Digimasters

Information Governance vs Data Governance in Architecture: How Generative AI Is Changing the Game for AEC Firms (UK and US)

Summary: What this long-form blog covers

• The nuanced differences between information governance (IG) and data governance (DG), and why the distinction matters in real AEC practice
• The standards, regulations and frameworks that shape governance in the UK and the US (ISO 19650, UK BIM Framework, RIBA, NBIMS-US, AIA protocols, NIST, CMMC, GDPR/UK DPA, CCPA/CPRA and more)
• The current information landscape of architecture firms across project delivery and corporate functions (HR, finance, legal, marketing, IT) and the operating models that work
• Practical, real-world applications of generative AI across design technology, BIM and corporate back office
• How metadata can be generated automatically by scanning repositories like SharePoint and Nasuni, with concrete examples
• A roadmap to implement AI-enabled governance, including risk, ethics, procurement, architecture, KPIs and ROI

Introduction: why governance now
Architecture is built on information. From concept sketches and feasibility studies to clash detection reports, RFIs, BIM models, specifications, submittals and handover data, your firm’s intellectual capital is inseparable from the information you create, share and retain. The stakes are high. Poorly governed information increases risk, undermines profitability and spoils client experience. It creates rework, erodes trust and damages brand. Conversely, strong governance quietly accelerates delivery, enhances quality and protects value—without getting in the way.

Two terms often used interchangeably—information governance (IG) and data governance (DG)—aren’t the same. In AEC, confusing them leads to gaps in accountability, misaligned investments and programmes that stall before they show value.

At the same time, generative AI is altering what’s possible in both the UK and the US. LLMs, document AI and multimodal tools are reshaping how firms classify, protect, retrieve and reuse information. They promise to reduce administrative overheads, compress decision cycles, elevate compliance and unlock knowledge you already own—across design technology, BIM and corporate functions like finance, HR and legal. They also raise serious questions about privacy, security, intellectual property and ethics.

This blog unpacks the nuanced differences between IG and DG, shows how leading standards apply in the UK and the US, and explores how generative AI is revolutionising governance in practice—right down to auto-tagging documents by scanning SharePoint and Nasuni.

Information governance vs data governance: the crucial distinction
What is information governance?
IG is the strategic framework of policies, roles, processes and technologies that direct and control how information is created, classified, accessed, used, shared, stored and disposed of across its lifecycle. It spans structured data (e.g., BIM parameters, project codes) and unstructured information (e.g., emails, drawings, RFIs, site photos, PDFs). Its job is to reduce risk, meet legal and contractual obligations, preserve evidential value and ensure information supports organisational objectives.

In AEC terms, IG decides:

• What constitutes an official record and where it lives (e.g., the Common Data Environment vs email)
• How long to keep tender returns, RFIs, master models or meeting minutes—and when to defensibly delete them
• How to classify sensitivity (especially on nationally sensitive or commercially confidential projects) and implement access controls
• Which standards to apply (ISO 19650 naming, Uniclass/OmniClass, COBie) and how to audit compliance
• How to respond to legal holds, disputes, audits and Freedom of Information or e-discovery requests
• What “good” looks like for evidential integrity (e.g., BS 10008 in the UK; ESIGN/UETA and sound audit trails in the US)
• Who is accountable for outcomes and decision rights

What is data governance?
DG sits inside IG and focuses more narrowly on data assets—especially structured data and the semantics that make it interoperable. DG ensures that the right data is defined, consistent, high quality, traceable and usable across systems and lifecycle stages. It underpins reliable analytics, BIM data exchange, digital twins and compliant handover.

In architecture, DG addresses:

• Master and reference data: consistent project codes, client names, supplier IDs, Uniclass/OmniClass codes, product data templates
• Data standards: parameter naming conventions in Revit, IFC mappings, COBie schema adherence, model view definitions
• Data quality rules: mandatory fields, valid ranges, uniqueness, completeness for asset registers and handover deliverables
• Lineage and provenance: where data originated, transformations applied, version state and who changed what, when
• Taxonomies and ontologies: shared vocabularies for spaces, systems and assets across disciplines and systems
• Stewardship: who owns each domain (e.g., project master data, asset classification), and how quality is measured and maintained

Where they overlap—and why mixing them up causes problems
Both IG and DG care about metadata, classification and lifecycle. But:

• IG asks: Are we doing the right thing with information, lawfully, securely and efficiently, throughout its lifecycle?
• DG asks: Is our data well-defined, high quality and usable, with clear ownership and standards?

Mixing them up leads to:

• Over-indexing on BIM data quality while ignoring unstructured information—where most risk lives (emails, claims correspondence, contractual notices)
• Buying tech without policy, training or enforcement—leading to “shelfware governance”
• Trying to solve legal and privacy obligations with tools alone, without accountability

Top-performing firms treat IG as the umbrella programme under which DG, privacy, security and records management align.

Governance in AEC: standards and frameworks that matter (UK and US)
UK anchor points

• ISO 19650 series: Information management using BIM throughout the asset lifecycle; Part 5 covers security-minded information management
• UK BIM Framework: Practical guidance for implementing ISO 19650 in the UK
• RIBA Plan of Work: Stages and information deliverables by stage
• Uniclass 2015 and ISO 12006: Classification foundations for project information
• COBie: Often contractual for FM handover
• ISO 27001/27002, ISO 27017/27018: Information security and cloud
• ISO 27701: Privacy information management (PII)
• GDPR and UK Data Protection Act 2018: Lawful basis, DPIAs, rights, breach notification, minimisation, retention
• BS 10008: Evidential weight and legal admissibility of electronic information
• ISO 9001/ISO 37301: Quality and compliance management systems
• Government Soft Landings (GSL): Design–construction–operation bridge

US anchor points

• NBIMS-US and AIA protocols: NBIMS-US, AIA E203/G202/G201/G301; BIMForum LOD Specification; US National CAD Standard
• Classification: OmniClass, MasterFormat, UniFormat II; COBie remains relevant and widely used
• Security and federal work: NIST SP 800-53 and 800-171 (CUI), CMMC 2.0 for DoD contractors, FedRAMP for SaaS on federal projects
• Privacy: CCPA/CPRA (California) and other state laws (VCDPA, CPA, etc.); HIPAA where applicable (e.g., healthcare imagery or facility records)
• E-discovery and evidence: Federal Rules of Civil Procedure (FRCP) for legal holds and discovery; ESIGN/UETA for electronic signatures; NIST SP 800-88 for media sanitisation
• Quality and compliance: ISO 9001; SOC 2 for vendors handling sensitive data is often requested

Bottom line: deploy AI in support of these frameworks—not as a shortcut around them.

The information landscape of an architecture practice (project and corporate)
Project and delivery information

• Project set-up: Proposals, bids, PQQs/SQs, fee agreements, novations, appointments, warranties, NDAs, insurance certificates
• Design development: Models (Revit/IFC), drawings, mark-ups, clash reports, discipline coordination, design decisions and change logs
• Specifications and product data: NBS specs (UK), MasterSpec (US), schedules, product data sheets, PDTs
• Communication: Emails, Teams/Slack messages, minutes, RFIs, submittals/transmittals, site instructions, design reviews
• Construction-phase: Site photos, site reports, clarifications, change orders, CDM documentation (UK), RFI logs and submittals (often Procore/Newforma in US)
• Handover: COBie exports, O&M manuals, AIM, as-builts, testing and commissioning records

Corporate functions

• HR: Recruitment, right-to-work/I-9 (US), contracts, performance reviews, payroll, benefits, training records
• Finance: Invoices, POs, expenses, W-8/W-9 (US), VAT/IRS records, revenue recognition, audit packs
• Legal and commercial: Contracts, claims correspondence, legal holds/e-discovery, IP, insurance, risk registers
• Marketing and BD: Credentials, case studies, proposal content libraries, brand assets
• IT and security: Access logs, configuration baselines, incident reports, backup and recovery artefacts
• Compliance: ISO audits, SOC 2 reports, GDPR/CCPA artefacts, DPIAs, policy attestations

Systems commonly in play

• CDEs: Autodesk Construction Cloud/BIM 360, Bentley ProjectWise, Asite, Trimble Connect, Viewpoint, Newforma, Procore (heavily used in the US)
• Collaboration and ECM: Microsoft 365 (SharePoint/Teams/OneDrive), Google Workspace
• File platforms: Nasuni global file system, on-prem file servers
• Design tools: Revit, Rhino, Archicad, Navisworks, Solibri, Tekla, Bluebeam
• Business systems: Deltek Vantagepoint/Ajera/Vision, Unanet, NetSuite, Sage, CRM (Dynamics/Salesforce), HRIS, time and expense

Common pain points we see (project and corporate)

