Information Governance
The organization-wide framework of policies, accountability, and controls that governs information as a strategic asset.
Information governance is the umbrella discipline that defines how an organization directs, controls, and accounts for its information across its entire existence — regardless of where that information lives, what format it takes, or which business unit created it. Where records management focuses on the disciplined capture, classification, retention, and disposition of records, and where data management concerns itself with the integrity and usability of structured data, information governance sits above both as the coordinating framework. It asks the strategic questions: Who is accountable for our information? What rules apply to it? How much risk does it carry, and how much value? It treats information not as a byproduct of doing business but as a managed corporate asset deserving the same deliberate stewardship as money, people, or physical property.
The reason information governance has moved from a niche concern to a board-level priority is simple: organizations now create more information, in more formats, across more systems, than any manual process can hope to control. Email, instant messaging, collaboration platforms, cloud repositories, databases, social media, and an expanding universe of unstructured files all generate content that may carry legal, regulatory, historical, or operational significance. Without a governing framework, that content accumulates as unmanaged risk and cost. Information governance provides the policy, accountability, and coordination needed to keep information defensible, discoverable, compliant, and useful — while disposing of what no longer serves a purpose.
What Information Governance Is — and Is Not
A persistent source of confusion is the relationship between information governance and records management. The two are complementary rather than competing. Records management is an operational discipline: it identifies which information constitutes a record, applies retention schedules, and ensures defensible disposition. Information governance is the strategic layer that sets organizational policy, assigns accountability, and harmonizes the many functions that touch information — legal, compliance, privacy, security, IT, and the business itself. In practice, a mature records management program is one of the most important engines through which information governance is executed, but governance also extends to information that may never be formally declared a record, such as transitory content, work-in-progress, and the vast pools of redundant, obsolete, and trivial data that organizations accumulate.
Information governance is also distinct from data governance, though the boundary blurs. Data governance traditionally concentrates on structured data quality, master data, and analytics readiness. Information governance casts a wider net, encompassing unstructured content and the legal and compliance obligations attached to it. The most effective programs treat these as facets of a single accountability framework rather than rival fiefdoms.
The Core Concepts and Sub-Areas
Several themes recur whenever practitioners build and operate an information governance program, and together they form the cluster of topics this hub anchors.
- Program building. Establishing governance is an organizational change effort as much as a technical one. It requires executive sponsorship, a cross-functional steering body, clear roles, written policy, and measurable objectives — not merely the purchase of technology.
- Reference models. The Information Governance Reference Model, or IGRM, is the most widely cited conceptual tool in the field. It depicts information governance as the shared responsibility of business owners who use information for value, legal and risk stakeholders who impose duties and constraints, and IT and records professionals who manage the information across its life. Its central insight is that governance fails when any one of these constituencies acts alone.
- E-discovery. Litigation readiness is one of the strongest practical drivers of governance. The ability to identify, preserve, collect, and produce electronically stored information defensibly depends on knowing what information exists and where it lives — exactly what governance establishes.
- ROT remediation. A core operational activity is the systematic identification and defensible disposal of redundant, obsolete, and trivial information. Reducing this clutter lowers storage cost, shrinks the attack surface, and makes legitimate records easier to find and protect.
- Maturity. Programs evolve along a continuum from ad hoc and reactive toward proactive, measured, and continuously improving. Maturity models give organizations a vocabulary for assessing where they stand and a roadmap for advancing.
- Privacy and security intersections. Governance is where the obligations of records retention, data protection, and information security meet and must be reconciled.
Governing Laws, Standards, and Authorities
Information governance is not founded on a single statute; it synthesizes obligations drawn from many sources. In the United States, federal recordkeeping is shaped by the Federal Records Act and the regulations and guidance issued by the National Archives and Records Administration. Sector-specific regimes — covering health information, financial records, and similar domains — impose their own retention and protection duties, and modern privacy regimes have added rights and constraints that governance programs must accommodate.
On the standards side, the ISO 15489 family establishes principles for records management, ISO 30301 addresses management systems for records, and ISO 27001 anchors information security management. The accountability-oriented Generally Accepted Recordkeeping Principles offer a widely used framework articulating accountability, transparency, integrity, protection, compliance, availability, retention, and disposition. A notable shift in the public-sector landscape is that NARA withdrew its longstanding endorsement of the DoD 5015.2 records management application standard in 2022, redirecting agencies toward the Universal Electronic Records Management Requirements developed under the Federal Electronic Records Modernization Initiative. This reflects a broader move away from certifying monolithic recordkeeping applications and toward defining functional requirements that can be met across diverse modern systems.
