Re-Elevating Records Management: Integrating AI Governance, Privacy, Breach Response, and eDiscovery into Modern IG Programs

A recent BarkerGilmore study found that although compliance budgets are increasing, four out of five Chief Compliance Officers reported that limited budgets or headcount have hindered their ability to address all compliance needs.[1] This has forced compliance officers to prioritize spending on return on investment (“ROI”) and mitigating vulnerabilities. A 2025 PwC Compliance survey found the top two compliance priorities for organizations are Cybersecurity and Privacy, with Artificial Intelligence as a top technology priority—yet Information Governance (IG) and Records and Information Management (RIM) were not listed as priority items.[2]

As a result, IG and RIM professionals increasingly feel the pressures of a “do more with less” culture, especially for functions not seen as providing a high ROI or presenting a significant vulnerability. However, IG and RIM are foundational to many high-priority compliance programs. The purpose of this article is to help IG and RIM professionals better advocate for their role in the changing compliance landscape and elevate their value within the organization.

Brief History of the Profession

IG and RIM were not always part of the compliance function. In the early days, those who managed records were called archivists or file clerks, and their purpose was limited to preserving company history, routing files, and freeing up space by clearing out unneeded paper records. These actions were driven by business needs, not laws or regulations.

The collapse of Enron and Arthur Andersen in 2002, along with the emergence of Sarbanes-Oxley and other recordkeeping laws, highlighted the risks and costs of improper records management. Shortly after, Zubulake v. UBS Warburg held that electronic data is subject to discovery, establishing that records include those created or stored in electronic form. This created an environment where managing information became an organizational priority, as proper management prevented significant compliance fines and reputational damage.

What IG and RIM professionals need to recognize is that these seminal events are now over 20 years old. Since then, organizations have seen new requirements take priority, including those associated with privacy, anti-money laundering, foreign corruption, and cybersecurity. Compliance still often views IG and RIM through the lens of what those functions were two decades ago, rather than how they address today’s challenges. Even more concerning, IG and RIM professionals sometimes advocate for their roles by focusing on issues that were critical decades ago but hold far less relevance today.

Artificial Intelligence and the Role of IG and RIM

According to a PwC 2025 Global Compliance Survey, 82% of companies plan to invest more in at least one technology to automate and optimize compliance activities, and 71% believe AI will have a net positive impact on compliance.[3] The use of AI, especially in areas with high-risk or consequential impacts on people’s finances, health, personal freedom, or safety, is subject to regulations requiring assessments, explainability, human oversight, and transparency.[4] This process is commonly referred to as AI Governance or Readiness.

Some organizations hesitate to implement AI Governance programs, fearing they will stifle innovation. However, IG and RIM can help create programs that serve as safety measures, allowing organizations to excel with greater assurance that AI systems are used safely and effectively. IG and RIM professionals can contribute to AI Governance and Readiness by participating as part of an AI Governance Committee, ensuring the impact of AI is considered across functions. They can inventory AI systems throughout the organization to help identify which are classified as high-risk or consequential and thus subject to regulation. They can also prepare data used for machine learning through cleaning, deleting, labeling, and wrangling, and document assessments, logs, registrations, and reports associated with AI systems and regulatory requirements.

If IG and RIM become part of AI Governance and Readiness, they become less likely to be replaced by AI systems. AI is also an area where organizations are willing to spend, and IG and RIM are well positioned to be part of that investment when aligned with those objectives.

Privacy and the Role of IG and RIM

The implementation of the European Union’s General Data Protection Regulation (“GDPR”) in 2018 made data privacy a priority for many organizations. Since then, jurisdictions across the world have adopted similar laws, and within the United States, 20 states have adopted some type of privacy law, along with industry-specific laws such as HIPAA and GLBA. According to a 2025 Cisco Data Privacy Benchmark Study, 86% of respondents reported a positive impact from privacy laws on their organization, and 96% found the benefits of privacy investments (including cataloging data, implementing controls, and conducting impact assessments) outweigh the costs.[5]

IG and RIM are critical to the implementation of privacy programs in several ways. They establish policies that promote retention and disposition of records in a manner that addresses both legal and legitimate business needs while protecting personal information. They participate in privacy impact and heightened risk assessments required by law. They verify that published privacy policies are consistent with internal operations. They assist with workflows associated with consumer and data subject access requests, including documentation of receipt, identity verification, decision tree analysis, and communication with requestors. They also manage or document consent, rejection, or modifications to cookies from website users.

These are all activities essential for implementing a privacy program and are generally best addressed by IG and RIM professionals. They are also areas where organizations are willing to invest because they see the benefits and the ROI.

