiple weak signals into a single meaningful alert rather than firing separate alerts for each metric
  • Regular threshold tuning: Review and adjust alert thresholds quarterly based on false positive and false negative rates

Process and Governance

Monitoring Governance Structure

  • Define monitoring ownership: Each AI system should have a designated monitoring owner responsible for alert triage, investigation, and resolution
  • Establish review cadences: Weekly operational reviews of monitoring metrics, monthly compliance reviews analyzing trends, and quarterly strategic reviews assessing monitoring coverage and effectiveness
  • Maintain runbooks: Document response procedures for each alert type. Include diagnostic steps, remediation options, escalation criteria, and communication templates. ITIL's 2024 AI Operations guide recommends runbook review after every major incident

Continuous Improvement

  • Post-incident reviews: After every compliance-related incident, conduct a blameless post-mortem. Document root causes, contributing factors, and improvement actions. Track improvement action completion
  • Monitoring coverage audits: Quarterly assess whether all production AI systems are adequately monitored. Cross-reference against your AI system inventory
  • Benchmark against peers: Participate in industry benchmarking exercises. ISACA's 2024 AI Governance Benchmark provides comparison data across industries and organization sizes
  • Regulatory readiness testing: Periodically simulate regulatory inquiries to test whether your monitoring data can answer regulator questions within expected timeframes. Target: full regulatory data package assembled within 48 hours

Building robust continuous compliance monitoring is a significant investment, but the alternative—discovering compliance failures through regulatory enforcement, customer complaints, or public incidents—is far more costly. Organizations that monitor proactively build trust with regulators, customers, and the public while maintaining the operational agility to deploy AI systems confidently.

Common Questions

NannyML's 2024 industry analysis found that 91% of production ML models experience meaningful performance drift within 12 months. Additionally, a 2024 Nature Machine Intelligence study showed 67% of healthcare AI models had significant performance degradation due to data distribution shift within two years. IBM reports 34% of models develop measurable bias drift within six months.

Three layers of monitoring are essential: technical performance (accuracy, precision, recall, data quality, bias metrics like disparate impact ratios), operational compliance (access controls, documentation currency, incident tracking), and regulatory change monitoring (horizon scanning, impact assessment triggers, compliance calendar management).

Splunk's 2024 report found 55% of organizations experience alert fatigue. Reduce it through intelligent alert deduplication, time-based suppression for known issues, composite alerts combining weak signals, and quarterly threshold tuning. PagerDuty found that teams receiving over 30% non-actionable alerts experience delayed response to genuine issues.

Key open-source options include Evidently AI for comprehensive ML monitoring and drift detection, Great Expectations for data quality validation with 300+ built-in checks, Prometheus with Grafana for infrastructure-level AI metrics, and Alibi Detect for specialized drift detection using multiple statistical methods.

The EU AI Act mandates continuous monitoring for high-risk AI systems including performance tracking, incident reporting within defined timeframes, and periodic reassessment. Organizations must maintain audit logs, enable feedback mechanisms for affected individuals, and ensure documentation remains current with at minimum annual reviews for high-risk systems.

More on AI Governance & Adoption for Companies

Algorithmic accountability: Best Practices

Data catalog implementation: Best Practices

Data ethics: Best Practices