Governance

Monitoring

Definition

Monitoring is the ongoing, planned activity of observing, measuring, and reviewing systems, processes, and controls to detect issues, verify performance, and confirm that requirements are being met. In ISO/IEC 42001, an AI management system (AIMS) standard, monitoring includes defining what will be monitored (e.g., AI system performance, quality, drift, bias, robustness, security events, and unintended impacts), setting measurement methods and thresholds, reviewing results, and taking corrective action when outcomes deviate from objectives or risk tolerances. Effective monitoring combines automated signals (telemetry, alerts, dashboards) with periodic human review (trend analysis, control testing, management reviews) so organizations can identify control failures, emerging risks, and compliance gaps early. Monitoring also supports audit readiness by producing evidence of control operation over time, such as alert records, incident tickets, review notes, and metrics reports. Comparable concepts appear in other programs as continuous control monitoring, continuous compliance monitoring, and security logging and monitoring practices.

Real-World Examples

Startup: AI model drift and performance monitoring

A small team tracks latency, error rates, and data drift for an AI feature and investigates alerts when thresholds are exceeded.

Scaleup: Continuous controls monitoring (CCM)

A growing company monitors key control signals (MFA coverage, privileged access changes, backup success, and patch status) to catch control drift.

Enterprise: SOC and AI incident monitoring

A security operations team correlates logs, EDR alerts, and AI-system anomalies to detect abuse, data leakage, or unsafe model behavior.

Audit-ready evidence for monitoring activities

Teams retain alert histories, investigation notes, and periodic review sign-offs to demonstrate monitoring is performed and acted upon consistently.

Monitoring is the ongoing observation and measurement of systems and controls to detect issues, confirm controls operate as intended, and produce evidence for governance, risk, and compliance oversight.

Continuous security monitoring uses near-real-time telemetry, alerts, and analyst review to identify suspicious activity and control failures quickly, enabling faster containment and corrective action.

Compliance monitoring tracks whether policies, processes, and control requirements are being followed, covering items like access control, change management, incident response, data handling, and periodic reviews.

Logging records events, alerting notifies on conditions, auditing independently assesses conformance, and monitoring is the broader ongoing process that uses logs, alerts, and reviews to detect and manage deviations.

Common types include network and endpoint monitoring for threats, application and cloud monitoring for reliability and misconfigurations, and control monitoring to verify key safeguards remain effective over time.

Organizations should monitor leading indicators such as privileged access changes, configuration baselines, vulnerability and patch status, backup success, logging coverage, and exceptions to required approvals or reviews.

Cadence depends on risk: high-risk signals should be monitored continuously or daily, while lower-risk controls may be reviewed weekly, monthly, or quarterly, with defined triggers for escalation.

Typical KPIs include alert volume and quality, mean time to detect/respond, coverage of critical logs, control pass rates, exception trends, remediation time, and recurring issue rates by control area.

Common capabilities include SIEM for log correlation, SOC processes for triage and response, EDR for endpoint visibility, CSPM for cloud posture checks, and CCM for continuous control signal tracking.

Document what is monitored, thresholds and owners, review frequency, and escalation paths, then retain evidence such as dashboards, alert records, investigation tickets, review sign-offs, and corrective action outcomes.

Version | Date | Author | Description
1.0.0 | 2026-02-26 | WatchDog Security GRC Wiki Team | Initial publication