Breach Response and the Role of IG and RIM

According to IBM, the average global breach cost has reached $4.88 million, with an average time of 258 days to identify and contain a breach, and a 17% year-over-year increase in reported incidents.[6] This demonstrates why IT and cybersecurity alone are ineffective for preventing and responding to security incidents.

IG and RIM play an important role by implementing and auditing policies to verify proper disposition of unneeded data based on established governance and retention schedules. They also identify the IG role in the event of a security incident, including the roles of data maps, location of cyber insurance policies, and retention of response reports in accordance with existing policies and advice of counsel.

A common reaction to a security incident is not “how did they access the system?” but rather “why did we still have that data?” Organizations often put most of their resources into building walls around their systems instead of managing the data going into them and having realistic plans for when security measures fail. IG and RIM address what goes into systems so that when an incident occurs, the damage is minimized. IG and RIM also play a vital role by ensuring the response process is documented to mitigate additional financial and reputational damage.

eDiscovery and the Role of IG and RIM

eDiscovery is a $16 billion market expected to reach $25 billion by 2030, despite the use of generative AI to mitigate costs.[7] What distinguishes eDiscovery spending from other areas is the lack of discretion involved: organizations subject to actual or reasonably anticipated litigation must preserve and possibly participate in eDiscovery activities.

eDiscovery actions are often initiated by legal, not compliance, and legal is not always familiar with the organization’s policies or procedures because it is typically focused on issues rather than process. As a result, IG and RIM are often excluded from the legal hold and eDiscovery process.

However, IG and RIM can play an important role by assisting with the establishment of a legal hold process in advance, where legal works with IG and RIM to assist with notification, implementation, and auditing of preservation obligations. They can develop and educate the organization on data maps that identify systems, the information they retain, their purpose, and who has access. They can verify that legal and the litigation group understand the records retention and disposition schedule and know whom to contact with questions. They also manage the process for ending a litigation hold and returning records to the retention schedule.

Many of these activities require IG and RIM professionals to proactively reach out to legal and litigation. This may be a continuous effort since personnel in this area change frequently, especially if the organization uses outside counsel. However, the more legal and litigation know about the IG and RIM function, the more they will use and prioritize it during the eDiscovery process.

Conclusion

IG and RIM are not obsolete or unimportant in today’s compliance and legal environment. While the issues that drove IG and RIM twenty years ago may no longer be the highest priority, today’s high-priority issues require IG and RIM as their foundation. IG and RIM alone will struggle, but when integrated into high-priority areas like AI Governance, Privacy, Cybersecurity, and eDiscovery, they become a business-critical function.


[1] Compliance and Risks, “25 Critical Stats Every Chief Compliance Officer Needs to Know” (Available at https://www.complianceandrisks.com/blog/25-critical-stats-every-chief-compliance-officer-needs-to-know/)

[2] PwC’s Global Compliance Survey 2025 (Available at Global Compliance Survey 2025 | PwC)

[3] Id.

[4] See Regulation (EU) 2024/1689 and C.R.S. § 6-1-1703

[5] Cisco 2025 Data Privacy Benchmark Study, pgs. 8-10 (Available at Cisco 2025 Data Privacy Benchmark Study)

[6] IBM, “Cost of a Data Breach Report 2025” (Available at Cost of a data breach 2025 | IBM)

[7] The Business Research Company, “eDiscovery Market Report”, (Available at https://www.thebusinessresearchcompany.com/report/ediscovery-global-market-report)

Author

  • Tom Corey is a Director with HBR Consulting’s Information Governance Team. Much of Tom’s work involves assisting organizations in developing information governance policies and records retention schedules that are compliant with domestic and international laws, regulations, and data privacy requirements. Tom is an attorney, licensed in North Carolina, and a Certified Records Manager (CRM) and Certified Information Privacy Professional (CIPP / US). In 2021, Tom received the Britt Literary Award for an article published in IM Magazine. Tom has served as an ARMA Chapter President for the Charlotte – Piedmont Group and is a frequent speaker at international and local ARMA events.


Tom Corey

Tom Corey is a Director with HBR Consulting’s Information Governance Team. Much of Tom’s work involves assisting organizations in developing information governance policies and records retention schedules that are compliant with domestic and international laws, regulations, and data privacy requirements. Tom is an attorney, licensed in North Carolina, a Certified Records Manager (CRM), Certified Information Privacy Professional (CIPP / US), and a Certified Information Privacy Professional (CIPM). In 2021 and 2022, Tom received the Britt Literary Award for articles published in IM Magazine. Tom has served as an ARMA Chapter President for the Charlotte – Piedmont Group and is a frequent speaker at international and local ARMA events.
