
Control 2.13: Documentation and Record Keeping

Control ID: 2.13
Pillar: Management
Regulatory Reference: FINRA 4511, FINRA 3110, FINRA 25-07, SEC 17a-3, SEC 17a-4, SOX 302/404, GLBA 501(b), OCC 2011-12, Fed SR 11-7, CFTC 1.31
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated


Agent 365 Architecture Update

Agent 365 Unified Registry provides comprehensive agent metadata (usage analytics, risk scores, compliance status) that supports documentation and record-keeping requirements. See Unified Agent Governance for registry metadata capabilities.

Objective

Establish comprehensive documentation and record-keeping requirements for AI agents aligned with FINRA 4511, FINRA 3110, FINRA 25-07, SEC 17a-3/4, OCC 2011-12, and Fed SR 11-7 requirements. This control helps support preservation of agent configurations, decisions, interactions, and governance activities in a format that aids in regulatory examination readiness. Implementation requires organization-specific retention schedules, legal review, and integration with the firm's broader records management program.


Why This Matters for FSI

  • FINRA 4511: Books and records requirements mandate documentation of automated system operations; records must be retained for the period specified by SEA Rule 17a-4 (default 6 years) with the first 2 years in an easily accessible place
  • FINRA 3110: Written supervisory procedures (WSPs) must document oversight of AI agent activities, including supervisory review sampling, escalation protocols, and agent approval records
  • FINRA 25-07: AI-generated communications must be archived and retained under the same books-and-records rules as human-generated communications; record classification follows function, not medium
  • SEC 17a-3: Record creation requirements — agent activity that generates or evidences a required book or record triggers the 17a-3 creation obligation
  • SEC 17a-4: Records preservation requirements including WORM or audit-trail alternative per October 2022 amendments (compliance date May 2023); communications records (including agent conversation logs) require 3-year retention per 17a-4(b)(4), financial/accounting records require 6-year retention per 17a-4(a)
  • SOX 302/404: Internal control documentation must demonstrate control design effectiveness and operating effectiveness; AI agent governance records support management certification
  • GLBA 501(b): Administrative safeguards require a documented information security program covering AI systems that access or process customer NPI
  • OCC 2011-12 / Fed SR 11-7: Model risk management requires documentation of model development, validation, outcomes analysis, and ongoing monitoring; agent configuration changes and validation evidence must be maintained per the model inventory
  • CFTC 1.31: Regulatory records for FCMs, swap dealers, and CPOs must be retained for 5 years in tamper-evident format with the first 2 years readily accessible

Automation Available

See the following companion solutions in FSI-AgentGov-Solutions:

Control Description

This control establishes record keeping through:

  1. Record Categories - Define categories: configuration, interaction logs, approvals, incidents, governance decisions
  2. Retention Schedule - Establish retention periods per regulatory requirements (6+ years typical)
  3. SEC 17a-4 Compliance - Configure WORM storage or audit-trail alternative per October 2022 amendments
  4. Document Taxonomy - Create consistent classification and metadata standards
  5. Access Controls - Restrict record access to authorized personnel
  6. Retrieval Procedures - Document processes for regulatory examination response

Key Configuration Points

  • Create SharePoint site hierarchy for AI governance documentation
  • Configure Purview retention labels per record type:
    • Agent conversation logs: 3-year retention (communications per SEC 17a-4(b)(4))
    • Financial/transaction records: 6-year retention (per SEC 17a-4(a))
    • Governance/approval records: 6-year retention
  • Configure SEC 17a-4 compliant storage (WORM or audit-trail alternative)
  • Implement document metadata schema (Agent ID, Category, Date, Owner, Regulatory Reference)
  • Configure auto-labeling for agent interaction logs
  • Establish examination response procedures with designated custodians
  • Schedule quarterly documentation completeness audits
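The label, publish and auto-apply steps above can be scripted in Security & Compliance PowerShell so the retention matrix is applied the same way in every tenant. The following is an added example, not code from this framework or its companion solutions: it creates the three retention labels from the matrix above, publishes them to the AI governance site, and auto-applies the conversation-log label. The site URL, label and policy names, and the KQL query that identifies interaction logs are assumptions; adjust them to the organization's own metadata schema.

```powershell
# Added example: apply the Control 2.13 retention matrix with Security & Compliance PowerShell.
# Requires the ExchangeOnlineManagement module and a Records Management / Compliance Admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell endpoint

$GovernanceSite = 'https://contoso.sharepoint.com/sites/AI-Governance'   # assumed site URL

# Retention matrix from the Key Configuration Points. Purview takes durations in days.
$RetentionMatrix = @(
    @{ Name = 'AI-Agent-ConversationLog';  Years = 3; Reference = 'SEC 17a-4(b)(4) communications' },
    @{ Name = 'AI-Agent-FinancialRecord';  Years = 6; Reference = 'SEC 17a-4(a) books and records' },
    @{ Name = 'AI-Agent-GovernanceRecord'; Years = 6; Reference = 'Governance and approval records' }
)

# 1. Create one record label per category (idempotent: skip labels that already exist).
foreach ($Entry in $RetentionMatrix) {
    if (Get-RetentionComplianceTag -Identity $Entry.Name -ErrorAction SilentlyContinue) { continue }
    $LabelParams = @{
        Name              = $Entry.Name
        Comment           = "Retention per $($Entry.Reference)"
        RetentionAction   = 'Keep'              # retain; disposition stays a records-manager decision
        RetentionType     = 'CreationAgeInDays' # clock starts when the record is created
        RetentionDuration = $Entry.Years * 365
        IsRecordLabel     = $true               # record label: content is locked against edit and delete
    }
    New-RetentionComplianceTag @LabelParams | Out-Null
}

# 2. Publish the labels to the governance site (one publish rule per label).
$PublishPolicy = 'AI-Agent-Records-Publish'
if (-not (Get-RetentionCompliancePolicy -Identity $PublishPolicy -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $PublishPolicy -SharePointLocation $GovernanceSite -Enabled $true | Out-Null
    foreach ($Entry in $RetentionMatrix) {
        New-RetentionComplianceRule -Name "Publish-$($Entry.Name)" -Policy $PublishPolicy `
            -PublishComplianceTag $Entry.Name | Out-Null
    }
}

# 3. Auto-apply the conversation-log label to agent interaction logs.
#    The KQL query is an assumption: it expects a managed property 'RecordCategory'
#    mapped from the document metadata schema (Agent ID, Category, ...).
$AutoPolicy = 'AI-Agent-ConversationLog-AutoApply'
if (-not (Get-RetentionCompliancePolicy -Identity $AutoPolicy -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $AutoPolicy -SharePointLocation $GovernanceSite -Enabled $true | Out-Null
    New-RetentionComplianceRule -Name 'AutoApply-ConversationLog' -Policy $AutoPolicy `
        -ApplyComplianceTag 'AI-Agent-ConversationLog' `
        -ContentMatchQuery 'RecordCategory:"Interaction Log"' | Out-Null
}

# 4. Read back what was created so the change record can include the evidence.
Get-RetentionComplianceTag | Where-Object Name -like 'AI-Agent-*' |
    Select-Object Name, RetentionAction, RetentionType, RetentionDuration, IsRecordLabel
```

Auto-apply policies take up to seven days to evaluate existing content, so the read-back at the end evidences the configuration, not that every historical log has been labelled; the completeness audit in the verification criteria covers that gap. Storing the labels as record labels is what makes SEC 17a-4 immutability enforceable in SharePoint; the WORM or audit-trail storage decision for Zone 3 is a separate tenant setting and is not made by this script.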

Zone-Specific Requirements

| Zone | Requirement | Rationale |
| --- | --- | --- |
| Zone 1 (Personal) | Basic documentation; standard retention; annual review | Low regulatory exposure, standard recordkeeping |
| Zone 2 (Team) | Comprehensive documentation; Purview retention; documented approval chain | Shared agents warrant formal records management |
| Zone 3 (Enterprise) | SEC 17a-4 compliance (WORM or audit-trail); automated retention; examination-ready documentation; quarterly audit | Customer-facing agents require maximum recordkeeping rigor |

Roles & Responsibilities

| Role | Responsibility |
| --- | --- |
| Compliance Officer | Define retention schedule, approve record categories, validate regulatory alignment |
| SharePoint Admin | Configure site structure, implement retention labels |
| Purview Records Manager | Manage retention policies, handle record disposition |
| AI Governance Lead | Ensure agent documentation completeness, coordinate audits |

| Control | Relationship |
| --- | --- |
| 1.7 - Audit Logging | Audit logs are key governance records; capture-tier telemetry feeds record-keeping evidence |
| 1.9 - Data Retention | Retention policies apply to agent records; label and policy configuration is a prerequisite |
| 1.19 - eDiscovery | eDiscovery cases enable examination response and litigation hold for agent interaction records |
| 2.3 - Change Management | Change records and release documentation feed the governance record set |
| 2.12 - Supervision | Supervision records (WSPs, review logs, sampling evidence) are maintained per this control |
| 3.1 - Agent Inventory | Inventory is foundational documentation; provides the authoritative agent register |
| 3.3 - Compliance Reporting | Compliance reports are key governance records requiring retention per this control |

Advanced Implementation: Platform Change Governance

For implementing SEC 17a-4 compliant decision logging for platform changes, see Platform Change Governance - Evidence and Audit.

Advanced Implementation: Environment Lifecycle Management

For immutable provisioning audit trails using organization-owned Dataverse tables, see Environment Lifecycle Management - Evidence and Audit.


Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:


Verification Criteria

Confirm control effectiveness by verifying:

  1. SharePoint site structure exists for AI governance documentation with required libraries
  2. Purview retention labels applied with retention periods aligned to SEC 17a-4 record-type matrix (3 years for communications, 6 years for books and records)
  3. SEC 17a-4 compliant storage configured (WORM or audit-trail alternative) for Zone 3 deployments
  4. Document metadata schema implemented with Agent ID, Category, Regulatory Reference, and Classification Date fields consistently populated
  5. Auto-labeling policies configured and operational for agent interaction logs (Zone 2 and Zone 3)
  6. Examination response procedure documented with designated custodians and response SLAs
  7. Copilot Studio agent version history and publish logs preserved per the retention schedule
  8. Quarterly documentation completeness audit conducted with findings remediated (Zone 3)
  9. OCC 2011-12 / Fed SR 11-7 model documentation maintained for agents classified as models
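Criteria 2, 3, 4 and 8 can be checked mechanically over an export of the records inventory. The script below is an added example, not part of the framework: it runs offline against a handful of constructed sample records (the record objects and field names are invented for illustration), checks each record against the retention matrix from this control, flags missing metadata fields and Zone 3 records that are not on WORM or audit-trail storage, and computes the disposition-eligible date and the end of the easily-accessible window.

```powershell
# Added example: offline completeness audit for agent governance records.
# Sample records are constructed; field names follow the control's metadata schema.

$ExpectedRetentionYears = @{      # retention matrix from the Key Configuration Points
    'Interaction Log' = 3         # SEC 17a-4(b)(4) communications
    'Financial'       = 6         # SEC 17a-4(a) books and records
    'Governance'      = 6         # approvals, WSPs, audit findings
    'Configuration'   = 6
    'Incident'        = 6
}
$RequiredFields  = 'AgentId', 'Category', 'ClassificationDate', 'Owner', 'RegulatoryReference'
$AccessibleYears = 2              # first 2 years in an easily accessible place

function Test-AgentRecord {
    param([Parameter(Mandatory)][hashtable]$Record)
    $Findings = [System.Collections.Generic.List[string]]::new()

    # Criterion 4: every metadata field populated
    foreach ($Field in $RequiredFields) {
        if ([string]::IsNullOrWhiteSpace([string]$Record[$Field])) {
            $Findings.Add("missing metadata field '$Field'")
        }
    }

    # Criterion 2: applied label matches the record-type matrix
    $Expected = $ExpectedRetentionYears[[string]$Record['Category']]
    if ($null -eq $Expected) {
        $Findings.Add("category '$($Record['Category'])' is not in the record taxonomy")
    } elseif ([int]$Record['RetentionYears'] -ne $Expected) {
        $Findings.Add("label retains $($Record['RetentionYears'])y, matrix requires ${Expected}y")
    }

    # Criterion 3: Zone 3 records must sit on SEC 17a-4 compliant storage
    if ([int]$Record['Zone'] -eq 3 -and $Record['ImmutableStorage'] -notin @('WORM', 'AuditTrail')) {
        $Findings.Add('Zone 3 record not on WORM or audit-trail storage')
    }

    # Retention clock: disposition eligibility and end of the easily-accessible window
    $Created = [datetime]::MinValue
    $Disposition = $null; $AccessibleUntil = $null
    if ($Expected -and [datetime]::TryParse([string]$Record['ClassificationDate'], [ref]$Created)) {
        $Disposition     = $Created.AddYears($Expected).ToString('yyyy-MM-dd')
        $AccessibleUntil = $Created.AddYears($AccessibleYears).ToString('yyyy-MM-dd')
    }

    [pscustomobject]@{
        RecordId            = $Record['RecordId']
        Compliant           = ($Findings.Count -eq 0)
        DispositionEligible = $Disposition
        AccessibleUntil     = $AccessibleUntil
        Findings            = ($Findings -join '; ')
    }
}

# Constructed sample inventory: one clean record, one mislabelled, one with a missing field.
$SampleRecords = @(
    @{ RecordId = 'R-001'; AgentId = 'AGT-0042'; Category = 'Interaction Log'; ClassificationDate = '2026-01-15'
       Owner = 'cs-ops';      RegulatoryReference = 'SEC 17a-4(b)(4)'; RetentionYears = 3; Zone = 3; ImmutableStorage = 'WORM' },
    @{ RecordId = 'R-002'; AgentId = 'AGT-0042'; Category = 'Financial';       ClassificationDate = '2026-02-03'
       Owner = 'finance-ops'; RegulatoryReference = 'SEC 17a-4(a)';    RetentionYears = 3; Zone = 3; ImmutableStorage = 'AuditTrail' },
    @{ RecordId = 'R-003'; AgentId = '';         Category = 'Governance';      ClassificationDate = '2026-03-10'
       Owner = 'ai-gov';      RegulatoryReference = 'FINRA 3110';      RetentionYears = 6; Zone = 2; ImmutableStorage = 'None' }
)

$Results = $SampleRecords | ForEach-Object { Test-AgentRecord -Record $_ }
$Results | Format-Table RecordId, Compliant, DispositionEligible, AccessibleUntil, Findings -AutoSize
"Compliant records: $(@($Results | Where-Object Compliant).Count) of $($Results.Count)"
```

On the constructed input, R-001 passes, R-002 is flagged because a 3-year communications label was applied to a 6-year financial record, and R-003 is flagged for an empty Agent ID. Pointing `$SampleRecords` at a real export (for example a Purview content search or a SharePoint library view exported to CSV and converted with `Import-Csv`) turns this into the quarterly audit artefact that criterion 8 asks for; the output table itself is a governance record and should be filed under the same retention schedule.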

Additional Resources


Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current