Control 1.19: eDiscovery for Agent Interactions
Control ID: 1.19 Pillar: Security Regulatory Reference: SEC 17a-4, FINRA 4511, SOX 802, GLBA 501(b) Last UI Verified: February 2026 Governance Levels: Baseline / Recommended / Regulated Last Verified: 2026-02-03
Objective
Enable legal discovery and regulatory response capabilities for Copilot and Copilot Studio agent interactions by configuring eDiscovery cases, content searches, and legal holds to preserve, search, and export AI-generated content for litigation and examination response.
Why This Matters for FSI
- SEC 17a-4: Enables preservation and production of AI communications on regulatory demand
- FINRA 4511: Maintains searchable records of AI interactions as required
- SOX 802: Preserves documents related to audits and investigations
- GLBA 501(b): Protects and produces customer information in legal proceedings
Control Description
This control establishes eDiscovery capabilities using the unified eDiscovery experience in the Microsoft Purview portal (purview.microsoft.com > Solutions > eDiscovery). Classic eDiscovery (Standard/Premium) was retired August 31, 2025 and replaced by a single, unified experience.
- Case Management - Create and manage eDiscovery cases for investigations (unified case type replaces former Standard/Premium split)
- Content Search - KeyQL queries across Teams, SharePoint, Exchange for agent interactions; Content Search is now available as a system-generated case within eDiscovery rather than a separate tool
- Copilot Activity Query - Use the Copilot activity query condition to search specifically for AI-generated interactions within eDiscovery cases
- Legal Hold - Preserve agent-related content during litigation or regulatory inquiry
- Export - Export search results in legal-defensible format
- Search Templates - Pre-built KeyQL queries for common agent content searches
- Audit Integration - Combine eDiscovery with audit log searches for complete evidence
Key Configuration Points
- Access the unified eDiscovery experience at purview.microsoft.com > Solutions > eDiscovery
- Assign eDiscovery Manager role to legal/compliance team members
- Document all agent content locations (Teams, SharePoint, Dataverse, Exchange)
- Create case templates for common regulatory inquiry scenarios
- Use the Copilot activity query condition when searching for AI agent interactions
- Configure KeyQL queries for agent-specific searches (e.g.,
kind:microsoftteams AND (from:"Copilot" OR subject:"Agent")) - Use Content Search via its system-generated case within eDiscovery for broad searches
- Establish legal hold procedures with documented approval workflow
- Configure hold policies for SharePoint sites used as agent knowledge sources
- Retain eDiscovery evidence per retention schedule (6+ years for regulated)
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Unified eDiscovery basic search capabilities; as-needed holds; standard export | Low risk, minimal tracking |
| Zone 2 (Team) | Unified eDiscovery with custodian management and review sets; documented search procedures; tracked export | Team collaboration requires discoverability |
| Zone 3 (Enterprise) | Unified eDiscovery full advanced features and analytics; proactive/standing holds; controlled export with approval; quarterly drills | Customer-facing agents highest regulatory risk |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Purview eDiscovery Roles | Create and manage cases, configure holds |
| Legal/Compliance Officer | Approve legal holds, review search methodology |
| AI Governance Lead | Document agent content locations, scope assistance |
| Microsoft Purview Admin | Portal access and permissions management |
Related Controls
| Control | Relationship |
|---|---|
| 1.7 - Audit Logging | Activity records complement content searches |
| 1.9 - Data Retention | Retention policies ensure data availability |
| 1.6 - DSPM for AI | AI interaction visibility for scoping |
| 2.13 - Documentation | Record keeping requirements |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- eDiscovery Manager can create cases and searches in Purview portal
- Content search for agent interactions returns expected results
- Legal hold successfully preserves content in identified locations
- Export completes and produces defensible evidence package
- eDiscovery actions appear in audit log
Additional Resources
Classic eDiscovery Retirement (February 2026)
Microsoft retired all classic eDiscovery experiences on August 31, 2025. The legacy eDiscovery documentation now applies only to organizations hosted in Microsoft 365 operated by 21Vianet (China). For all other organizations, use the new eDiscovery experience in the Microsoft Purview portal.
- Microsoft Learn: eDiscovery Solutions
- Microsoft Learn: Create eDiscovery Cases
- Microsoft Learn: KeyQL Reference
- Microsoft Learn: Create eDiscovery Holds
Updated: February 2026 | Version: v1.2 | UI Verification Status: Current