• Email as the shadow CDE: Key decisions and approvals live in inboxes, not the system of record
• Naming and version chaos across SharePoint/Nasuni/Procore/Newforma
• Incomplete BIM metadata blocking coordination and COBie readiness
• Transmittal confusion and wrong-version risk
• Retention uncertainty, leading to keep-everything or delete-too-soon behaviours
• PII exposure in project photos, HR files and emails (GDPR in the UK; CCPA/CPRA and state laws in the US)
• Legal holds and e-discovery complexity across SharePoint, Nasuni and email
• Handover risk: COBie completeness unknown until late
• Finance inefficiency: Invoices and expenses slow to code; inconsistent vendor master data
• HR sprawl: Offer letters, right-to-work/I-9 and training records scattered, with poor access control
• Knowledge loss: Lessons trapped in drives and mailboxes; hard to surface for bids or design reuse
• Tool proliferation: Overlapping repositories create silos; users unsure where to store what

An operating model for governance in architecture
Key roles

• Executive sponsor: Partner/board member accountable for outcomes
• Head of Information Governance (or equivalent): Owns policy, retention, lifecycle controls and assurance
• Data Protection Officer (UK/EU) or Privacy Officer (US): DPIAs/privacy impact, subject rights, breach response
• Information Manager (ISO 19650): Per project, ensures adherence to EIR/BEP, naming, CDE processes, security-minded approach
• BIM Manager/Coordinator: Modelling standards, templates and data quality
• Data Owners and Data Stewards: Project master data, client/supplier masters, classification libraries, COBie
• Records Manager/e-discovery lead: Legal holds, FRCP-compliant processes, defensible disposal
• IT/Security: Identity and access, encryption, logging, safe model/AI deployments
• Legal/Commercial: Contractual deliverables, obligations, holds and disputes
• Project Managers/Design Leads: Enforce governance on live projects

Decision rights and forums

• Policy and retention approval: IG lead with Legal/DPO/Privacy sign-off
• Data standards: BIM lead + Data Owner; ratified by governance forum
• Exceptions and waivers: Governance forum
• Tool selection: Joint IT/IG decision with user reps
• Monthly governance board for KPIs, risks, incidents; project-level IG/DG check-ins

Data governance deep-dive (project and corporate)

• Master and reference data

  • Project codes per ISO 19650 and internal finance schemas
  • Client and supplier masters deduplicated and validated (across Deltek/ERP/CRM)
  • Classification libraries (Uniclass in the UK, OmniClass in the US) managed centrally
  • Product data templates curated and versioned

• Data standards and templates

  • Revit shared parameter files mapped to IFC/COBie; sheet naming aligned with ISO 19650/AIA conventions
  • Structured spec templates: NBS Chorus (UK), MasterSpec/Deltek Specpoint (US)

• Data quality rules and checks

  • Mandatory fields by stage and deliverable (spaces, systems, assets)
  • Automated validation (Solibri rulesets, Dynamo/pyRevit scripts)
  • COBie dashboards with thresholds; test model view definitions early

• Lineage and provenance

  • Export settings and mappings under configuration control; version like code
  • Provenance logs for COBie exports: who, when, how transformed

• Corporate data governance

  • Finance: Chart of accounts master, supplier bank validation, invoice coding rules
  • HR: Role taxonomy, location codes, retention on personnel files
  • CRM: Opportunity stages, sector taxonomy, client hierarchy
  • Stewardship: Named owners for ERP, HRIS, CRM and proposal content libraries

Information governance deep-dive (project and corporate)

• Policies and principles

  • Information classification scheme; align to ISO 19650-5 for security-minded projects
  • Records of processing and DPIAs (GDPR/UK DPA); privacy assessments for US state laws where you operate
  • Records management: define system of record for each information type
  • Retention and disposal schedules aligned to legal/contractual needs (e.g., HMRC/IRS, contract limitation periods)
  • Legal/e-discovery holds: suspend deletion and notify custodians (FRCP/UK equivalents)
  • Email governance: what to file, when and where; automate filing where possible

• CDE governance and evidence

  • Folder structures, metadata schemas and naming conventions aligned to ISO 19650
  • Workflow states and transmittal processes with immutable logs
  • BS 10008-aligned evidential practices (UK) and robust audit trails (US)

• Assurance and training

  • Periodic audits, metrics on filing timeliness, transmittal accuracy, close-out completeness
  • Role-based training for project teams, corporate functions and stewards

How generative AI is revolutionising governance (project and corporate)
AI doesn’t replace governance—it accelerates it. LLMs, document AI and RAG can tag, check, summarise and route information, and surface organisational knowledge on demand.

