Control 2.13: Documentation and Record Keeping
Overview
Control ID: 2.13
Control Name: Documentation and Record Keeping
Regulatory Reference: FINRA 4511, SEC 17a-3/4, SOX 404, GLBA 501(b)
Setup Time: 2-3 hours initial setup, ongoing maintenance
Purpose
This control establishes documentation and record-keeping requirements for AI agents in financial services, aligned with the books-and-records requirements of FINRA 4511 and SEC 17a-3/4. Financial institutions must maintain complete records of AI agent configurations, decisions, interactions, approvals, and governance activities. These records must be preserved in a non-rewritable, non-erasable (WORM) format for the required retention periods and be readily accessible for regulatory examinations. This control defines documentation standards, retention requirements, and access procedures for AI agent records.
Prerequisites
Primary Owner Admin Role: Compliance Officer
Supporting Roles: SharePoint Admin, Purview Records Manager
Required Licenses
- Microsoft 365 E3/E5 (for Purview retention policies)
- SharePoint Online (for document management)
- Microsoft Purview (for compliance features)
Required Permissions
- Compliance Administrator (retention policy configuration)
- SharePoint Administrator (site and library configuration)
- Records Manager (record declaration and management)
Dependencies
- Control 1.7 (Audit Logging)
- Control 1.9 (Data Retention)
- Control 2.12 (Supervision and Oversight)
Pre-Setup Checklist
- [ ] Record retention schedule approved by legal
- [ ] Document taxonomy defined
- [ ] SharePoint site structure planned
- [ ] WORM storage configured for SEC 17a-4
Governance Levels
Baseline (Level 1)
Maintain documentation of all agents, policies, approvals, and configurations.
Recommended (Level 2-3)
Centralized documentation repository; version control; annual review and update.
Regulated/High-Risk (Level 4)
Immutable documentation with audit trail; legal hold capability; 10-year retention minimum for Tier 3 (enterprise-managed).
Setup & Configuration
Step 1: Define Record Categories
Establish categories for AI agent-related records.
AI Agent Record Taxonomy:
| Category | Description | Examples | Retention |
|---|---|---|---|
| Agent Configuration | Technical setup and parameters | System prompts, topics, entities, connectors | Life + 6 years |
| Agent Decisions | Recommendations and outputs | Suitability determinations, credit decisions | 6-10 years |
| Customer Interactions | All communications | Conversation transcripts, session logs | 6-7 years |
| Governance Documents | Policies and procedures | WSP, policies, risk assessments | 6 years from last use |
| Approval Records | Deployment approvals | Approval chains, sign-offs, CAB minutes | 6 years |
| Testing Evidence | Validation records | Test results, bias testing, UAT sign-off | 6 years |
| Supervision Records | Oversight activities | Review logs, sample reviews, findings | 6 years |
| Incident Records | Issues and remediation | Incident reports, root cause, resolution | 6 years |
| Model Documentation | MRM records | Model inventory, validation, performance | 7 years |
| Training Records | Competency records | Completion certificates, assessments | 6 years |
Step 2: Configure SharePoint Document Library
Create organized structure for AI governance documentation.
Create SharePoint Site: AI Governance Documentation
- Navigate to SharePoint admin center
- Go to Sites → Active sites → Create
- Select Team site (private)
- Configure:
  - Site name: AI Governance Documentation
  - Privacy: Private (selected groups)
  - External sharing: Disabled
Create Document Libraries:
| Library Name | Purpose | Retention | Content Types |
|---|---|---|---|
| Agent Registry | Agent inventory and configurations | Life + 6 years | Agent Profile, Configuration Export |
| Policies and Procedures | Governance documentation | 6 years from last use | Policy, Procedure, Standard |
| Approvals | Deployment and change approvals | 6 years | Approval Request, CAB Minutes |
| Testing Evidence | Validation and test records | 6 years | Test Plan, Test Results, Sign-off |
| Supervision | Oversight records | 6 years | Review Log, Finding, Action |
| Incidents | Issue documentation | 6 years | Incident Report, RCA, Resolution |
| Model Documentation | MRM records | 7 years | Model Card, Validation Report |
| Training | Competency records | 6 years | Training Record, Certificate |
Step 3: Enable Version Control and Audit
Configure Library Settings:
- Open each document library
- Go to Library settings → Versioning settings
- Configure:
  - Require content approval: Yes (for policies)
  - Document Version History: Yes - Keep all versions
  - Major and minor versions: Keep 500 major, 10 minor
Enable Audit Logging:
- Navigate to Microsoft Purview compliance portal
- Go to Solutions → Audit
- Verify audit logging enabled (on by default for E5)
- Confirm SharePoint activities included
Step 4: Configure Retention Policies
Microsoft Purview Compliance Portal:
- Navigate to compliance.microsoft.com
- Go to Solutions → Records management
- Create file plan with labels:
Create Retention Labels:
| Label Name | Retention Period | Disposition | Scope |
|---|---|---|---|
| AI-Agent-Config | 6 years after last modified | Delete | Agent configurations |
| AI-Customer-Interaction | 6 years from creation | Review | Transcripts |
| AI-Governance-Policy | 6 years from last use | Review | Policies |
| AI-Approval-Record | 6 years from creation | Delete | Approvals |
| AI-Testing-Evidence | 6 years from creation | Delete | Test results |
| AI-MRM-Record | 7 years from creation | Review | Model documentation |
| AI-Supervision | 6 years from creation | Delete | Supervision logs |
| AI-Long-Retention | 10 years from creation | Review | Tier 3 (enterprise-managed) critical |
- Publish labels to AI Governance site
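A drift check for the label table above, added here as an example (it is not part of this control's own script): it compares published labels with the expected retention periods and flags labels that are missing, too short, or counting from the wrong trigger. `Compare-RetentionLabel` is a hypothetical helper, the `$Actual` objects are constructed samples, and the property names (`Name`, `RetentionDuration` in days, `RetentionType`) are assumed to match what `Get-ComplianceTag` returns.

```powershell
# Added example (not from the original control script).
# Expected values are taken from the retention label table in Step 4.
# Type = $null means the trigger is not checked ("last use" has no single
# obvious RetentionType value, so it is left to manual review).
$Expected = @(
    @{ Name = 'AI-Agent-Config';         Years = 6;  Type = 'ModificationAgeInDays' }
    @{ Name = 'AI-Customer-Interaction'; Years = 6;  Type = 'CreationAgeInDays' }
    @{ Name = 'AI-Governance-Policy';    Years = 6;  Type = $null }
    @{ Name = 'AI-Approval-Record';      Years = 6;  Type = 'CreationAgeInDays' }
    @{ Name = 'AI-Testing-Evidence';     Years = 6;  Type = 'CreationAgeInDays' }
    @{ Name = 'AI-MRM-Record';           Years = 7;  Type = 'CreationAgeInDays' }
    @{ Name = 'AI-Supervision';          Years = 6;  Type = 'CreationAgeInDays' }
    @{ Name = 'AI-Long-Retention';       Years = 10; Type = 'CreationAgeInDays' }
)

# Constructed sample data. Live use (after Connect-IPPSSession):
#   $Actual = Get-ComplianceTag
$Actual = @(
    [PSCustomObject]@{ Name = 'AI-Agent-Config';         RetentionDuration = 2190; RetentionType = 'ModificationAgeInDays' }
    [PSCustomObject]@{ Name = 'AI-Customer-Interaction'; RetentionDuration = 1825; RetentionType = 'CreationAgeInDays' }
    [PSCustomObject]@{ Name = 'AI-MRM-Record';           RetentionDuration = 2555; RetentionType = 'ModificationAgeInDays' }
    [PSCustomObject]@{ Name = 'AI-Long-Retention';       RetentionDuration = 3650; RetentionType = 'CreationAgeInDays' }
)

function Compare-RetentionLabel {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Expected,
        [Parameter(Mandatory)] [object[]]    $Actual
    )
    foreach ($E in $Expected) {
        $RequiredDays = $E.Years * 365   # assumption: years expressed as 365-day multiples
        $Label = $Actual | Where-Object { $_.Name -eq $E.Name } | Select-Object -First 1

        $Days = $null
        if ($Label) {
            # A label that retains forever satisfies any minimum period
            $Days = if ("$($Label.RetentionDuration)" -eq 'Unlimited') { [int]::MaxValue }
                    else { [int]$Label.RetentionDuration }
        }

        $Status = if (-not $Label) { 'Missing' }
                  elseif ($Days -lt $RequiredDays) { 'RetentionTooShort' }
                  elseif ($E.Type -and $Label.RetentionType -ne $E.Type) { 'WrongTrigger' }
                  else { 'OK' }

        [PSCustomObject]@{
            Label        = $E.Name
            RequiredDays = $RequiredDays
            ActualDays   = $Days
            Trigger      = if ($Label) { $Label.RetentionType } else { $null }
            Status       = $Status
        }
    }
}

$Report = Compare-RetentionLabel -Expected $Expected -Actual $Actual
$Report | Format-Table -AutoSize

$Drift = @($Report | Where-Object { $_.Status -ne 'OK' })
if ($Drift.Count -gt 0) {
    Write-Warning "$($Drift.Count) retention label(s) do not match the file plan"
}
```

With the constructed data, the report marks one label too short, one with the wrong trigger and four missing.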
Step 5: Configure SEC 17a-4 Compliance (WORM)
For broker-dealers requiring WORM storage compliance.
Azure Immutable Blob Storage:
- Navigate to Azure portal
- Create or select Storage Account
- Go to Container → Access policy
- Configure Immutable blob storage:
  - Policy type: Time-based retention
  - Retention period: 2555 days (7 years)
  - Lock policy: Lock after verification
Alternative: Microsoft 365 Preservation Lock:
- Navigate to compliance.microsoft.com
- Go to Solutions → Records management
- Create retention policy with Preservation Lock enabled
- Note: Once locked, cannot be shortened or disabled
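A verification check for the immutable blob storage settings above, added here as an example (it is not part of this control's own script): it flags a container whose time-based policy is absent, still unlocked, or shorter than the retention its records need. `Test-WormPolicy`, the container names and the policy objects are constructed; the objects carry the `State` and `ImmutabilityPeriodSinceCreationInDays` properties that `Get-AzRmStorageContainerImmutabilityPolicy` returns, and 3650 days is an assumed conversion of the 10-year Zone 3 period.

```powershell
# Added example (not from the original control script).
# Against a live account, fetch the real policy object with:
#   Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName <rg> `
#       -StorageAccountName <account> -ContainerName <container>

function Test-WormPolicy {
    param(
        [Parameter(Mandatory)] [string] $ContainerName,
        [AllowNull()] $Policy,
        [Parameter(Mandatory)] [int] $RequiredDays
    )

    $Findings = @()
    $Days = 0
    if ($null -ne $Policy) { $Days = [int]$Policy.ImmutabilityPeriodSinceCreationInDays }

    if ($Days -le 0) {
        $Findings += 'no time-based retention policy'
    } else {
        if ($Days -lt $RequiredDays) {
            $Findings += "period of $Days days is shorter than the required $RequiredDays"
        }
        if ($Policy.State -ne 'Locked') {
            # Until it is locked, a time-based policy can still be shortened or deleted
            $Findings += "policy state is '$($Policy.State)', not Locked"
        }
    }

    [PSCustomObject]@{
        Container    = $ContainerName
        RequiredDays = $RequiredDays
        ActualDays   = $Days
        State        = if ($Policy) { $Policy.State } else { 'None' }
        Compliant    = ($Findings.Count -eq 0)
        Findings     = $Findings -join '; '
    }
}

# Constructed cases (hypothetical container names)
$Cases = @(
    # Matches the Step 5 settings: 2555 days, locked
    @{ ContainerName = 'ai-agent-records'; RequiredDays = 2555
       Policy = [PSCustomObject]@{ State = 'Locked'; ImmutabilityPeriodSinceCreationInDays = 2555 } }
    # Zone 3 records need 10 years; a 2555-day policy falls short
    @{ ContainerName = 'ai-zone3-records'; RequiredDays = 3650
       Policy = [PSCustomObject]@{ State = 'Locked'; ImmutabilityPeriodSinceCreationInDays = 2555 } }
    # Policy created but never locked
    @{ ContainerName = 'ai-transcripts'; RequiredDays = 2190
       Policy = [PSCustomObject]@{ State = 'Unlocked'; ImmutabilityPeriodSinceCreationInDays = 2555 } }
    # Container with no immutability policy at all
    @{ ContainerName = 'ai-approvals'; RequiredDays = 2190; Policy = $null }
)

$Results = foreach ($Case in $Cases) { Test-WormPolicy @Case }
$Results | Format-Table -AutoSize -Wrap

if ($Results.Compliant -contains $false) {
    Write-Warning 'One or more containers do not meet the WORM requirement'
}
```

Only the first constructed case passes; keep the output with the compliance evidence for the container it describes.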
Step 6: Create Document Templates
Establish standardized templates for consistent documentation.
Agent Registration Template:
===============================================================================
AI AGENT REGISTRATION DOCUMENT
===============================================================================
SECTION 1: IDENTIFICATION
--------------------------
Agent Name: [Name]
Agent ID: [Unique Identifier]
Environment: [Dev/Test/UAT/Prod]
Zone Classification: [1/2/3]
SECTION 2: OWNERSHIP
--------------------
Business Owner: [Name, Title]
Technical Owner: [Name, Title]
AI Governance Lead Approval: [Name, Date]
Compliance Approval: [Name, Date] (Tier 2/3 (team- or enterprise-managed) only)
CCO Approval: [Name, Date] (Tier 3 (enterprise-managed) only)
SECTION 3: PURPOSE AND SCOPE
-----------------------------
Business Purpose: [Description]
Use Cases: [List]
Target Users: [Description]
Data Accessed: [List data sources]
SECTION 4: TECHNICAL CONFIGURATION
-----------------------------------
Platform: [Copilot Studio / Custom]
Connectors Used: [List]
Knowledge Sources: [List]
Integration Points: [List]
Deployment Date: [Date]
SECTION 5: RISK ASSESSMENT
---------------------------
Risk Level: [Low/Medium/High/Critical]
Bias Testing Status: [Complete/N/A]
Security Review: [Complete Date]
Data Protection Assessment: [Complete Date]
SECTION 6: COMPLIANCE
----------------------
Regulatory Requirements: [List applicable]
Disclosures Configured: [Yes/No]
Human Escalation Available: [Yes/No]
Records Retention Configured: [Yes/No]
SECTION 7: CHANGE HISTORY
--------------------------
| Date | Version | Change Description | Approved By |
|------------|---------|--------------------------|-------------|
| [Date] | 1.0 | Initial deployment | [Name] |
| [Date] | 1.1 | [Change] | [Name] |
SECTION 8: ATTACHMENTS
-----------------------
[ ] System prompt configuration export
[ ] Connector configuration
[ ] Test results summary
[ ] Bias testing results (if applicable)
[ ] Approval chain documentation
===============================================================================
Document Created: [Date]
Document Owner: [Name]
Next Review Date: [Date]
===============================================================================
Step 7: Implement Legal Hold Capability
Configure eDiscovery for regulatory requests.
Microsoft Purview eDiscovery:
- Navigate to compliance.microsoft.com
- Go to Solutions → eDiscovery → Premium
- Create case for AI governance holds:
  - Case name: AI_Agent_Regulatory_Hold
  - Description: Legal hold for AI agent records
- Create hold policy:
  - Locations: AI Governance SharePoint site, Dataverse
  - Keywords: (customize as needed)
  - Date range: All dates
Step 8: Establish Documentation Review Cadence
Define ongoing documentation maintenance schedule.
Documentation Review Matrix:
| Document Type | Review Frequency | Reviewer | Outcome |
|---|---|---|---|
| Agent Configurations | Quarterly | Agent Owner | Update or retire |
| Policies & Procedures | Annually | AI Governance Lead | Update or archive |
| WSP | Annually | CCO | Approve updates |
| Risk Assessments | Annually | Compliance | Re-validate |
| Training Materials | Semi-annually | AI Governance Lead | Update curriculum |
| Record Taxonomy | Annually | Records Manager | Update categories |
PowerShell Configuration
# ============================================================
# Control 2.13: Documentation and Record Keeping
# ============================================================
# Connect to required services
Connect-MgGraph -Scopes "Sites.FullControl.All"
Connect-IPPSSession # For compliance features
Connect-PnPOnline -Url "https://[tenant].sharepoint.com/sites/AIGovernance" -Interactive
# -------------------------------------------------------------
# Section 1: Create Document Library Structure
# -------------------------------------------------------------
Write-Host "Creating AI Governance documentation structure..." -ForegroundColor Cyan
# Define libraries to create
$Libraries = @(
@{ Name = "Agent Registry"; Description = "Agent inventory and configurations" },
@{ Name = "Policies and Procedures"; Description = "Governance documentation" },
@{ Name = "Approvals"; Description = "Deployment and change approvals" },
@{ Name = "Testing Evidence"; Description = "Validation and test records" },
@{ Name = "Supervision"; Description = "Oversight records" },
@{ Name = "Incidents"; Description = "Issue documentation" },
@{ Name = "Model Documentation"; Description = "MRM records" },
@{ Name = "Training"; Description = "Competency records" }
)
foreach ($Library in $Libraries) {
$Existing = Get-PnPList -Identity $Library.Name -ErrorAction SilentlyContinue
if (-not $Existing) {
New-PnPList -Title $Library.Name -Template DocumentLibrary -Description $Library.Description
Write-Host "Created library: $($Library.Name)" -ForegroundColor Green
# Enable versioning; minor version limits only take effect when minor versions are enabled
Set-PnPList -Identity $Library.Name -EnableVersioning $true -EnableMinorVersions $true -MajorVersions 500 -MinorVersions 10
} else {
Write-Host "Library exists: $($Library.Name)" -ForegroundColor Yellow
}
}
# -------------------------------------------------------------
# Section 2: Create Retention Labels (Output for Manual Config)
# -------------------------------------------------------------
Write-Host "`nRetention label configuration..." -ForegroundColor Cyan
$RetentionLabels = @"
RETENTION LABELS TO CREATE IN MICROSOFT PURVIEW
================================================
Navigate to: compliance.microsoft.com
Go to: Solutions -> Records management -> File plan
Create the following labels:
| Label Name | Retention | After Event | Disposition |
|-------------------------|-----------|--------------------| ------------|
| AI-Agent-Config | 6 years | Last modified | Delete |
| AI-Customer-Interaction | 6 years | Creation | Review |
| AI-Governance-Policy | 6 years | Last used | Review |
| AI-Approval-Record | 6 years | Creation | Delete |
| AI-Testing-Evidence | 6 years | Creation | Delete |
| AI-MRM-Record | 7 years | Creation | Review |
| AI-Supervision | 6 years | Creation | Delete |
| AI-Long-Retention | 10 years | Creation | Review |
After creating labels:
1. Publish labels to AI Governance site
2. Enable auto-labeling if desired
3. Train users on label application
"@
Write-Host $RetentionLabels -ForegroundColor Yellow
# -------------------------------------------------------------
# Section 3: Create Metadata Columns for Libraries
# -------------------------------------------------------------
Write-Host "`nAdding metadata columns to libraries..." -ForegroundColor Cyan
# Agent Registry columns
$AgentRegistryColumns = @(
@{ Name = "AgentID"; Type = "Text"; Required = $true },
@{ Name = "GovernanceTier"; Type = "Choice"; Choices = @("Tier 1 (Personal)", "Tier 2 (Team)", "Tier 3 (Enterprise-managed)") },
@{ Name = "BusinessOwner"; Type = "User" },
@{ Name = "TechnicalOwner"; Type = "User" },
@{ Name = "Status"; Type = "Choice"; Choices = @("Active", "Retired", "In Development") },
@{ Name = "LastReview"; Type = "DateTime" },
@{ Name = "NextReview"; Type = "DateTime" }
)
foreach ($Column in $AgentRegistryColumns) {
    try {
        # -ErrorAction Stop turns failures into terminating errors so the catch block
        # runs and "Added column" is only reported when the field was actually created
        switch ($Column.Type) {
            "Text" {
                Add-PnPField -List "Agent Registry" -DisplayName $Column.Name -InternalName $Column.Name -Type Text -Required:$Column.Required -ErrorAction Stop
            }
            "Choice" {
                Add-PnPField -List "Agent Registry" -DisplayName $Column.Name -InternalName $Column.Name -Type Choice -Choices $Column.Choices -ErrorAction Stop
            }
            "User" {
                Add-PnPField -List "Agent Registry" -DisplayName $Column.Name -InternalName $Column.Name -Type User -ErrorAction Stop
            }
            "DateTime" {
                Add-PnPField -List "Agent Registry" -DisplayName $Column.Name -InternalName $Column.Name -Type DateTime -ErrorAction Stop
            }
        }
        Write-Host "Added column: $($Column.Name)" -ForegroundColor Green
    } catch {
        Write-Host "Column may already exist: $($Column.Name) ($($_.Exception.Message))" -ForegroundColor Yellow
    }
}
# -------------------------------------------------------------
# Section 4: Document Inventory Report
# -------------------------------------------------------------
Write-Host "`nGenerating documentation inventory..." -ForegroundColor Cyan
$DocumentInventory = @()
foreach ($Library in $Libraries) {
$Items = Get-PnPListItem -List $Library.Name -PageSize 100 -ErrorAction SilentlyContinue
foreach ($Item in $Items) {
$DocumentInventory += [PSCustomObject]@{
Library = $Library.Name
FileName = $Item.FieldValues.FileLeafRef
Created = $Item.FieldValues.Created
Modified = $Item.FieldValues.Modified
Author = $Item.FieldValues.Author.Email
Version = $Item.FieldValues._UIVersionString
}
}
}
if ($DocumentInventory.Count -gt 0) {
$DocumentInventory | Export-Csv "AI_Governance_Doc_Inventory_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "Exported $($DocumentInventory.Count) documents to inventory" -ForegroundColor Green
}
# -------------------------------------------------------------
# Section 5: Compliance Reporting
# -------------------------------------------------------------
Write-Host "`nGenerating documentation compliance report..." -ForegroundColor Cyan
$ComplianceReport = @"
===============================================================================
AI GOVERNANCE DOCUMENTATION COMPLIANCE REPORT
Generated: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
===============================================================================
DOCUMENT LIBRARY STATUS
-----------------------
$(($Libraries | ForEach-Object { "- $($_.Name): Active" }) -join "`n")
DOCUMENT COUNTS BY LIBRARY
--------------------------
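$(($Libraries | ForEach-Object {
    # Read the item count from the list itself instead of paging through every item
    $List = Get-PnPList -Identity $_.Name -ErrorAction SilentlyContinue
    $Count = if ($List) { $List.ItemCount } else { 'library not found' }
    "- $($_.Name): $Count"
}) -join "`n")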
RETENTION COMPLIANCE
--------------------
[?] Retention labels created and published
[?] Labels applied to libraries
[?] Retention policies active
VERSIONING STATUS
-----------------
All libraries configured with:
- Version history: Enabled
- Major versions: 500
- Minor versions: 10
SEC 17a-4 COMPLIANCE (if applicable)
------------------------------------
[?] WORM storage configured
[?] Immutability policy locked
[?] Third-party attestation obtained
LEGAL HOLD CAPABILITY
---------------------
[?] eDiscovery case configured
[?] Hold policy tested
[?] Custodians identified
UPCOMING REVIEWS
----------------
[List documents due for review]
RECOMMENDATIONS
---------------
1. Verify all retention labels applied correctly
2. Test legal hold with sample documents
3. Document SEC 17a-4 compliance if required
4. Schedule annual taxonomy review
===============================================================================
"@
$ComplianceReport | Out-File "Documentation_Compliance_Report_$(Get-Date -Format 'yyyyMMdd').txt"
Write-Host $ComplianceReport
# -------------------------------------------------------------
# Section 6: FINRA 4511 / SEC 17a-4 Checklist
# -------------------------------------------------------------
Write-Host "`nRegulatory records compliance checklist..." -ForegroundColor Cyan
$RegulatoryChecklist = @"
===============================================================================
FINRA 4511 / SEC 17a-4 AI RECORDS COMPLIANCE CHECKLIST
===============================================================================
BOOKS AND RECORDS REQUIREMENTS:
[ ] All agent configurations preserved as records
[ ] Customer interaction transcripts retained
[ ] Approval documentation maintained
[ ] Supervision records preserved
[ ] Testing evidence retained
RETENTION PERIODS:
[ ] 6-year minimum for most records (FINRA 4511)
[ ] 7-year retention for model documentation (SR 11-7)
[ ] Extended retention for Tier 3 (enterprise-managed) critical records
WORM COMPLIANCE (SEC 17a-4):
[ ] Electronic records stored in non-rewritable format
[ ] Non-erasable for retention period
[ ] Third-party access available if required
[ ] Attestation letter obtained from vendor
ACCESSIBILITY:
[ ] Records retrievable within reasonable time
[ ] Index maintained for record location
[ ] Regulatory examination access configured
AUDIT TRAIL:
[ ] All modifications logged
[ ] Access attempts recorded
[ ] Retention actions documented
DISPOSITION:
[ ] Disposition review before deletion
[ ] Approval workflow for destruction
[ ] Destruction certificates maintained
===============================================================================
"@
Write-Host $RegulatoryChecklist -ForegroundColor Yellow
Write-Host "`nDocumentation configuration complete" -ForegroundColor Green
Financial Sector Considerations
Regulatory Alignment
| Regulation | Records Requirement | Control Implementation |
|---|---|---|
| FINRA 4511 | Maintain and preserve books and records | Comprehensive documentation system |
| SEC 17a-3 | Create required records | Agent configuration, interactions |
| SEC 17a-4 | Preserve records in WORM format | Azure immutable storage / Purview lock |
| SOX 404 | Maintain audit trail for financial controls | Version history, access logs |
| GLBA 501(b) | Safeguard records containing NPI | Access controls, encryption |
| Fed SR 11-7 | Maintain model documentation | 7-year MRM record retention |
Zone-Specific Configuration
| Zone | Retention Period | Storage Requirement | Access Control |
|---|---|---|---|
| Zone 1 - Personal | 6 years | Standard | Owner + Governance |
| Zone 2 - Team | 6 years | Standard + versioning | Team + Governance + Compliance |
| Zone 3 - Enterprise | 10 years | WORM compliant | Restricted + Audit trail |
FSI Record Categories
Customer Communications:
- Conversation transcripts
- Email/chat logs
- Recommendations provided
- Retention: 6-7 years
Business Records:
- Agent configurations
- Decision logs
- Performance reports
- Retention: 6 years
Compliance Records:
- Approval documentation
- Supervision logs
- Examination responses
- Retention: 6 years from last use
Verification & Testing
Verification Steps
- Documentation Structure
  - Review SharePoint site structure
  - Verify all libraries created
  - Confirm metadata columns configured
- Retention Policies
  - Microsoft Purview → Records management
  - Verify labels published to site
  - Test label application
- Version Control
  - Edit a document and save
  - Verify version history captures changes
  - Confirm old versions accessible
- Legal Hold
  - Review eDiscovery case configuration
  - Test hold application
  - Verify held content protected
Compliance Checklist
- [ ] SharePoint documentation site created
- [ ] Document libraries with appropriate structure
- [ ] Retention labels created and published
- [ ] Versioning enabled on all libraries
- [ ] WORM storage configured (if SEC 17a-4 required)
- [ ] Legal hold capability tested
- [ ] Document templates created
- [ ] Access controls configured
- [ ] Documentation review schedule established
Troubleshooting & Validation
Issue: Retention Policy Not Applying
Symptoms: Documents not receiving retention labels
Solution:
- Verify label is published to correct location
- Check for conflicting retention policies
- Allow 24-48 hours for policy propagation
- Use Compliance Center to verify label assignment
- Manually apply labels if auto-labeling not working
Issue: Version History Missing
Symptoms: Cannot see previous document versions
Solution:
- Verify versioning enabled on library
- Check version limits (increase if needed)
- Confirm user has view permission
- Check if versions were deleted
Issue: Cannot Access Records for Examination
Symptoms: Regulatory request, records not accessible
Solution:
- Use eDiscovery search to locate records
- Export from SharePoint/Dataverse
- Verify user has appropriate permissions
- Check if legal hold is preventing access
- Engage Records Manager for assistance
Issue: WORM Compliance Questions
Symptoms: Auditor questions about immutability
Solution:
- Provide Azure immutability policy documentation
- Show Microsoft 365 preservation lock configuration
- Obtain attestation letter from Microsoft
- Engage third-party for compliance verification
- Document controls in SOC 2 Type II report
Additional Resources
- Microsoft Purview Records Management
- Retention labels and policies
- SharePoint document libraries
- eDiscovery solutions
- Azure immutable blob storage
Related Controls
| Control | Relationship |
|---|---|
| 1.7 - Audit Logging | Audit logs are records |
| 1.9 - Data Retention | Coordinates retention periods |
| 2.12 - Supervision | Supervision records retained |
| 2.6 - Model Risk Management | MRM documentation |
| 3.1 - Agent Inventory | Inventory is documentation |
Support & Questions
For implementation support or questions about this control, contact:
- AI Governance Lead (governance direction)
- Compliance Officer (regulatory requirements)
- Technical Implementation Team (platform setup)
Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification