Control 1.16: Information Rights Management (IRM) for Documents

Control ID: 1.16 | Pillar: Security | Regulatory Reference: GLBA 501(b), SEC Reg S-P, FINRA 4511, SOX 404 | Governance Levels: Baseline / Recommended / Regulated | Last UI Verified: January 2026 | Last Verified: 2026-02-03


Objective

Implement persistent document protection for content accessed by Copilot Studio agents using Information Rights Management (IRM) to control viewing, editing, copying, printing, and forwarding rights, with content expiration and revocation capabilities.


Why This Matters for FSI

  • GLBA 501(b): IRM restricts unauthorized copying and sharing of customer NPI
  • SEC Reg S-P: Watermarks and access restrictions protect consumer financial information
  • FINRA 4511: IRM audit trail provides access history for books and records
  • SOX 404: Helps prevent unauthorized document distribution through internal controls

Control Description

This control establishes IRM protection through:

  1. Azure Rights Management Service - Activate Azure RMS for tenant-wide document protection
  2. IRM-Enabled Sensitivity Labels - Create labels with encryption, access control, and content marking
  3. SharePoint Library IRM - Enable IRM on document libraries containing agent knowledge sources
  4. Agent Access Configuration - Grant agent service accounts minimum required rights (typically View-only)
  5. Document Tracking and Revocation - Enable tracking of protected document access with revocation capability
  6. Auto-Labeling Policies - Configure automatic IRM application based on sensitive information detection

Key Configuration Points

  • Activate Azure Rights Management Service in Microsoft 365 Admin Center
  • Create sensitivity labels with encryption and rights assignment
  • Grant agent service accounts Viewer rights in label permissions
  • Enable IRM on SharePoint libraries with download restrictions
  • Configure content expiration (90 days for enterprise managed)
  • Set offline access limits (7-14 days for regulated environments)
  • Enable watermarking with dynamic viewer identification
  • Configure super user account for compliance access

Zone-Specific Requirements

Zone | Requirement | Rationale
Zone 1 (Personal) | IRM optional; print/copy allowed; no expiration; 30-day offline access | Low risk, flexibility needed
Zone 2 (Team) | IRM required; print/copy blocked; 180-day expiration; 14-day offline access | Team collaboration requires protection
Zone 3 (Enterprise) | IRM mandatory; full watermark; 90-day expiration; 7-day offline access; screen capture blocked | Customer-facing content requires maximum protection
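Added example, not part of this control's playbooks: Security & Compliance PowerShell that creates the Zone 2 and Zone 3 IRM labels from the expiration, offline-access and watermark values in the table above, granting the agent service account the View-only rights called for under Key Configuration Points. The label names, owner group and agent UPNs are placeholders, and it assumes Connect-IPPSSession has already been run by a Purview Info Protection Admin.

```powershell
# Requires: Install-Module ExchangeOnlineManagement; Connect-IPPSSession (Purview Info Protection Admin)

# Zone parameters taken from the Zone-Specific Requirements table (Zone 1 is IRM optional, so not covered).
$ZoneIrmSettings = @{
    'Zone2' = @{ Expiry = 180; OfflineDays = 14; Watermark = $false; Label = 'Zone2-Team-IRM' }        # placeholder label name
    'Zone3' = @{ Expiry = 90;  OfflineDays = 7;  Watermark = $true;  Label = 'Zone3-Enterprise-IRM' }  # placeholder label name
}

function New-ZoneIrmLabel {
    param(
        [Parameter(Mandatory)][ValidateSet('Zone2', 'Zone3')][string]$Zone,
        [Parameter(Mandatory)][string]$OwnerGroup,    # group that owns the content, e.g. a mail-enabled security group (placeholder)
        [Parameter(Mandatory)][string]$AgentAccount   # Copilot Studio agent service account UPN (placeholder)
    )
    $s = $ZoneIrmSettings[$Zone]

    # Usage rights: owners can view and edit, but PRINT and EXTRACT (copy) are deliberately
    # omitted so print/copy stays blocked; the agent account receives View-only rights.
    $rights = "${OwnerGroup}:VIEW,VIEWRIGHTSDATA,EDIT,DOCEDIT;${AgentAccount}:VIEW,VIEWRIGHTSDATA"

    $labelParams = @{
        Name                                        = $s.Label
        DisplayName                                 = "$Zone IRM Protected"
        Tooltip                                     = "IRM-protected $Zone content. Print/copy blocked; expires after $($s.Expiry) days."
        ContentType                                 = 'File, Email'
        EncryptionEnabled                           = $true
        EncryptionProtectionType                    = 'Template'
        EncryptionRightsDefinitions                 = $rights
        EncryptionContentExpiredOnDateInDaysOrNever = "$($s.Expiry)"     # content expiration from the table
        EncryptionOfflineAccessDays                 = $s.OfflineDays      # offline access limit from the table
    }
    if ($s.Watermark) {
        # Zone 3 requires a full watermark; static text shown here (dynamic viewer identification not covered).
        $labelParams.ApplyWaterMarkingEnabled = $true
        $labelParams.ApplyWaterMarkingText    = 'CONFIDENTIAL - Zone 3 Enterprise'
    }
    New-Label @labelParams
}

# Usage with placeholder identities; publish the labels afterwards with New-LabelPolicy.
New-ZoneIrmLabel -Zone 'Zone2' -OwnerGroup 'fsi-team-owners@contoso.com'       -AgentAccount 'svc-copilot-agent@contoso.com'
New-ZoneIrmLabel -Zone 'Zone3' -OwnerGroup 'fsi-enterprise-owners@contoso.com' -AgentAccount 'svc-copilot-agent@contoso.com'
```

The created labels still have to be published through a label policy and assigned on the SharePoint libraries before the verification criteria below can be checked.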

Roles & Responsibilities

Role | Responsibility
Purview Info Protection Admin | Create and manage sensitivity labels, configure IRM settings
SharePoint Admin | Enable IRM on document libraries
Compliance Officer | Define protection requirements, review access logs
AI Governance Lead | Ensure agent access respects IRM restrictions

Related Controls

Control | Relationship
1.5 - DLP and Sensitivity Labels | Label-based protection
1.15 - Encryption | Underlying encryption
1.3 - SharePoint Governance | Library permissions
4.1 - SharePoint IAG | Content discovery control

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:


Verification Criteria

Confirm control effectiveness by verifying:

  1. Azure RMS shows "Protection is activated" status
  2. IRM-enabled sensitivity labels are published and available to users
  3. SharePoint library IRM blocks downloads without protection applied
  4. Agent can read IRM-protected content but cannot bypass restrictions
  5. Document access events appear in audit logs with viewer details

Additional Resources


Updated: January 2026 | Version: v1.2 | UI Verification Status: Current