# Control 4.3: Site and Document Retention Management

- Control ID: 4.3
- Pillar: SharePoint
- Regulatory Reference: FINRA 4511, SEC 17a-3/4, GLBA 501(b), SOX 404
- Governance Levels: Baseline / Recommended / Regulated
- Last UI Verified: February 2026
- Last Verified: 2026-02-03
## Objective
Manage the lifecycle of SharePoint sites and documents to ensure proper retention for regulatory compliance and timely disposition of content no longer needed. This helps prevent AI agents from surfacing stale or outdated information that could lead to regulatory violations or poor customer outcomes.
## Why This Matters for FSI
- FINRA 4511: Requires retention of books and records per regulatory timelines
- SEC 17a-4(b)(4): Communications retention (3 years, first 2 years readily accessible)
- SEC 17a-4(a): Financial/accounting records retention (6 years, first 2 years readily accessible)
- SEC 17a-4: Non-rewriteable, non-erasable storage requirements; preservation lock blocks modification
- SOX 802: 7-year retention for audit workpapers and financial records
- GLBA 501(b): Requires administrative, technical, and physical safeguards for customer information; retention policies support secure access controls for protected records
## Retention Periods
Agent conversation logs typically qualify as communications (3-year retention). See Control 1.9 - Data Retention and Deletion Policies for complete retention period matrix by record type.
## Control Description
This control establishes policies and procedures for managing SharePoint site lifecycles and document retention. For agent governance, retention management helps ensure AI agents access current, compliant content while expired or outdated materials are appropriately archived or disposed.
| Capability | Description |
|---|---|
| Inactive Site Policies | Identify and manage sites with no recent activity |
| Site Ownership Policies | Ensure all sites have active, identified owners |
| Document Retention Labels | Apply regulatory retention periods to content |
| Disposition Workflows | Review and approve content deletion |
| Agent Content Freshness | Flag stale content to prevent agent access |
## Key Configuration Points
- Configure inactive site policies (90-day or longer inactivity threshold) with notification and archive actions
- Create site ownership policies to identify and remediate orphaned sites
- Set OneDrive retention to 365 days minimum for regulated organizations
- Create retention labels for FINRA (6-year), SEC (6-year), and SOX (7-year) content
- Publish retention labels to SharePoint via label policies
- Coordinate with eDiscovery for legal hold integration
## Technical Implementation Notes
### Dual Retention Strategy
Implement both retention policies and retention labels for comprehensive lifecycle management:
| Mechanism | Scope | Purpose |
|---|---|---|
| Retention Policies | Container-level (entire sites) | Automatic deletion of stale content after defined period |
| Retention Labels | Item-level (individual documents) | Override policies for records requiring longer retention |
Retention policies ensure stale content is removed (improving Copilot response quality), while retention labels preserve authoritative records that must be retained for regulatory examination.
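The following PowerShell script is an added illustration of the Key Configuration Points and the dual retention strategy described above; it is not one of this control's own playbooks. It uses the Microsoft.Online.SharePoint.PowerShell module (`Connect-SPOService`, `Set-SPOTenant`) and the ExchangeOnlineManagement module's Security & Compliance cmdlets (`Connect-IPPSSession`, `New-RetentionCompliancePolicy`, `New-RetentionComplianceRule`, `New-ComplianceTag`, `Set-RetentionCompliancePolicy`). The tenant URL, policy and label names and the reviewer address are placeholders. Inactive site and site ownership policies are configured in the SharePoint Admin Center (see the Portal Walkthrough) and are not covered here.

```powershell
# Added example (not from this control's playbooks): configure the dual retention
# strategy and the key configuration points with Microsoft 365 PowerShell.
# Requires the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement
# modules; SPO cmdlets need the SharePoint Admin role, the compliance cmdlets the
# Compliance Admin role. All URLs, names and addresses below are placeholders.

param(
    [string]$TenantAdminUrl = "https://PLACEHOLDER-admin.sharepoint.com",   # placeholder
    [string]$DispositionReviewer = "records-reviewer@PLACEHOLDER.example",  # placeholder
    [switch]$ApplyPreservationLock   # off by default: the lock cannot be removed once set
)

Connect-SPOService -Url $TenantAdminUrl
Connect-IPPSSession   # Security & Compliance PowerShell (retention policies and labels)

# 1. OneDrive retention: keep a departed user's OneDrive for at least 365 days.
Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 365

# 2. Container-level policy: retain all SharePoint content for 2 years after last
#    modification, then delete it (the freshness policy for non-regulated content).
$freshness = "SPO-Freshness-2y"
New-RetentionCompliancePolicy -Name $freshness -SharePointLocation All -Enabled $true | Out-Null
New-RetentionComplianceRule -Policy $freshness `
    -RetentionComplianceAction Delete `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionDuration 730 | Out-Null

# 3. Item-level record labels that override the deletion policy. Durations are in days:
#    6 years = 2190 days (FINRA 4511, SEC 17a-4), 7 years = 2555 days (SOX 802).
#    ReviewerEmail routes expiring items to disposition review instead of silent deletion.
$labels = @(
    @{ Name = "FINRA-Record-6y"; Days = 2190; Note = "FINRA 4511 books and records" },
    @{ Name = "SEC-Record-6y";   Days = 2190; Note = "SEC 17a-4(a) financial records" },
    @{ Name = "SOX-Record-7y";   Days = 2555; Note = "SOX 802 audit workpapers" }
)
foreach ($label in $labels) {
    New-ComplianceTag -Name $label.Name -Comment $label.Note `
        -IsRecordLabel $true `
        -RetentionType CreationAgeInDays `
        -RetentionAction KeepAndDelete `
        -RetentionDuration $label.Days `
        -ReviewerEmail $DispositionReviewer | Out-Null

    # 4. Publish each label to every SharePoint site through its own label policy.
    $publishPolicy = "Publish-$($label.Name)"
    New-RetentionCompliancePolicy -Name $publishPolicy -SharePointLocation All -Enabled $true | Out-Null
    New-RetentionComplianceRule -Policy $publishPolicy -PublishComplianceTag $label.Name | Out-Null

    # 5. Optional preservation lock (SEC 17a-4 non-erasable requirement): once applied,
    #    the policy can only be widened or extended, never narrowed, shortened or removed.
    if ($ApplyPreservationLock) {
        Set-RetentionCompliancePolicy -Identity $publishPolicy -RestrictiveRetention $true
    }
}
```

Run the script once without `-ApplyPreservationLock`, confirm the label policies distribute correctly (`Get-RetentionCompliancePolicy -DistributionDetail`), and only then re-run with the switch for the Regulated governance level. Because a locked policy cannot be narrowed or deleted, the lock belongs on the record-label policies (which must survive examination) and not on the two-year freshness policy, which may need tuning as knowledge sources change.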
### Site Lifecycle Policy (SAM Feature)
Site Lifecycle Policy is a SharePoint Advanced Management capability that detects inactive sites, notifies owners, and can automatically archive, set to read-only, or delete sites based on inactivity thresholds. This feature is distinct from retention policies and focuses on site-level governance rather than document-level retention.
### Microsoft 365 Copilot Interaction Retention
M365 Copilot interactions (prompts and responses) are retained in the user's Exchange Online mailbox, separate from SharePoint document retention. Configure Exchange retention policies to retain Copilot interactions for the required regulatory period. Copilot interactions in Teams channels follow Teams retention policies.
### Impact on Copilot Knowledge Quality
Retention policies that delete stale content improve Copilot response quality by removing "ROT" (Redundant, Obsolete, Trivial) content from the Semantic Index. Consider implementing 2-year retention-then-delete policies for non-regulated content to maintain knowledge source freshness.
## Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Baseline retention where tenant-wide safety applies; document exceptions | Low risk; minimal friction for personal productivity |
| Zone 2 (Team) | Agent knowledge sources follow retention rules; require owner and approval trail | Shared agents increase blast radius; controls must be provable |
| Zone 3 (Enterprise) | Strictest configuration; policy-enforced retention; change-controlled modifications | Highest audit/regulatory risk; enterprise agents need compliant content |
## Roles & Responsibilities
| Role | Responsibility |
|---|---|
| SharePoint Admin | Configure site lifecycle policies and tenant settings |
| Purview Compliance Admin | Create and manage retention policies and labels |
| Purview Records Manager | Manage file plan and disposition workflows |
| AI Governance Lead | Ensure agent knowledge sources have proper retention |
## Related Controls
| Control | Relationship |
|---|---|
| 4.1 - Information Access Governance | IAG and Restricted Content Discovery govern which content AI agents can access; retention policies complement by managing content lifecycle |
| 4.2 - Site Access Reviews | Access reviews align with retention periods |
| 1.7 - Audit Logging | Track retention policy events |
| 1.19 - eDiscovery | Legal holds override retention deletion |
## Implementation Playbooks
### Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
## Verification Criteria
Confirm control effectiveness by verifying:
- Inactive site policy is configured and enabled in SharePoint Admin Center
- Site ownership policy identifies orphaned sites and triggers remediation
- Retention labels are published and visible to users in document libraries
- OneDrive retention is set to 365 days or greater for regulated environments
- Retention policies apply to agent knowledge source sites
- Disposition workflows trigger review before content deletion
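The read-only script below is an added example of evidence collection for the verification criteria above; it is not one of this control's own playbooks. It uses the same two PowerShell modules as the setup example and checks the OneDrive retention period, the regulatory record labels and their publishing policies, retention coverage of an agent knowledge source site, disposition review configuration and preservation lock state, writing the results to a CSV. The tenant URL, the knowledge source site URL, the label names and their expected durations are placeholders; the inactive site and site ownership policy criteria are verified in the SharePoint Admin Center and are not covered here.

```powershell
# Added example (not from this control's playbooks): collect evidence for the
# verification criteria. Read-only; requires Microsoft.Online.SharePoint.PowerShell
# and ExchangeOnlineManagement. URLs and label names are placeholders.

param(
    [string]$TenantAdminUrl   = "https://PLACEHOLDER-admin.sharepoint.com",         # placeholder
    [string]$KnowledgeSiteUrl = "https://PLACEHOLDER.sharepoint.com/sites/AgentKB",  # placeholder
    [string]$EvidencePath     = ".\control-4.3-evidence.csv"
)
Connect-SPOService -Url $TenantAdminUrl
Connect-IPPSSession

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, $Evidence) {
    # Each check becomes one evidence row: timestamp, criterion, pass/fail, raw value.
    $results.Add([pscustomobject]@{
        Checked  = (Get-Date).ToString("s"); Check = $Name; Pass = $Pass
        Evidence = ($Evidence | Out-String).Trim()
    })
}

# OneDrive retention is 365 days or greater.
$tenant = Get-SPOTenant
Add-Check "OneDrive retention >= 365 days" `
    ($tenant.OrphanedPersonalSitesRetentionPeriod -ge 365) $tenant.OrphanedPersonalSitesRetentionPeriod

# Regulatory record labels exist with the expected durations (days), route to
# disposition review, and are published to SharePoint by an enabled policy.
$expected = @{ "FINRA-Record-6y" = 2190; "SEC-Record-6y" = 2190; "SOX-Record-7y" = 2555 }  # placeholders
$policies = Get-RetentionCompliancePolicy -DistributionDetail
$rules    = Get-RetentionComplianceRule
foreach ($name in $expected.Keys) {
    $tag = Get-ComplianceTag -Identity $name -ErrorAction SilentlyContinue
    $tagOk = ($null -ne $tag) -and ("$($tag.RetentionDuration)" -eq "$($expected[$name])") -and [bool]$tag.IsRecordLabel
    Add-Check "Label $name is a record retained $($expected[$name]) days" $tagOk `
        ($tag | Select-Object Name, RetentionDuration, RetentionAction, IsRecordLabel)

    # Assumption: the reviewer list is exposed on the label object as ReviewerEmail.
    Add-Check "Label $name triggers disposition review" ([bool]($tag -and $tag.ReviewerEmail)) $tag.ReviewerEmail

    $publishing = foreach ($rule in ($rules | Where-Object { "$($_.PublishComplianceTag)" -like "*$name*" })) {
        $policies | Where-Object {
            ($_.Name -eq $rule.Policy -or "$($_.Guid)" -eq "$($rule.Policy)") -and $_.Enabled -and $_.SharePointLocation
        }
    }
    Add-Check "Label $name published to SharePoint" ([bool]$publishing) `
        ($publishing | Select-Object Name, Enabled, DistributionStatus)
}

# A retention policy covers the agent knowledge source site (scope "All" or the site URL).
# Assumption: SharePointLocation renders as location names when converted to a string.
$covering = $policies | Where-Object {
    $_.Enabled -and ("$($_.SharePointLocation)" -match "\bAll\b|$([regex]::Escape($KnowledgeSiteUrl))")
}
Add-Check "Retention policy applies to $KnowledgeSiteUrl" ([bool]$covering) ($covering | Select-Object Name, Enabled)

# Preservation lock state (SEC 17a-4 non-erasable storage) recorded for every policy.
foreach ($p in $policies) {
    Add-Check "Preservation lock on policy '$($p.Name)'" ([bool]$p.RestrictiveRetention) $p.RestrictiveRetention
}

$results | Format-Table Check, Pass -AutoSize
$results | Export-Csv -Path $EvidencePath -NoTypeInformation
```

The CSV is the evidence artifact for the control's audit trail; run it from a scheduled job and keep each run alongside the audit log events from Control 1.7 so that a failed check can be correlated with the policy change that caused it.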
## Additional Resources
- Site lifecycle management overview
- Retention policies for SharePoint and OneDrive
- Create and configure retention labels
- Use preservation lock for regulatory requirements
Updated: February 2026 | Version: v1.2 | UI Verification Status: Current