There is a pattern I see every time a regulator, auditor, or sophisticated customer asks the same question in different words: “Show me how this works in practice.”

Most legal teams still answer with contracts.

They pull the clause. They point to the vendor’s certification. They attach the policy. Then they act surprised when the response comes back as some version of: that’s nice, now show the evidence.

This is why “we had it in the contract” is no longer a defense. It is not because contracts stopped mattering. It is because regulators have made it clear that obligations are only real when they are operational.

The contract is not the control

Contracts are instructions. Controls are machinery.

A contract can say you retain certain records for seven years. A control is the system that captures the records, applies retention rules, prevents deletion, and produces them on demand.

A contract can say a vendor will notify you of incidents within 72 hours. A control is the intake path, the escalation workflow, the tested playbook, and the record of what happened when the email actually arrived at 2:13 a.m. on a Saturday.

When obligations tracking breaks down, it usually breaks down in three ways.

First, the obligation never gets translated into an owned task. It lives in a PDF and nowhere else.

Second, the obligation gets translated once, manually, and then drifts. The contract changes, the playbook does not.

Third, the obligation exists, but there is no audit trail for performance. You cannot prove it happened.

Regulators are increasingly enforcing against all three failure modes.

Recordkeeping enforcement is the clearest warning shot

The August 2024 SEC recordkeeping settlement is blunt: 26 firms admitted widespread failures to maintain and preserve required electronic communications and paid $392.75 million in combined civil penalties, with the SEC emphasizing that the impact goes beyond bad productions.

The January 2025 SEC recordkeeping settlement repeats the lesson in a slightly different form: firms were charged not only with recordkeeping violations but also with failure to reasonably supervise, and the SEC called out off-channel communications involving supervisors and senior managers.

That is the point for contract operations. This enforcement wave is not about the wording of retention policies. It is about control design, adoption, and proof.

If you want a parallel in the contract world, it is the vendor obligation that everyone agrees to in redlines and then no one builds into the operating model.

Regulators are saying, in effect, that governance is what you do, not what you wrote down.

Cybersecurity enforcement is moving from standards to performance

Cybersecurity enforcement is converging on the same operational posture.

In the NYDFS Healthplex settlement, the regulator tied a real incident to basic control failures and noted, as part of its findings, that Healthplex had no data retention policy to limit storage of emails.

That detail matters. Most organizations think of retention as “legal asked for a schedule.” NYDFS treated it as a cybersecurity control, because long-lived email stores expand blast radius, complicate investigation, and increase exposure.

At the federal level, the Civil Cyber-Fraud Initiative is turning cybersecurity contract requirements into enforceable obligations. The DOJ Raytheon settlement resolved allegations of non-compliance with cybersecurity requirements in DoD contracts, with $8.4 million paid. The DOJ MORSECORP settlement is another example of FCA exposure tied to cybersecurity requirements.

This is what it looks like when “it’s in the contract” becomes a liability instead of comfort. The obligation becomes a representation. The representation becomes a payment condition. The gap between paper and reality becomes the case.

Privacy enforcement is testing reality, not narratives

Privacy regulators are following the same logic: prove it.

The Irish DPC TikTok decision involved cross-border transfer questions and transparency. Whatever your view of TikTok, the enforcement posture is the takeaway. The DPC assessed the lawfulness of transfers and whether users were told the truth in a way the GDPR requires, then imposed €530 million in fines and a six-month compliance order.

This is the privacy version of obligations tracking failure. A company can have transfer addenda, SCCs, and vendor commitments. If actual data flows and disclosures do not match, regulators focus on the mismatch.

Contracts are part of the record. They are not the record of performance.

“Obligations tracking” is really a system of evidence

When I say obligations tracking, I do not mean a spreadsheet of clauses.

I mean an operating layer that can answer three questions quickly and credibly:

  • What are we required to do, and where did the requirement come from?
  • Who owns the work, and how do we know they did it?
  • What proof can we produce, at speed, under scrutiny?

That evidence layer cuts across privacy, cybersecurity, and recordkeeping. It also cuts across internal and third-party obligations, which is where most programs fail.

A contract obligation without an owner is a suggestion. A contract obligation without proof is a story.

Regulators and auditors have less patience for stories now, because electronic systems can generate evidence. The expectation has moved.

You can see the same posture in disclosure enforcement. The SEC cybersecurity disclosure cases included charges tied to misleading incident-related statements and, in at least one case, deficient disclosure controls. The theme is consistent: controls, governance, and demonstrable process matter.

Where CLM either helps or becomes part of the problem

CLM can be a filing cabinet, or it can be part of the control surface.

If your CLM is just storage, it amplifies obligations tracking failure. It creates false confidence because everything looks organized while nothing is operational.

In my day-to-day work, I prefer CLM tooling that produces usable evidence. Concord’s audit trails show me who approved what and when, and I can point to tamper-evident handling and retention management features that matter when questions come in under pressure. I also set deadline reminders in Concord, so key notice dates and renewal events are less dependent on someone’s calendar hygiene, which is where compliance quietly dies.

That is not marketing. It is the difference between a frantic, manual reconstruction and a calm, fast production.

A practical playbook that survives regulatory scrutiny

If you want obligations tracking that holds up, treat it like a controls program.

  1. Segment obligations by regulator lens, not by clause library.
    Build three buckets: privacy, cybersecurity, and recordkeeping. Each bucket has different proof expectations, as you can see across SEC, FTC, NYDFS, DOJ, and DPC actions.
  2. Normalize obligations into “trigger, action, evidence.”
    The trigger is the event that starts the clock. The action is what must happen. The evidence is what you can produce. The FTC Blackbaud order is a good example of a regulator turning “retention” into a required schedule and deletion practice, which is triggerable and auditable.
  3. Assign ownership where the work actually happens.
    Legal almost never performs the obligation. Security, IT, Finance, HR, and vendor management do. The SEC recordkeeping settlements underscore that supervision failures are part of the enforcement posture, so ownership and oversight design matter.
  4. Build exception handling, because exceptions are where enforcement lives.
    Off-channel communications, shadow IT, unapproved vendors, and rushed renewals are the places controls fail. If you cannot track exceptions, you cannot credibly claim the program works.
  5. Test proof production like an incident drill.
    Pick one obligation in each bucket and run a timed exercise: produce the contract, the owner, the last performance date, and the evidence artifact. When HIPAA enforcement focuses on risk analysis and safeguards, as shown in the HHS OCR USR resolution agreement, you want to know what you can produce before someone else asks.
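As an added illustration (not the article's own method or code from any CLM product), here is a small Python obligations register that normalizes each obligation into trigger, action and evidence with an owner, then runs the timed proof-production drill from step 5 and reports the three failure modes named earlier (no owner, drift from the current contract text, no producible evidence). The contract references, owners, versions and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical obligations register (added illustration, not code from the article or
# any CLM product): each obligation is normalized into trigger / action / evidence,
# has an owner, and records the contract version it was translated from.
@dataclass
class Obligation:
    oid: str
    bucket: str             # privacy | cybersecurity | recordkeeping
    source: str             # contract and clause the requirement came from
    contract_version: int   # version of the contract text at translation time
    trigger: str            # event that starts the clock
    action: str             # what must happen
    evidence: str           # artifact expected when the action is performed
    owner: str = ""         # empty string = obligation lives in a PDF and nowhere else

def drill(obligations, performances, contract_versions, today, max_age_days=365):
    """Proof-production drill: per obligation, flag missing owner, drift from the current
    contract version, and unproven performance (none, no artifact, or stale)."""
    findings = {"unowned": [], "drifted": [], "unproven": []}
    latest = {}
    for oid, performed_on, artifact in performances:      # keep most recent entry per obligation
        if oid not in latest or performed_on > latest[oid][0]:
            latest[oid] = (performed_on, artifact)
    for ob in obligations:
        if not ob.owner:
            findings["unowned"].append(ob.oid)
        if contract_versions.get(ob.source) != ob.contract_version:
            findings["drifted"].append(ob.oid)          # contract changed, playbook did not
        last = latest.get(ob.oid)
        if last is None or last[1] is None or (today - last[0]).days > max_age_days:
            findings["unproven"].append(ob.oid)         # cannot prove it happened
    return findings

# Constructed sample: one obligation per bucket, mirroring the article's examples.
OBLIGATIONS = [
    Obligation("REC-1", "recordkeeping", "MSA-0042 s.12", 3, "record created",
               "retain 7 years, block deletion", "retention job log", owner="IT Records"),
    Obligation("CYB-1", "cybersecurity", "DPA-0042 s.5", 2, "vendor incident",
               "notify within 72 hours", "ticket with intake timestamps"),
    Obligation("PRV-1", "privacy", "DPA-0042 s.9", 2, "new cross-border transfer",
               "complete transfer assessment", "signed assessment", owner="Privacy"),
]
# Performance log: (obligation id, date performed, evidence artifact or None if nothing captured)
PERFORMANCES = [("REC-1", date(2025, 1, 10), "retention-2025-01-10.log"),
                ("PRV-1", date(2024, 11, 2), None)]
CONTRACT_VERSIONS = {"MSA-0042 s.12": 3, "DPA-0042 s.5": 3, "DPA-0042 s.9": 2}  # DPA s.5 amended
def run_sample():
    return drill(OBLIGATIONS, PERFORMANCES, CONTRACT_VERSIONS, date(2025, 3, 1))
```

Running `run_sample()` on the constructed data flags CYB-1 on all three counts and PRV-1 as unproven, because the transfer assessment was reported done but no artifact was captured.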

The truth is that obligations tracking is not breaking down because people forgot to negotiate clauses. It is breaking down because the volume of obligations outpaced manual coordination, and regulators have stopped giving credit for intent.

Contracts still set the rules. Regulators are now grading the operating system.