High-value AI use cases in AEC IG and DG

• Automated classification and tagging

  • Auto-apply metadata—project code, stage, discipline, classification (Uniclass/OmniClass), sensitivity, retention category—when files land in SharePoint or Nasuni
  • Use confidence thresholds and human-in-the-loop queues

• Drafting governance artefacts from client requirements

  • Turn EIRs into first-draft BEPs, MIDP/TIDP and responsibility matrices with citations to your standards

• Deliverable compliance checks

  • Compare submittals, drawings and COBie extracts against EIR/contractual requirements; flag gaps with evidence

• Email and correspondence governance

  • Suggest which emails are records and file to the correct project space; apply sensitivity labels and link to RFIs or decisions

• RFI triage and routing

  • Classify RFIs by type/urgency; draft initial responses; cite similar resolved RFIs

• Contract and obligation extraction (project and corporate)

  • Extract obligations, insurances and notices from appointments, novations and subcontracts into a live register; alert on deadlines

• Finance automation

  • Read invoices and expenses; auto-code to cost centres and projects; detect duplicates and outliers; reconcile to POs; push to Deltek/ERP

• HR and privacy automation

  • Detect PII in documents and photos; recommend redaction; assist DPIAs; help with right-to-work/I-9 checks and retention rules

• Change detection across revisions

  • Summarise material changes between drawing/spec revisions; update decision logs

• Knowledge assistant for design and bids

  • Answer “How did we solve this before?” using RAG over BEPs, project standards, lessons and details, with permission-aware citations
  • Support BD/proposals by tailoring credentials and approaches to sector and client needs

• Governance health monitors

  • Track naming compliance, metadata completeness, access anomalies and retention adherence across SharePoint and Nasuni

How to auto-generate metadata by scanning SharePoint and Nasuni
What “scanning” means in practice

• Connectors

  • SharePoint: Microsoft Graph/SharePoint APIs; SharePoint Premium (formerly Syntex) for content understanding; Microsoft Purview for sensitivity and retention labels
  • Nasuni: SMB/NFS crawlers or vendor APIs; integration via eventing or scheduled scans; index content in a secure search/vector store

• Processing pipeline

  • Ingest and normalise: OCR scanned PDFs; detect duplicates; malware scan
  • Parse and extract: Use layout-aware models for drawings/specs; extract dates, parties, project IDs, RFI numbers, sheet numbers, revision, discipline, stage
  • Classify: Apply project, discipline, Uniclass/OmniClass, document type, confidentiality, retention category
  • Enrich and write back:
    • SharePoint: Write extracted fields to document library columns; apply sensitivity/retention labels (Microsoft Purview); optionally suggest ISO 19650-compliant file names
    • Nasuni: Store metadata as NTFS extended attributes or sidecar JSON; optionally mirror key tags in a metadata index (Elastic/Azure Cognitive Search) and expose read-only in your CDE or portal
  • Govern:
    • Trigger workflows (e.g., route “Published” records to immutable storage; start review tasks for low-confidence classifications)
    • Log decisions for audit; honour legal holds across both repositories

Example metadata fields to generate automatically

• Project metadata: Project code, client, stage (RIBA/AIA), discipline, originator
• Document metadata: Document type (e.g., GA drawing, RFI response, submittal), sheet number, revision, status (WIP/Shared/Published/Archive)
• Classification: Uniclass (UK) or OmniClass (US) codes; system/element tags
• Governance: Sensitivity label (e.g., Internal/Confidential/Restricted), retention category (with trigger), legal hold flag
• Corporate: Vendor name, PO number, invoice date/amount, cost code; employee ID for HR files; NDA/contract type for legal documents

Precision tips

• Use a project code dictionary and pattern detection (e.g., PRJ-XXXX) to anchor classification
• Keep per-project models or few-shot examples for titles and transmittal templates
• Store mapping tables (e.g., sheet number to discipline) centrally and version them
• Maintain human review queues for low-confidence or high-risk categories (privacy, legal holds, sensitive projects)

Anonymised real-world examples (UK and US composites)

• Studio North (UK, 150-person practice): AI-assisted classification in the CDE and Outlook suggests ISO 19650-compliant naming, applies Uniclass tags and proposes retention categories at upload. Within three months, misfiled documents dropped by 62%, search success rates increased materially, and ISO 9001 audit prep time halved.

• ArcDesign LLP (US, 280-person multi-office): A private knowledge assistant using RAG across BEPs, EIRs/AIA protocols, decision logs and lessons learned accelerates bid responses and BEP drafting. A recent healthcare bid saved ~40 hours with stronger alignment to client BIM requirements and clear citations to prior winning approaches.

