
Control 2.13: Documentation and Record Keeping

Control ID: 2.13
Pillar: Management
Regulatory Reference: FINRA 4511, SEC 17a-3/4, SOX 404, GLBA 501(b)
Governance Levels: Baseline / Recommended / Regulated
Last UI Verified: January 2026
Last Verified: 2026-02-03


Agent 365 Architecture Update

Agent 365 Unified Registry provides comprehensive agent metadata (usage analytics, risk scores, compliance status) that supports documentation and record-keeping requirements. See Unified Agent Governance for registry metadata capabilities.

Objective

Establish documentation and record-keeping requirements for AI agents that align with FINRA 4511 and SEC 17a-3/4, so that agent configurations, decisions, interactions, and governance activities are preserved in an examination-ready format.


Why This Matters for FSI

  • FINRA 4511: Books and records requirements mandate documentation of automated system operations
  • SEC 17a-3/4: Records retention requirements (WORM or audit-trail alternative per October 2022 amendments)
  • SOX 404: Internal control documentation demonstrates control effectiveness
  • GLBA 501(b): Administrative safeguards require documented information security program

Control Description

This control establishes record keeping through:

  1. Record Categories - Define categories: configuration, interaction logs, approvals, incidents, governance decisions
  2. Retention Schedule - Establish retention periods per regulatory requirements (6+ years typical)
  4. SEC 17a-4 Compliance - Configure WORM storage, or the audit-trail alternative introduced by the October 2022 amendments (a complete, time-stamped audit trail of every modification and deletion, recording who made it, with the ability to recreate the original record)
  4. Document Taxonomy - Create consistent classification and metadata standards
  5. Access Controls - Restrict record access to authorized personnel
  6. Retrieval Procedures - Document processes for regulatory examination response

Key Configuration Points

  • Create SharePoint site hierarchy for AI governance documentation
  • Configure Purview retention labels per record type:
    • Agent conversation logs: 3-year retention, the first two years in an easily accessible place (communications per SEC 17a-4(b)(4))
    • Financial/transaction records: 6-year retention, the first two years in an easily accessible place (per SEC 17a-4(a))
    • Governance/approval records: 6-year retention
  • Configure SEC 17a-4 compliant storage (WORM or audit-trail alternative)
  • Implement document metadata schema (Agent ID, Category, Date, Owner, Regulatory Reference)
  • Configure auto-labeling for agent interaction logs
  • Establish examination response procedures with designated custodians
  • Schedule quarterly documentation completeness audits
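The retention-label, publishing and auto-labeling steps above, carried out with Security & Compliance PowerShell (the ExchangeOnlineManagement module). This is an added example, not code from the original page or from Microsoft: the label names, the site URL, the admin UPN and the SharePoint content type named in the KQL query are assumptions; the durations follow the retention schedule in this control, with Purview counting 365 days per year.

```powershell
# Added example (not from the original page). Provisions the retention labels, the
# publishing policy and the auto-apply rule for agent interaction logs described in the
# Key Configuration Points. Names, URLs and the content type are assumptions.
# Prerequisite: Install-Module ExchangeOnlineManagement; a Compliance Administrator account.

Connect-IPPSSession -UserPrincipalName 'compliance-admin@contoso.example'   # hypothetical UPN

# Regulatory record labels require this tenant-wide option to be turned on once.
# Treat it as a one-way change: check the current Purview docs before running it in production.
Set-RegulatoryComplianceUI -Enabled $true

# Retention schedule from the control. Regulatory = $true makes the item immutable for the
# whole period (no edits, no deletion, no label removal, no shortening of the period),
# which is the behaviour the WORM path of SEC 17a-4(f) depends on.
$labels = @(
    @{ Name = 'AI-Agent-Conversation-Log';   Years = 3; Basis = 'SEC 17a-4(b)(4)';      Regulatory = $true  }
    @{ Name = 'AI-Agent-Transaction-Record'; Years = 6; Basis = 'SEC 17a-4(a)';         Regulatory = $true  }
    @{ Name = 'AI-Agent-Governance-Record';  Years = 6; Basis = 'SOX 404 / FINRA 4511'; Regulatory = $false }
)

foreach ($l in $labels) {
    if (Get-ComplianceTag -Identity $l.Name -ErrorAction SilentlyContinue) { continue }   # idempotent re-runs
    $params = @{
        Name              = $l.Name
        Comment           = "Retention basis: $($l.Basis)"
        RetentionAction   = 'KeepAndDelete'       # keep for the full period, then dispose
        RetentionDuration = $l.Years * 365        # Purview stores the period in days
        RetentionType     = 'CreationAgeInDays'   # the clock starts when the item is created
        IsRecordLabel     = $true                 # declare the labelled item a record
    }
    if ($l.Regulatory) { $params['Regulatory'] = $true }
    New-ComplianceTag @params | Out-Null
    Write-Host "Created label $($l.Name): $($l.Years) years, regulatory=$($l.Regulatory)"
}

# Publish the labels to the AI governance site so custodians can apply them manually.
$site       = 'https://contoso.sharepoint.com/sites/AI-Governance'   # hypothetical site
$publishPol = 'AI-Agent-Records-Publish'
if (-not (Get-RetentionCompliancePolicy -Identity $publishPol -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $publishPol -SharePointLocation $site -Enabled $true | Out-Null
    New-RetentionComplianceRule -Name "$publishPol-Rule" -Policy $publishPol `
        -PublishComplianceTag ($labels.Name -join ',') | Out-Null
}

# Auto-label agent interaction logs: every document of the (assumed) content type
# "AI Agent Conversation Log" stored on the site receives the 3-year regulatory label
# without depending on the uploader. Auto-apply can take up to seven days to take effect.
$autoPol = 'AI-Agent-ConversationLog-AutoApply'
if (-not (Get-RetentionCompliancePolicy -Identity $autoPol -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $autoPol -SharePointLocation $site -Enabled $true | Out-Null
    New-RetentionComplianceRule -Name "$autoPol-Rule" -Policy $autoPol `
        -ApplyComplianceTag 'AI-Agent-Conversation-Log' `
        -ContentMatchQuery 'ContentType:"AI Agent Conversation Log"' | Out-Null
}
```

Run this in a test tenant first: a regulatory record label cannot be removed or shortened once it is applied, so a wrong duration is not correctable on content already labelled. Immutable labels cover the storage side of SEC 17a-4(f) only; the rule's other obligations (for example the designated third party or designated executive officer undertakings) remain separate, and the audit-trail alternative additionally needs the Purview audit log retained for the same period as the records it describes.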

Zone-Specific Requirements

| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Basic documentation; standard retention; annual review | Low regulatory exposure; standard recordkeeping |
| Zone 2 (Team) | Comprehensive documentation; Purview retention; documented approval chain | Shared agents warrant formal records management |
| Zone 3 (Enterprise) | SEC 17a-4 compliance (WORM or audit-trail alternative); automated retention; examination-ready documentation; quarterly audit | Customer-facing agents require maximum recordkeeping rigor |

Roles & Responsibilities

| Role | Responsibility |
|---|---|
| Compliance Officer | Define retention schedule, approve record categories, validate regulatory alignment |
| SharePoint Admin | Configure site structure, implement retention labels |
| Purview Records Manager | Manage retention policies, handle record disposition |
| AI Governance Lead | Ensure agent documentation completeness, coordinate audits |

| Control | Relationship |
|---|---|
| 1.7 - Audit Logging | Audit logs are key governance records |
| 1.9 - Data Retention | Retention policies apply to agent records |
| 2.12 - Supervision | Supervision records maintained per this control |
| 3.1 - Agent Inventory | Inventory is foundational documentation |

Advanced Implementation: Platform Change Governance

For implementing SEC 17a-4 compliant decision logging for platform changes, see Platform Change Governance - Evidence and Audit.

Advanced Implementation: Environment Lifecycle Management

For immutable provisioning audit trails using organization-owned Dataverse tables, see Environment Lifecycle Management - Evidence and Audit.


Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:


Verification Criteria

Confirm control effectiveness by verifying:

  1. SharePoint site structure exists for AI governance documentation
  2. Purview retention labels applied with appropriate retention periods
  3. SEC 17a-4 compliant storage configured (WORM or audit-trail alternative) for Zone 3
  4. Document metadata schema implemented and consistently applied
  5. Examination response procedure documented with designated custodians
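An evidence check for verification items 2 and 3, again in Security & Compliance PowerShell. This is an added example, not code from the original page: the expected label names and durations restate the retention schedule in this control, and the admin UPN and evidence folder are assumptions. It compares the tenant's actual labels and policy distribution against the schedule and writes a dated snapshot for the quarterly completeness audit.

```powershell
# Added example (not from the original page). Verifies that the retention labels exist
# with the periods and record settings the schedule requires and that the policies
# carrying them have actually been distributed. Names and paths are assumptions.

Connect-IPPSSession -UserPrincipalName 'compliance-admin@contoso.example'   # hypothetical UPN

# What the retention schedule says each label must look like (days = years * 365).
$expected = [ordered]@{
    'AI-Agent-Conversation-Log'   = @{ Days = 1095; Regulatory = $true  }
    'AI-Agent-Transaction-Record' = @{ Days = 2190; Regulatory = $true  }
    'AI-Agent-Governance-Record'  = @{ Days = 2190; Regulatory = $false }
}

# Compare what exists in the tenant with what the schedule requires.
$labelFindings = foreach ($name in $expected.Keys) {
    $tag = Get-ComplianceTag -Identity $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Label        = $name
        Exists       = [bool]$tag
        DurationDays = $tag.RetentionDuration
        DurationOk   = [bool]$tag -and ([int]$tag.RetentionDuration -eq $expected[$name].Days)
        IsRecord     = [bool]$tag.IsRecordLabel
        Regulatory   = [bool]$tag.Regulatory
        RegulatoryOk = [bool]$tag -and ([bool]$tag.Regulatory -eq $expected[$name].Regulatory)
    }
}

# A label only protects content where its policy has been distributed; a policy stuck in
# Pending or Error means the records are not yet under retention at all.
$policyFindings = Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.Name -like 'AI-Agent-*' } |
    Select-Object Name, Enabled, DistributionStatus

$labelFindings  | Format-Table -AutoSize
$policyFindings | Format-Table -AutoSize

# Persist a dated snapshot as audit evidence (folder is hypothetical).
$evidenceDir = '.\evidence'
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyy-MM-dd'
$labelFindings  | Export-Csv -NoTypeInformation -Path "$evidenceDir\2.13-labels-$stamp.csv"
$policyFindings | Export-Csv -NoTypeInformation -Path "$evidenceDir\2.13-policies-$stamp.csv"

# Fail loudly so a scheduled run surfaces drift instead of silently producing a report.
$failed = @($labelFindings  | Where-Object { -not ($_.Exists -and $_.DurationOk -and $_.RegulatoryOk) }) +
          @($policyFindings | Where-Object { $_.DistributionStatus -ne 'Success' })
if ($failed.Count -gt 0) {
    Write-Warning "Control 2.13 verification: $($failed.Count) finding(s); see $evidenceDir"
    exit 1
}
```

Schedule this quarterly and keep the CSV output under the governance-record label itself; the snapshot is the examination evidence that the retention configuration, not just the policy document, matched the schedule on that date.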

Additional Resources


Updated: January 2026 | Version: v1.2 | UI Verification Status: Current