Digital Integrity Reference Model
A formal nine-stage process framework for the Digital Integrity discipline, spanning governance architecture through continuous threat intelligence. The DIRM defines how organizations operationalize authenticity, provenance, and evidence integrity at every stage of the content lifecycle.
On this page
What the DIRM does
The DIRM is the process reference model for Digital Integrity, analogous to EDRM for electronic discovery or ITIL for service management. It defines the sequential activities practitioners perform to govern, detect, verify, investigate, assess, and respond to digital integrity challenges.
The DI standards series defines what organizations must know. The DIRM defines what they must do. It serves as the practitioner's process map, the audit framework's stage structure, and the curriculum spine for professional accreditation.
Interactive reference model
Select any stage to expand its purpose, key activities, and governing standards.
Stage 09 completes the cycle: intelligence findings update governance frameworks and detection models, initiating the next iteration.
Model overview
The DIRM emerged from the need for a unified process framework that could bridge the Digital Integrity discipline's technical, legal, and governance dimensions. Existing frameworks such as NIST CSF, ISO 27001, and EDRM address adjacent domains, but none provides end-to-end guidance for digital content authenticity in an environment of AI-generated and algorithmically manipulated media.
The DIRM draws structural inspiration from the Electronic Discovery Reference Model (EDRM), which transformed legal practice by providing a shared process vocabulary. The DIRM applies the same principle to digital integrity: a standard map of stages that any organization, practitioner, or tool vendor can reference.
The model is sequentially ordered but not strictly linear. In practice, the Detect, Verify, and Investigate stages run concurrently within an active incident. The Intelligence stage is continuous: it operates in parallel with all other stages rather than only at the conclusion of a response cycle.
Four functions of the DIRM
- Process map. Defines what practitioners do at each stage of a digital integrity engagement, from initial governance design through post-incident intelligence capture.
- Audit framework. Provides the stage structure against which organizations can assess their Digital Integrity program maturity.
- Curriculum structure. Forms the spine of the DI professional accreditation and certification program, with each stage mapped to a practitioner competency domain.
- Interoperability bridge. Aligns Digital Integrity process language with related frameworks such as ISO/IEC 27037, NIST SP 800-86, and EDRM to enable cross-framework mapping.
The nine stages
Each stage addresses a distinct function in the Digital Integrity process lifecycle.
01 · GovernGOV domain
Establishes the organizational policies, accountability structures, roles, and governance frameworks required to manage digital integrity risk. Govern is the foundation on which all subsequent stages operate. Outputs include a Digital Integrity Policy, risk register, roles matrix, and executive accountability framework.
02 · IdentifyGOV/DETECT domains
Catalogues digital assets, maps threat exposure, and profiles risk across content types, channels, and organizational contexts. Produces an asset inventory, threat exposure map, and prioritized risk register. Identify scopes subsequent detection and verification activity and informs resource allocation decisions.
03 · PreserveEVID domain
Establishes chain-of-custody procedures, acquisition protocols, and metadata preservation standards to ensure that digital content and evidence remain admissible and tamper-evident from first encounter. Preserve is especially critical when litigation, regulatory investigation, or law-enforcement interaction is foreseeable.
04 · DetectDETECT domain
Applies technical detection capabilities to identify synthetic, manipulated, or inauthentic content. Encompasses AI-based deepfake detection, provenance signal analysis, metadata anomaly detection, and continuous monitoring of content pipelines. Detection outputs are passed to Verify for confirmation and Investigate for forensic examination.
05 · VerifyVERIFY domain
Confirms or refutes authenticity and establishes provenance through structured verification procedures. Verification applies cryptographic provenance checking, attestation review, cross-source corroboration, and expert analysis. Outputs include an authenticity determination and a confidence-graded provenance record suitable for legal and regulatory use.
06 · InvestigateEVID domain
Applies forensic methodology to characterize the nature, origin, and extent of a digital integrity incident. Investigation includes deep technical analysis of detected artefacts, attribution assessment, scope determination, and documentation of findings in forms suitable for litigation, regulatory submission, or internal governance review.
07 · AssessRESP domain
Evaluates the impact, legal exposure, and risk implications of confirmed digital integrity incidents. Assessment integrates technical findings with legal analysis, stakeholder impact evaluation, and regulatory notification obligations. Outputs guide proportionate response planning and inform executive decision-making under time pressure.
08 · RespondRESP domain
Executes remediation, disclosure, and mitigation actions. Respond covers content takedown, platform notification, regulatory reporting, public communications, legal filings, and internal corrective action. Response plans are developed during Assess; Respond is the execution stage, concluded with a post-incident review and lessons-learned capture.
09 · IntelligenceTRAIN/GOV domains
Operates continuously across all stages, capturing threat intelligence, updating detection models, refining governance policies, and feeding insights back into Stage 01. The Intelligence stage is the discipline's learning mechanism rather than a terminal step. Threat landscapes evolve, and the Intelligence stage ensures that the organization's Digital Integrity posture evolves with them.
↺ 01 · Govern, Renewed GOV domain · Cycle continues
The loop-back mechanism. Stage 09 initiates the next iteration of the DIRM rather than concluding the current one. Intelligence outputs feed directly back into Stage 01 (Govern), refreshing the governance foundation with operational knowledge earned through the preceding cycle. The DIRM is therefore a continuous improvement system rather than a one-time process. Each pass through the model produces a better-governed and better-calibrated program than the last.
