AI & endpoints reshape global information governance

Global Information Governance Day has renewed attention on how organisations manage data risk as artificial intelligence, shadow IT and new regulatory expectations reshape the information landscape.

Business and technology leaders say information governance is shifting from a centralised compliance function to an operational discipline shaped by what happens on employee devices and in day-to-day workflows.

Asia-Pacific and European enterprises face particular pressure as they balance regional data protection rules with global adoption of AI-based tools and cloud services. Many organisations are now reviewing not only retention schedules and records policies, but also how information moves across laptops, mobile devices and software-as-a-service platforms.

Vendors in governance and endpoint management describe a widening gap between policy and practice as employees adopt consumer-grade tools, generative AI assistants and unsanctioned collaboration apps.

Endpoint focus

Jaren Nichols, president and COO of US-based endpoint management firm PDQ, said organisations often underestimate how much information governance depends on the state of devices in the field.

In many large companies, risk, compliance and legal teams define governance frameworks centrally. IT and security teams then translate those frameworks into configuration baselines, access controls and software catalogues for desktops and laptops.

"Information governance isn't just a policy or compliance exercise - it's an operational reality that plays out on everyday devices. While organizations often define governance frameworks centrally, they succeed or fail at the endpoint, where information is created, accessed, shared and stored," Nichols said.

Security specialists report that dispersed workforces, hybrid work patterns and device diversity have increased the number of endpoints holding regulated or sensitive information. This includes contractor machines, personal devices under bring-your-own policies and systems in smaller branch offices.

Governance reviews increasingly include audits of installed software, local data storage and the channels employees use to move files between corporate and external tools. These audits often uncover undocumented applications and unapproved file-sharing services.

Rising AI risk

Information governance experts cite AI-assisted tools and automation as a new set of challenges. Generative AI chatbots, summarisation services and coding assistants often rely on user prompts and documents that may contain confidential data.

Security teams in financial services, healthcare and the public sector have issued detailed guidance on AI use. Some have blocked public services while piloting internal alternatives with stronger audit and data residency controls.

"Today's risk landscape makes that more urgent than ever. AI tools, shadow IT and constantly changing threat conditions mean sensitive information can move faster and farther than governance teams anticipate. If IT doesn't know what software is running, who has access, or how quickly risk can be addressed, even well-designed governance policies break down," Nichols said.

Vendors in the AI and analytics market position data classification, lineage tracking and access logging as baseline requirements for deployment. Governance teams also examine whether AI models use personally identifiable information and how long training and inference data persists.

Visibility and control

Analysts describe visibility as central to any modern governance strategy, pointing to asset inventories, configuration management databases and decentralised logs as frequent weak points.

"Effective information governance requires visibility and control at the point of use. That means understanding what's on endpoints, reducing unauthorized tools that introduce data risk, and being able to patch, remove, or remediate quickly when conditions change. Governance isn't static - it has to adapt in real time," Nichols said.

Organisations in regulated sectors have invested in tools that let IT teams push patches quickly, decommission unapproved applications and revoke access when staff change roles. These controls often align with broader zero trust strategies and identity governance projects.

Many mid-sized businesses, however, still rely on manual processes and incomplete asset lists. Industry surveys show a significant proportion cannot provide an accurate count of running applications across their environment at short notice.

Policy and practice

For governance professionals, the ongoing task is ensuring documented policies match behaviour across the full information lifecycle: creation, classification, access, sharing, retention and disposal.

"Ultimately, strong information governance depends on aligning policy with practical enforcement, especially on the systems employees use every day," Nichols said.

Many organisations now pair traditional records management with data discovery and deletion programmes. These initiatives aim to reduce redundant, outdated and trivial data that can increase exposure during a breach or regulatory inquiry.

Vendors in records and compliance see AI as both a risk driver and a potential tool. Automated classification and retention recommendations can reduce manual effort, but they also require high-quality training data and clear audit trails.

Lifecycle accountability

Anthony Woodward, CEO of information governance platform provider RecordPoint, said the discipline's objectives have not changed, despite new tools.

"As we think about Info Governance Day: AI is the future but as tools change and expectations shift, the core job of Information Governance does not. Its purpose is still to reduce organizational risk by making data accountable throughout its lifecycle, from trustworthy AI and access through to retention," Woodward said.