How It Fits the Records Lifecycle
Information governance frames and oversees the entire lifecycle — creation and capture, classification, active use, maintenance, retention, and final disposition or archival preservation — but it operates one altitude above the lifecycle mechanics. Records management executes the lifecycle; governance decides the policies that the lifecycle enforces and holds the organization accountable for following them. Governance determines what should be captured as a record in the first place, how long categories of information are kept, when and how information is defensibly destroyed, and which information warrants permanent preservation for legal, historical, or institutional value. By integrating retention decisions with privacy, security, and legal-hold obligations, governance ensures the lifecycle is applied consistently rather than improvised system by system.
Common Challenges and Good Practice
The recurring obstacles are well understood. Information sprawl across uncontrolled repositories defeats consistent policy. Organizational silos pit legal, IT, and the business against one another. Over-retention — keeping everything indefinitely out of fear or inertia — inflates cost and liability alike. And governance is too often treated as a technology purchase rather than a sustained accountability program.
Good practice begins with executive sponsorship and a cross-functional governance body with real authority. It depends on defensible, regularly reviewed retention schedules; clear policies that employees can actually follow; and automation that classifies and applies rules where human effort cannot scale. Above all, mature programs measure themselves, demonstrate that policies are consistently applied, and adapt as the information environment changes.
Where the Topic Is Heading
The trajectory of information governance is toward greater automation and tighter integration. As volumes outstrip any manual approach, organizations increasingly rely on automated classification, retention, and remediation, with artificial intelligence assisting in identifying records, flagging sensitive content, and surfacing ROT for disposal. The convergence of governance, privacy, and security into unified accountability frameworks is accelerating, and the regulatory emphasis is shifting from prescriptive product certifications toward functional requirements that any compliant system can satisfy. The enduring principle, however, remains constant: information governance succeeds not when an organization buys the right tool, but when it establishes clear accountability, sound policy, and the disciplined coordination to treat its information as the strategic asset it has become.
Articles in Governance
E-Discovery and Information Governance
Good information governance makes e-discovery faster, cheaper, and less risky. Here's how the two connect — and why disposing of what you don't need is e-discovery cost control.
Information Governance Maturity: From Ad Hoc to Optimized
Information governance programs evolve through maturity levels. Here's what the stages look like and how to move from reactive, ad hoc practices to a managed, optimized program.
Privacy, Security, and Records: The Information Governance Intersection
Records management, privacy, and security overlap constantly. Here's how they intersect — and why governing them together beats running them as separate silos.
ROT Remediation: Cleaning Up Redundant, Obsolete, and Trivial Data
Most organizations are buried in ROT — redundant, obsolete, and trivial data. Here's how to clean it up defensibly to cut cost and risk without destroying anything you must keep.
The Information Governance Reference Model (IGRM) Explained
The IGRM is a framework showing how information governance unites business, legal, RIM, IT, and privacy/security across the information lifecycle. Here's how to read and use it.
Building an Information Governance Program: Roles and Accountability
An information governance program needs executive sponsorship, a cross-functional body, clear policy, and defined roles. Here's how the pieces fit together.
Information Governance vs. Records Management: What's the Difference?
Records management is a core part of information governance — but governance is broader, uniting records, privacy, security, and e-discovery under one accountable framework.
Common questions
- Big-bucket vs item-level retention schedules: how do I choose between them?
- Can a company be penalized for keeping data too long under privacy laws even if nothing was breached?
- Can a US company store records in the EU, or do data localization and cross-border transfer rules block it?
- Can executives or board members be held personally liable for information governance failures?
- Can information governance help reduce cloud storage costs, and how?
- Can our IT department decide on its own to delete old files to free up server space?
- Can we just keep everything forever to be safe instead of bothering with a retention schedule?
- Can we let an AI model train on or index our records, and what are the records and privacy risks?
- CUI vs classified information: what is the difference and do they get handled differently?
- Do I really need a retention schedule if storage is cheap and we never run out of space?
- Do state and local government agencies have to follow a state-approved records retention schedule before destroying records?
- Does a written information governance policy actually protect a company in court if records were mishandled?
- Does the EU GDPR override a company's retention schedule when keeping personal data across borders?
- How do I assess my organization's information governance maturity and figure out the next level to target?
- How do legal, privacy, and records roles divide responsibility during a litigation hold or e-discovery request?