2025’s Data Upheaval: What AI, Third-Party Risk, and Data Sprawl Mean for Your 2026 Strategy


[EDRM Editor’s Note: This article was first published here on December 10, 2025, and EDRM is grateful to Trusted Partner Exterro for permission to republish. EDRM is happy to amplify our Trusted Partners news and events.]


The year 2025 will be remembered as the year AI went mainstream inside the enterprise, fundamentally changing the landscape of data governance, privacy, and legal risk. Organizations saw the way data is collected, preserved, and governed shift faster than ever before. While the technology offers unprecedented value, it has simultaneously created new categories of discoverable information and escalated enforcement from regulators. For compliance, legal, and forensics professionals, this seismic shift means one thing: the manual and inconsistent processes of the past are no longer tenable, as courts are rapidly losing patience.

Given this massive shift, it was only natural that the Data Xposure team recently sat down to discuss the trends, where they are heading, and their implications for 2026. You can listen in on the conversation for tips to ensure your organization is protected against emerging data risks. Read on to learn key takeaways from this conversation between Fahad Diwan, Jenny Hamilton, and Justin Tolman.

Listen to the episode here.

2025: The Boiling Point of Data Risk

One of the biggest shifts in 2025 was the rapid realization that data risk extends far beyond the organization’s firewall. Following numerous high-profile breaches in late 2024 and throughout 2025, companies had to focus not just on securing their own in-house data, but on the data posture of every third-party provider they partner with. As Digital Forensics expert Justin Tolman noted, “I’ve seen a shift in the thinking in 2025 of, okay, we don’t just need to secure our own data, but we also need to look at our vendors… Are they protecting my information that they’re using to provide my services?” Since many software companies depend on major LLM providers to build new products, protecting data necessarily means managing the risk of every single third party in the pipeline.

Simultaneously, the widespread availability and affordability of AI tools led to a serious internal risk: Shadow AI. Employees were often using unsanctioned applications, such as personal ChatGPT or Gemini Pro accounts, to process company data, creating a significant risk of data leakage. The solution was for organizations to provide “an appropriate work AI sanctioned app.” This trend, where risk professionals use AI to mitigate the risks arising from AI, was surprising to many, including Chief Legal Officer Jenny Hamilton, who said: “I haven’t seen legal and compliance adopt something [AI applications] so quickly for its own use that they’re also managing the risk of for the business.”

The sheer volume of new discoverable information generated by enterprise AI systems quickly overshadowed other data concerns, marking a significant change in litigation risk. AI note-takers and transcription services are now creating the single biggest volume of data. This trend transforms every interaction that happens through the digital sphere into recorded and transcribed content, making the old advice, “don’t write anything in an email you don’t want read aloud in a courtroom,” feel quaint. The new worry, according to Hamilton, is the risk of AI-generated summaries that “totally manipulate the meaning and intention” of something stated in a meeting, which then becomes a powerful source of evidence because it can and has to be preserved. With such summaries discoverable, are we heading into an era of “don’t say anything in a meeting”?

2026: The Mandates for Automation and Deletion

Looking ahead, the response to 2025’s data upheaval must be decisive, focusing on two non-negotiable mandates: automating core legal functions and aggressively tackling data rot. Courts are already signaling that manual preservation is inherently risky, especially when facing new and growing data sources. For the legal and compliance function, the single highest-value move for 2026 is to leverage AI to automate preservation. Hamilton insists that preservation is the ultimate “must do” task. It’s a massive burden that is nearly impossible to outsource, and automation can make this duty less stressful by using AI to draft legal hold notices, identify custodians, and continuously follow up on new data sources.

The second critical mandate is to address data sprawl by deleting unnecessary data, or “killing the data rot.” This practice is central to risk management because, as Tolman put it, the more data you have, “the more risk you have, and the more risk you have, the higher the cost when it gets out.” The biggest hurdle for large enterprises is the element of fear: everyone agrees on the need to delete redundant, obsolete, and trivial (ROT) data, but as Hamilton states, “nobody wants to push the button.” The solution is to use automation and AI to define clear rules for deletion, making the “invisible visible” by surfacing risky, unnecessary data to decision-makers. Tolman summarizes this best: “The less data, the less you have to protect, the less you have to investigate, et cetera. So kill the data rot.”

The less data, the less you have to protect, the less you have to investigate, et cetera. So kill the data rot.

Justin Tolman, Forensic Evangelist and Subject Matter Expert at Exterro.

Ultimately, AI governance has now become “table stakes” for every organization. As AI becomes like electricity, embedded everywhere and providing undeniable value, the organizations that embrace automation and apply strong governance principles will be the ones that succeed.

Listen to the Full Conversation!

This article only scratches the surface of the insightful discussion between Fahad Diwan, Jenny Hamilton, and Justin Tolman. To hear their full thoughts on the merger of forensics and IT, specific examples of AI-generated errors, and how compliance teams are building on the “shoulders of giants” to define good governance, listen to the complete Data Xposure Podcast: 2025 Recap and 2026 Predictions.

Read the original article here.


Assisted by GAI and LLM Technologies per EDRM’s GAI and LLM Policy.

Author

  • Exterro empowers organizations to manage data risks with a complete platform for e-discovery, data privacy, cybersecurity and governance, and digital forensics. Unlike any other software provider, Exterro makes it easy for organizations to understand their data and take swift action. Exterro's AI-driven solutions provide accurate, actionable insights, enabling businesses to ensure compliance, reduce risks, and streamline operations while lowering costs. With Exterro, organizations gain the clarity and confidence needed to address their most critical data challenges.