• MetroForm Group (UK/US, 1,000+ staff): A deliverable compliance checker tests COBie and model exports from Stage 3 onwards. AI flags missing fields and inconsistent classifications, producing annotated reports. Handover remediation effort fell sharply, and client snags linked to information quality reduced across both UK and US projects.

• Harbor & Co. (US, 400-person): Finance and legal AI services ingest invoices and contracts from SharePoint and Nasuni. The system auto-codes invoices to Deltek, detects duplicates and extracts contractual obligations into a live register. Month-end close shortened by two days; missed insurance renewal notices dropped to zero.

Designing an AI-enabled IG architecture (with SharePoint and Nasuni in mind)

• Connectors and sources

  • SharePoint/Teams via Graph; email via Microsoft 365; CDEs (ACC, Procore, Newforma); Nasuni via SMB/API
  • Business systems (ERP/CRM/HRIS) for reference data

• Processing and RAG

  • OCR, de-duplication, metadata extraction, embeddings and indexing per security boundary
  • RAG orchestration that always cites authoritative sources; permission-aware across SharePoint/Nasuni

• Model strategy

  • Managed APIs vs self-hosted/open models depending on sensitivity, performance and cost
  • Domain-adapted prompts and few-shot examples; human-in-the-loop for critical outputs
  • For federal US projects, use FedRAMP-authorised services; for UK sensitive projects, align with ISO 19650-5 controls

• Security and privacy

  • Role-based and conditional access; encryption in transit and at rest
  • Microsoft Purview for labels/retention in M365; extend label awareness to Nasuni via policy agents or gateways where feasible
  • Keep embeddings/prompts within your security perimeter where required; log interactions and apply retention to logs

• Guardrails and quality

  • Grounding and citations; confidence thresholds; human review
  • Red-teaming and adversarial testing pre- and post-go-live
  • Version control for prompts, taxonomies and policy rules

• Integration and UX

  • Surface AI where people work: SharePoint, Outlook, Teams, Revit, Procore/Newforma
  • “Why tagged” transparency and one-click corrections to improve models over time

Risk, ethics and legal considerations (UK and US)

• Privacy

  • Establish lawful basis (GDPR/UK DPA); complete DPIAs; honour subject rights; data minimisation
  • In the US, map obligations under CCPA/CPRA and other state laws; maintain deletion workflows that include indexes and logs

• Confidentiality and IP

  • Security-minded classifications for sensitive projects; clear vendor data handling and non-training commitments
  • Respect third-party IP; maintain provenance for AI outputs

• Accuracy and accountability

  • Treat AI outputs as recommendations unless policy says otherwise; keep humans accountable where risk warrants
  • Provide citations and enable challenge/correction

• Bias and fairness

  • Audit classifications and automation for bias (e.g., access/retention categories)

• Safety and misuse

  • Prompt injection defences, content filters, rate limits; user education

• Regulatory horizon and standards

  • EU AI Act and UK guidance on AI assurance; NIST AI Risk Management Framework (US); ISO/IEC 23894 and emerging 42001

• Procurement and third-party risk

  • Due diligence: security certifications (ISO 27001, SOC 2), data residency, SLAs, audit rights
  • Exit strategy: portability of indexes and metadata; avoid lock-in

Implementation roadmap: from policy to practice with AI

1. Baseline and business case

• Assess policies, repositories (SharePoint/Nasuni), data quality, pain points across project and corporate functions
• Quantify risk and cost: rework, claims, audit effort, slow close, bid churn
• Prioritise 2–3 high-value, low-risk use cases: auto-tagging in SharePoint/Nasuni, BEP assistant, contract obligations, invoice coding

2. Foundations and quick wins

• Refresh IG policies: classification, retention, email governance, system of record
• Confirm data standards: ISO 19650/AIA naming, Uniclass/OmniClass mapping, parameter templates
• Pilot SharePoint auto-tagging using Syntex/SharePoint Premium and an LLM for edge cases; measure precision/recall; institute human review
• Pilot Nasuni crawler in a non-sensitive share; write tags to sidecar/extended attributes; verify access controls
• Trial a BEP/EIR/AIA protocol assistant; collect feedback and iterate

3. Scale and integrate

• Roll out auto-tagging across SharePoint libraries and priority Nasuni shares; apply Purview sensitivity/retention labels
• Stand up a knowledge assistant with RAG over approved repositories; permission-aware
• Integrate deliverable compliance checks into stage gates; add finance automation for invoices/expenses

