Control 4.3: Site and Document Retention Management
Control ID: 4.3
Pillar: SharePoint
Regulatory Reference: FINRA 4511, FINRA 3110, FINRA RN 24-09, SEC 17a-3/4, GLBA 501(b), SOX 404/802
Last UI Verified: May 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Manage the lifecycle of SharePoint sites and documents to ensure proper retention for regulatory compliance and timely disposition of content no longer needed. This helps prevent AI agents from surfacing stale or outdated information that could lead to regulatory violations or poor customer outcomes.
Why This Matters for FSI
- FINRA 4511 / RN 24-09 / Rule 3110: FINRA Rule 4511 requires retention of books and records per regulatory timelines; FINRA Regulatory Notice 24-09 and Rule 3110 extend supervisory expectations to AI-generated content. (FINRA RN 25-07 is a monitored RFC on workplace modernization that touches AI-generated communications recordkeeping; not yet adopted — see framework/regulatory-framework.md.)
- SEC 17a-4(b)(4): Communications retention (3 years, first 2 years readily accessible)
- SEC 17a-4(a): Financial/accounting records retention (6 years, first 2 years readily accessible)
- SEC 17a-4: Non-rewriteable, non-erasable storage requirements; preservation lock blocks modification
- SOX 802 / SEC Rule 2-06: 7-year retention for audit workpapers and financial records[^1]
- GLBA 501(b): Requires administrative, technical, and physical safeguards for customer information; retention policies support secure access controls for protected records
[^1]: SOX Section 802 (18 USC §1520) mandates retention of audit workpapers for "not less than 5 years." The 7-year retention period commonly cited in practice derives from SEC Rule 2-06 of Regulation S-X, which implements and extends the statutory minimum.
Retention Periods
Agent conversation logs typically qualify as communications (3-year retention). See Control 1.9 - Data Retention and Deletion Policies for the complete retention-period matrix by record type.
No companion solution by design
Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.
Control Description
This control establishes policies and procedures for managing SharePoint site lifecycles and document retention. For agent governance, retention management helps ensure AI agents access current, compliant content while expired or outdated materials are appropriately archived or disposed.
| Capability | Description |
|---|---|
| Inactive Site Policies | Identify and manage sites with no recent activity |
| Site Ownership Policies | Ensure all sites have active, identified owners |
| Document Retention Labels | Apply regulatory retention periods to content |
| Disposition Workflows | Review and approve content deletion |
| Agent Content Freshness | Flag stale content to prevent agent access |
Key Configuration Points
- Configure inactive site policies in SharePoint Admin Center > Policies > Site lifecycle management (90+ day inactivity threshold) with owner notification and graduated enforcement (notify → read-only → archive)
- Create site ownership policies to identify and remediate orphaned sites before they become unmanaged knowledge sources for AI agents
- Set OneDrive retention to 365 days minimum for regulated organizations (SharePoint Admin Center > Settings > OneDrive)
- Create retention labels in Microsoft Purview for FINRA-aligned (6-year), SEC communications (3-year), SEC financial records (6-year), and SOX/Reg S-X (7-year) content
- Publish retention labels to SharePoint and OneDrive via label policies; auto-apply via sensitivity, KQL query, or trainable classifier where available
- Apply preservation lock to retention policies covering SEC 17a-4(f) electronic-records scope so the policy cannot be disabled, shortened, or deleted
- Coordinate with eDiscovery (Control 1.19) so legal holds override retention deletion and content-on-hold remains preserved
- Document retention coverage for every site flagged as a Copilot or agent knowledge source
Technical Implementation Notes
Dual Retention Strategy
Implement both retention policies and retention labels for comprehensive lifecycle management:
| Mechanism | Scope | Purpose |
|---|---|---|
| Retention Policies | Container-level (entire sites) | Automatic deletion of stale content after defined period |
| Retention Labels | Item-level (individual documents) | Override policies for records requiring longer retention |
Retention policies ensure stale content is removed (improving Copilot response quality), while retention labels preserve authoritative records that must be retained for regulatory examination.
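As an added example (not code from the control page or the FSI-AgentGov project), the following Security & Compliance PowerShell session implements the Key Configuration Points above as the dual strategy in the table: one records label per regulatory regime, a label policy that publishes them, a 2-year retain-then-delete policy for a non-regulated site, and a preservation-locked retain-only policy for the SEC 17a-4 scope. It assumes the ExchangeOnlineManagement module, Purview Compliance Admin permissions, and the hypothetical site URLs and policy names shown.

```powershell
# Added example, not code from the control page or the FSI-AgentGov project.
# Assumes the ExchangeOnlineManagement module, a Purview Compliance Admin role,
# and the hypothetical site URLs below. Durations are in days (leap days included).
Connect-IPPSSession

# 1. Item-level: one records label per regulatory regime the control names.
#    A records label blocks edit/delete until its period expires and overrides
#    any container-level deletion policy on the same item.
$labels = @(
    @{ Name = 'FINRA 4511 Record (6y)';       Days = 2192 }
    @{ Name = 'SEC 17a-4(b)(4) Comms (3y)';   Days = 1096 }
    @{ Name = 'SEC 17a-4(a) Financial (6y)';  Days = 2192 }
    @{ Name = 'SOX 802 / Reg S-X Audit (7y)'; Days = 2557 }
)
foreach ($l in $labels) {
    New-ComplianceTag -Name $l.Name -RetentionAction Keep `
        -RetentionDuration $l.Days -RetentionType CreationAgeInDays `
        -IsRecordLabel $true -Comment 'Control 4.3 regulatory record'
}

# 2. Publish the labels to every SharePoint and OneDrive location.
#    PublishComplianceTag takes a single label, so one rule per label is
#    created (assumption: the label policy accepts several publish rules).
New-RetentionCompliancePolicy -Name 'C4.3 Regulatory Labels' `
    -SharePointLocation All -OneDriveLocation All
foreach ($l in $labels) {
    New-RetentionComplianceRule -Name "Publish $($l.Name)" `
        -Policy 'C4.3 Regulatory Labels' -PublishComplianceTag $l.Name
}

# 3. Container-level: retain 2 years from last modification, then delete,
#    on a non-regulated team site (the ROT cleanup the control recommends).
New-RetentionCompliancePolicy -Name 'C4.3 Non-Regulated 2y Delete' `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/TeamWiki'  # hypothetical
New-RetentionComplianceRule -Name 'C4.3 2y Delete' -Policy 'C4.3 Non-Regulated 2y Delete' `
    -RetentionDuration 731 -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# 4. SEC 17a-4 scope: retain-only policy, then preservation lock. Once
#    RestrictiveRetention is set, the policy cannot be disabled, shortened,
#    or deleted; locations and duration can only be added or extended.
New-RetentionCompliancePolicy -Name 'C4.3 SEC 17a-4 Locked' `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/BrokerDealerRecords'  # hypothetical
New-RetentionComplianceRule -Name 'C4.3 SEC 17a-4 Keep 6y' -Policy 'C4.3 SEC 17a-4 Locked' `
    -RetentionDuration 2192 -RetentionComplianceAction Keep `
    -ExpirationDateOption CreationAgeInDays
Set-RetentionCompliancePolicy -Identity 'C4.3 SEC 17a-4 Locked' -RestrictiveRetention $true
```

Run step 4 last and only after a change-control sign-off, since the lock is irreversible by design.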
Site Lifecycle Policy (SAM Feature)
Site Lifecycle Policy is a SharePoint Advanced Management capability that detects inactive sites, notifies owners, and can automatically archive, set to read-only, or delete sites based on inactivity thresholds. This feature is distinct from retention policies and focuses on site-level governance rather than document-level retention.
Microsoft 365 Copilot Interaction Retention
M365 Copilot interactions (prompts and responses) are stored at rest in a hidden folder of the user's Exchange Online mailbox, but the authoritative Purview configuration is a retention policy scoped to the Microsoft Copilot experiences location (Microsoft 365 Copilot, Security Copilot, Copilot in Fabric, Copilot Studio) — not a generic Exchange mailbox policy and not the Teams retention policy. Microsoft has separated Copilot retention from the previous combined "Teams chats and Copilot interactions" location; Teams retention policies no longer capture Copilot AI prompts and responses. Tenants with an existing combined policy should follow Microsoft's separation guidance (Set-RetentionCompliancePolicy -Applications "User:TeamsChatUserInteractions" for the old policy, plus a new policy targeting the Microsoft Copilot experiences location). See Learn about retention for Copilot & AI apps and Create and configure retention policies for the current configuration path.
Impact on Copilot Knowledge Quality
Retention policies that delete stale content improve Copilot response quality by removing "ROT" (Redundant, Obsolete, Trivial) content from the Semantic Index. Consider implementing 2-year retention-then-delete policies for non-regulated content to maintain knowledge source freshness.
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Baseline retention where tenant-wide safety applies; document exceptions | Low risk; minimal friction for personal productivity |
| Zone 2 (Team) | Agent knowledge sources follow retention rules; require owner and approval trail | Shared agents increase blast radius; controls must be provable |
| Zone 3 (Enterprise) | Strictest configuration; policy-enforced retention; change-controlled modifications | Highest audit/regulatory risk; enterprise agents need compliant content |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| SharePoint Admin | Configure site lifecycle policies and tenant settings |
| Purview Compliance Admin | Create and manage retention policies and labels |
| Purview Records Manager | Manage file plan and disposition workflows |
| AI Governance Lead | Ensure agent knowledge sources have proper retention |
Related Controls
| Control | Relationship |
|---|---|
| 4.1 - Information Access Governance | IAG and Restricted Content Discovery govern which content AI agents can access; retention policies complement by managing content lifecycle |
| 4.2 - Site Access Reviews | Access reviews align with retention periods |
| 1.7 - Audit Logging | Track retention policy events |
| 1.19 - eDiscovery | Legal holds override retention deletion |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- Inactive site policy is configured and enabled in SharePoint Admin Center
- Site ownership policy identifies orphaned sites and triggers remediation
- Retention labels are published and visible to users in document libraries
- OneDrive retention is set to 365 days or greater for regulated environments
- Retention policies apply to agent knowledge source sites
- Disposition workflows trigger review before content deletion
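An added evidence-collection script, not the framework's own assessment-engine collector, that checks the criteria above that are reachable through the cmdlets used (OneDrive retention, published records labels, preservation lock, orphaned sites, and retention coverage of agent knowledge-source sites); the inactive-site and disposition-workflow checks remain a portal task. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules and the hypothetical tenant URL, policy name, label names and site list shown.

```powershell
# Added verification example; hypothetical names, not the project's collector.
Connect-IPPSSession
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # hypothetical tenant

$results = [ordered]@{}

# OneDrive retention (Settings > OneDrive > Retention) is the tenant property
# OrphanedPersonalSitesRetentionPeriod, expressed in days.
$odDays = (Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod
$results["OneDrive retention >= 365 days (is $odDays)"] = $odDays -ge 365

# Each regulatory label exists and is a records label (hypothetical names).
$required = @('FINRA 4511 Record (6y)', 'SEC 17a-4(b)(4) Comms (3y)',
              'SEC 17a-4(a) Financial (6y)', 'SOX 802 / Reg S-X Audit (7y)')
$tags = Get-ComplianceTag
foreach ($name in $required) {
    $t = $tags | Where-Object { $_.Name -eq $name }
    $results["Records label present: $name"] = ($null -ne $t) -and [bool]$t.IsRecordLabel
}

# The SEC 17a-4 policy is enabled and preservation-locked.
$p = Get-RetentionCompliancePolicy -Identity 'C4.3 SEC 17a-4 Locked' -ErrorAction SilentlyContinue
$results['SEC 17a-4 policy enabled and locked'] =
    ($null -ne $p) -and [bool]$p.Enabled -and [bool]$p.RestrictiveRetention

# Sites with no resolvable owner are the input to the site ownership policy.
$orphans = @(Get-SPOSite -Limit All | Where-Object { [string]::IsNullOrEmpty($_.Owner) })
$results["No orphaned sites (found $($orphans.Count))"] = $orphans.Count -eq 0

# Every agent knowledge-source site is inside at least one retention policy.
# Assumption: SharePointLocation entries expose the URL (or 'All') in .Name.
$agentSites = @('https://contoso.sharepoint.com/sites/BrokerDealerRecords')  # hypothetical
$policies = Get-RetentionCompliancePolicy -DistributionDetail
foreach ($site in $agentSites) {
    $covered = $policies | Where-Object {
        $locs = @($_.SharePointLocation | ForEach-Object { $_.Name })
        ($locs -contains 'All') -or ($locs -contains $site)
    }
    $results["Retention covers agent site: $site"] = [bool]$covered
}

# Emit one PASS/FAIL line per criterion for the evidence package.
$results.GetEnumerator() | ForEach-Object {
    '{0} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
```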
Additional Resources
- Site lifecycle management overview
- Retention policies for SharePoint and OneDrive
- Create and configure retention labels
- Use preservation lock for regulatory requirements
Updated: June 2026 | Version: v1.6.2 | UI Verification Status: Current