The rules of professional exposure have changed. What was once an institutional risk, absorbed by the organization, quietly settled with a fine, and managed by in-house counsel, has shifted to something far more personal. Regulators are no longer content to penalize companies. They are naming the people who run them.
Approximately two-thirds of the SEC’s standalone enforcement actions in fiscal year 2025 charged individual bad actors, a 27-percent increase year-over-year, rising to nearly nine in ten under the most recent commission leadership. That is not a statistical anomaly. A fine paid by the firm does not follow the executive to their next job. A bar order does. For facility owners, design/build professionals, and the directors and officers who sign off on project delivery, this enforcement posture represents a category-level shift in personal liability.
The question is no longer whether your organization has records. The question is whether you, as a fiduciary, can prove the chain of custody behind them.
THE INDIVIDUAL IS NOW THE TARGET
SEC enforcement under recent leadership has combined corporate settlements with targeted charges against officers, directors, and gatekeepers, driven by a longstanding belief that guilt should be personal, and that the most effective deterrent is achieved when responsible individuals face consequences. This philosophy is accelerating. The current SEC administration has focused more heavily on individual accountability, with nearly 90 percent of stand-alone actions filed since the presidential inauguration involving individual charges.
For executives in the facility and design/build sector, this development demands an immediate reframe. The instinct is to view records management as a compliance function, something delegated to operations or project management teams. That instinct is now professionally dangerous. When regulators investigate a facility audit failure or a data gap in a design/build project, they no longer stop at the organizational chart. They are asking who knew, who should have known, and who signed.
“I didn’t know the records were lost” is no longer a defensible answer. Under emerging “failure to prevent” liability frameworks, the absence of a documented oversight process is itself the violation. Ignorance of a records gap does not insulate an executive; it confirms the gap in governance that regulators are looking for.
THE CUSTODIAN RISK
Facility owners and design/build professionals occupy a uniquely exposed position in this environment. They sit at the intersection of physical infrastructure, sensitive project data, permitting records, inspection logs, and asset documentation. Every one of those record types is subject to regulatory scrutiny. And the integration of A.I.-driven tools into the litigation and inspection process means that gaps in the public record are increasingly discoverable without a formal investigation ever being opened.
The integration of A.I. into workplace safety practices significantly expands the universe of potentially discoverable materials in litigation, increasing both the volume and complexity of safety-related data and subjecting employers to heightened scrutiny following an incident.
The facility professional who operates without a structured identity framework for their asset data is, in practical terms, a custodian of sensitive information without a chain of custody. That is the definition of errors and omissions exposure.
STRUCTURAL FRAMEWORKS THAT PROTECT FIDUCIARIES
The solution is not more documentation. It is smarter documentation built on a consistent, system-agnostic identity architecture that travels with the asset regardless of who owns the software platform, manages the project, or inherits the facility decades from now.
The core problem in most facility and design/build operations is that records are created within software ecosystems that change. Platforms get upgraded, vendors get replaced, and project data gets migrated in ways that sever the original chain of custody. What remains is a collection of records that exist, but cannot be traced. In an audit or a litigation event, untraced records are functionally equivalent to missing records.
A structured identity system solves this by anchoring every asset record to a universal, persistent reference that does not depend on any single platform or database. When that reference exists, the data lineage is provable. When regulators, insurers, or opposing counsel ask for the history of a decision or the documentation behind an asset certification, the thread is intact. This is what transforms a records archive from a liability into a defense.
The practical implementation involves four disciplines. First, assign a stable, universal identity to every asset at the point of creation, not at the point of concern. Second, enforce consistent record linkage at each project phase so that commissioning data, inspection records, and as-built documentation share a common reference. Third, ensure that the identity standard is system-agnostic, meaning it will survive platform migrations and remain readable regardless of the software environment. Fourth, conduct regular data lineage audits so that gaps are discovered internally before they are discovered externally.
TRANSPARENCY IS NOT OPTIONAL
The regulatory pressure driving this shift is not limited to the SEC’s individual accountability pivot. With the GENIUS Act’s implementing regulations expected by July 2026 and enforcement mechanisms including civil penalties, criminal prosecution, and license revocation, organizations must act now. While the GENIUS Act’s primary architecture addresses digital financial instruments, its transparency and data lineage principles are being absorbed into the broader federal compliance posture. Regulators across agencies are converging on a common expectation: Prove what you claim, and prove it through a documented chain of evidence that an external reviewer can independently verify.
For facility and design/build executives, this means the “documented or it didn’t happen” standard is no longer aspirational. It is the baseline for audit survival and personal liability protection. For facility owners and design/build professionals operating in this regulatory climate, the competitive advantage belongs to those who build the chain of custody before anyone asks for it.
about the author
Trevor Vick is the CEO of UMIP, Inc. and the founder of the Global Infrastructure Identity Standard (GIIS). For more, visit www.umipinc.com.