What the renewed Stage 01 updates. The intelligence loop refreshes four specific elements. Threat posture: the risk register is revised in light of newly characterized threats and adversary tactics observed during Detect and Investigate. Policy: the Digital Integrity Policy is amended where gaps were exposed during Assess and Respond. Detection calibration: confidence thresholds and sensitivity parameters are recalibrated based on observed false-positive and false-negative rates. Maturity targets: the program's maturity trajectory is adjusted to reflect capability gaps the completed cycle revealed.
The compounding effect. The practical consequence of the intelligence loop is that the DIRM compounds over time. An organization on its third or fourth cycle governs with a risk register shaped by lived incident experience, detects with models trained on its own threat history, and responds with playbooks tested and refined in the field. The difference between a first-cycle program and a mature cycling program is structural rather than incremental. The loop-back is the mechanism that turns Digital Integrity from a compliance exercise into an institutional capability.
Stage reference matrix
Mapping each stage to its control domain, primary output, and governing DI standards series.
| # | Stage | Domain | Primary output | Governing DI series | Key controls |
|---|---|---|---|---|---|
| 01 | Govern | GOV | Digital Integrity Policy; risk register; accountability framework | DI-200, DI-000 | Policy management, risk governance, executive accountability |
| 02 | Identify | GOV / DETECT | Asset inventory; threat exposure map; risk register | DI-100, DI-200 | Asset classification, threat profiling, exposure assessment |
| 03 | Preserve | EVID | Chain-of-custody record; preserved evidence package | DI-300, DI-500 | Acquisition procedures, metadata preservation, legal hold |
| 04 | Detect | DETECT | Detection alerts; anomaly reports; content flags | DI-100, DI-500 | AI detection, provenance signals, continuous monitoring |
| 05 | Verify | VERIFY | Authenticity determination; provenance record | DI-400, DI-200 | Cryptographic provenance, attestation, expert verification |
| 06 | Investigate | EVID | Forensic analysis report; attribution assessment | DI-300, DI-500 | Forensic methodology, attribution analysis, documentation |
| 07 | Assess | RESP | Impact assessment; response plan; notification schedule | DI-300, DI-200 | Impact scoring, legal exposure, regulatory obligations |
| 08 | Respond | RESP | Remediation record; disclosure package; post-incident review | DI-500, DI-300 | Content takedown, regulatory reporting, corrective action |
| 09 | Intelligence | TRAIN / GOV | Threat intelligence update; control refinements; training outputs | DI-600, DI-700 | Threat intelligence, model updates, governance refresh |
Implementing the DIRM
Starting your DIRM implementation
Organizations should begin DIRM implementation at Stage 01 (Govern), regardless of where they perceive their most pressing risk. Without governance architecture, detection and investigation activity lacks accountability and legal defensibility.
A lightweight initial implementation consisting of a Digital Integrity Policy, a basic asset inventory, and documented chain-of-custody procedures provides the governance foundation from which detection and verification capabilities can be built progressively.
For organizations already operating detection capabilities without governance foundations, a retrospective implementation of Stages 01 through 03 is both feasible and necessary before extending into advanced investigation and response.
Maturity progression
- Level 1, Foundation. Stages 01 through 03 operational. Policy exists. Assets identified. Evidence preservation procedures documented.
- Level 2, Detection. Stages 04 and 05 operational. Detection tooling deployed. Verification procedures established. Detection-to-verify pipeline functional.
- Level 3, Response. Stages 06 through 08 operational. Forensic capacity available. Incident response plans tested. Regulatory reporting procedures documented.
- Level 4, Intelligence. Stage 09 operational. Threat intelligence feeds active. Detection models updated from incident data. Governance refreshed on cycle.
Governing standards
The DIRM is grounded in and cross-references the following Digital Integrity standards series and external frameworks.
DI-000 · Master Index
Repository governance, document dependency graph, and the canonical standards catalog that structures every DIRM stage reference.
DI-100 · Threat Landscape
Provides the threat taxonomy and adversary models that underpin Stages 02 (Identify) and 04 (Detect).
DI-200 · Standards & Controls
The DIRC-1 control catalog maps directly to DIRM stages. DIS-1 governance standard governs Stage 01 implementation.
DI-300 · Legal & Evidence
Provides the evidence admissibility standards, chain-of-custody procedures, and litigation playbooks for Stages 03, 06, and 07.
DI-400 · Architecture
The DIRA-1 reference architecture defines the technical systems that operationalise Stage 05 (Verify) at scale.
DI-500 · Implementation
Deployment playbooks for each DIRM stage, with sector-specific guidance for media, legal, financial, and government contexts.
DI-600 · Research
Benchmark studies and maturity measurement that inform Stage 09 (Intelligence) outputs and drive framework improvement cycles.
DI-700 · Global Governance
International adoption frameworks and ecosystem strategy that extend DIRM implementation across jurisdictions and sectors.
External framework alignment
- EDRM (Electronic Discovery Reference Model). Structural analogue in the legal discovery domain. The DIRM extends the concept to content authenticity across all digital lifecycle stages.
- ISO/IEC 27037:2012. Digital evidence identification, collection, acquisition, and preservation. Directly governs DIRM Stage 03.
- NIST SP 800-86. Guide to integrating forensic techniques into incident response. Informs DIRM Stages 04 through 06.
- NIST Cybersecurity Framework. The Identify / Protect / Detect / Respond / Recover mapping aligns with DIRM Stages 01 through 08.
- Daubert standard (US) and Turnbull guidelines (UK). Legal reliability standards for expert evidence that DIRM Stages 05 and 06 are designed to satisfy.
- EU AI Act (2024). High-risk AI system transparency and auditability requirements addressed by the DIRM governance and verification stages.
Access the full DI-010 standard
Download the complete DIRM specification, capability matrix, implementation guidance, and cross-reference tables from the Digital Integrity standards library.