Data and Information Inventory and Attributes

The Sensitivity Classification attribute on every Data and Information type record references the Data Sensitivity Types Inventory (not yet published — refer to the IF4IT Enterprise Inventory Management Best Practices document). The Data Sensitivity Types Inventory defines the governed sensitivity classifications — PII, PHI, PCI, PFI, and others — with their domains, governing frameworks, regulatory obligations, and scope. This inventory applies those classifications at the data type level.

When the Data Sensitivity Types Inventory is published, Sensitivity Classification values will carry formal Semantic ID references. Until then, the standard value set (PII, PHI, PCI, PFI, Confidential, Regulated, None) is used as plain text. The Data Sensitivity Types Inventory baseline has been designed and is documented in REFERENCE_DATA_INVENTORY_NOTES.md for reference.

When established, this relationship enables enterprise-level sensitivity governance queries: for any sensitivity classification, the complete set of Data and Information types carrying that classification is queryable — and from those types, the complete set of integrations, applications, capabilities, and data stores handling sensitive content is traversable through the Enterprise Model graph.