Most AI governance conversations focus on what happens before deployment. Risk assessments. Documentation. Testing.
NIST just published a 40-page report saying that’s not enough.
AI 800-4 maps everything we don’t know about monitoring AI systems after they go live. And the picture is not reassuring.
The core problem: AI systems are non-deterministic. The same input doesn’t always produce the same output. Models drift. Context changes. Behavior evolves. A system that passed every pre-deployment test can still fail in production – and most organizations have no infrastructure to catch it when it does.
What most companies are missing
NIST identified six categories of post-deployment monitoring: functionality, operations, human factors, security, compliance, and large-scale impact.
Most organizations are reasonably good at the first two. Almost nobody is systematically monitoring human-AI interaction – how users are influenced by the system, whether the model is reinforcing bias, how trust dynamics are shifting over time.
That’s the biggest blind spot. And it has direct legal consequences.
There’s also the shadow AI problem. Employees using AI tools on personal devices, outside official infrastructure. No logging. No traceability. No audit trail. From a compliance perspective – that’s not a technical issue. It’s a liability issue.
Why this matters now
NIST AI 800-4 doesn’t create new legal obligations. But it signals where regulatory scrutiny is heading.
The EU AI Act focuses heavily on pre-deployment controls. Post-deployment monitoring is the next frontier – and most organizations aren’t ready.
The question isn’t whether continuous AI monitoring will become standard practice. It will.
The question is whether your organization will build that capability before regulators require it – or after.
For legal and strategic advisory on AI governance, visit AI Business Studio.
