I spend most of my time on post-signature contract management. The stuff that happens after the deal is done. Tracking obligations, monitoring vendor performance, making sure deadlines don’t slip, chasing down deliverables, confirming that what we agreed to is actually what we’re getting.
It’s the least glamorous part of this work. Nobody writes conference keynotes about it. No vendor demo spends more than 90 seconds on it. CLM marketing focuses on getting to signature faster, which is valuable, but it’s a bit like a real estate agent who helps you buy a house and then vanishes when the roof starts leaking.
Here’s the problem: post-signature is where the money actually lives. It’s where contract value erodes through missed renewals, untracked obligations, SLA violations nobody catches, and price escalations nobody checks. PwC estimated that enterprises could save 2% of annual costs just by improving contract accuracy and compliance, and most of that opportunity sits in the post-signature phase. And now, for the first time in my career, regulators are starting to pay attention to whether organizations are actually managing what they’ve signed.
That changes this job significantly.
What I Mean by “Obligations Tracking”
Let me be specific, because “obligations tracking” sounds like the kind of term that means nothing and everything.
Every contract contains promises. Your company promises to pay on time, provide access to certain systems, meet data protection requirements, deliver quarterly reports. Your vendor promises uptime levels, response times, staffing commitments, compliance with regulations, insurance coverage.
Obligations tracking means knowing what those promises are, who’s responsible for each one, when they’re due, and whether they’re being met. That’s it.
In practice, at most companies, nobody does this. The contract gets signed, filed somewhere, and forgotten until something goes wrong. The promises inside it become theoretical. WorldCC found that only 39% of commercial practitioners believe their contracts are effective at delivering the desired outcome. That’s not because the contracts were poorly drafted. It’s because nobody followed through on what they said.
I’ve lived this. At one company, I audited our top 25 vendor contracts and found that 14 of them contained SLA commitments that nobody on our side was monitoring. We were paying for guaranteed response times, uptime levels, and delivery windows that we had no way of verifying. The vendors could have been out of compliance for years and we’d never have known. (Some of them were. That was an uncomfortable conversation.)
Why Regulators Are Getting Involved
For most of my career, whether you tracked your contract obligations was your problem. If you missed a renewal deadline and got stuck in a bad auto-renewal, that was your loss. If your vendor fell below their SLA and you never claimed the credits, that was money you chose to leave on the table. Nobody outside your organization cared.
That’s changing, and it’s changing from multiple directions at once.
Financial services got hit first. The EU’s Digital Operational Resilience Act (DORA), which took effect in January 2025, fundamentally changed how financial entities manage their technology vendor contracts. DORA doesn’t just require that you have contracts with your ICT providers. It requires specific mandatory contract provisions (SLAs, audit rights, exit strategies, incident notification procedures) and demands that financial entities actively monitor whether those provisions are being met. Financial institutions now have to maintain a register of all ICT third-party contracts and submit it to regulators. The penalties for non-compliance can reach up to 10% of annual turnover.
That’s not “you should probably track your vendor obligations.” That’s “regulators will ask to see your tracking, and if you can’t show it, there are consequences.”
Government contracting is tightening too. In the U.S., federal agencies removed over 1,600 contracts in FY 2025 for non-compliance, and enforcement is increasing. The trend across government procurement is toward stricter documentation, transparency, and accountability throughout the contract lifecycle, not just at award.
AI governance is creating new obligations. I’ve written about this already, but the EU AI Act, Colorado’s AI Act, and California’s AI Transparency Act are all creating compliance obligations that flow through vendor contracts. If your software vendor uses AI to process your data, and new regulations require transparency about how that AI works, those requirements show up as contractual obligations that someone needs to track.
ESG and sustainability reporting is doing the same thing. Companies making sustainability commitments are discovering that those commitments require contractual support. If you’ve told your board (or your investors, or a regulator) that your supply chain meets certain environmental standards, you need contracts that say so, and you need to verify that vendors are actually complying. Research cited by Gatekeeper shows that 57% of executives cite data quality as their top ESG challenge, and 88% rank it among their top three concerns.
What This Means for Contract Managers
If you’re reading this and thinking “I barely have time to track renewals, let alone monitor every obligation in every contract,” I hear you. That’s exactly where I was two years ago.
But here’s what I’ve realized: the gap between “we signed a contract” and “we’re actually managing what we signed” is becoming a compliance risk, not just an operational inconvenience. Regulators aren’t asking “do you have a contract?” They’re asking “can you prove you’re meeting your obligations under that contract?”
For most organizations, the honest answer right now is no.
Roughly 78% of companies don’t systematically track obligations after signing. FTI Consulting research found that 75% of in-house legal teams are operating under hiring freezes even as workloads grow. And contract data is fragmented across an average of 24 different systems, which means even if someone wanted to track an obligation, finding the relevant contract is its own project.
This isn’t sustainable. Not because I say so. Because regulators say so.
What I’m Actually Doing About It
I’m not going to pretend I’ve solved this. Obligations tracking at scale is genuinely hard, even with good tools. But here’s what I’ve implemented that’s made a meaningful difference.
I’ve categorized obligations by risk. Not every obligation in every contract needs the same level of monitoring. A data protection commitment in a contract with a vendor that handles customer PII gets more attention than a standard payment term. I maintain a simple tier system: critical (monitor monthly), important (monitor quarterly), standard (review at renewal). This keeps the work manageable.
I’ve made contracts findable first. You can’t track obligations in contracts you can’t find. The foundation is a searchable repository where I can pull up any contract in seconds. When someone asks “which vendors have data processing obligations?” I can search across every contract and answer in minutes, not days. I did exactly this when auditing for AI clauses, and the same approach works for any obligation category.
I’ve tied obligations to date alerts. The most dangerous obligations are the ones with deadlines: notice periods, reporting requirements, certification renewals, insurance expiration. These go into ContractSafe with automated alerts, the same way I track renewal dates. The system doesn’t know the difference between “this contract auto-renews on March 15” and “this vendor’s cyber insurance certificate expires on March 15.” It just sends the alert.
I’ve started asking vendors about compliance at renewal. Every renewal conversation now includes a short checklist: Are you meeting the SLAs? Has anything changed about how you process our data? Are your insurance and certifications current? Have you added AI capabilities since our last review? Most vendors answer without pushback. The ones who get evasive are the ones I pay closest attention to.
I’ve documented my process. This is the boring one, but it matters. If a regulator or auditor asks “how do you track vendor obligations?” I need to be able to show a process, not just wave at a pile of contracts. My documentation isn’t complicated. It’s a one-page description of what I track, how often, where the data lives, and who’s responsible. But it exists, which puts me ahead of most organizations.
The Uncomfortable Truth
The contract management industry has spent the last decade optimizing the path to signature. Faster drafting. Automated approvals. Electronic signatures. AI-powered review. All valuable. All focused on the 10% of a contract’s life that happens before the ink dries.
The other 90% has been largely ignored. And now regulators, auditors, and boards are starting to ask questions about that 90%.
WorldCC’s research on the ten pitfalls of contracting found that top-performing organizations hold value erosion below 4%, and the distinguishing feature is their investment in post-award contract management capability. Not technology. Capability: process, roles, skills, and follow-through.
That’s the work that needs to happen now. Not because it’s exciting. Because the window for treating post-signature management as optional is closing. Regulators have noticed the gap. The question is whether your organization will close it before someone asks why you didn’t.

