Control 1.19: eDiscovery for Agent Interactions
Control ID: 1.19
Pillar: Security
Regulatory Reference: SEC 17a-4, FINRA 4511, FINRA 25-07, FINRA 8210, SOX 802, GLBA 501(b)
Last UI Verified: February 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Enable legal discovery and regulatory response capabilities for Copilot and Copilot Studio agent interactions by configuring eDiscovery cases, content searches, and legal holds to preserve, search, and export AI-generated content for litigation and examination response.
Why This Matters for FSI
- SEC 17a-4(b)(4): Helps preserve and produce AI-mediated communications as books-and-records on regulatory demand. Standard retention is 6 years total, first 2 years easily accessible; eDiscovery holds preserve Copilot prompts and responses in the SubstrateHolds mailbox container so they survive end-user deletion of the Copilot chat thread.
- SEC 17a-4(f) (October 2022 amendment): Permits an audit-trail alternative to traditional WORM storage. The eDiscovery export package (native content + load file + metadata + chain-of-custody log) supports this audit-trail mode when written to immutable storage outside the live tenant.
- FINRA Rule 4511: Helps meet the books-and-records preservation obligation for AI-generated communications retained in Exchange / Teams / SharePoint / OneDrive locations discoverable through unified eDiscovery.
- FINRA Regulatory Notice 25-07 (March 2025): Reaffirms that supervisory and recordkeeping obligations apply to generative-AI tools; documented eDiscovery readiness for Copilot and Copilot Studio interactions supports the WSP requirement.
- FINRA Rule 8210: Supports timely production of AI-agent records in response to FINRA examination requests; Zone 3 drills validate the production SLA (typically ~30 days from request).
- SOX Section 802: Helps meet anti-spoliation and document-destruction-prohibition obligations for AI records under audit or investigation scope.
- GLBA 501(b) Safeguards Rule: Helps preserve and produce customer NPI surfaced through agent interactions during legal proceedings.
- FRCP 37(e): Supports the duty to preserve electronically stored information (ESI) when litigation is reasonably anticipated; eDiscovery legal holds are the primary preservation mechanism for AI interaction ESI.
No companion solution by design
Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.
License Requirements
- eDiscovery (Standard) — included with Microsoft 365 / Office 365 E3; covers case creation, content search across Exchange / Teams / SharePoint / OneDrive, and basic legal hold.
- eDiscovery (Premium capabilities) — requires Microsoft 365 E5, E5 Compliance, or the eDiscovery Premium add-on; gates custodian management with hold-notice workflow, review sets, conversation reconstruction (Teams / Copilot), transcription, predictive coding, and advanced indexing. Required for Zone 2 review-set workflows and all Zone 3 features.
- Microsoft 365 Copilot — required on the custodian for Copilot prompts and responses to be in scope of eDiscovery via the Copilot interactions location/condition. Loss of license can affect retrievability — pair with a Purview retention policy scoped to Copilot interactions (Control 1.9).
- Microsoft Purview Audit (Standard / Advanced) — Standard Audit included with most M365 SKUs; Advanced Audit (long retention, high-value events including `eDiscoveryAdminOperation` and `ComplianceSearch*`) requires E5 / E5 Compliance.
- Immutable export storage (third-party) — required only when relying on the SEC 17a-4(f) audit-trail alternative; the eDiscovery export itself is not WORM — the storage layer must be.
Re-verify SKU eligibility at deploy time against the Microsoft 365 security & compliance licensing guidance.
Sovereign Cloud Parity (verify at deploy time)
| Capability | Commercial | GCC | GCC High | DoD |
|---|---|---|---|---|
| Unified eDiscovery experience (Purview portal) | GA | GA | GA | GA |
| eDiscovery Premium (review sets, custodian, predictive coding) | GA | GA | Verify | Verify |
| Copilot interactions as eDiscovery location/condition | GA | Rolling | Lagging — verify | Lagging — verify |
| Conversation reconstruction (Teams / Copilot threading) | GA | Rolling | Verify | Verify |
| Microsoft 365 Copilot (custodian-side prerequisite) | GA | GA | Limited preview as of early 2026 — verify | Limited / verify |
| Purview Audit (Advanced) | GA | GA | GA | GA |
Treat any cross-cloud parity gap as a compensating-control conversation, not an assumption of feature parity. Broker-dealer or federal-adjacent advisory tenants on GCC / GCC High / DoD must re-verify against the Microsoft 365 government service description before relying on eDiscovery for AI as a primary control.
Control Description
This control establishes eDiscovery capabilities using the unified eDiscovery experience in the Microsoft Purview portal (purview.microsoft.com > Solutions > eDiscovery). Classic eDiscovery (Standard/Premium) was retired August 31, 2025 and replaced by a single, unified experience.
- Case Management - Create and manage eDiscovery cases for investigations (unified case type replaces former Standard/Premium split)
- Content Search - KeyQL queries across Teams, SharePoint, Exchange for agent interactions; Content Search is now available as a system-generated case within eDiscovery rather than a separate tool
- Copilot Activity Query - Use the Copilot activity query condition to search specifically for AI-generated interactions within eDiscovery cases
- Legal Hold - Preserve agent-related content during litigation or regulatory inquiry
- Export - Export search results in a legally defensible format
- Search Templates - Pre-built KeyQL queries for common agent content searches
- Audit Integration - Combine eDiscovery with audit log searches for complete evidence
Key Configuration Points
- Access the unified eDiscovery experience at purview.microsoft.com > Solutions > eDiscovery
- Assign eDiscovery Manager role to legal/compliance team members
- Document all agent content locations (Teams, SharePoint, Dataverse, Exchange)
- Create case templates for common regulatory inquiry scenarios
- Search for AI agent content via the Copilot interactions eDiscovery location (selects the user's mailbox-side hidden Copilot store) and/or the Copilot activity condition card (filters any search by Copilot/Agent involvement). Do not attempt to find Copilot content with `from:"Copilot"` keyword filters — Copilot prompts and responses are not Teams chat messages with sender "Copilot"; they live in the custodian's mailbox under a hidden folder structure.
- Example KeyQL pattern (date + sensitive-info type narrowing on Copilot location): `(date>=2026-01-01 AND date<=2026-03-31) AND (sensitivetype:"U.S. Social Security Number (SSN)" OR sensitivetype:"Credit Card Number")` — scoped to the Copilot interactions location, not a `from:` filter.
- Use Content Search via its system-generated case within eDiscovery for broad keyword sweeps that don't yet need a custodian / hold workflow.
- Plane separation: eDiscovery returns content (prompt body, response body, grounding files) from Exchange / Teams / SharePoint / OneDrive locations. The Unified Audit Log `CopilotInteraction` record (Control 1.7) returns activity metadata (who/when/which agent/which thread/sensitive-data-touched) but does not contain prompt body text. Build evidence packages by joining both — eDiscovery for content, UAL for activity context.
- Establish legal hold procedures with documented approval workflow
- Configure hold policies for SharePoint sites used as agent knowledge sources
- Retain eDiscovery evidence per retention schedule (6+ years for regulated)
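The plane-separation join described above, as an added example that is not part of the framework's own tooling: content items from an eDiscovery export are paired with UAL `CopilotInteraction` records by user and timestamp proximity, and anything left unpaired on either side is reported. All records are constructed, the export-side field names are hypothetical, the UAL records are flattened to four fields, and matching on time proximity is an assumption of this example.

```python
from datetime import datetime, timedelta

# Constructed sample data. Export-side field names are hypothetical;
# map them to the columns of your actual export load file.
EXPORT_ITEMS = [
    {"custodian": "alice@contoso.example", "sent": "2026-02-03T14:05:10",
     "prompt": "Summarise account notes", "response": "Summary ..."},
    {"custodian": "bob@contoso.example", "sent": "2026-02-04T09:30:00",
     "prompt": "Draft client email", "response": "Dear ..."},
]
# UAL side (constructed, flattened): activity metadata only, no prompt body.
UAL_RECORDS = [
    {"Operation": "CopilotInteraction", "UserId": "alice@contoso.example",
     "CreationTime": "2026-02-03T14:05:12", "AppHost": "Teams"},
    {"Operation": "CopilotInteraction", "UserId": "carol@contoso.example",
     "CreationTime": "2026-02-05T11:00:00", "AppHost": "Word"},
]

def _ts(value):
    """Parse the ISO-style timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")

def build_evidence(export_items, ual_records, tolerance_s=30):
    """Pair each content item with the nearest same-user audit record.

    Returns joined pairs plus the leftovers from each plane, so that a
    missing audit record or missing content is visible, not silently dropped.
    """
    tol = timedelta(seconds=tolerance_s)
    unused = [r for r in ual_records if r["Operation"] == "CopilotInteraction"]
    joined, content_only = [], []
    for item in export_items:
        sent = _ts(item["sent"])
        candidates = [r for r in unused
                      if r["UserId"].lower() == item["custodian"].lower()
                      and abs(_ts(r["CreationTime"]) - sent) <= tol]
        if not candidates:
            content_only.append(item)   # content with no activity context
            continue
        best = min(candidates, key=lambda r: abs(_ts(r["CreationTime"]) - sent))
        unused.remove(best)             # each audit record is used once
        joined.append({**item, "audit": best})
    return {"joined": joined, "content_only": content_only, "audit_only": unused}
```

Entries left in `content_only` or `audit_only` are the ones to resolve before a production package is signed off, since each represents one plane without the other.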
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Unified eDiscovery basic search capabilities; as-needed holds; standard export | Low risk, minimal tracking |
| Zone 2 (Team) | Unified eDiscovery with custodian management and review sets; documented search procedures; tracked export | Team collaboration requires discoverability |
| Zone 3 (Enterprise) | Unified eDiscovery full advanced features and analytics; proactive/standing holds; controlled export with approval; quarterly drills | Customer-facing agents carry the highest regulatory risk |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| eDiscovery Administrator (Purview eDiscovery role) | Org-wide case access; can reassign cases, access all cases regardless of membership, and recover orphaned cases. Treat as super-user; assign sparingly and via Entra PIM. |
| eDiscovery Manager (Purview eDiscovery role) | Create and manage own cases; configure custodians, holds, searches, review sets, and exports within owned cases. Day-to-day legal/compliance role. |
| Reviewer (Purview eDiscovery role) | Review-set access only; can tag, redact, and code documents but cannot export (separation of duties for SOX 404 / FINRA 3110). |
| Legal / Compliance Officer | Approve legal holds, review search methodology, sign off on production packages for FINRA 8210 responses. |
| Designated Supervisor / Registered Principal | FINRA Rule 3110 supervisory sign-off on AI-content production for broker-dealer recordkeeping-scope agents. |
| AI Governance Lead | Maintain the agent ↔ content-location map (cross-reference Control 1.2) so legal/compliance scope cases correctly; convene quarterly Zone 3 production drills. |
| Microsoft Purview Admin | Purview portal RBAC and tenant-level Purview configuration; does not implicitly grant eDiscovery role membership — assignment must be explicit. |
| Records Manager (Purview Records Manager role) | Coordinates retention-label posture (Control 1.9) with eDiscovery hold posture so a label-driven deletion does not prematurely purge held content. |
Related Controls
| Control | Relationship |
|---|---|
| 1.5 - DLP and Sensitivity Labels | Sensitivity labels propagate to Copilot-discovered content and drive review-set filtering and redaction posture |
| 1.6 - DSPM for AI | DSPM for AI surfaces sensitive-data interactions used to scope eDiscovery cases for Copilot agents |
| 1.7 - Audit Logging | CopilotInteraction activity records (UAL) complement eDiscovery content retrieval — join both for full evidence |
| 1.9 - Data Retention | Retention policies help maintain content availability ahead of and outside of legal-hold scope; coordinate to avoid label-driven purge of held content |
| 1.10 - Communication Compliance Monitoring | Comm Compliance Copilot reviewer queues feed escalations into eDiscovery cases for supervisory action |
| 1.14 - Data Minimization and Agent Scope | Defines the agent ↔ grounding-surface inventory that determines eDiscovery scope per agent |
| 1.21 - Adversarial Input Logging | Comm Compliance + Defender XDR Copilot incident evidence is preserved under eDiscovery hold for SEC 17a-4(b)(4) production |
| 2.13 - Documentation and Record-Keeping | Record-keeping policy framework that eDiscovery operationalises |
| 4.6 - Grounding Scope Governance | Grounding posture (RCD / RSS / DAG) determines what SharePoint content lands in scope of an eDiscovery hold |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- An assigned eDiscovery Manager can create a case, add a custodian, configure a hold, run a search, build a review set, and request an export end-to-end in the unified eDiscovery experience at `purview.microsoft.com`.
- A search using the Copilot interactions location (and/or Copilot activity condition) against a test custodian returns both the prompt body and the response body for known Copilot threads — confirming content-plane retrieval, not just activity metadata.
- A legal hold survives end-user deletion: have a test custodian delete a held Copilot chat, then re-run the search and confirm the prompt/response is still discoverable (preserved in the SubstrateHolds container).
- Export package contains native content, load file, metadata, and a chain-of-custody / audit-trail log suitable for the SEC 17a-4(f) audit-trail alternative; package is written to immutable storage outside the live tenant.
- eDiscovery activities (`eDiscoveryAdminOperation`, `ComplianceSearchCreated`, `ComplianceSearchExported`, `CaseHoldCreated`, etc.) appear in the Unified Audit Log within expected latency and are retained per Advanced Audit retention (Control 1.7).
- eDiscovery role assignments (Administrator, Manager, Reviewer) are reviewed quarterly; Administrator membership is gated by Entra PIM with just-in-time elevation.
- Retention/label policy (Control 1.9) and eDiscovery hold posture are reconciled — no held content is at risk of label-driven purge; Records Manager has signed off.
- KeyQL templates for common FSI inquiry scenarios (FINRA 8210 production, suspected NPI exposure, suspected market-abuse comms via Copilot) are version-controlled and tested against synthetic data.
- Copilot interactions in scope of the hold include content from all custodian surfaces in use (web Copilot, Teams Copilot, M365 app Copilot, Copilot Studio agents whose transcripts persist to mailbox); Copilot Studio agents whose transcripts persist only to Dataverse are documented and a separate Dataverse retention/audit story exists (see Control 1.9).
- Sovereign-cloud parity confirmed for the deployment cloud (Commercial / GCC / GCC High / DoD); any GCC-High/DoD parity gap on the Copilot interactions location is documented as a compensating control.
- Zone 3 customer-facing agents have a quarterly production drill documented (case → hold → search → review set → export → 17a-4(f)-style immutable handoff), with elapsed time measured against the FINRA 8210 ~30-day SLA.
- Exported evidence is retained per SEC 17a-4(b)(4) (6 years total, first 2 years easily accessible) for recordkeeping-scope agents; retention floor documented in the WSP and tied to the agent registry (Control 1.2).
Additional Resources
Classic eDiscovery Retirement (February 2026)
Microsoft retired all classic eDiscovery experiences on August 31, 2025. The legacy eDiscovery documentation now applies only to organizations hosted in Microsoft 365 operated by 21Vianet (China). For all other organizations, use the new eDiscovery experience in the Microsoft Purview portal.
- Microsoft Learn: eDiscovery Solutions (unified experience)
- Microsoft Learn: Create and manage eDiscovery cases
- Microsoft Learn: KeyQL keyword queries and search conditions
- Microsoft Learn: Create eDiscovery holds
- Microsoft Learn: Search for and delete Microsoft 365 Copilot interactions
- Microsoft Learn: Audit Microsoft 365 Copilot interactions (`CopilotInteraction` schema)
- Microsoft Learn: Learn about retention for Copilot
- Microsoft Learn: eDiscovery role groups and permissions
- SEC Rule 17a-4 (October 2022 amendment — audit-trail alternative)
- FINRA Regulatory Notice 25-07: AI guidance (March 2025)
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current (re-verified April 2026)