Skip to content

Portal Walkthrough: Control 2.13 - Documentation and Record Keeping

Last Updated: January 2026 Portal: SharePoint, Microsoft Purview Estimated Time: 4-6 hours

Prerequisites

  • SharePoint Admin role
  • Purview Records Manager role
  • Retention requirements documented per FINRA 4511
  • Document taxonomy defined

Step-by-Step Configuration

Step 1: Create SharePoint Site Hierarchy

  1. Open SharePoint Admin Center
  2. Create AI Governance hub site:
  3. Name: AI-Governance
  4. Template: Team site
  5. Create document libraries:
  6. Agent Configurations
  7. Interaction Logs
  8. Approval Records
  9. Incident Reports
  10. Governance Decisions

Step 2: Configure Document Metadata

  1. Create site columns:
  2. Agent ID (text)
  3. Document Category (choice: Configuration, Log, Approval, Incident, Decision)
  4. Regulatory Reference (choice: FINRA 4511, SEC 17a-4, SOX 404, GLBA)
  5. Retention Period (choice: 3 years, 6 years, 7 years, Permanent)
  6. Classification Date (date)
  7. Create content types using site columns
  8. Apply content types to libraries

Step 3: Configure Retention Labels

  1. Open Microsoft Purview
  2. Navigate to Records management > File plan
  3. Create retention labels:
Label Retention Action Apply To
FSI-Agent-6Year 6 years Delete Agent records
FSI-Agent-7Year 7 years Delete Regulatory records
FSI-Agent-Permanent Permanent None Critical governance
  1. Publish labels to AI Governance site

Step 4: Configure SEC 17a-4 Compliant Storage (Zone 3)

Per the October 2022 SEC amendments (effective May 2023), broker-dealers can choose either WORM storage or an audit-trail alternative.

Option A: WORM Storage (Azure Immutable Blob)

  1. Open Azure Portal
  2. Create storage account with immutability:
  3. Enable blob versioning
  4. Configure immutability policy (time-based)
  5. Set retention period: 6+ years
  6. Configure Purview to use immutable storage

Option B: Audit-Trail Alternative

  1. Ensure complete audit trail of all record access and modifications
  2. Implement integrity verification mechanisms
  3. Document procedures demonstrating modification detection capability
  4. Consult compliance/legal for specific implementation requirements

Step 5: Configure Auto-Labeling

  1. In Purview > Auto-labeling:
  2. Create policy for agent interaction logs:
  3. Condition: Location = AI Governance site
  4. Condition: Content type = Interaction Log
  5. Action: Apply FSI-Agent-6Year label
  6. Enable policy

Step 6: Create Examination Response Procedures

Document procedures for regulatory examination: 1. Designated custodians and contact info 2. Search procedures for agent records 3. Export and production process 4. Chain of custody documentation

Configuration by Governance Level

Setting Baseline (Zone 1) Recommended (Zone 2) Regulated (Zone 3)
Retention 3 years 6 years 6-7 years
Metadata Basic Comprehensive Full taxonomy
Auto-Labeling None Recommended Required
SEC 17a-4 N/A N/A WORM or audit-trail
Audit Annual Quarterly Monthly

FSI Example Configuration

Document Management: AI Governance Records

SharePoint Site: https://tenant.sharepoint.com/sites/AI-Governance

Libraries:
  - AgentConfigurations: Manifest exports, prompt versions
  - InteractionLogs: Conversation transcripts
  - ApprovalRecords: Deployment approvals, change requests
  - IncidentReports: Security incidents, compliance issues
  - GovernanceDecisions: Policy decisions, risk acceptances

Retention:
  Default: 6 years
  SEC 17a-4 content: 7 years (6-year requirement + 1-year buffer; WORM or audit-trail alternative)
  Permanent: Board approvals, critical decisions

Auto-Labeling:
  Enabled: Yes
  Scope: All libraries
  Default Label: FSI-Agent-6Year

Examination Readiness:
  Custodian: [Name]
  Backup: [Name]
  Response SLA: 48 hours

Validation

After completing these steps, verify:

  • SharePoint site hierarchy created
  • Metadata columns and content types configured
  • Retention labels published and applied
  • SEC 17a-4 compliant storage configured (WORM or audit-trail, Zone 3)
  • Examination procedures documented

Back to Control 2.13 | PowerShell Setup | Verification Testing | Troubleshooting