Control 1.8: Information Architecture Review
- Control ID: 1.8
- Pillar: Readiness & Assessment
- Regulatory Reference: GLBA 501(b), FFIEC IT Handbook (Information Security Booklet), SOX 302/404
- Last Verified: 2026-02-17
- Governance Levels: Baseline / Recommended / Regulated
Objective
Review the organization's Microsoft 365 information architecture -- including SharePoint site structure, hub site hierarchy, Teams channel organization, OneDrive folder conventions, and content type definitions -- before deploying Microsoft 365 Copilot to assess the impact of information architecture quality on Copilot grounding accuracy, content discoverability, and governance effectiveness. Well-organized information architecture directly improves the relevance and accuracy of Copilot responses while reducing the risk of inappropriate content surfacing.
Why This Matters for FSI
- GLBA 501(b): Information architecture determines how customer financial information is organized and governed. Poor architecture makes it harder to apply consistent safeguards and increases the risk that Copilot surfaces customer data outside its intended governance context.
- FFIEC IT Handbook (Information Security): Effective information classification and organization is a foundational control. Copilot's reliance on content structure for grounding quality means architecture gaps translate directly into AI governance gaps.
- SOX 302/404: Financial reporting data must be organized within controlled environments. If financial data is scattered across ad-hoc SharePoint sites and Teams channels, Copilot may surface pre-release financial information or draft documents as if they were final.
- SEC Regulation S-P: Consumer financial information must be identifiable and protectable. Clear information architecture supports the ability to locate, classify, and govern regulated data.
- FINRA Rule 4511: Record-keeping requirements are more easily met when information architecture supports clear content lifecycle management and retention policy application.
Control Description
How Information Architecture Affects Copilot
Microsoft 365 Copilot uses content from Microsoft Graph as grounding material for generating responses. The quality, relevance, and accuracy of Copilot's outputs are directly influenced by how content is organized:
| Architecture Quality | Copilot Impact | Example |
|---|---|---|
| Well-organized sites with clear purposes | Copilot retrieves relevant content with appropriate context | Financial reports in dedicated "Quarterly Reporting" site produce accurate grounding |
| Sprawled content across ad-hoc sites | Copilot may retrieve outdated or contextually inappropriate content | Draft financial projections on a defunct project site ground a response alongside finalized numbers |
| Clear naming conventions | Copilot can distinguish between similar content types | "FY25-Q3-Board-Report-FINAL.docx" vs. "report.docx" |
| Proper content types and metadata | Copilot leverages metadata for more precise retrieval | Document type, department, approval status metadata improves relevance |
| Hub site hierarchy | Copilot understands organizational context of content | Hub site associations help Copilot understand content relationships |
| Stale content alongside current content | Copilot cannot reliably distinguish current from outdated | 2019 compliance procedures ground responses about current requirements |
Information Architecture Review Dimensions
1. SharePoint Site Structure
| Review Area | What to Assess | Copilot Impact |
|---|---|---|
| Site proliferation | Total number of active sites, ratio of active to inactive sites | More sites means broader search scope and more potential for irrelevant grounding |
| Site purpose clarity | Are sites clearly purposed and named? Or generic catch-all sites? | Clear purpose improves Copilot's ability to select relevant content |
| Site classification | Are sites classified (e.g., by department, sensitivity, content type)? | Classification enables governance controls and improves search relevance |
| Hub site architecture | Are hub sites used to create logical organizational groupings? | Hub associations provide Copilot with organizational context |
| Template usage | Are site templates used consistently for common site types? | Consistent templates improve metadata consistency and search quality |
| Orphaned sites | Are there sites with no active owner or purpose? | Orphaned sites add noise to Copilot search with no governance oversight |
2. Teams Channel Organization
| Review Area | What to Assess | Copilot Impact |
|---|---|---|
| Team naming conventions | Are Teams named clearly and consistently? | Copilot uses Team names as context when retrieving channel content |
| Channel structure | Are channels organized by topic/function or ad-hoc? | Organized channels improve Copilot's ability to find relevant conversations |
| Private vs. standard channels | Is the private/standard channel distinction used appropriately? | Private channels restrict Copilot access -- appropriate use supports data governance |
| File storage in channels | Is the Files tab used consistently, or are files shared ad-hoc? | Files in the standard Files tab are indexed; ad-hoc shares may not be |
| Stale Teams | Are there Teams with no activity that still contain content? | Stale Teams add noise and may contain outdated information |
3. OneDrive Organization
| Review Area | What to Assess | Copilot Impact |
|---|---|---|
| Business vs. personal content | Is there a clear distinction between business and personal files? | Copilot searches all OneDrive content -- personal files may surface inappropriately |
| Sharing patterns | Are folders shared broadly or with specific people? | Broad sharing creates additional Copilot access paths |
| Content that should be on SharePoint | Is business-critical content stored in OneDrive instead of governed SharePoint sites? | OneDrive lacks site-level governance controls available in SharePoint |
4. Content Types and Metadata
| Review Area | What to Assess | Copilot Impact |
|---|---|---|
| Content type adoption | Are SharePoint content types used to classify documents? | Content types provide Copilot with structured metadata for better retrieval |
| Metadata completeness | Are key metadata fields (department, document type, status) populated? | Rich metadata improves Copilot search precision |
| Managed metadata (term store) | Is the term store used for consistent taxonomy? | Consistent taxonomy helps Copilot understand content relationships |
| Document versioning | Is versioning enabled and managed? | Copilot accesses the current version -- unmanaged versions may contain conflicting information |
Architecture Assessment Scoring
| Dimension | Poor (1) | Adequate (3) | Good (5) |
|---|---|---|---|
| Site structure | No site classification, many orphaned sites | Basic classification, some orphaned sites | Full classification, no orphaned sites, hub hierarchy |
| Naming conventions | No standards, inconsistent naming | Partial standards, mostly followed | Comprehensive standards, consistently enforced |
| Content types | Not used | Used in some sites | Consistently used across all sites |
| Metadata | Minimal metadata | Key metadata populated in most sites | Rich metadata consistently populated |
| Lifecycle management | No lifecycle process | Ad-hoc site cleanup | Automated lifecycle with owner certification |
| Teams organization | Ad-hoc Teams, many stale | Some standards, periodic cleanup | Clear standards, automated lifecycle |
| OneDrive governance | No governance | Basic sharing controls | Clear policies, regular audit |
Copilot Surface Coverage
| Copilot Surface | Architecture Impact | Key Concern |
|---|---|---|
| Microsoft 365 Copilot Chat | Critical | Searches across all workloads -- architecture quality directly affects response relevance |
| SharePoint Copilot | Critical | Site structure, content types, and metadata are the primary drivers of SharePoint Copilot quality |
| Teams Copilot | High | Channel organization affects retrieval of relevant conversations and files |
| Word / Excel / PowerPoint | High | Reference and drafting features depend on finding relevant source documents |
| Outlook Copilot | Medium | Email organization is less affected by SharePoint architecture |
| OneDrive Copilot | Medium | OneDrive folder structure affects personal content retrieval |
| Copilot Pages | High | Pages reference content from across M365 -- architecture affects source quality |
| Loop Copilot | Medium | Loop workspaces reference SharePoint and Teams content |
| Viva Copilot | Medium | Organizational data quality depends on underlying information architecture |
Governance Levels
| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Inventory active SharePoint sites and Teams. Identify orphaned or stale sites and Teams. Review naming conventions for sites and Teams in scope for initial Copilot deployment. Document architecture assessment findings. | Minimum assessment to understand the information architecture landscape before Copilot deployment and identify the most impactful architecture issues. |
| Recommended | All Baseline requirements plus: assess hub site architecture and site classification coverage. Review content type and metadata usage across top sites. Remediate stale and orphaned sites (archive or delete). Establish naming convention standards. Implement site templates for common site types. Create information architecture improvement roadmap. | Provides structured improvement of information architecture to support better Copilot grounding quality and more effective governance. |
| Regulated | All Recommended requirements plus: implement comprehensive site classification scheme. Deploy content types and metadata standards across all in-scope sites. Integrate information architecture standards into site provisioning workflows. Conduct annual information architecture review with compliance input. Document architecture standards in governance framework. Verify architecture quality metrics as part of Copilot governance reporting. | Comprehensive information architecture governance that supports Copilot quality and provides examination-ready documentation of content organization practices. |
Setup & Configuration
Step 1: Site Inventory
Generate a comprehensive inventory of SharePoint sites and Teams:
Navigate to SharePoint Admin Center > Sites > Active sites for full site listing.
Key data points to capture:
- Site URL, name, template type
- Last activity date
- Primary admin / site owner
- Storage used
- Hub site association
- Sensitivity label (if any)
Step 2: Assess Site Health
For each site in scope, evaluate:
- Is the site actively used (activity in past 90 days)?
- Does the site have an active owner?
- Is the site purpose clear from its name and description?
- Is the site appropriately classified?
- Are content types and metadata used?
Step 3: Teams Inventory
Navigate to Teams Admin Center > Teams > Manage teams and inventory:
- Team name, description, owner(s)
- Channel count and organization
- Last activity date
- Associated SharePoint site URL
Step 4: Identify Remediation Priorities
Based on the assessment, prioritize:
1. Immediate: Archive/delete stale sites and Teams (removes noise from Copilot scope)
2. Short-term: Standardize naming conventions for in-scope sites
3. Medium-term: Implement hub site hierarchy and site classification
4. Long-term: Deploy content types and metadata standards across all sites
Step 5: Establish Architecture Standards
Document information architecture standards that will govern ongoing site and Teams creation:
- Site naming convention template
- Required metadata fields per site type
- Content type definitions for common document types
- Hub site hierarchy design
- Teams naming and channel organization standards
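As an added example (not part of the framework or its playbooks), the following Python script applies the Step 2 health checks and the Step 4 priority tiers to a site inventory exported in Step 1. The CSV column names, the sample rows, and the mapping of findings to tiers (including treating orphaned sites as Immediate) are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample; column names are assumptions, not the Admin Center export schema.
SAMPLE_CSV = """Url,Title,Template,LastActivity,Owner,HubSite,SensitivityLabel
https://contoso.example/sites/quarterly-reporting,Quarterly Reporting,SITEPAGEPUBLISHING#0,2026-02-10,fin-admin@contoso.example,Finance Hub,Confidential
https://contoso.example/sites/proj-2019,Project 2019,GROUP#0,2019-11-02,,,
https://contoso.example/sites/team-misc,Misc,STS#3,2026-01-20,jdoe@contoso.example,,
https://contoso.example/sites/legacy-migrated,Legacy Migrated,STS#0,,ops@contoso.example,Operations Hub,General
"""

STALE_AFTER = timedelta(days=90)  # Step 2: "activity in past 90 days"


def assess_site(row, as_of):
    """Return the list of Step 2 findings for one inventory row."""
    findings = []
    last = row["LastActivity"].strip()
    # A missing activity date is treated as stale rather than silently passed.
    if not last or as_of - date.fromisoformat(last) > STALE_AFTER:
        findings.append("stale")
    if not row["Owner"].strip():
        findings.append("orphaned")
    if not row["SensitivityLabel"].strip():
        findings.append("unclassified")
    if not row["HubSite"].strip():
        findings.append("no-hub")
    return findings


def priority(findings):
    """Map findings to the Step 4 remediation tiers (assumed mapping)."""
    if "stale" in findings or "orphaned" in findings:
        return "Immediate"
    if "unclassified" in findings or "no-hub" in findings:
        return "Medium-term"
    return "None"


def review(csv_text, as_of):
    """Assess every site and return {url: (priority, findings)}."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["Url"]: (priority(f), f) for r in rows for f in [assess_site(r, as_of)]}


if __name__ == "__main__":
    for url, (tier, findings) in review(SAMPLE_CSV, date(2026, 2, 17)).items():
        print(f"{tier:12} {url} {','.join(findings) or 'ok'}")
```

Passing the review date explicitly keeps the result reproducible, so the output can be filed with the documented assessment findings.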
Financial Sector Considerations
- Regulatory Content Organization: Sites containing regulatory filing data, examination materials, and compliance documentation should be organized in a clear hierarchy that supports both Copilot grounding quality and regulatory evidence management.
- Client vs. Internal Content Separation: Information architecture should clearly separate client-facing content from internal-only content. This separation supports Copilot governance by making it easier to apply differentiated controls to client data.
- Financial Reporting Sites: Sites containing financial reporting data (quarterly earnings, annual reports, board materials) require particular architectural attention because Copilot responses grounded in draft financial documents could create disclosure risks.
- Department-Specific Architecture: Different financial services business lines (wealth management, commercial banking, capital markets) may have distinct architecture needs. Ensure the architecture review accounts for these differences while maintaining enterprise-level consistency.
- Migration Legacy: Many financial institutions have migrated content from legacy systems (file shares, Documentum, SharePoint on-premises). Migrated content often has poor architecture and metadata. Prioritize architectural cleanup of migrated content before including it in Copilot scope.
- Content Duplication: Financial institutions often maintain duplicate copies of documents across multiple sites (e.g., a policy document in both the policy site and a project site). Identify and reduce duplication to prevent Copilot from grounding on outdated copies.
Verification Criteria
- Comprehensive inventory of active SharePoint sites has been completed with key metadata captured
- Comprehensive inventory of Teams has been completed with key metadata captured
- Orphaned and stale sites and Teams have been identified and documented
- Naming conventions have been reviewed and gaps identified for in-scope sites and Teams
- Architecture assessment scoring has been completed for each review dimension
- Stale and orphaned sites have been remediated (archived or deleted) or have documented justification for retention
- Hub site architecture and site classification coverage has been assessed (Recommended and Regulated levels)
- Content type and metadata usage has been assessed for top sites (Recommended and Regulated levels)
- Information architecture improvement roadmap has been created with prioritized actions and timelines
- Information architecture standards document exists and is being applied to new site and Teams creation (Regulated level)
Additional Resources
- Microsoft Learn: Plan your SharePoint site structure
- Microsoft Learn: SharePoint hub sites overview
- Microsoft Learn: Introduction to content types and content type publishing
- Microsoft Learn: Manage Teams in the Teams admin center
- Microsoft Learn: SharePoint site templates
- Related Controls: 1.1 Copilot Readiness Assessment, 1.7 SharePoint Advanced Management, 1.4 Semantic Index Governance, 3.2 Data Retention Policies, 4.1 Admin Settings & Feature Management
- Playbooks: Playbook 1.8.1 (Site Inventory Export Procedure), Playbook 1.8.2 (Architecture Assessment Scoring Template), Playbook 1.8.3 (Hub Site Design Guide for FSI), Playbook 1.8.4 (Content Type and Metadata Standards)
FSI Copilot Governance Framework v1.2.1 - March 2026