What I Believe

Information governance is full of received wisdom. Some of it is correct; much of it gets repeated because nobody has bothered to challenge it. This page is where I write down — dated, signed — what I actually think.

These are positions, not essays. When a position grows into something longer, it moves to Writing.

Last updated: June 2026

1. Policy and strategy without an operational layer is theater.

Most organizations write an information governance or records policy, publish it, and treat the document as the achievement. A policy that isn’t wired into operating procedures, decision rights, and a real method for applying retention and disposition doesn’t govern anything — it produces the appearance of governance and the liability of a standard nobody meets. I’ve watched a records policy sit untouched while disposition happened ad hoc. The sharpest version is the organization that preaches discipline it won’t practice: a security team urging clients to minimize data while its own servers keep everything.

A policy has to exist before you can operationalize it, and writing one is a real first step. But most programs stop at that step and call it finished — and a standard you don’t meet is worse than one you never set.

2. The hidden failure point in information governance is decision rights, not policy or technology.

When a program stalls, it gets diagnosed as a policy problem or a tooling problem, and the organization buys a new policy or a new system. The real void is usually that no one owns the decisions: who decides what’s kept, who adjudicates a hold, who arbitrates when legal and the business want different things. If records is everyone’s responsibility, it’s no one’s — and the initiative dies for lack of an owner, not a lack of documents or software.

The counter is that decision rights without good policy and tools just let someone make bad calls faster. Fair — but a clear owner with a mediocre policy will outperform a perfect policy with no owner every time.

3. Information quality is a capture-time problem, not a downstream cleanup.

The default is to let data accumulate, notice it’s unreliable, and fund a reconciliation project to settle the source of truth later. That treats a structural problem as a recurring chore, and the cleanup never catches up to the intake. I learned this the expensive way: an intake form missing a few fields fed bad data into every system downstream, and we spent real effort reconciling records that would have been clean if we’d asked the right questions once, at the door. Every enterprise is one connected web — what enters badly stays bad everywhere it flows.

The counter: you can’t anticipate every field you’ll need at capture, so some downstream correction is unavoidable. True — but most of what gets corrected later was foreseeable at intake, and went unasked because capture felt like someone else’s problem.

4. Most “privacy,” “AI,” and “e-discovery” problems are information-governance problems wearing a regulatory hat.

The field splits these into separate disciplines with separate owners, and the same gaps recur in each. A consulting team I worked with treated a growing store of retained client data as an e-discovery risk. It wasn’t — it was a problem because no one owned a retention rule, a review cycle, or a disposition decision for data the firm had received and no longer needed. The label was “e-discovery”; the void was information governance. Name the discipline you like; underneath it is almost always the same question — what information exists, where it lives, who can touch it, and how long it should live.

The counter is that these fields carry distinct expertise and regulation, and collapsing them loses that. Fair — but the expertise sits on a shared foundation, and ignoring it is why the gaps keep reappearing. I’ll change my mind when I see a privacy or e-discovery failure with no ungoverned information underneath it.

5. You can’t govern AI responsibly on top of information you don’t already govern.

AI governance programs are being stood up on ungoverned data — no lineage, no quality controls, no retention discipline — and the new controls then operate on a foundation that can’t hold them. Information governance isn’t a parallel workstream to AI governance; it’s the prerequisite. The common objection is that foundation-model tools change this, since the model wasn’t trained on your data. But the moment you point that model at your own information — retrieval, fine-tuning, or just pasting documents into a prompt — your data governance is back in play.

I’ll change my mind when I see an AI governance program work well over data the organization couldn’t account for, retain correctly, or trust. So far, the ungoverned foundation is exactly where these programs crack.

6. The field’s real bottleneck is adoption, not frameworks.

We are not short on frameworks, maturity models, or standards. We are short on adoption — the distance between a published framework and the behavior it was supposed to produce. The energy that goes into authoring the tenth maturity model would do more good spent on the unglamorous work of getting people to follow the first. An old boss of mine put it as diet and exercise: everyone knows what’s required, the knowing was never the problem, and without the doing there’s no progress. Information governance has known what to do for years; it still can’t reliably get people to do it.

I’ll change my mind when a genuinely novel framework — not better adoption of an existing one — measurably closes one of the field’s persistent gaps. I don’t expect to be writing that revision.

Changelog

  • June 2026: First published with six positions.

christopher.l.hockey@gmail.com

Views are my own and not those of Gibson, Dunn & Crutcher LLP.

en_USEN_US