4. Institutionalise and assure

• Formalise roles (stewards, IG lead, AI product owner); define support and MLOps
• Monitor model performance and policy adherence; run internal audits; remediate findings
• Train widely: project and corporate teams; champions in each office

5. Optimise and extend

• Add multimodal analysis for site photos/mark-ups where ROI is proven
• Extend to privacy automation (PII detection/redaction) post-DPIA
• Link governance KPIs to firm outcomes: faster bids, fewer snags, shorter month-end close

KPIs and measuring ROI

• Efficiency: Time saved in filing/searching/transmittals/audits; faster RFI response; shorter month-end close
• Quality and risk: Metadata completeness; policy compliance; COBie completeness earlier; fewer mis-issues; reduced disputes referencing missing records
• Financial: Reduced write-offs; lower storage via defensible disposal/deduplication; AP processing cost down; improved bid conversion
• Adoption: Active users of assistants; satisfaction and reduction in support tickets

Simple ROI illustration

• A 200-person firm saving 30 minutes per person per week on auto-tagging, search and BEP drafting yields ~100 hours weekly. At £60/hour, that’s ~£6,000 per week or >£300,000 annually—before risk avoidance or faster close.

Change management: make governance invisible (in a good way)

• Meet people in their tools: SharePoint, Outlook, Teams, Revit, Procore/Newforma
• Explain the “why”: fewer late nights before issue dates; fewer disputes; faster close
• Start assistive, not autonomous: allow veto and correction to build trust
• Celebrate wins and iterate quickly; publish a visible roadmap
• Apply policies consistently; no special exceptions without documented risk justification

Budget considerations

• One-off: Policy refresh, taxonomy work, connectors, initial model configuration, pilot data curation, training/change
• Recurring: Model/API usage and hosting; vector databases; MLOps/support; monitoring/audits; SharePoint Premium/Syntex; Purview licensing
• Hidden costs to reduce: Storage sprawl; shadow IT; duplicated tools; last-minute handover remediation; manual AP processing
• Funding: Tie to project and corporate outcomes (handover quality, bid win rates, month-end speed); consider client co-funding on frameworks

Future trends to watch

• BIM-aware language models that reason over geometry and semantics
• Multimodal orchestration across text, images, point clouds and models
• Linked data and ontologies improving interoperability end-to-end
• Digital twins with shared governance and assurance metrics in operations
• AI assurance standards maturing, simplifying procurement and audit
• Regulatory clarity (EU AI Act, UK guidance, US sectoral/state rules)

Practical checklists
Quick-start IG checklist

• Up-to-date information classification policy and retention schedule?
• System of record defined per information type and communicated?
• ISO 19650 naming and folder structures consistently applied?
• Email governance that doesn’t rely on user heroics?
• Legal/e-discovery hold procedures documented, tested and integrated with SharePoint/Nasuni?

Quick-start DG checklist

• Uniclass/OmniClass libraries, parameter templates and COBie mappings under change control?
• Automated data quality checks at each stage gate?
• Data owners/stewards named for project master data, classification and COBie?
• Lineage/provenance captured for exports and handover datasets?

AI readiness checklist

• Two or three high-value, low-risk AI use cases identified (including auto-tagging SharePoint and Nasuni)?
• DPIAs/US privacy assessments completed; controls defined?
• Consistent permissions across sources, and can AI respect them?
• Policy for prompts/logs (retention, sensitivity, access)?
• Human-in-the-loop review, metrics and continuous improvement plan in place?

Conclusion: build the bridge between policy and practice
IG and DG aren’t buzzwords; they’re the quiet systems that make brilliant architecture deliverable, defensible and repeatable. IG sets the rules and responsibilities for managing information across its lifecycle. DG makes the data itself usable, consistent and trustworthy. Together they reduce risk, unlock knowledge and improve client outcomes across both project delivery and corporate operations—in the UK and the US.

Generative AI is the missing accelerator—turning governance from a chore into an assistive capability that saves time, improves quality and enhances compliance. The magic happens when AI runs on top of sound policy, clear roles, robust security and thoughtful change.

Start small. Anchor in standards. Scan what you already have in SharePoint and Nasuni to generate the metadata you’ve always needed. Measure what matters. Scale what works. When governance “just works”, your teams can focus on what they do best: designing places that improve lives. If you’d like to discuss where to begin, which use cases return value fastest in your context, or how to align IG, DG and AI into a practical roadmap, we’re here to help.