What is “post-market monitoring” in plain language?

It’s how you prove the system stays safe and fit-for-purpose after go-live: what you measure, how you review samples, and how you respond to incidents and changes.

What is a sampling policy?

A written rule-set for what gets reviewed by humans, at what rate, and how review outcomes are recorded. Risk-tiered sampling is the simplest auditable approach.

Do we need to review every decision?

Not always. Many teams define “always-review” triggers for high-risk actions and use sampling for medium-risk activity, provided evidence is captured consistently.

What should trigger burst sampling?

Incidents, near-miss spikes, new model/prompt/policy versions, or significant drift signals are common burst triggers.

What counts as a “material change”?

Any change that could affect outcomes or risk: model swaps, prompt/policy changes, tool access changes, UI changes, or data pipeline changes. Define it explicitly.

What do auditors reject most often?

Plans that are generic. Auditors want owners, thresholds, sampling rates, and a real incident workflow tied to exportable evidence.

Template

Post-market Monitoring Plan Template (with sampling policy)

Download a post-market monitoring plan template with a risk-tiered sampling policy section for AI agents and regulated workflows.

Generate a reviewable post-market monitoring plan in 30–60 minutes.

For compliance, risk, product, and ML ops teams shipping agentic workflows into regulated environments.

Last updated: Dec 16, 2025 · Version v1.0 · Fictional sample. Not legal advice.

Download editable template Request full package

Report an issue: /contact

Context

What this artifact is (and when you need it)

Minimum viable explanation, written for audits — not for theory.

A post-market monitoring plan is the operational document that defines what you monitor after deployment, what thresholds matter, and what happens when thresholds are breached.

Auditors want to see owners, sampling rates, reviewer guidance, and an incident workflow — not a paragraph that says “we will monitor”.

You need it when

You are deploying an agent into a regulated workflow (credit, claims, KYC/AML, HR).
You need to prove ongoing quality, safety, and policy compliance after go-live.
You are preparing an Annex IV dossier or an audit readiness review.

Common failure mode

A plan that lists metrics but has no thresholds, no risk-tiered sampling policy, and no incident workflow (who does what, by when).

Checklist

What good looks like

Acceptance criteria reviewers actually check.

Signals cover quality, policy compliance, tool/action correctness, and operational health.
Each signal has thresholds, severity levels, and a named owner + response SLA.
Sampling policy defines what is sampled, at what rates, and how reviewers label outcomes.
Incident process exists (severity, rollback/kill switch, reporting, corrective actions).
Material change definition triggers re-validation and evidence refresh.
Evidence can be exported as a verifiable bundle (manifest + checksums).

Preview

Template preview

A real excerpt in HTML so it’s indexable and reviewable.

Template preview (excerpt)

# Post-market Monitoring Plan Template (with sampling policy)

## 2) Monitoring signals (what you measure)
- Quality: grounding/accuracy sampling, format validity
- Safety & policy: violations (blocked) + near-misses
- Tool/action correctness: wrong system/action/record
- Operational health: latency, throughput, cost, error rate

## 4) Sampling policy (risk-tiered, auditable)
- What gets sampled (risk tiers + always-sample rules)
- Sampling rates (baseline + burst during incidents)
- Reviewer guidance (labels/rubrics + disagreement handling)

Download the full artifact

How-To

How to fill it in (fast)

Inputs you need, time to complete, and a miniature worked example.

Inputs you need

Risk tiers (low/medium/high) and which actions fall into each tier.
Monitored signals + thresholds + owners.
Sampling rates (baseline + burst rules) and reviewer rubric.
Incident roles, response SLAs, and rollback procedure.
Definition of “material change” and re-validation expectations.

Time to complete: 30–60 minutes for a defensible v1.

Mini example: sampling policy (risk-tiered)

EXAMPLE

Risk tiers:
- High: money movement, account closure, eligibility decisions
- Medium: recommendations that influence a human decision
- Low: low-stakes automation with strong guardrails

Sampling rates:
- High: 25% baseline; 100% during incidents or after major changes
- Medium: 5% baseline; 20% for 2 weeks after new model/policy versions
- Low: 1% baseline

KLA Mapping

How KLA generates it (Govern / Measure / Prove)

Tie the artifact to product primitives so it converts.

Govern

Policy-as-code checkpoints that block or require review for high-risk actions.
Versioned change control for model/prompt/policy/workflow updates.

Measure

Risk-tiered sampling reviews (baseline + burst during incidents or after changes).
Near-miss tracking (blocked / nearly blocked steps) as a measurable control signal.

Prove

Hash-chained, append-only audit ledger with 7+ year retention language where required.
Evidence Room export bundles (manifest + checksums) so auditors can verify independently.

Related resources

Human oversight playbook Audit log retention policy template Evidence pack checklist Annex IV template pack