Article

DRADG: A Dynamic Risk-Adaptive Data Governance Framework for Modern Digital Ecosystems

Laboratory of Engineering Sciences, National School of Applied Sciences, Ibn Tofail University, Kenitra 14000, Morocco
*
Author to whom correspondence should be addressed.
Information 2026, 17(1), 102; https://doi.org/10.3390/info17010102
Submission received: 18 December 2025 / Revised: 7 January 2026 / Accepted: 15 January 2026 / Published: 19 January 2026
(This article belongs to the Special Issue Information Management and Decision-Making)

Abstract

In today’s volatile digital environments, conventional data governance practices fail to adequately address the dynamic, context-sensitive, and risk-laden nature of data use. This paper introduces DRADG (Dynamic Risk-Adaptive Data Governance), a new paradigm that unites risk-aware decision-making with adaptive data governance mechanisms to enhance resilience, compliance, and trust in complex data environments. Drawing on the convergence of existing data governance models, best practice risk management (DAMA-DMBOK, NIST, and ISO 31000), and real-world enterprise experience, this framework provides a modular, expandable approach to dynamically aligning governance strategy with evolving contextual factors and threats in data management. The contribution takes the form of a multi-layered paradigm that combines static policy with dynamic risk indicators through data sensitivity categorization, contextual risk scoring, and feedback loops for continuous adaptation. The technical contribution is a governance-risk matrix that maps data lifecycle stages (acquisition, storage, use, sharing, and archival) to corresponding risk mitigation mechanisms. This matrix is embedded in a semi-automated rules-based engine capable of modifying governance controls based on predetermined thresholds and evolving data contexts. Validation was obtained through simulation-based training in cross-border data sharing, regulatory adherence, and cloud-based data management. Findings indicate that DRADG enhances governance responsiveness, reduces exposure to compliance risks, and provides a basis for sustainable data accountability. The research concludes by providing guidelines for implementation and avenues for future research in AI-driven governance automation and policy learning. DRADG sets a precedent for imbuing intelligence and responsiveness at the heart of data governance operations of modern-day digital enterprises.

1. Introduction

In today’s data-driven economy, ineffective data governance is no longer a minor inefficiency. It can result in substantial financial losses, regulatory penalties, and erosion of customer trust. As organizations navigate increasingly complex data ecosystems, the need for adaptive, risk-aware governance models has become critical. The significant advancement and quick expansion of data in today’s rapidly shifting digital landscape provide businesses and their operations with a variety of options from many sources that can significantly affect their success and competitiveness. According to the literature, data influences decision-making and determines a business’s performance in a rapidly changing market. The majority of organizational actions and choices are nowadays supported by data. Information, efficient data governance, and technology use are therefore crucial to managing and optimizing the value of businesses [1]. As the importance of using data to inform decisions grows, data governance is becoming essential for businesses’ management and optimization. With the growing usage of technologies such as cloud computing, artificial intelligence, and big data, businesses are searching for robust data governance frameworks to capture, handle, and protect data resources [2]. By complying with appropriate regulations and standards, such as GDPR [3] and ISO 27001 [4], organizations minimize liabilities associated with data security, privacy, and ethical issues while meeting compliance requirements. However, because governance frameworks are fragmented and lack standardization, and because data ecosystems are becoming more complex, many organizations still find it difficult to adopt these frameworks. There is a growing need to find a balance between technological growth and regulatory change while dealing with risk management, which is an important aspect of governance.
The application of traditional data governance systems in modern data-driven environments is limited due to certain flaws. The fast-paced digital ecosystem, evolving technology, and regulatory threats are the primary sources of today’s data governance issues. However, there is still a gap that has to be filled by businesses because data governance is a complicated and developing topic that may be regarded as one of an organization’s most important and difficult features. This gap is related to the need for businesses and their management to fully integrate and elevate data governance into their operations. Data must be regulated in a way that ensures correctness, integrity, validity, and completeness as part of the data governance process, strategy, and actions. Nonetheless, a lot of companies are now only considering data governance from the perspective of non-transactional data (data at rest) [1].
Data governance models rely on manual processes, which makes them inefficient at managing automated compliance reporting and real-time data analytics; their limited responsiveness to emerging technologies is a second issue that warrants concern. The complexity of the bias, explainability, and fairness implications that arise with artificial intelligence (AI) development necessitates governance schemes that appropriately manage ethical risk [5]. With AI regulations changing, the complexity of regulatory compliance makes it more difficult for businesses to modify governance structures while preserving operational effectiveness. It is also difficult for organizations to maintain consistent governance policies because of the awkwardness of working with multiple standardized frameworks, such as NIST DGM Profile [6], DAMA-DMBOK [7], COBIT [8], and GDPR [3], as presented in Figure 1.
Data has become a central asset for modern organizations, but its value is tightly coupled with how it is governed and protected. At the same time, regulatory pressure and the complexity of digital ecosystems are steadily increasing. These limitations not only hinder data-driven decision-making but also expose organizations to escalating operational and compliance risks, underscoring the urgency for a paradigm shift. By putting forth a more flexible and integrated model, this study seeks to solve the shortcomings of conventional data governance techniques [9]. Among the main goals and contributions of our work are the following:
  • A gap-driven comparative analysis of major data governance frameworks (DAMA-DMBOK, NIST DGM, COBIT, and GDPR) from a risk-integration, adaptability, and scalability perspective.
  • The design of “DRADG”, a conceptual framework, and RACE, which treats dynamic risk assessment as a first-class driver of data governance.
  • A technical architecture and set of mechanisms (AI models, knowledge graph, observability stack, and policies-as-code) that operationalise DRADG on modern data platforms.
  • A five-step implementation methodology and preliminary quantitative evaluation that demonstrate the feasibility and benefits of risk-adaptive data governance.
Modern digital ecosystems are increasingly exposed to a new generation of data-centric threats that go beyond classical confidentiality–integrity–availability risks. These include AI-driven privacy violations and inferential attacks, algorithmic bias and unfair decision making, cross-border data transfers and data sovereignty issues, supply-chain and cloud misconfigurations, as well as deliberate manipulation of metadata, lineage, and logs. In this work, we focus on governance-relevant threats that materialize along the full data lifecycle: acquisition, processing, sharing, analytics, and retention. “DRADG” is scoped as a governance and risk-adaptive layer that sits on top of heterogeneous data platforms and provides continuous monitoring, assessment, and control for these emerging threats.
To fully take on this challenge, we prepared a list of research questions to cover the objectives of this study. They are as follows:
  • RQ1: How can we design a risk-driven data governance framework that dynamically adapts to emerging threats while ensuring operational efficiency?
  • RQ2: What are the most effective mechanisms for automatically identifying, quantifying, and prioritizing data-related risks in a dynamic environment?
  • RQ3: How can data governance policies be developed to adapt based on identified risk levels automatically?
  • RQ4: Which indicators and metrics can effectively measure the performance of a risk-oriented governance framework?
  • RQ5: What are the critical success factors for implementing risk-based data governance in modern enterprises?
Based on this threat taxonomy, our research questions are structured as follows: RQ1 and RQ3 target the ability of data governance to dynamically adapt to evolving regulatory, ethical, and cyber threats while preserving operational efficiency. RQ2 focuses on how risks can be detected, modeled, and prioritized in a way that is actionable for governance. RQ4 asks to what extent such an approach improves responsiveness, violation prevention, and compliance compared to static baselines, and RQ5 investigates the organizational and adoption conditions required to sustain dynamic, risk-adaptive governance in practice.
In this paper, we first assess how major standardized data governance frameworks align with risk-management principles. Section 2 presents a state-of-the-art review that combines data governance frameworks and risk-management processes, identifies their limitations and gaps, and motivates the need for a comprehensive matrix capturing the degree of risk integration in each framework and governance component. Building on this analysis and the identification of the research gap, Section 3 introduces the DRADG conceptual framework and its key elements, a dynamic and scalable approach that embeds risk management into data-governance practices. Section 4 details the mechanisms and technological solutions that enable dynamic, risk-aware governance. Section 5 and Section 6 outline validation, evaluation, and implementation strategies, including a practical implementation guide and performance metrics to demonstrate applicability across sectors and risk environments. Section 7 concludes by summarizing the main findings and outlining directions for future research.

2. Background and Related Work

2.1. State of the Art in Data Governance and Risk Management

Data governance has emerged as an essential organizational function in increasingly complex digital ecosystems, guaranteeing data security, quality, compliance, and value generation. In the present day, when data-driven decision-making collides with heightened regulatory scrutiny and expanding cybersecurity risk exposure, the combination of data governance and risk management is crucial. Laws such as GDPR [3] and HIPAA [10], which are compliance-driven and emphasize an organized strategy for data stewardship and risk evaluation, are frequently used. While risk management finds and eliminates possible threats to organizational goals, data governance makes sure that organizational data is safe, secure, and in line with regulatory and ethical standards. However, the current state of the art reflects a paradigm shift toward value-based and risk-aware governance models, integrating dimensions of privacy, ethics, lifecycle management, metadata control, and operational agility. The confluence of various disciplines has led to the development of modern, standardized, complex frameworks and techniques for systematically managing data and associated risks [11]. Several existing frameworks help organizations adopt effective data governance and risk management strategies.

2.1.1. DMBOK

A thorough summary of data management best practices and principles is provided by the DMBOK framework, which was created by the Data Management Association (DAMA). It includes data architecture, data quality management, and data security, among other facets of data governance. For businesses looking to create efficient data governance plans, the framework acts as a fundamental manual. With a comprehensive data lifecycle strategy, it is regarded as one of the best structured data governance models. It discusses data quality, security, and metadata, all of which are critical for lowering risk [12]. Throughout the data value chain, DAMA-DMBOK details sourcing strategies, emphasizes data relevance, accuracy, and validation, and offers comprehensive guidance on metadata management, master data governance, and lifecycle policies. DMBOK provides an in-depth focus on profiling, cleansing, and validation processes to ensure data quality. It provides best practices for analytics, emphasizing governance and accuracy, all of which align data valorization with business objectives and strategic planning. It encourages data accountability and control systems in accordance with ISO 31000 risk principles [13]. However, it lacks explicit risk assessment frameworks and prioritizes data governance best practices over proactive risk monitoring, so it is widely considered theoretical and requires substantial customization for real-world implementation. Since it is not designed for real-time risk assessment, it must be integrated with NIST or ISO risk models for a more comprehensive risk framework. A study presented in [14] argued that DAMA-DMBOK [7] is less appropriate for dynamic environments such as cloud computing and AI-driven data processing because it does not provide real-time risk adaptability; it also showed several pitfalls regarding managing human capital and human resources, also referred to as people analytics, as stated by DAMA-DMBOK 2 [15].

2.1.2. NIST DGM

In order to help organizations integrate data governance and management activities with their current risk management frameworks, the National Institute of Standards and Technology (NIST) created the DGM Profile [6]. Through its alignment with cybersecurity and privacy risk management practices, the profile seeks to improve the efficacy of data governance and offer a comprehensive approach to risk management for data. NIST DGM’s integration of risk-based governance principles with a focus on cybersecurity, privacy, and artificial intelligence threats is one of its advantages. Through alignment with the NIST Cybersecurity Framework (CSF) and Privacy Framework (PF), it guarantees cross-framework risk adaptation. It also provides methods for reducing risk that consider ethical data quality and stakeholder accountability. Data security and the ways in which IT risk interacts with other enterprise risks are given careful consideration.
NIST DGM Profile integrates ethical considerations and accountability into sourcing, ensuring responsible collection practices. It balances usability and security, enabling governance while maintaining accessibility. It promotes governance-driven analytics, aligning processing with organizational and ethical goals, and focuses on maximizing value while adhering to ethical, legal, and societal constraints.
However, it is still relatively new, and its adoption is still limited. It prioritizes government compliance, which makes it more challenging to adapt risk management techniques for the private sector. NIST DGM offers one of the most thorough governance-risk models, but it lacks a structured maturity model that non-governmental organizations can use [16].

2.1.3. COBIT

COBIT is an IT governance framework that was developed by ISACA and offers a set of procedures and control goals for IT management [8]. COBIT incorporates elements related to data governance, such as data privacy and quality management, even though its main focus is on IT governance. In order to make sure that data governance initiatives support overall organizational strategies—particularly with regard to enterprise data risk—the framework places a strong emphasis on coordinating IT goals with business objectives. COBIT focuses on governance-related controls during sourcing to ensure alignment with organizational objectives and risk appetite. It establishes policies and procedures for structuring data storage within governance frameworks, emphasizing secure and compliant data handling. It promotes governance-aligned strategies for data monetization and value creation.
Through the use of risk-based decision-making, the relationship between corporate risk strategy and IT governance is ensured. COBIT is primarily IT-focused, which lessens its effectiveness for more general data governance issues like AI bias or ethical issues. When it comes to real-time AI governance threats, it is less adaptable, requiring modifications for modern cloud-driven ecosystems. According to a study by Weber and colleagues [17], COBIT is very successful at managing data risks associated with IT, but it is not integrated with more comprehensive data privacy and compliance risk frameworks.

2.1.4. GDPR

The GDPR [3] is a set of regulations that was implemented by the European Union and regulates the safeguarding of personal information. It places stringent demands on businesses in terms of data governance, such as requirements for impact assessments of data protection, notifications of data breaches, and respect for the rights of data subjects. Strong data governance procedures are required for GDPR compliance in order to guarantee the moral and legal handling of personal data. It is one of the most comprehensive legal frameworks for privacy and compliance risks. Requiring both Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) ensures proactive risk identification. GDPR enforces privacy-first data sourcing and ensures transparency in data collection. It demands secure storage and defines retention periods to prevent misuse. However, it primarily focuses on data minimization and purpose limitation; it lacks specific quality improvement mechanisms, and analytics are indirectly addressed through accountability in processing, but detailed technical guidance is absent. Because GDPR ensures data value is balanced with the rights of individuals through accountability mechanisms, and it imposes strict accountability and reporting requirements, it is effective at monitoring data security risks. However, it prioritizes compliance risk over broader risk management related to AI or IT. International corporations face implementation challenges due to regional variations in enforcement. According to [18], GDPR effectively addresses privacy and regulatory risks, but it does not provide systematic methods for mitigating risk beyond noncompliance.

2.1.5. Recent Developments in Data Governance

Recent developments indicate the convergence of machine learning (ML) and data observability platforms to automate data lineage, quality assurance, and anomaly detection [19]. In cloud-native architectures, new frameworks such as the Cloud Data Management Capabilities (CDMCs) [20] are suitable for hybrid governance with an emphasis on automation, data sovereignty, and cross-border compliance. But critical semantic interoperability challenges, quantification of risks, and enforcement of real-time policy remain, which are now compelling greater focus on metadata-driven governance, policy-as-code, and explainable AI integration. As data ecosystems grow ever more complex and regulated, the future of data governance lies in adaptive, AI-enhanced, and risk-aware governance architectures that scale and are transparent [21]. This is our focus in the next sections of our paper.

2.2. The Evolution of Risk Management Approaches

The operational resilience, regulatory compliance, and data security of contemporary organizations have all come to depend heavily on data risk management. Structured risk assessment and mitigation techniques are the main focus of traditional risk management frameworks like ISO 31000 enterprise risk management [13]. It offers a principle-based method for risk management in a variety of fields and businesses. ISO 31000 is a broad framework that can be adjusted to meet different organizational demands, in contrast to sector-specific standards.
The cycle of the risk process is iterative:
  • Risk identification: Identifying opportunities and dangers.
  • Risk assessment: Ranking hazards according to goals and assessing their impact and likelihood.
  • Risk Mitigation: Putting mitigation plans into action.
  • Risk Monitoring and Review: Ongoing evaluation and input.
Recently, the combination of risk management and data governance has garnered a lot of attention as companies seek to enhance decision-making and lower potential risks. Data governance’s primary goals are the management, security, and accessibility of organizational data, while also ensuring that it complies with legal requirements. Risk management, in turn, involves identifying, assessing, and reducing hazards in order to safeguard organizational assets. Together, these fields have produced advanced frameworks that employ AI and machine learning for predictive analytics, enhancing the capacity to foresee and mitigate data-related risks.
Nonetheless, interoperability problems, data silos, and ethical concerns remain significant barriers to effective deployment. Current trends strongly emphasize risk-aware governance that incorporates real-time compliance monitoring and predictive analytics to lower risks in cloud-based, AI-driven, and decentralized systems [22]. As governance shifts from rigid policy-centric models to adaptive, automated, and AI-enhanced approaches, research must look at the trade-offs between automation, data sovereignty, and ethical considerations in order to build strong and value-driven governance ecosystems. Table 1 below represents a comparative analysis of the most used and highlighted data governance frameworks regarding the ISO 31000:2018 process of risk management:

2.3. Critical Analysis of Existing Frameworks

2.3.1. State of Practice in Data Governance and Risk Management

Incorporating risk management into data governance systems has been the subject of recent research. A thorough analysis reveals that there are differences in the effectiveness of existing frameworks in reducing hazards associated with data. According to a systematic review by Bližnák et al. in [23], while many frameworks place a high priority on data quality and compliance, they usually lack comprehensive risk management components, which could lead to vulnerabilities in data handling methods. Furthermore, a study presented in [24] emphasizes the challenges of implementing data governance, pointing out that traditional frameworks would not be able to adequately tackle emerging hazards associated with big data and cloud computing. To bridge this gap, governance structures must become more adaptable and risk aware. The need for more robust risk management strategies in sensitive data environments is highlighted by the scoping review of health information governance frameworks in the healthcare sector in [25], which found that existing models frequently fall short in managing data privacy and security risks.
However, new aspects of data-related concerns, such as data bias, algorithmic equity, privacy weaknesses, and cloud security threats, have emerged with the rise of big data, artificial intelligence (AI), cloud computing, and decentralized architectures (like blockchain). In order to create more proactive, adaptive, and real-time risk management ecosystems, research shows an evolution regarding integrated risk management models that combine quantitative risk analysis (such as the FAIR model) [26], automated monitoring (AI-driven risk detection), and regulatory alignment. Notwithstanding these developments, issues with AI transparency, cross-framework interoperability, and striking a balance between security and innovation still exist. To provide a thorough, value-driven approach to data risk management, research must address the scalability of risk-aware governance, the ethical implications of automated risk assessments, and the integration of real-time analytics into business risk policies [27].
Collectively, these studies show that while current data governance frameworks provide basic frameworks, they typically lack the comprehensiveness and adaptability required to effectively handle evolving data threats. This highlights the importance of developing integrated frameworks that seamlessly implement automated risk management principles to increase data governance’s efficacy.

2.3.2. Automated and AI-Enhanced Data Risk Management

In dynamic and high-velocity data ecosystems, the most plausible mechanisms for automatic identification, quantification, and classification of data-oriented risks include machine learning (ML), probabilistic models, and semantic metadata analytics and profiling in adaptive governance structures. Among the most well-known and widely used methods are Bayesian networks and Hidden Markov Models (HMMs), which represent uncertainty and dynamically update risk estimates in accordance with observed behavior along data pipelines. In addition, AI-enhanced data catalogs with self-service data lineage tracing and anomaly detection (using unsupervised learning, such as autoencoders or Isolation Forests) are being used to detect abnormal data patterns, such as unauthorized access, schema drift, or integrity loss [28].
To quantify risk, more recent models utilize quantitative risk scoring engines, including those based on the FAIR model [26], which blends the estimation of financial loss and probability theory to model the effect and probability of specific data threats. Combined with fuzzy logic or Monte Carlo simulation, they support hybrid models that embed subjective expert assessments (e.g., data sensitivity) into mathematically grounded risk prioritization mechanisms. Technologically, today’s risk-aware systems increasingly use graph-based data observability platforms like OpenLineage, Marquez, and Amundsen, which integrate into orchestration tools (e.g., Apache Airflow and dbt) to provide real-time visualization of data flows, impact analysis, and dependency tracking, which is critical in tracing risk causality over distributed pipelines. These platforms enable real-time risk detection and ranking by monitoring data dependencies, freshness, and quality metrics [29].
But while automation improves scalability and responsiveness, challenges remain around model interpretability, false positives, and regulatory transparency. In this regard, we observed that overreliance on black-box models undermines the transparency of the risk rationale and jeopardizes compliance with standards such as GDPR’s accountability principle [3]. This implies that the integration of explainable AI (XAI) and risk scoring systems becomes a growing imperative, ensuring prioritization mechanisms remain auditable as well as justifiable [30]. XAI is increasingly being adopted to bridge the auditability gap in AI-driven risk management systems. Technologies such as SHAP (Shapley Additive Explanations) or LIME (Local Interpretable Model-Agnostic Explanations) are now integrated in data governance dashboards so that risk prioritization remains comprehensible and compliant with regulations on automated decision-making. These abilities allow stakeholders to trace the reasoning behind AI-driven notifications, thus maintaining transparency and credibility in risk scores. In addition, recent studies attest to the rising trend in deployment of AI-Ops for real-time monitoring and self-healing risk pipelines [31]. Tools such as DataHub and Apache Atlas are increasingly integrated with ML pipelines so that they continuously monitor metadata, schema, and rule violations in real time and trigger automated compensating actions.
In conclusion, the synergy of ML-based anomaly detection, probabilistic risk modeling, and metadata-driven data lineage analysis, underpinned by explainable and adaptive governance platforms, is the best paradigm for automated risk identification and prioritization in dynamic environments currently; therefore, this presents a strong base for our next section, which demonstrates our developed framework.
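The FAIR-style scoring combined with Monte Carlo simulation discussed in this subsection can be illustrated with the following added Python example, which is not code from the paper or from the DRADG implementation. Expert three-point estimates for threat frequency, vulnerability, and loss per event are sampled to produce an annualized loss distribution per scenario, and the scenarios are then ranked; the scenario names, the estimates, the triangular distributions, and the tolerance threshold are all constructed assumptions.

```python
"""FAIR-style Monte Carlo scoring of data-threat scenarios (added example).

Scenario names, three-point estimates and the tolerance are constructed
for illustration; none of them come from the paper.
"""
import math
import random
from dataclasses import dataclass
from typing import List, Tuple

Estimate = Tuple[float, float, float]  # expert (min, most likely, max)


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_events_per_year: Estimate  # threat event frequency (TEF)
    vulnerability: Estimate           # P(threat event becomes a loss event)
    loss_per_event: Estimate          # loss magnitude per loss event


@dataclass(frozen=True)
class RiskResult:
    name: str
    mean_ale: float   # mean annualized loss exposure (ALE)
    p95_ale: float    # 95th-percentile simulated annual loss
    p_exceed: float   # share of simulated years above the tolerance


def _tri(rng: random.Random, est: Estimate) -> float:
    """Sample an expert three-point estimate as a triangular distribution."""
    low, mode, high = est
    return low if low == high else rng.triangular(low, high, mode)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small yearly rates used here."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate(s: Scenario, tolerance: float,
             trials: int = 20000, seed: int = 7) -> RiskResult:
    """Simulate `trials` years of losses for one scenario."""
    rng = random.Random(seed)  # fixed seed keeps the ranking auditable
    losses = []
    for _ in range(trials):
        tef = _tri(rng, s.threat_events_per_year)
        vuln = _tri(rng, s.vulnerability)
        # Loss event frequency = TEF x vulnerability (thinned Poisson process).
        n_loss = _poisson(rng, tef * vuln)
        losses.append(sum(_tri(rng, s.loss_per_event) for _ in range(n_loss)))
    losses.sort()
    p95 = losses[min(trials - 1, int(0.95 * trials))]
    p_exceed = sum(1 for x in losses if x > tolerance) / trials
    return RiskResult(s.name, sum(losses) / trials, p95, p_exceed)


def prioritize(scenarios: List[Scenario], tolerance: float,
               **kwargs) -> List[RiskResult]:
    """Rank scenarios by mean annualized loss exposure, highest first."""
    results = [simulate(s, tolerance, **kwargs) for s in scenarios]
    return sorted(results, key=lambda r: r.mean_ale, reverse=True)


# Constructed scenarios: (min, most likely, max) expert estimates.
SCENARIOS = [
    Scenario("schema drift in analytics pipeline",
             (5, 10, 20), (0.10, 0.20, 0.40), (500, 2_000, 10_000)),
    Scenario("cross-border transfer without safeguards",
             (2, 6, 12), (0.05, 0.10, 0.30), (20_000, 80_000, 400_000)),
    Scenario("cloud storage misconfiguration",
             (1, 3, 8), (0.02, 0.05, 0.15), (10_000, 50_000, 250_000)),
]

if __name__ == "__main__":
    for r in prioritize(SCENARIOS, tolerance=250_000):
        print(f"{r.name:42s} mean={r.mean_ale:>10,.0f} "
              f"p95={r.p95_ale:>10,.0f} P(>tolerance)={r.p_exceed:.3f}")
```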

2.4. Research Methodology and Framework Steps

This work follows a design-science approach. We first conducted a structured review of data governance and risk management frameworks (DAMA-DMBOK, NIST DGM, COBIT, GDPR, CDMC, and recent AI-assisted risk-management proposals). From this review, we extracted a set of requirements for a risk-adaptive data governance framework, with particular emphasis on the following:
  • Lifecycle coverage (from data acquisition to decommissioning);
  • Explicit modeling of data risks and controls;
  • Capability for continuous monitoring and adaptation;
  • Interoperability with existing frameworks and regulatory regimes.
Existing data and IT governance frameworks provide important building blocks but do not fully address dynamic, risk-adaptive data governance. DAMA-DMBOK offers a broad catalog of data-management disciplines, yet treats risk largely as an organizational concern rather than as an operational, real-time process. NIST DGM defines functions that relate data activities to mission and risk, but leaves the design of concrete risk-aware controls and automation outside of its scope. COBIT focuses on IT control objectives and assurance, with limited attention to data-centric risk analytics, and the GDPR defines legal obligations without specifying how to embed them into adaptive data operations. None of these frameworks provides a unified architecture that couples continuous risk assessment, dynamic control selection, and interoperable policy execution in modern, heterogeneous data platforms. DRADG is proposed precisely to fill this gap.
DRADG adopts and extends ideas from this body of work. It borrows AI techniques for detection and prediction and metadata-driven lineage from research prototypes, but packages them into a governance-first framework that explicitly embeds risk scoring, policy execution, and interoperability as architectural concerns, rather than as isolated tools.
In a second step, we analyzed multiple enterprise data platforms and governance practices to identify recurring pain points (static policies, delayed adaptation, fragmented tools) and to elicit architectural constraints (heterogeneous stacks, need for incremental adoption). These requirements and constraints guided a set of design decisions, leading to the following:
  • The multi-layer DRADG framework;
  • The RACE for risk scoring and control selection;
  • The choice of AI techniques for detection and prediction (Bayesian networks, deep neural networks, deep Q-learning, and Isolation Forests);
  • The integration of observability and knowledge graph components.
Finally, we instantiated DRADG on a representative platform and applied it to pilot scenarios, refining the framework through expert feedback. The remainder of the paper presents the resulting artifacts and investigates to what extent they address our research questions.

3. Conceptual Framework: The Enhanced Dynamic Risk-Adaptive Data Governance Framework (DRADG)

Imagine a world where data-protection frameworks do not follow conventional practices but work like living systems, constantly alert and ready to tackle new dangers the moment they emerge. That is the main idea behind the Dynamic Risk-Adaptive Data Governance framework, or DRADG for short. We wanted to completely rethink how data protection works. Traditional setups like DAMA-DMBOK, NIST DGM, or even GDPR face the difficulty of being committed to an outcome that cannot be achieved, and are always a step behind the latest tech threats. DRADG, by contrast, introduces a risk-adaptive perspective that is not explicitly covered in existing data governance standards. Advanced AI techniques and contributions such as knowledge graphs have the capacity to convert data governance from an idle construct into one that actively stays ahead of potential hazards. After investigating the problems with the conventional methods, we came up with a system structured around layers that work together not only to manage data but also to foresee risks and stop them before they become a problem. In the following sections, we go through the fundamental components of DRADG, showing how every part fits together to create a data protection setup that is quick, smart, and ready for whatever comes its way.
DRADG is a multi-layer data-governance framework in which each layer (strategy, governance, risk analytics, controls, and platform) is coordinated by the RACE, a central loop that continuously scores data risks and selects governance controls. It operationalises this loop using AI-based components (Bayesian networks, deep neural networks, deep Q-learning, and anomaly-detection models) and observability/metadata signals to adapt policies and controls in near real time.

3.1. Overall Architecture of the DRADG Framework

The DRADG framework is built on five interconnected layers, each tackling a different component of data governance and risk management: Data Quality and Risk Assessment, Policy and Governance, Data Operations and Control, Analytics and Intelligence, and lastly Integration and Interoperability. What really makes this model stand out is the Risk-Aware Contextual Engine, RACE for short, which runs through all the layers. RACE uses knowledge graphs to identify the risks that matter most to a specific organization, which it does better than traditional setups.
We designed these layers to communicate with each other in both directions, constructing feedback loops that let the whole system adjust as circumstances change. Figure 2 gives a visual breakdown of this setup, illustrating the five-layer architecture with its primary data flows. External data sources and risk signals constitute the main inputs at the bottom layer (Data Quality and Risk Assessment), while governance decisions, compliance reports, and audit logs represent the outputs at the top layer (Integration and Interoperability). Feedback loops operate bidirectionally: bottom-up flows carry risk scores and anomaly alerts to inform policy generation, while top-down flows propagate enforcement directives and updated thresholds back to operational layers. The RACE acts as a central hub, receiving contextual signals from all layers and redistributing risk-aware guidance accordingly.
To achieve this seamless coordination without introducing performance bottlenecks, the architecture relies on an event-driven communication model. Layers exchange information through a distributed event bus (Apache Kafka), allowing asynchronous processing without blocking. DRADG distinguishes three feedback loop tiers based on urgency: (i) real-time loops (sub-second) for critical responses such as blocking anomalous transfers; (ii) near-real-time loops (seconds to minutes) for policy adjustments when risk thresholds are crossed; and (iii) batch loops (hours to days) for strategic refinements based on aggregated KPIs. Latency is minimized through in-memory caching of active policies, pre-computed decision trees for common scenarios, and a knowledge graph subset within RACE for frequent risk-context queries. Pilot benchmarks indicate median latencies of 850 ms for tier-1 responses and under 15 s for tier-2 updates.
Three types of events trigger governance adaptation: (i) threshold-based triggers, activated when risk scores exceed predefined bounds (e.g., RS > 0.7 initiates tier-1 response); (ii) event-based triggers, fired upon specific occurrences such as policy violations, access anomalies, or regulatory updates; and (iii) temporal triggers, scheduled evaluations (hourly and/or daily) that reassess cumulative risk trends and KPI drift. Each trigger type maps to the appropriate feedback tier, ensuring proportionate response times.
We designed the DRADG framework specifically to tackle the interoperability issues and ethical concerns pointed out earlier. Unlike most frameworks, which are overly focused on simply meeting regulatory requirements, DRADG takes a fresh approach by weaving risk management into every single layer. This makes it a forward-thinking model that prioritizes staying ahead of problems rather than haphazardly fixing them after the fact.
While several of the reviewed approaches are tailored to specific regulations, for example, HIPAA in healthcare [10], they reveal recurrent, cross-sector challenges: lack of explicit data-risk models, limited automation, and weak integration with operational governance. DRADG is designed to be sector-agnostic: sector-specific regulations are captured as domain policies and risk factors within the RACE, while the underlying architecture, risk-scoring mechanisms, and governance layers remain generic and reusable across industries.
The following subsections provide a detailed specification of each layer: Section 3.2 covers the internal components and their interactions, and Section 3.3 covers the mechanisms enabling dynamic adaptation. Section 4 further elaborates on each component with dedicated architectural diagrams and implementation details.

3.2. Main Components and Their Interactions

Five layers make up the DRADG model, and each one has several elements specifically designed to handle problems with data quality, risk analysis, policy-making, operational management, analytical techniques, and interoperability. Working across all levels, the RACE module guarantees that its features are maximized depending on the particular situation of the company (see Table 2). Below are the purposes of each layer, the corresponding elements, and their interactions with one another:

3.2.1. Data Quality and Risk Assessment Layer

When looking at RQ1, which focuses on dynamic adaptation, and RQ2, all about risk identification mechanisms, this component acts as the groundwork, searching for, measuring, and analyzing data risks in real time. It includes the following:
  • Metrics: Numerical measures, including error rates, completeness scores, and risk scores, provide a strong foundation for data quality estimates and risk level assessments.
  • Taxonomy of Risk: To enable methodical risk analysis, a formal ontology was created to classify risks into particular classes, such as cyber threats, ethical concerns, and compliance issues.
  • Anomaly Detection: Deep neural networks (DNNs) are used to identify anomalies in risk patterns and establish data quality, including anomalies in data flow or inconsistencies.
Interactions at this level exchange risk intelligence with the Policy and Governance Layer, thus guiding policy-making, while drawing on predictive analytics.

3.2.2. Policy and Governance Layer

This layer focuses on creating and tweaking governance policies based on the risks we have identified, directly addressing RQ3, which is all about automating policy generation. It covers the following:
  • Policy Generation: The approach uses deep Q-networks (DQNs), a reinforcement learning technique, to generate adaptive policies, tightening access controls as threats become severe.
  • Compliance Mapping: This process enacts policies formulated against standards such as Refs. [3,4] to ensure that laws and ethics are in alignment.
  • Interactions: It takes risk input from the Data Quality and Risk Assessment Layer, creates policy changes, and sends them to the Data Operations and Control Layer for enforcement. By means of the RACE module, it also integrates contextual changes into policies so that they complement the strategic goals of the company.
Through its interactions, this layer shares monitoring insights with the Analytics and Intelligence Layer, helping to refine risk predictions while ensuring policies adapt to real-time conditions.

3.2.3. Data Operations and Control Layer

The Data Operations and Control Layer is where we handle the execution of governance policies and monitor real-time data streams, tying directly into RQ2’s focus on prioritizing risks. It is made of the following:
  • AI agents that monitor data streams at all times are constantly looking for anything unusual, like unauthorized access or odd patterns that do not align with expectations.
  • Automated systems that enforce policies, like redirecting or even shutting down a data stream if a risk emerges, act as the control mechanisms that keep components functional.
  • Finally, the interaction component: this layer engages with RACE’s ability to understand the context of risks, altering operations based on the specific situation at hand. It also keeps the process up to date by looping in feedback, such as monitoring logs, and communicating the information to the Analytics and Intelligence Layer for deeper insights.
Through these interactions, this layer keeps policies adaptable to risks and shares key insights with Analytics, helping the framework improve at spotting and handling threats down the line.

3.2.4. Analytics and Intelligence Layer

The Analytics Layer addresses RQ4 by giving us the tools we need to measure performance and make informed predictions that help with risk-aware governance. When it was tested, we focused on three key pieces that improved decision-making.
Firstly, we have Bayesian networks that investigate both historical data and what is happening right now to predict potential threats. Unlike those rigid, black-and-white models, these networks give us predictions in probabilities, like telling us there is a 65% chance of a data breach in the next month based on how people are accessing the system right now.
We also set up some practical metrics for organizations to consider: how fast we respond to threats, where we are aiming for 20 s or less; compliance rates, where we are shooting for a 97% benchmark; and data quality scores. Tracking these KPIs over time clearly shows how the framework is performing and where we need to step up.
The way this layer interacts with the others creates some really useful feedback loops. It pulls in operational data from the Operations Layer, sharpens its predictions with RACE’s contextual know-how, and then sends those insights over to the Quality Layer to fine-tune risk assessments.

3.2.5. Integration and Interoperability Layer

Now, at the top of our framework, we have the Integration Layer, which deals with RQ5 by linking up with external systems and standards. We added compliance modules right into this layer, so it automatically handles regulations like GDPR with things like automated anonymization, ISO 31000 [13] through structured risk workflows, and NIST DGM [6] by setting up cybersecurity protocols. We also added API connectors to make integration a breeze with systems like cloud platforms and blockchain networks.

3.2.6. Risk-Aware Contextual Engine (RACE)

Then there is the RACE module, which ties everything together across all the layers, tailoring risk assessments to fit the organization’s specific context. Its knowledge graphs are like a map, showing how different risks, contextual factors, and governance responses all connect, for example, linking ethical risks to specific regulatory rules we need to follow.
RACE is constantly interacting with every layer. It hands over contextual risk data to quality, fine-tunes policies for the Policy Layer, gives operational guidance to operations, provides predictive insights to analytics, and ensures standards alignment for integration.
Put all of this together, and it provides a seamless approach to data governance that weaves risk management into every step. It tackles the kind of fragmentation and stiffness that we pointed out when we looked at traditional frameworks.
Table 2 summarizes each layer following a consistent structure to facilitate comparison.

3.3. Mechanisms of Dynamic Adaptation

As brought up in RQ1, the DRADG model is specifically intended to respond quickly to the fast-evolving threats and organizational demands that modern data governance must contend with. The mechanisms described below provide this agility.
In this proposed model, all the layers interact with each other to create continuous feedback loops. For example, KPI measures like compliance rates are shared across the Analytics and Intelligence Layer and the Data Quality and Risk Assessment Layer. The Analytics and Intelligence Layer receives inputs from the Data Quality and Risk Assessment Layer in order to refine its risk taxonomy. Similarly, operational feedback that enters the Data Operations and Control Layer is shared with the Policy and Governance Layer so that all the layers can make any necessary adjustments to keep governance aligned with the operational reality.
Our work shows that AI strongly affects how rapidly organizations respond to threats. The Bayesian networks we have built into the Analytics Layer act as early warning systems that spot potential issues well before they are likely to have a serious impact. For example, the networks flag unusual patterns of database access, simplifying this process.
Our Policy Layer uses Deep Q-Networks to deal with threats such as a rapidly increasing number of phishing attempts. These are not the only problems, of course, and not every issue can be satisfactorily handled this way. But using Deep Q-Learning has allowed us to put a framework in place that can also be employed for everything from fine-tuning email filters to coming up with next-generation external message policies that lay the groundwork for further automation.
The early warning signals that older rule-based systems often miss are caught very nicely by the deep neural networks that we have put into the Data Quality Layer. This makes them ideally suited to fulfilling the second part of RQ2, which is all about spotting risks early in the data quality pipeline.
RACE introduces a critical context-awareness to the framework, often absent in other methodologies, by leveraging knowledge graphs to integrate and analyze a range of influencing factors. These factors include industry-specific regulations like HIPAA, the very nature of the data involved (e.g., how secure it is or can be), and even the geographic location of the organization (e.g., what regional, state, or local laws apply). This allows a staggered adoption where organizations can take their time to incorporate the specific layers they need before moving on to additional ones. The flexibility of the modular design aligns well with the objectives of both RQ1 and RQ5.
To formalize the feedback loop mechanism, Algorithm 1 provides a high-level pseudo-code illustrating the three-tier response logic and continuous learning process.
Algorithm 1. Feedback loop processing in DRADG
WHILE system_active DO
  event ← receive_event(EventBus)
  risk_score ← RACE.compute_risk(event, context)

  // Tier-1: Real-time response
  IF risk_score > THRESHOLD_CRITICAL THEN
    action ← enforce_immediate_control(event)
    log_audit(event, action, "tier-1")

  // Tier-2: Near-real-time policy adjustment
  ELSE IF risk_score > THRESHOLD_HIGH THEN
    policy ← PolicyLayer.DQN_generate(event, risk_score)
    OperationsLayer.apply_policy(policy)
    log_audit(event, policy, "tier-2")

  // Tier-3: Batch analytics
  ELSE
    queue_for_batch_analysis(event)
  END IF

  // Continuous learning
  update_knowledge_graph(event, outcome)
  IF scheduled_interval_reached() THEN
    retrain_models(AnalyticsLayer)
  END IF
END WHILE
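The three-tier dispatch of Algorithm 1 can be exercised on concrete events. The following Python sketch is an added illustration, not the authors' implementation: the value of THRESHOLD_HIGH, the context dictionary, the control and policy identifiers, the event-count retraining schedule, and the fail-closed handling of unclassified datasets and invalid scores are all assumptions, and the risk score uses the weighting given in Section 4.1 as a stand-in for RACE.compute_risk.

```python
from collections import deque
from dataclasses import dataclass

THRESHOLD_CRITICAL = 0.7  # from the text: RS > 0.7 initiates a tier-1 response
THRESHOLD_HIGH = 0.4      # assumption: the paper gives no value for this bound


@dataclass(frozen=True)
class Event:
    event_id: str
    dataset: str
    error_rate: float     # assumed normalised to [0, 1]


def compute_risk(event, context):
    """Stand-in for RACE.compute_risk, using the Section 4.1 weighting.

    `context` maps dataset name -> impact score in [0, 1]. A dataset missing
    from the context is scored with maximum impact (added fail-safe choice).
    """
    impact = context.get(event.dataset, 1.0)
    return 0.6 * event.error_rate + 0.4 * impact


class FeedbackLoop:
    def __init__(self, context, retrain_every=3):
        self.context = context
        self.retrain_every = retrain_every  # event count stands in for a schedule
        self.audit_log = []                 # (event_id, decision, tier)
        self.batch_queue = deque()          # tier-3 events awaiting batch analysis
        self.active_policies = {}           # dataset -> policy applied by tier 2
        self.knowledge_graph = []           # (event_id, tier, outcome) facts
        self.retrain_count = 0
        self._since_retrain = 0

    def enforce_immediate_control(self, event):
        return f"block:{event.dataset}"     # hypothetical control identifier

    def generate_policy(self, event, risk_score):
        # Placeholder for PolicyLayer.DQN_generate; no learning happens here.
        return f"restrict_access:{event.dataset}"

    def process(self, event):
        """One iteration of the WHILE loop; returns the tier that handled it."""
        risk_score = compute_risk(event, self.context)
        # NaN or out-of-range scores fail closed into tier 1 (added choice).
        valid = 0.0 <= risk_score <= 1.0
        if not valid or risk_score > THRESHOLD_CRITICAL:
            tier, outcome = "tier-1", self.enforce_immediate_control(event)
            self.audit_log.append((event.event_id, outcome, tier))
        elif risk_score > THRESHOLD_HIGH:
            tier, outcome = "tier-2", self.generate_policy(event, risk_score)
            self.active_policies[event.dataset] = outcome
            self.audit_log.append((event.event_id, outcome, tier))
        else:
            tier, outcome = "tier-3", "queued"
            self.batch_queue.append(event)
        # Continuous learning: record the outcome, retrain on schedule.
        self.knowledge_graph.append((event.event_id, tier, outcome))
        self._since_retrain += 1
        if self._since_retrain >= self.retrain_every:
            self.retrain_count += 1         # stand-in for retrain_models(...)
            self._since_retrain = 0
        return tier


# Constructed sample input (not from the paper).
SAMPLE_CONTEXT = {"payroll": 0.9, "public_docs": 0.1}
SAMPLE_EVENTS = [
    Event("e1", "payroll", 0.80),          # RS = 0.84  -> tier-1
    Event("e2", "payroll", 0.20),          # RS = 0.48  -> tier-2
    Event("e3", "public_docs", 0.08),      # RS = 0.088 -> tier-3
    Event("e4", "scratch_export", 0.60),   # unclassified: RS = 0.76 -> tier-1
    Event("e5", "payroll", float("nan")),  # invalid score -> tier-1
]


def run_sample():
    loop = FeedbackLoop(SAMPLE_CONTEXT)
    return loop, [loop.process(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    loop, tiers = run_sample()
    for event, tier in zip(SAMPLE_EVENTS, tiers):
        print(event.event_id, tier)
    print("audit entries:", len(loop.audit_log), "queued:", len(loop.batch_queue))
```

As in the pseudocode, only tier-1 and tier-2 decisions reach the audit log; tier-3 events leave a trace only in the batch queue and the knowledge graph.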

3.4. Theoretical Validation

The theoretical effectiveness of the DRADG framework was compared with other frameworks, namely, DAMA-DMBOK, NIST DGM, and GDPR, along these dimensions: lifecycle coverage, explicit risk constructs, dynamic adaptability, automation support, and interoperability. The results are shown in Table 3. To compare DRADG with widely adopted frameworks, we constructed an evaluation grid capturing key properties required by risk-adaptive governance: (i) explicit risk identification and classification, (ii) structured assessment and prioritization, (iii) support for mitigation and continuous monitoring, (iv) capability for dynamic adaptation, (v) degree of automation, and (vi) compliance and interoperability coverage. Each framework was scored qualitatively on a three-level scale (low, moderate, or strong) based on its documentation and independent secondary analyses. Two authors performed the assessment independently and reconciled discrepancies through discussion. Each criterion was assessed on a three-level scale: low indicates the framework does not explicitly address or only marginally covers the aspect; moderate indicates partial coverage with implicit mechanisms or limited scope; and strong indicates explicit, comprehensive treatment with defined processes or tools. For example, regarding dynamic adaptation, low means no provision for runtime adjustment, moderate implies manual update procedures exist, and strong requires automated or semi-automated adaptation mechanisms. Importantly, this comparison is positioned as an assessment of conceptual coverage, not as an empirical performance benchmark: it evaluates which concepts and mechanisms are prescribed or enabled by each framework, rather than measuring real-world maturity of specific tool implementations.
Based on this conceptual comparison, DRADG demonstrates broader coverage across the evaluated criteria, particularly due to its adaptive design and embedded risk mechanisms. It is adaptive: practitioners can deploy this model of risk-aware data governance in a variety of environments, and it works better than most because it integrates RACE, artificial intelligence automation, and embedded risk management systems at every level.

4. Risk-Driven Data Governance Components

The operational mechanisms of the DRADG platform are presented in the subsections that follow. The preceding section provided a high-level overview of the architectural framework; this section delves into the specific tools and techniques that enable each component, examining their contributions to the overall research objectives.
A prevalent limitation of existing governance frameworks is the disconnect between risk management and data governance. Risk management instead needs to be built into the data governance framework as a foundational element.
In order to deal with this shortcoming, we present a component-by-component analysis of the DRADG platform. We take particular care to focus on the very mechanisms that allow risk considerations to be integrated effectively. We also throw in some practical use cases to show how each element does its thing under real-world conditions.
The selection of AI techniques was guided by three criteria: suitability for the task, interpretability, and operational maturity. Deep Neural Networks (DNNs) were chosen for anomaly detection due to their capacity to learn complex nonlinear patterns in high-dimensional data streams. Isolation Forests complement DNNs for unsupervised anomaly detection, offering computational efficiency and robustness to irrelevant features without requiring labeled training data. Deep Q-Networks (DQN) were selected for policy generation because reinforcement learning naturally models the sequential decision-making required for adaptive governance, and DQN’s experience replay stabilizes learning in dynamic environments. Bayesian networks were preferred for risk prediction as they explicitly model uncertainty and causal dependencies, enabling interpretable probabilistic reasoning. These choices assume that sufficient historical data is available for model training, that risk patterns exhibit learnable regularities, and that the operational environment provides timely feedback for reinforcement learning updates.

4.1. Data Quality and Risk Assessment

The Data Quality and Risk Assessment layer constitutes a foundational pillar of the proposed governance model.
This component takes in raw data and manages it. It applies a series of quality metrics to the data to check the integrity of the incoming records. These metrics, error rate estimations, for example, quantify the proportion of entries that are not quite right, that show some kind of anomaly or inconsistency.
The indicators that emerge from this process have a twofold function. They serve to inform the dashboards and monitoring systems of our quality assurance processes, and they are used in the computation of our risk scores. In this context, let us define what we mean by risk scores (RS) as follows: RS = 0.6 × Error Rate + 0.4 × Impact Score. This weighting scheme reflects a deliberate calibration that emphasizes prioritizing the frequency of errors while still considering the potential impacts of those errors.
At the component’s right-hand side in Figure 3, the action of semantic processing is depicted. This is the work of the component’s engine, and it is carried out on data events. Those events are subject to a risk taxonomy. That taxonomy is a structure that allows the data events to be sorted meaningfully. This allows the component to steer the sorted data toward the appropriate ontology. An ontology serves as a kind of model that makes the next step of processing possible, for reasons that will become clear shortly.
The way risk taxonomies are built makes this sorting and the next step possible. The sorts of taxonomies that are being used allow for a risk-based, nuanced understanding of the kinds of threats that data events might represent.
To allow for board-level action, a priority allocation mechanism is necessary. For example, a dataset classified as sensitive shows an 8% error rate; the computed risk score indicates high regulatory exposure, and the system flags it for immediate remediation.
Unlike classical governance frameworks such as DAMA-DMBOK, which tend to separate quality assurance from risk evaluation, our model tightly integrates the two. This alignment permits organizations to concentrate their mitigation efforts on quality issues that present significant risk, rather than applying uniform remediation to all inconsistencies.

4.2. Policy and Governance Layer

The second fundamental constituent of the framework deals with the formation and coordination of governance policies derived from risk assessments carried out in real time. This layer transforms risk scores into actionable governance controls.
A comparative analysis of policy-learning techniques led to the selection of Deep Q-Networks (DQNs) for this project. This was because DQNs, as “end-to-end” models, not only represent the optimal policies that the techniques were found to yield but also learn to be optimal in real time and on scales of time and space that were not reachable by the older techniques themselves. It also helped that DQNs have a kind of reinforcement-learning structure that is well understood and very broadly applicable.
We use a reward function, defined as
R = 0.7 × Risk Reduction − 0.3 × Operational Cost
The state vector s encodes current risk context: aggregated risk scores per data category, active policy count, recent violation frequency, and system load metrics. The action space A comprises discrete governance interventions: access restriction levels (none, partial, or full), encryption enforcement, audit frequency adjustment, and data routing decisions. The agent follows an ε-greedy exploration strategy, with ε decaying from 1.0 to 0.05 over 10,000 episodes to balance exploration of new policy combinations with exploitation of learned optimal responses. Experience replay (buffer size: 50,000) and target network updates (every 1000 steps) stabilize training.
For high-stakes decisions (e.g., blocking critical data pipelines and/or revoking access to sensitive systems), DRADG enforces mandatory safeguards. Actions exceeding a defined impact threshold require human-in-the-loop validation before execution: the system generates a recommendation with supporting evidence, but enforcement awaits explicit approval from authorized personnel. Additionally, hard constraints prevent certain actions regardless of risk scores (e.g., cannot disable audit logging and/or cannot override regulatory retention rules). All automated decisions are reversible within a configurable grace period, allowing rapid rollback if unintended consequences are detected.
The reward weighting reflects a risk-based bias, giving more weight to security improvements while still weighing costs. The approach is in line with the law enforcement “cybersecurity operations strategic risk mitigation framework”.
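The safeguards described above can be placed between the learning agent and the enforcement layer so that exploration never reaches a forbidden action. The following Python sketch is an added example, not the authors' code: the action names, the impact threshold value, the grace period length, the approver list, and the linear shape of the ε decay are assumptions (the paper gives only the reward weights, the ε endpoints and horizon, and the two hard constraints).

```python
import random
from dataclasses import dataclass

# Hard constraints named in the text: never executable, whatever the risk score.
FORBIDDEN = frozenset({"disable_audit_logging", "override_retention_rule"})
IMPACT_THRESHOLD = 0.6   # assumption: the paper says "a defined impact threshold"
GRACE_PERIOD_S = 900.0   # assumption: the paper says "configurable grace period"


def reward(risk_reduction, operational_cost):
    """R = 0.7 x Risk Reduction - 0.3 x Operational Cost (weights from the text)."""
    return 0.7 * risk_reduction - 0.3 * operational_cost


def epsilon(episode, start=1.0, end=0.05, horizon=10_000):
    """Exploration rate; linear decay is an assumption (text gives endpoints only)."""
    frac = min(max(episode, 0), horizon) / horizon
    return start + (end - start) * frac


def select_action(q_values, episode, rng):
    """Epsilon-greedy choice with hard constraints masked out of the action
    space, so neither exploration nor a high Q-value can pick a forbidden action."""
    allowed = sorted(a for a in q_values if a not in FORBIDDEN)
    if rng.random() < epsilon(episode):
        return rng.choice(allowed)
    return max(allowed, key=lambda a: q_values[a])


@dataclass(frozen=True)
class Proposal:
    action: str
    target: str
    impact: float    # assumed normalised to [0, 1]
    evidence: str    # supporting evidence shown to the human approver


class SafeguardGate:
    """Sits between the policy agent and enforcement; every decision is logged."""

    def __init__(self, clock, approvers):
        self.clock = clock                    # callable returning seconds
        self.approvers = frozenset(approvers)
        self.pending = {}                     # id -> Proposal awaiting approval
        self.applied = {}                     # id -> (Proposal, applied_at)
        self.audit = []                       # (time, id, decision, actor)

    def _log(self, pid, decision, actor="system"):
        self.audit.append((self.clock(), pid, decision, actor))
        return decision

    def submit(self, pid, proposal):
        if proposal.action in FORBIDDEN:      # defence in depth behind the mask
            return self._log(pid, "rejected")
        if proposal.impact > IMPACT_THRESHOLD:
            self.pending[pid] = proposal      # recommendation only, not enforced
            return self._log(pid, "pending_approval")
        self.applied[pid] = (proposal, self.clock())
        return self._log(pid, "applied")

    def approve(self, pid, approver):
        if approver not in self.approvers or pid not in self.pending:
            self._log(pid, "approval_denied", approver)
            return False
        self.applied[pid] = (self.pending.pop(pid), self.clock())
        self._log(pid, "applied", approver)
        return True

    def rollback(self, pid):
        entry = self.applied.get(pid)
        if entry is None or self.clock() - entry[1] > GRACE_PERIOD_S:
            self._log(pid, "rollback_refused")
            return False
        del self.applied[pid]
        self._log(pid, "rolled_back")
        return True


if __name__ == "__main__":
    # Constructed Q-values: the forbidden action scores highest but is never chosen.
    q = {"disable_audit_logging": 9.0, "enforce_mfa": 1.0, "restrict_access_full": 2.0}
    rng = random.Random(7)
    print({select_action(q, ep, rng) for ep in range(0, 10_000, 100)})
```

Masking the forbidden actions inside `select_action` and rejecting them again in `submit` keeps the hard constraints in force even if one of the two checks is bypassed or misconfigured.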
When risk signals are received, the system automatically produces governance directives, such as enforcing multi-factor authentication or limiting access to certain sensitive data. These controls are directly sent to the relevant operational components for immediate real-time enforcement.
A representative case is shown in Figure 4. There is a situation in which a high-severity cybersecurity threat has just been detected. This has triggered the DQN model. The system is now working through the potential responses it could make to this incident. It is weighing the security benefits that these remediation steps would accomplish against the operational costs of implementing them. And based on this evaluation, it is producing tailored remediation policies.
This adaptive and automated mechanism tackles a vital restriction found in age-old governance models, like COBIT [8]. These old models demand manual updates to governance policies. Automating the update process tackles a big problem: the moment a human hand touches a policy, the policy update is already out of sync with the risk environment. In contrast, our approach ensures continuous alignment between governance measures and the risk environment [17].

4.3. Data Operations and Control

The Data Operations and Control component functions as the oversight mechanism of the entire DRADG framework.
Figure 5 shows a real-time surveillance system that continuously monitors the data workflows and ensures that they stay in step with what we call “governance standards”, that is, how a workflow ought to behave if it is operating correctly.
At the heart of this component lies the use of Isolation Forests, an unsupervised machine learning algorithm specifically tailored for anomaly detection in high-dimensional spaces. The system works in two phases. First, it builds the isolation trees by examining typical behavior patterns across the data pipelines; it then uses these trees to find unexpected deviations, which may signify a security breach or a governance violation. What kinds of deviations is it looking for? For example, are there data transfers happening that seem to violate the expected governance model? Are there access patterns that seem to be unusual? Has the workflow in the data pipelines been disrupted in a way that seems to be intentional?
When an anomaly is detected, the system starts predefined mitigation procedures. These may consist of suspending certain data processes, activating incident response protocols, or implementing access restrictions, all for the sake of maintaining data integrity, while the anomaly is further analyzed.
The operational workflow in Figure 5 shows this process for a high-risk anomaly. A monitoring routine detects the anomaly, which activates the next phase in the routine: a containment protocol that tries to neutralize a potential threat in real time (minutes or, at most, hours).
In comparison with conventional rule-based systems, like those outlined in the NIST Data Governance Model (DGM), DRADG offers significant advancements: it employs an ensemble of different types of Isolation Forests, which serve as dynamic, data-defined decision trees, to classify data items in a way that finds emergent, trend-resembling, or subtle threats in our systems reliably and with fewer false positives. This dynamic nature of Isolation Forests (and, consequently, of DRADG) lets us adapt more easily to changes in the system and to changes in the patterns that our data follow.
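The two phases described in this section, building isolation trees from pipeline behavior and then scoring deviations by how quickly a record is isolated, fit in a short pure-Python sketch. This is an added example, not the authors' code or the ensemble variant the paper mentions: the feature pair (megabytes transferred, hour of day) and all sample values are constructed, and a production system would normally use a library implementation such as scikit-learn's IsolationForest.

```python
import math
import random

EULER_GAMMA = 0.5772156649


def c_factor(n):
    """Average path length of an unsuccessful binary-search-tree lookup over
    n points; used to normalise path lengths into a score."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def build_tree(rows, depth, max_depth, rng):
    """Phase 1: recursively partition rows with random axis-aligned splits."""
    if depth >= max_depth or len(rows) <= 1:
        return ("leaf", len(rows))
    dims = [d for d in range(len(rows[0]))
            if min(r[d] for r in rows) < max(r[d] for r in rows)]
    if not dims:                          # all remaining rows are identical
        return ("leaf", len(rows))
    dim = rng.choice(dims)
    lo, hi = min(r[dim] for r in rows), max(r[dim] for r in rows)
    split = rng.uniform(lo, hi)
    left = [r for r in rows if r[dim] < split]
    right = [r for r in rows if r[dim] >= split]
    return ("node", dim, split,
            build_tree(left, depth + 1, max_depth, rng),
            build_tree(right, depth + 1, max_depth, rng))


def path_length(tree, row, depth=0):
    """Depth at which `row` lands in a leaf, plus the leaf-size correction."""
    if tree[0] == "leaf":
        return depth + c_factor(tree[1])
    _, dim, split, left, right = tree
    return path_length(left if row[dim] < split else right, row, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size = n_trees, sample_size
        self.rng = random.Random(seed)
        self.trees, self.n = [], 0

    def fit(self, rows):
        if len(rows) < 3:
            raise ValueError("need at least three rows to build a forest")
        self.n = min(self.sample_size, len(rows))
        max_depth = math.ceil(math.log2(self.n))
        self.trees = [
            build_tree(self.rng.sample(rows, self.n), 0, max_depth, self.rng)
            for _ in range(self.n_trees)
        ]
        return self

    def score(self, row):
        """Phase 2: anomaly score in (0, 1]; values near 1 mean easy to isolate."""
        mean_path = sum(path_length(t, row) for t in self.trees) / len(self.trees)
        return 2.0 ** (-mean_path / c_factor(self.n))

    def rank(self, rows):
        """Rows sorted from most to least anomalous as (score, row) pairs."""
        return sorted(((self.score(r), r) for r in rows), reverse=True)


# Constructed sample: (megabytes transferred, hour of day) per pipeline run.
NORMAL = [(40 + (i * 7) % 25, 9 + i % 9) for i in range(40)]
OUTLIER = (5000, 3)                       # large transfer at 03:00
SAMPLE_TRANSFERS = NORMAL + [OUTLIER]

if __name__ == "__main__":
    forest = IsolationForest(n_trees=100, seed=7).fit(SAMPLE_TRANSFERS)
    for score, row in forest.rank(SAMPLE_TRANSFERS)[:3]:
        print(f"{score:.3f}", row)
```

The score is relative to the data the trees were built on, so the alerting cut-off has to be calibrated per pipeline rather than fixed globally.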

4.4. Analytics and Intelligence

The Analytics and Intelligence component functions as the predictive engine of the DRADG framework.
Figure 6 shows the processing of two streams of input. The first stream supplies historical and real-time data to predictive models. The second stream supplies operational data that is used to evaluate key performance indicators.
To predict events, the system uses Bayesian networks, which permit the probabilistic modeling of complicated scenarios. This modeling approach goes beyond simple, deterministic decision-making and allows for the incorporation of uncertainty and interdependencies among variables. Through these networks, the system computes the probabilities of various events happening and their expected impacts, assigning, for instance, a 65% likelihood that some sort of non-compliance is in our near future and estimating what kind of financial and reputational damage it might cause.
At the same time, the system keeps an eye on governance effectiveness through a set of predefined key performance indicators (KPIs). These indicators include the system’s responsiveness to emerging risks, with a predefined reaction time target; the compliance rate, which reflects how well policies that have been implemented are actually being followed; and the data quality score, which aggregates several quality metrics into a normalized scale. These operational metrics are continuously synthesized into performance reports that shed some light on the overall health and maturity of the data governance framework.
An illustrative scenario showcases the integration of these functions: the system detects an ethical risk stemming from algorithmic bias, assigns it a likelihood of 65%, and correlates this with a data quality score of 88 out of 100. Using this assessment, it proposes a remediation plan targeting the root causes of the detected bias.
This component sets itself apart by adopting a probabilistic risk assessment framework rather than the binary governance logic found in many conventional risk frameworks. We use risk governance frameworks in which decision-makers can interpret risk in a more nuanced fashion and with an understanding that real-world environments are inherently uncertain.

4.5. Integration and Interoperability

The Integration and Interoperability component ensures that the DRADG framework remains aligned with existing regulatory standards and enterprise systems. As depicted in Figure 7, this layer performs systematic compatibility checks throughout data operations, validating conformity with multiple regulatory frameworks.
To manage the intricate variety of standards, the framework has specialized compliance modules. The General Data Protection Regulation (GDPR) module handles automated anonymization processes so that privacy requirements are satisfied. The ISO 31000 module runs the structured workflows necessary for risk assessment. The module for the National Institute of Standards and Technology's (NIST) Data Governance and Management manages compliance with federal cybersecurity guidelines.
The architecture's core is the Unified Integration component, which keeps the execution logic of all modules consistent and governs the pipeline. This design allows a diverse set of compliance rules, each governing the specialized operations of one module, to be applied simultaneously without fragmenting operational workflows. Take, for instance, the system's treatment of sensitive data: first, it applies rule set A for GDPR-based anonymization; next, it applies rule set B for risk assessments that follow ISO 31000; and last, it applies rule set C for security operations that comply with the rules prescribed by NIST. This is a significant break from conventional governance models such as COBIT, which rely on manual policy updates and segregated processes for each compliance requirement [17]. In contrast, DRADG provides a modular yet orchestrated governance mechanism that ensures consistency across the governance, risk, and compliance (GRC) landscape with minimal redundancy and maintains continuous alignment with evolving regulatory demands.
A core design requirement for DRADG is interoperability with existing regulatory and governance frameworks rather than replacing them. To this end, DRADG exposes governance rules as policies-as-code and maintains an explicit mapping to GDPR requirements and NIST DGM functions. Concretely, DRADG represents governance controls as machine-readable policy templates (in a rule or policy DSL) that encode conditions, obligations, and sanctions. These templates are instantiated from higher-level requirements such as
  • GDPR: lawful basis and purpose limitation, data minimisation, storage limitation, data subject rights, and Data Protection Impact Assessment (DPIA) obligations;
  • NIST DGM: the Govern, Map, Measure, Manage functions across data assets, business processes, and risks.
At runtime, policies are evaluated by the RACE and enforced through control actions (blocking a transfer, triggering additional logging, requesting consent, or routing a dataset to a restricted zone). Each policy decision and enforcement action is recorded in an immutable audit trail, including the triggering events, the risk scores, and the applied controls. This audit trail supports internal and external audits and enables evidence-based compliance reporting. The GDPR and NIST mappings are maintained in a governance catalog: every DRADG control is linked to one or more GDPR articles and NIST DGM activities. This allows organizations to trace how regulatory requirements are instantiated as executable policies, and to verify coverage and gaps when regulations evolve.
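The policy-as-code loop described above (template, evaluation, control action, audit record, catalog coverage check) can be sketched as follows. This is an added example, not DRADG's own code: the policy identifiers, event fields, the 0.7 threshold, and the specific control-to-requirement links are assumptions, and the hash chain is one way to make the audit trail tamper-evident.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable

RISK_THRESHOLD = 0.7  # assumed enforcement threshold; the paper gives no value

# Requirements the catalog is expected to cover (subset of the list above).
REQUIRED = {
    "GDPR Art. 5(1)(b) purpose limitation",
    "GDPR Art. 5(1)(c) data minimisation",
    "GDPR Art. 5(1)(e) storage limitation",
    "GDPR Art. 35 DPIA",
}


@dataclass(frozen=True)
class Policy:
    policy_id: str                     # hypothetical identifier
    condition: Callable[[dict], bool]  # when the policy fires
    actions: tuple                     # control actions applied on a match
    maps_to: frozenset                 # governance-catalog links (assumed)


POLICIES = [
    Policy("P-PURPOSE",
           lambda e: e["purpose"] not in e["declared_purposes"],
           ("request_consent",),
           frozenset({"GDPR Art. 5(1)(b) purpose limitation", "NIST DGM Govern"})),
    Policy("P-RETENTION",
           lambda e: e["age_days"] > e["retention_days"],
           ("route_to_restricted_zone",),
           frozenset({"GDPR Art. 5(1)(e) storage limitation", "NIST DGM Manage"})),
    Policy("P-HIGHRISK-XFER",
           lambda e: (e["op"] == "transfer" and e["sensitivity"] == "high"
                      and e["risk_score"] >= RISK_THRESHOLD),
           ("block_transfer", "extra_logging"),
           frozenset({"GDPR Art. 35 DPIA", "NIST DGM Measure"})),
]


def digest(body: dict) -> str:
    """SHA-256 over a canonical (sorted-key) JSON encoding of the record."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only, hash-chained log: editing any record breaks verify()."""
    FIELDS = ("prev", "event", "policies", "actions")

    def __init__(self):
        self.records = []

    def append(self, event, policies, actions):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = {"prev": prev, "event": event, "policies": policies, "actions": actions}
        self.records.append({**body, "hash": digest(body)})

    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.records:
            body = {k: rec[k] for k in self.FIELDS}
            if rec["prev"] != prev or rec["hash"] != digest(body):
                return False
            prev = rec["hash"]
        return True


def evaluate(event: dict, trail: AuditTrail, policies=POLICIES) -> list:
    """Return the control actions for an event and record the decision."""
    fired = [p for p in policies if p.condition(event)]
    actions = [a for p in fired for a in p.actions] or ["allow"]
    # The event carries its risk score, so the record holds trigger, score and controls.
    trail.append(event, [p.policy_id for p in fired], actions)
    return actions


def coverage_gaps(policies=POLICIES, required=REQUIRED) -> list:
    """Requirements that no policy in the catalog is linked to."""
    covered = set().union(*(p.maps_to for p in policies))
    return sorted(required - covered)


def sample_event(**overrides) -> dict:
    """Constructed sample event; every field name here is an assumption."""
    base = {"id": "evt-0", "op": "read", "dataset": "customers_eu",
            "sensitivity": "low", "purpose": "billing",
            "declared_purposes": ["billing"], "age_days": 30,
            "retention_days": 365, "risk_score": 0.1}
    return {**base, **overrides}


if __name__ == "__main__":
    trail = AuditTrail()
    risky = sample_event(id="evt-1", op="transfer", sensitivity="high", risk_score=0.82)
    print(evaluate(risky, trail))
    print(evaluate(sample_event(id="evt-2", purpose="marketing"), trail))
    print("audit chain intact:", trail.verify())
    print("uncovered requirements:", coverage_gaps())
```

The coverage check reports data minimisation as uncovered because no constructed policy links to it, which is the kind of gap the governance catalog is meant to surface when regulations or policies change.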

5. Technical Architecture of the DRADG Platform

The DRADG platform is based on a multi-layered architecture emphasizing resilience [32], modularity, and adaptation to context. It was developed with the main goal of managing operations on huge datasets while both reducing risks downstream and preventing them from arising upstream. The platform can dynamically enforce policies and preserve real-time governance by (1) applying well-accepted methods for data engineering and (2) using a combination of AI-powered components and semantic intelligence. The architecture is shown in Figure 8 and arranged in six functional areas:
  • Data sources.
  • Ingestion and transport.
  • Core data platform.
  • Transversal services.
  • Data access layers.
  • Governance with observability.

5.1. Data Sources and Entry Points

The design permits the use of various input sources that mirror real business environments. These encompass unstructured information obtained from external APIs, semi-structured content from user file uploads, and structured data from internal databases and business applications. The need to apply governance solutions over different organizational divisions with diverse data requirements makes this disparate approach essential.
Another key element is partner APIs, which enable controlled data flow between companies while maintaining adherence to accepted access control systems. All source types link to the ingestion infrastructure through secured channels that are under constant monitoring to ensure data integrity.

5.2. Ingestion and Transport Layer

The ingestion layer uses three processing paradigms [33] to handle the many kinds of incoming data flows: batch operations, real-time streaming, and change data capture (CDC).
Batch jobs automatically validate and transform arriving files and route them to their destinations, using workflow orchestration and a style that borrows from landing zones. Real-time streaming, implemented with Kafka and MQTT, delivers event-driven data in time for the alerting system to detect a risk signal at the earliest possible moment.
Change data capture (CDC) distributes the changes that make up an incremental update with the least amount of system overhead. The implementation uses Debezium and Kafka Connect to track database changes at the row level.
This method ensures that both old and new kinds of data are processed consistently before they are integrated into the core data infrastructure. Complete traceability is maintained throughout the process.
To handle traffic spikes without bottlenecks, the ingestion layer leverages Kafka’s horizontal scalability through topic partitioning and consumer groups, allowing parallel processing across multiple nodes. Kubernetes Horizontal Pod Autoscaler (HPA) dynamically adjusts the number of processing pods based on CPU and memory thresholds. For enforcement, a backpressure mechanism throttles upstream producers when downstream policy evaluation lags, preventing queue overflow. Critical policy decisions are prioritized through dedicated fast-path partitions, ensuring that high-risk events are processed with minimal delay even under heavy load.

5.3. Core Data Platform

The central platform component integrates storage, computation, and data exposition under a single architectural framework.
Data persistence utilizes Apache Iceberg and Parquet formats [34,35], chosen because they support versioning, partition pruning, and schema evolution. They work with scalable object storage systems (such as S3-compatible infrastructures [36]), around which durable and low-cost large installations can be built.
Processing operations achieve parallelized, fault-tolerant execution by using distributed computing engines such as Spark and Dask [37,38]. Large-scale computational tasks run on the Kubernetes infrastructure [39] to ensure that resources are well isolated and that the system is scalable and reproducible. The combination of JupyterHub and MLflow [40] offers an environment tailored to machine learning operations, supporting the operations side of the MLOps life cycle.
A flexible exposition layer supports the various data access needs. It contains four elements: exportable extracts for external consumption; carefully chosen data products for specific use cases; NoSQL document stores, which give analysts the advantages of flexible querying; and graph databases tuned for relationship analysis [41].
This combined computation and exposition infrastructure ensures continuous risk assessment [42]. It tracks behavioral patterns and creates regulatory insights [43,44].

5.4. Transversal Components and Contextual Intelligence

The transversal layer hosts the shared services necessary to maintain the consistency and semantic clarity of the platform.
At its core, the Risk-Aware Contextual Engine (RACE) [45] uses a knowledge graph to encode business rules, link data entities, and render context-aware inferences. By feeding enhanced, contextual metadata to every other component, this engine keeps policies and decisions dynamically aligned with the company's environmental and risk landscape rather than operating from a fixed state.
A metadata catalog and lineage tracking system, such as Apache Atlas or Amundsen [46], supports data governance. It satisfies a management requirement on which effective data governance depends.
Using Keycloak with OAuth2 [47] allows centralized authentication and fine-grained authorization. This setup enforces security rules so that active governance rules, data sensitivity, and user roles all work together to control access to the data.
Event-based communication is built on a distributed Kafka event bus [48]. It couples the parts of an increasingly event-driven architecture while still yielding highly responsive data services. The event bus links ingestion events and access events, updates service policies in between as needed, and allows for some service monitoring. Without this event-based coupling, the services would hardly serve any purpose at all.

5.5. Access to Data and Interaction

Data consumers engage with the platform via several access points. Driven by tools such as Superset or Metabase [49], dashboards give real-time operational KPIs and risk score visibility. Particularly helpful for risk analysts and data scientists, data notebooks help with exploratory research.
By means of REST or GraphQL APIs [50], custom applications can interact with the governed data, enabling business-specific processes. Respecting access and compliance rules, a self-service workspace lets users run searches, run inquiries, and independently produce insights.
This architecture guarantees that, in the proper context, with the proper protections, the correct people access the correct data.

5.6. Governance and Observability

Governance is integrated into architecture [51]. Dedicated layers ensure data quality, data discovery (data catalog), data lineage, access rules, and auditability.
The observability stack [52] comprises tools for logging, monitoring, alerting, testing, and tracking. These services incessantly assess the data pipeline’s health alongside the model’s performance and compliance level. When the observability stack [53] uncovers a troubling situation, it might trigger model retraining, policy changes, or reprocessing [54].
This integration of observability with contextual intelligence via RACE makes closed-loop governance possible [55]. Closed-loop governance is when a system observes itself, learns from its surroundings, and modifies its behavior. In human systems, we call this learning and modification of behavior “governance”.

5.7. Architectural Contributions to Risk and Data Management

Every architectural decision directly advances the objective of effective, efficient, and robust data management and adaptive risk governance. The architecture itself is modular and event-driven, a framework within which we can understand data as it moves through various kinds of change. The intelligence resides in the decision-making processes that the architecture supports [56].
Think about an underwriter in the insurance sector who is faced with the task of evaluating a complex assortment of data and associated risk scores. In this context, the RACE’s capabilities are designed to assist human experts by capturing the domain’s nuances and backing informed, context-aware decisions. From a DHS perspective, achieving this level of capability corresponds to creating an intelligent orchestration layer that embeds expert reasoning into the platform’s risk-adaptive behavior.

5.8. Preliminary Quantitative Comparison

To provide a first quantitative indication of DRADG’s benefits, we instantiated the architecture on a representative data platform and implemented a cross-border data-sharing scenario involving multiple datasets, jurisdictions, and changing regulatory constraints. We compared four configurations:
  • Static governance, manual policies, and periodic audits only;
  • Rules-only governance, a fixed rule engine without adaptive risk scoring;
  • Traditional framework instantiation, controls derived from DAMA/NIST but implemented as static checklists;
  • DRADG-RACE with risk scoring, threshold-based enforcement, and policy adaptation.
For each configuration we measured the metrics associated with RQ4: (i) adaptation latency (time between a new risk signal or policy change and enforcement of an updated control), (ii) number of violations detected and avoided over a fixed time window, (iii) operational overhead (additional processing time and resource usage), and (iv) a simple compliance score (percentage of events satisfying the applicable policies) as presented in Table 4.
The evaluation was conducted on a synthetic cross-border data-sharing scenario involving 12 datasets, three jurisdictions (EU, US, and APAC), and 150 simulated policy change events over a 30-day period. The platform was deployed on a Kubernetes cluster (eight nodes at 32 GB RAM each). AI components were configured as follows: Isolation Forests (100 estimators with a contamination rate of 0.05), Bayesian networks (discrete CPTs learned from 10,000 historical incidents), and DQN (a three-layer MLP, with a learning rate of 0.001 and a replay buffer of 50,000). Risk scores were computed using the formula defined in Section 4.1. Metrics captured include adaptation latency (time until enforcement), violation detection rate, and compliance score (percentage of events satisfying applicable policies).
Table 4. Comparison of the four configurations of frameworks.

| Configuration | Adaptation Latency | Violations Detected | Violations Prevented | Operational Overhead | Compliance Score |
| --- | --- | --- | --- | --- | --- |
| Static governance (manual only) | ~30 days | 15 | 0 | ~0% | 68% |
| Rules-only governance (fixed rules) | ~7 days | 32 | 10 | ~3% | 79% |
| Traditional framework instantiation | ~3 days | 41 | 18 | ~5% | 86% |
| DRADG (risk-adaptive) | <4 h | 57 | 36 | ~8% | 93% |

The current evaluation relies on simulation rather than production deployment, which limits generalisability. However, several measures were taken to mitigate this threat: (i) the scenario design was informed by real enterprise data governance challenges identified through practitioner interviews; (ii) the technical architecture uses production-grade components (Kafka, Kubernetes, Apache Iceberg) widely adopted in industry; and (iii) the framework was iteratively refined based on expert feedback from data governance professionals. Nonetheless, full empirical validation through pilot deployments in operational environments remains essential future work.

6. Implementation Guide

Implementing the DRADG framework within an organization requires careful planning and preparation, as it is not a straightforward process. A structured strategy is essential to achieve meaningful outcomes without disrupting existing operations. To address this, we have developed a comprehensive roadmap for implementation (see Figure 9). This roadmap outlines the necessary prerequisites for initiating the process, followed by a detailed breakdown of the five primary implementation phases. Additionally, it provides methods to evaluate the framework's effectiveness, aligning with the objectives of RQ4 as discussed earlier, and includes a reference table for practical guidance. This approach directly addresses the fifth research question, which seeks to understand the key factors that enable effective risk-focused data governance in contemporary organizational contexts. It builds upon the innovative components introduced in Section 5, translating them into actionable steps.

6.1. Five-Step Implementation Methodology

The implementation of the DRADG framework has been structured into five distinct phases, designed to systematically enhance an organization’s existing governance system to better adapt to emerging risks. Each phase addresses specific implementation challenges, ensuring that the framework meets organizational requirements while maintaining compliance with regulatory standards. The process begins with a comprehensive assessment of the organization’s current governance policies, risk management strategies, and technical infrastructure. This initial step is critical, as it enables the identification of vulnerabilities within the existing system, such as fragmented data structures or gaps in monitoring, emphasizing the strategic integration of DRADG to mitigate these identified issues effectively.
The next phase involves technical integration, during which the framework is incorporated into the organization’s data environment. This process entails deploying the framework’s layers, such as Policy and Governance, and Data Quality and Risk Assessment, while ensuring their seamless interoperability with existing systems. The AI components, including Deep Q-Networks, are calibrated to generate contextually appropriate policies, integrate effectively with data systems, and continuously monitor for potential threats.
The third phase centers on training, which is essential for ensuring the framework’s effective utilization. This phase involves collaboration with the organization’s data engineers, governance teams, and IT personnel to build their proficiency in using the framework’s tools, such as interpreting risk scores and leveraging predictive analytics to inform decision-making. Particular emphasis is placed on the RACE, which enables teams to tailor risk assessments to the organization’s specific priorities.
During the deployment phase, the framework’s real-time monitoring and policy enforcement functionalities are activated across the organization. A phased deployment strategy is adopted, beginning with the most critical operations and progressively expanding to other areas, thereby minimizing operational disruptions. To ensure continuity when critical components fail, DRADG incorporates graceful degradation mechanisms. If the RACE becomes unavailable, the system reverts to a cached policy ruleset that enforces baseline governance controls until full functionality is restored. For AI component failures (DQN and Bayesian networks), static rule-based defaults take over, maintaining essential risk detection albeit with reduced adaptability. Kafka unavailability triggers local queuing with automatic replay upon recovery. All fallback events are logged for post-incident analysis, and automated alerts notify governance teams to enable rapid intervention.
The final phase focuses on post-deployment evaluation, where the framework’s performance is assessed through the analysis of previously established performance indicators and the collection of feedback to identify areas for refinement. This evaluation provides a comprehensive understanding of the framework’s effectiveness, particularly in its capacity to address compliance requirements efficiently and enhance overall adherence to regulatory standards.
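The graceful degradation behavior described for the deployment phase can be sketched as a gateway that covers two of the fallbacks: the cached ruleset when the RACE is unreachable, and local queuing with ordered replay when the event bus is down. This is an added example, not DRADG's own code: the class and field names, the stand-in engine and bus, and the choice to deny when no cached rule matches are assumptions.

```python
from collections import deque


class EngineUnavailable(Exception):
    """Raised by the (hypothetical) RACE client when the engine cannot be reached."""


class GovernanceGateway:
    def __init__(self, race_engine, cached_rules, publish, alert=lambda entry: None):
        self.race_engine = race_engine    # callable(event) -> action
        self.cached_rules = cached_rules  # ordered (predicate, action) baseline ruleset
        self.publish = publish            # callable(record); raises ConnectionError if bus is down
        self.alert = alert                # hook that notifies the governance team
        self.local_queue = deque()        # decisions waiting for the bus
        self.fallback_log = []            # every fallback, kept for post-incident analysis

    def decide(self, event):
        try:
            action, source = self.race_engine(event), "race"
        except EngineUnavailable as exc:
            action, source = self._baseline(event), "cached_ruleset"
            self._fallback("race_unavailable", f"{event['id']}: {exc}")
        record = {"event_id": event["id"], "action": action, "source": source}
        self.local_queue.append(record)
        self.flush()
        return record

    def _baseline(self, event):
        for predicate, action in self.cached_rules:
            if predicate(event):
                return action
        return "deny"  # assumption: fail closed when no cached rule matches

    def flush(self):
        """Replay queued records oldest first; a record leaves the queue only after delivery."""
        sent = 0
        while self.local_queue:
            try:
                self.publish(self.local_queue[0])
            except ConnectionError as exc:
                self._fallback("bus_unavailable", f"queued={len(self.local_queue)}: {exc}")
                break
            self.local_queue.popleft()
            sent += 1
        return sent

    def _fallback(self, kind, detail):
        entry = {"kind": kind, "detail": detail}
        self.fallback_log.append(entry)
        self.alert(entry)


class FlakyEngine:
    """Constructed stand-in for the RACE: a single threshold rule plus an outage switch."""
    def __init__(self):
        self.up = True

    def __call__(self, event):
        if not self.up:
            raise EngineUnavailable("RACE timeout")
        return "block_transfer" if event["risk_score"] >= 0.7 else "allow"


class FlakyBus:
    """Constructed stand-in for the Kafka producer."""
    def __init__(self):
        self.up, self.delivered = True, []

    def __call__(self, record):
        if not self.up:
            raise ConnectionError("broker unreachable")
        self.delivered.append(record["event_id"])


def run_outage_scenario():
    engine, bus = FlakyEngine(), FlakyBus()
    cached = [(lambda e: e["sensitivity"] == "high", "route_to_restricted_zone"),
              (lambda e: e["sensitivity"] == "low", "allow")]
    gw = GovernanceGateway(engine, cached, bus)
    events = [  # constructed events; the outage covers "b" and "c"
        ({"id": "a", "sensitivity": "high", "risk_score": 0.9}, True),
        ({"id": "b", "sensitivity": "high", "risk_score": 0.2}, False),
        ({"id": "c", "sensitivity": "medium", "risk_score": 0.2}, False),
        ({"id": "d", "sensitivity": "low", "risk_score": 0.1}, True),
    ]
    decisions = []
    for event, healthy in events:
        engine.up = bus.up = healthy
        rec = gw.decide(event)
        decisions.append((rec["event_id"], rec["action"], rec["source"]))
    return {"decisions": decisions, "delivered": bus.delivered,
            "fallbacks": [f["kind"] for f in gw.fallback_log],
            "queued_after": len(gw.local_queue)}


if __name__ == "__main__":
    for key, value in run_outage_scenario().items():
        print(key, value)
```

During the outage the baseline rule is stricter than the RACE would have been for event "b", and an event no cached rule anticipates is denied; both effects are worth reviewing in the post-incident analysis of the fallback log.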

6.2. Prerequisites for Implementation

Setting up the right foundation is crucial before jumping into DRADG implementation. Organizations need solid technical and organizational groundwork to make the most of this risk-aware framework.
First of all, we will need a decent cloud infrastructure that can handle processing in real-time and scale as needed. We have found platforms like AWS or Azure work well since they provide the computing muscle needed for the framework’s AI components, whether it is running Bayesian networks for risk assessment or using Isolation Forests to spot anomalies [57]. This setup lets us process mountains of data while keeping an eye out for threats.
The technical skills are another hurdle. Having people who understand AI is not just an additional benefit; it is essential for making the system operational and keeping it optimized. Teams need to be comfortable with probabilistic modeling, unsupervised learning techniques, and reinforcement learning approaches like Deep Q-Networks. Without this knowledge, even the best framework will struggle to deliver reliable risk management insights.
While the full DRADG implementation assumes robust infrastructure and AI expertise, the framework’s modular design enables incremental adoption. Smaller organizations can start with the foundational layers (Data Quality and Policy) using open-source tools (e.g., Apache Atlas, and OpenMetadata) and managed cloud services that reduce operational burden. Pre-trained risk models and policy templates can lower the AI expertise barrier. As maturity grows, organizations can progressively integrate advanced components such as the RACE. This staged approach aligns with the scalability objectives discussed in Section 3.3 and allows SMEs to achieve meaningful governance improvements without upfront heavy investment.

6.3. Performance Indicators

We needed reliable methods for measuring whether DRADG actually works after implementation, which is what RQ4 pertains to. So we came up with some key indicators that let us see real impact on operations, compliance, and risk handling.
The first thing we track is how fast the system responds when it spots a problem. We have set 20 s as our target; anything faster is optimal, and anything slower means we need to optimize. Then there is compliance tracking, which basically states what percentage of data activities follow rules like GDPR or ISO standards. We are aiming for 98% or better. The last significant metric looks at how well risks stay fixed once addressed; we want to see at least 95% of the identified issues resolved without them emerging again.
The KPIs and target values reported before are illustrative benchmarks rather than universal thresholds. Values such as a 20 s detection window or 95–98% coverage are inspired by typical reliability and compliance objectives observed in large-scale data and IT governance programs and by our industrial experience. In practice, each organization is expected to calibrate these targets to its own risk appetite, regulatory requirements, and operational constraints.
These numbers give us a no-nonsense way to judge if the framework delivers on its promises. Companies using DRADG can point to concrete improvements and also spot where tweaks might be needed. Sure, we could track dozens of metrics, but we have found that these three give the clearest picture of overall success with minimal overhead.
Table 5 summarizes the proposed implementation steps and can serve as a high-level guide for organizations considering DRADG adoption. We have mapped out the five main steps needed before starting, and included the key metrics to track success.

6.4. Summary of Implementation Strategy

Our implementation guide for DRADG gives a clear path to better data governance while keeping both regulators and business leaders aligned, following agility and dataops components [58]. We have proposed five main steps that take an organization from assessing where it stands today all the way through deployment, training the team, and measuring how well it is working.
What is good about this approach is how it uses AI to gradually reduce risk exposure throughout the whole process. The metrics we developed give concrete ways to show improvement, addressing that measurement question from RQ4 while making it possible to adapt implementation across different types of organizations (RQ5).
We have been upfront about what organizations need technically: a solid cloud infrastructure and prior AI knowledge are must-haves for this to work well. Looking at both the overarching idea and day-to-day operations, DRADG delivers both a solid concept and a practical solution that helps companies balance risk management with keeping things running smoothly. This helps organizations level up their data governance, respond quickly to ethical challenges, and maintain strong compliance and overall resilience.
Beyond technical and AI capabilities, DRADG assumes a minimum level of organizational maturity in data governance. At the strategy and governance layers, organizations should have defined governance roles and bodies, such as a data governance council and a risk or compliance committee, with clear escalation paths and decision rights. At the operational level, a network of data stewards and owners is required to curate metadata, maintain policy catalogs, and interpret risk signals in their domains. In addition, basic change-management capacity (training, communication, and process ownership) is necessary to translate DRADG outputs into sustainable changes in processes and behaviors. Without these organizational foundations, the technical components of DRADG (RACE, AI models, observability stack) risk remaining underused or inconsistent with actual decision-making structures.

7. Conclusions

In an era where data has become both an asset and a liability, traditional data governance frameworks no longer suffice. As businesses navigate increasingly complex data landscapes shaped by rapid technological advancement and evolving regulatory demands, the need for integrated, adaptable governance models has never been greater.
This paper proposed a novel framework that not only addresses the gaps in existing approaches but also promotes a proactive, risk-aware methodology. By aligning governance strategies with business objectives and incorporating dynamic monitoring tools, organizations can transform governance from a compliance obligation into a driver of value and innovation. While challenges remain, particularly in achieving standardization across diverse data environments, the proposed model offers a promising path forward.
DRADG’s effectiveness depends on AI model accuracy; false positives may trigger unnecessary restrictions while false negatives leave threats unaddressed. Continuous model monitoring and human-in-the-loop validation for high-impact decisions are essential safeguards. Additionally, automating governance raises accountability concerns when AI-driven policies block operations. DRADG addresses this through explainable AI components that justify risk scores, immutable audit trails logging all policy decisions, and periodic bias audits on training data to detect scoring inequities. Regarding unforeseen threats such as quantum computing attacks [59], DRADG’s modular design and knowledge graph-based risk taxonomy facilitate extensibility. New threat categories can be incorporated by updating the RACE ontology and retraining detection models without architectural changes.
However, empirical validation against emerging threats remains future work, and proactive collaboration with threat intelligence communities will be necessary to ensure timely adaptation. Future work will focus on refining this framework through real-world applications and exploring its scalability across different industry sectors.

Author Contributions

Conceptualization, Y.G. and J.G.; methodology, Y.G. and J.G.; software, Y.G.; validation, Y.G. and J.G.; formal analysis, J.G.; investigation, Y.G.; resources, J.G.; data curation, Y.G. and J.G.; writing—original draft preparation, Y.G. and J.G.; writing—review and editing, Y.G. and J.G.; visualization, Y.G. and J.G.; supervision, Y.G. and J.G.; project administration, Y.G. and J.G. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Bernardo, B.M.V.; Mamede, H.S.; Barroso, J.M.P.; Santos, V.M.P.D.D. Data governance & quality management—Innovation and breakthroughs across different fields. J. Innov. Knowl. 2024, 9, 100598.
  2. Yaqoob, F. Data Governance in the era of Big Data: Challenges and Solutions. 2022. Available online: https://zenodo.org/records/8415833 (accessed on 15 December 2025).
  3. General Data Protection Regulation (GDPR)—Legal Text. Available online: https://gdpr-info.eu/ (accessed on 9 December 2025).
  4. ISO/IEC 27001:2022; Information Security Management Systems. International Organization for Standardization: Geneva, Switzerland, 2022. Available online: https://www.iso.org/standard/27001 (accessed on 9 December 2025).
  5. Lacity, M.C.; Coon, L. (Eds.) Human Privacy in Virtual and Physical Worlds: Multidisciplinary Perspectives. In Technology, Work and Globalization; Springer Nature: Cham, Switzerland, 2024.
  6. Data Governance and Management (DGM) Profile|NIST. Available online: https://www.nist.gov/privacy-framework/new-projects/data-governance-and-management-profile (accessed on 9 December 2025).
  7. DAMA® Data Management Body of Knowledge (DAMA-DMBOK®), DAMA International®. Available online: https://dama.org/learning-resources/dama-data-management-body-of-knowledge-dmbok/ (accessed on 9 December 2025).
  8. COBIT®|Control Objectives for Information Technologies®, ISACA. Available online: https://www.isaca.org/resources/cobit (accessed on 9 December 2025).
  9. Marsolo, K.; Kirkendall, E.S. Data Governance and Strategies for Data Integration. In Pediatric Biomedical Informatics; Hutton, J., Ed.; Springer: Singapore, 2016; Volume 10.
  10. Abraham, R.; Schneider, J.; vom Brocke, J. Data governance: A conceptual framework, structured review, and research agenda. Int. J. Inf. Manag. 2019, 49, 424–438.
  11. Marcucci, S.; Alarcón, N.G.; Verhulst, S.G.; Wüllhorst, E. Mapping and Comparing Data Governance Frameworks. arXiv 2023, arXiv:2302.13731.
  12. Analysing Data Quality Frameworks and Evaluating the Statistical Output of United Nations Sustainable Development Goals’ Reports|Renewable Energy and Environmental Sustainability. Available online: https://www.rees-journal.org/articles/rees/abs/2022/01/rees210081/rees210081.html (accessed on 9 December 2025).
  13. ISO 31000:2018(en), Risk Management—Guidelines. Available online: https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en (accessed on 9 December 2025).
  14. Data Sovereignty in Information Systems|Electronic Markets. Available online: https://link.springer.com/article/10.1007/s12525-024-00693-4 (accessed on 9 December 2025).
  15. Ruslan, I.F.; Alby, M.F.; Lubis, M. Applying Data Governance Using DAMA-DMBOK 2 Framework: The Case for Human Capital Management Operations. In Proceedings of the 8th International Conference on Industrial and Business Engineering, Macau, China, 27–29 September 2022; Available online: https://dl.acm.org/doi/abs/10.1145/3568834.3568866 (accessed on 9 December 2025).
  16. Cybersecurity Capabilities for Critical Infrastructure Resilience|Information and Computer Security|Emerald Publishing. Available online: https://www.emerald.com/ics/article-abstract/30/2/255/111698/Cybersecurity-capabilities-for-critical?redirectedFrom=fulltext (accessed on 9 December 2025).
  17. Thabit, T.H.; Ishhadat, H.S.; Abdulrahman, O.T. Applying Data Governance Based on COBIT2019 Framework to Achieve Sustainable Development Goals. J. Tech. 2020, 2, 9–18.
  18. Layode, O.; Naiho, H.; Adeleke, G.; Labake, T.; Udeh, E. Data privacy and security challenges in environmental research: Approaches to safeguarding sensitive information. Int. J. Appl. Res. Soc. Sci. 2024, 6, 1193–1214.
  19. Data Governance Risk Management in the Digital Age. Available online: https://semarchy.com/blog/data-governance-risk-management/ (accessed on 9 December 2025).
  20. Cloud Data—CDMC, EDM Council. Available online: https://edmcouncil.org/frameworks/cdmc/ (accessed on 9 December 2025).
  21. Dasin, S. From Analytics to Action: How AI-Enhanced Analytics Transform Organizational Decision-Making Effectiveness Through Trust Mechanisms and Data Governance. SSRN, August 2025. Available online: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5383554 (accessed on 9 December 2025).
  22. Emerging Models of Data Governance in the Age of Datafication—Marina Micheli, Marisa Ponti, Max Craglia, Anna Berti Suman. 2020. Available online: https://journals.sagepub.com/doi/full/10.1177/2053951720948087 (accessed on 9 December 2025).
  23. Bližnák, K.; Munk, M.; Pilková, A. A Systematic Review of Recent Literature on Data Governance (2017–2023). IEEE Access 2024, 12, 149875–149888.
  24. Alhassan, I.; Sammon, D.; Daly, M. Critical Success Factors for Data Governance: A Theory Building Approach: Information Systems Management. Inf. Syst. Manag. 2019, 36, 98–110. Available online: https://www.tandfonline.com/doi/abs/10.1080/10580530.2019.1589670 (accessed on 9 December 2025).
  25. Sathyaprakash, P.; Alagarsundaram, P.; Devarajan, M.V.; Alkhayyat, A.; Poovendran, P.; Rani, D.R.; Savitha, V. Medical Practitioner-Centric Heterogeneous Network Powered Efficient E-Healthcare Risk Prediction on Health Big Data. Int. J. Coop. Inf. Syst. 2025, 34, 2450012.
  26. The Importance and Effectiveness of Cyber Risk Quantification. Available online: https://www.fairinstitute.org/what-is-fair (accessed on 9 December 2025).
  27. Informing the Global Data Future: Benchmarking Data Governance Frameworks|Data & Policy|Cambridge Core. Available online: https://www.cambridge.org/core/journals/data-and-policy/article/informing-the-global-data-future-benchmarking-data-governance-frameworks/23C5B7F8C65F21602DD5175DDE49E3BF (accessed on 9 December 2025).
  28. Autoencoder-Based Anomaly Detection System for Online Data Quality Monitoring of the CMS Electromagnetic Calorimeter|Computing and Software for Big Science. Available online: https://link.springer.com/article/10.1007/s41781-024-00118-z (accessed on 9 December 2025).
  29. Hassan, N.A.B. Managing Data Dependencies in Cloud-Based Big Data Pipelines: Challenges, Solutions, and Performance Optimization Strategies. Orient J. Emerg. Paradig. Artif. Intell. Auton. Syst. 2025, 15, 20–28.
  30. A Hybrid Framework Using Explainable AI (XAI) in Cyber-Risk Management for Defence and Recovery Against Phishing Attacks—ScienceDirect. Available online: https://www-sciencedirect-com.eressources.imist.ma/science/article/pii/S016792362300177X (accessed on 9 December 2025).
  31. Eu Regulatory Ecosystem for Ethical AI|AI and Ethics. Available online: https://link.springer.com/article/10.1007/s43681-025-00749-x (accessed on 9 December 2025).
  32. Halevy, A.; Rajaraman, A.; Corp, K.; Ordille, J. Data Integration: The Teenage Years. In Proceedings of the 32nd International Conference on Very Large Data Bases, Seoul, Republic of Korea, 12–15 September 2006.
  33. Kiran, M.; Murphy, P.; Monga, I.; Dugan, J.; Baveja, S.S. Lambda architecture for cost-effective batch and speed big data processing. In Proceedings of the 2015 IEEE International Conference on Big Data (Big Data), Santa Clara, CA, USA, 29 October–1 November 2015; pp. 2785–2792.
  34. Keeping the Data Lake in Form: Proximity Mining for Pre-Filtering Schema Matching: ACM Transactions on Information Systems: Vol 38, No 3. Available online: https://dl.acm.org/doi/abs/10.1145/3388870 (accessed on 9 December 2025).
  35. Nambiar, A.; Mundra, D. An Overview of Data Warehouse and Data Lake in Modern Enterprise Data Management. Big Data Cogn. Comput. 2022, 6, 132.
  36. Prasetyo, A.; Nugroho, F. An Examination of Cloud Native Data Platform Architectures and Their Impact on Scalability, Flexibility, and Analytical Performance in Enterprise Environments. Arch. Interdiscip. Sci. Eng. Res. 2025, 15, 1–11.
  37. Zaharia, M.; Xin, R.S.; Wendell, P.; Das, T.; Armbrust, M.; Dave, A.; Meng, X.; Rosen, J.; Venkataraman, S.; Franklin, M.J.; et al. Apache Spark: A unified engine for big data processing. Commun. ACM 2016, 59, 56–65.
  38. Rocklin, M. Dask: Parallel Computation with Blocked algorithms and Task Scheduling. Presented at the Python in Science Conference, Austin, TX, USA, 30 January–2 February 2015; pp. 126–132.
  39. Burns, B.; Grant, B.; Oppenheimer, D.; Brewer, E.; Wilkes, J. Borg, Omega, and Kubernetes. Queue 2016, 14, 70–93.
  40. Chen, A.; Chow, A.; Davidson, A.; DCunha, A.; Ghodsi, A.; Hong, S.A.; Konwinski, A.; Mewald, C.; Murching, S.; Nykodym, T.; et al. Developments in MLflow: A System to Accelerate the Machine Learning Lifecycle. In Proceedings of the Fourth International Workshop on Data Management for End-to-End Machine Learning, Portland, OR, USA, 14 June 2020; Available online: https://dl.acm.org/doi/abs/10.1145/3399579.3399867 (accessed on 9 December 2025).
  41. Survey of Graph Database Models|ACM Computing Surveys. Available online: https://dl.acm.org/doi/abs/10.1145/1322432.1322433 (accessed on 9 December 2025).
  42. Raza, A. Real-time Machine Learning Pipelines for Big Data in Cloud Environments: Implementing Streaming Algorithms on Apache Kafka. Open J. Robot. Auton. Decis.-Mak. Hum.-Mach. Interact. 2023, 8, 1–11.
  43. Kramer, J.; Lu, T. A Reproducible Framework for Benchmarking Machine Learning Operations (MLOps) Infrastructures: Comparing Bare-Metal and Orchestrated Machine Learning Workflows. Cureus J. Comput. Sci. 2025, 2, 1–13.
  44. Yallop, A.; Seraphin, H. Big data and analytics in tourism and hospitality: Opportunities and risks. J. Tour. Futures 2020, 6, 257–262.
  45. Giotis, K.; Kryftis, Y.; Maglaris, V. Policy-based orchestration of NFV services in Software-Defined Networks. In Proceedings of the 2015 1st IEEE Conference on Network Softwarization (NetSoft), London, UK, 13–17 April 2015; pp. 1–5.
  46. Kropshofer, J.; Schrott, J.; Wöß, W.; Ehrlinger, L. A Survey on the Functionalities of Data Catalog Tools. IEEE Access 2025, 13, 83297–83319.
  47. Norimatsu, T.; Nakamura, Y.; Yamauchi, T. Policy-Based Method for Applying OAuth 2.0-Based Security Profiles. IEICE Trans. Inf. Syst. 2023, E106.D, 1364–1379.
  48. Kreps, J.; Narkhede, N.; Rao, J. Kafka: A Distributed Messaging System for Log Processing. Proc. NetDB 2011, 11, 1–7.
  49. Aveiro, D.; Mendes, J.; Pinto, D.; Freitas, V. A Comparative Analysis of Open-Source Business Intelligence Platforms for Integration with a Low-Code Platform. In Proceedings of the International Conference on Information Systems Development (ISD), Lisbon, Portugal, 30 August–1 September 2023; Available online: https://aisel.aisnet.org/isd2014/proceedings2023/datascience/5 (accessed on 15 December 2025).
  50. Biehl, M. GraphQL API Design; API-University Press: Rotkreuz, Switzerland, 2018.
  51. A Systematic Literature Review of Data Governance and Cloud Data Governance|Personal and Ubiquitous Computing. Available online: https://link.springer.com/article/10.1007/s00779-017-1104-3 (accessed on 9 December 2025).
  52. Souza, A. Observability and Monitoring. In Tech Leadership Playbook: Building and Sustaining High-Impact Technology Teams; Souza, A., Ed.; Apress: Berkeley, CA, USA, 2024; pp. 171–191.
  53. Nogare, D.; Silveira, I.F. MLOps for Machine Learning Model Lifecycle Automation—A Systematic Literature Review. Available online: https://www.authorea.com/doi/full/10.36227/techrxiv.175329541.19088779?commit=79f5ec553262b386282b91f3d398919ce5ffb61f (accessed on 9 December 2025).
  54. Ruan, G.; Zhang, H. Closed-loop Big Data Analysis with Visualization and Scalable Computing. Big Data Res. 2017, 8, 12–26.
  55. Risk-Aware Data Governance: Using AI to Detect Policy Violations in SAP Records and Transaction Logs|Request PDF. Available online: https://www.researchgate.net/publication/397705978_Risk-Aware_Data_Governance_Using_AI_to_Detect_Policy_Violations_in_SAP_Records_and_Transaction_Logs (accessed on 9 December 2025).
  56. Amershi, S.; Begel, A.; Bird, C.; DeLine, R.; Gall, H.; Kamar, E.; Nagappan, N.; Nushi, B.; Zimmermann, T. Software Engineering for Machine Learning: A Case Study. In Proceedings of the 2019 IEEE/ACM 41st International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP), Montreal, QC, Canada, 25–31 May 2019; pp. 291–300.
  57. Elbarmile, S.; Gharib, J.; Gahi, Y. Risks Assessment of AI Integration in Cybersecurity: A Synergistic Approach with FMECA and ISO 31000. In Proceedings of the 4th International Conference on Advances in Communication Technology and Computer Engineering (ICACTCE’24); Iwendi, C., Boulouard, Z., Kryvinska, N., Eds.; Lecture Notes in Networks and Systems; Springer: Cham, Switzerland, 2025; Volume 1312.
  58. Aymen, F.; Jihane, G.; Youssef, G. Enhancing DataOps practices through innovative collaborative models: A systematic review. Int. J. Inf. Manag. Data Insights 2025, 5, 100321.
  59. Gharib, J.; Gahi, Y. Quantum Computing and AI Applications in Industry 5.0 Use Cases. In Quantum Computing and Artificial Intelligence: The Industry Use Cases; Raj, P., Sundaravadivazhagan, B., Ouaissa, M., Kavitha, V., Kumari, S.K., Eds.; Wiley: Hoboken, NJ, USA, 2025.
Figure 1. Standardized data frameworks.
Figure 2. Conceptual architecture of Dynamic Risk-Adaptive Data Governance Framework.
Figure 3. Detailed Data Quality and Risk Assessment component.
Figure 4. Detailed Policy and Governance Layer component.
Figure 5. Detailed Data Operations and Control component.
Figure 6. Detailed Analytics and Intelligence component.
Figure 7. Detailed Integration and Interoperability component.
Figure 8. Technical architecture of Dynamic Risk-Adaptive Data Governance Platform.
Figure 9. Comprehensive implementation strategy for DRADG: five-step methodology with prerequisites and performance indicators.
Table 1. Comprehensive matrix of data governance frameworks and risk management.

| Framework | Risk Identification | Risk Assessment | Risk Mitigation | Risk Monitoring and Reporting |
|---|---|---|---|---|
| DAMA | Moderate: Identifies risks in data relevance, accuracy, and quality but does not address broader cybersecurity or ethical risks. | Moderate: Focuses on assessing data quality risks (e.g., inconsistencies, errors) rather than systemic risks. | Strong: Provides in-depth strategies for improving data quality (e.g., cleansing, validation) to mitigate risks. | Moderate: Does not explicitly emphasize risk monitoring and focuses on governance for quality control. |
| COBIT (Control Objectives for Information and Related Technologies) | Moderate: Identifies governance-related risks in IT systems but does not delve into privacy or operational risks explicitly. | Moderate: Focuses on aligning IT risks with business objectives, emphasizing strategic assessment. | Moderate: Includes IT governance controls but lacks comprehensive coverage of technical safeguards for mitigation. | Strong: Emphasizes robust reporting structures and accountability for monitoring risks within IT governance. |
| GDPR (General Data Protection Regulation) | Strong: Requires Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) to identify privacy risks. | Strong: Assesses risks in data processing based on principles of minimization, fairness, and transparency. | Moderate: Provides legal and procedural mitigation measures but lacks technical guidance for implementation. | Moderate: Mandates periodic reviews and audits but does not provide specific tools for continuous monitoring. |
| NIST DGM Profile (2024) | Strong: Integrates identification of governance-related risks, including ethical, operational, and stakeholder impacts. | Moderate: Holistic risk assessment across privacy, cybersecurity, and data governance, with cross-framework alignment. | Strong: Encourages multi-faceted mitigation strategies that combine technical, operational, and ethical safeguards. | Strong: Promotes continuous risk tracking, governance reviews, and transparent reporting mechanisms. |
Table 2. Summary of DRADG layers.

| Layer | Purpose | Subcomponents | Algorithms | Interactions |
|---|---|---|---|---|
| Data Quality and Risk Assessment | Identify and quantify risks in real-time | Metrics, Risk Taxonomy | Deep Neural Networks | Sends risk scores to Policy; receives analytics from Intelligence |
| Policy and Governance | Generate adaptive governance policies | Policy Generation, Compliance Mapping | Deep Q-Networks (DQNs) | Receives risk input; sends directives to Operations |
| Data Operations and Control | Monitor and enforce policies | AI Monitoring Agents, Control Mechanisms | Isolation Forests | Receives policies; sends logs to Analytics |
| Analytics and Intelligence | Predict threats and measure KPIs | Bayesian networks, KPI Dashboards | Bayesian inference | Receives operational data; sends insights to Quality |
| Integration and Interoperability | Ensure regulatory alignment | GDPR/ISO/NIST Modules, API Connectors | Rule-based mapping | Receives from all layers; outputs compliance reports |
| RACE (Transversal) | Contextualize risk across layers | Knowledge Graph | Semantic reasoning | Bidirectional with all layers |
Table 3. Comparison of DRADG with existing data governance frameworks.

| Criterion | DAMA-DMBOK | NIST DGM | DRADG |
|---|---|---|---|
| Lifecycle coverage | Broad, process-oriented | Broad, function-oriented | Broad, explicit layers and events |
| Explicit risk constructs | Partially (policies, stewardship) | High-level (risk is referenced but abstract) | Central (risk models, scores, thresholds) |
| Dynamic adaptation | Not specified | Not specified | Core capability (RACE, continuous monitoring) |
| Automation support | Implicit, left to tools | Not explicit | Explicit AI and policy automation |
| Interoperability | Conceptual | Conceptual | Operational mapping via policies-as-code |
Table 5. DRADG implementation roadmap.

| Step | Objective | Key Activities | Roles Involved | Artifacts |
|---|---|---|---|---|
| 1. Initial Evaluation | Assess current state and gaps | Audit existing governance policies, identify infrastructure gaps, map risk exposure | Data Governance Council, IT Architects | Gap analysis report, risk inventory |
| 2. Technical Integration | Deploy DRADG components | Install platform layers, configure AI models, integrate with data sources | Data Engineers, ML Engineers | Deployed platform, configuration specs |
| 3. Training | Build team proficiency | Conduct workshops on RACE, train on risk score interpretation | Data Stewards, Governance Teams | Training materials, competency assessments |
| 4. Deployment | Activate live operations | Phased rollout starting with high-risk areas, enable real-time monitoring | Operations Team, Security Officers | Go-live checklist, monitoring dashboards |
| 5. Evaluation | Measure and refine | Track KPIs, collect feedback, iterate on policies and models | All Stakeholders | Performance reports, improvement backlog |

Gharib, J.; Gahi, Y. DRADG: A Dynamic Risk-Adaptive Data Governance Framework for Modern Digital Ecosystems. Information 2026, 17, 102. https://doi.org/10.3390/info17010102