No, IT are on the hook for services they provide withint the SLAs agreed with the business. Everything else is out of scope. If you don't feel able to push back on things you don't support you either need to leave or get better at interacting with the business. It's not IT's job to shackle the business. It's not even IT on the hook for compliance, it's the business. In my experience the professionals within a business outside of IT are more attuned to compliance than IT are. It's rare to even find an IT person who's read the regulation docs, let alone understand them. Usually IT just block everything, store everything and hope; usually becoming non-compliant in the process. The number of 7 year backup retention regimes I've seen pointlessly implemented and costing millions unnecessarily is astounding.