
Control 3.14: Copilot Pages and Notebooks Retention and Provenance

Control ID: 3.14
Pillar: Compliance & Audit
Regulatory Reference: SEC Rule 17a-4 (where applicable to required broker-dealer records), FINRA Rule 4511(a), Sarbanes-Oxley §§302/404 (where applicable to ICFR), Federal Reserve SR 21-14 (record retention principles)
Last Verified: 2026-06-06
Governance Levels: Baseline / Recommended / Regulated


Objective

Establish retention, versioning, and provenance controls for three mutable Microsoft 365 Copilot collaborative artifact types — Copilot Pages, OneNote Notebooks, and Loop components — so that branching, mutation, and embedding events are captured with sufficient lineage to support firm record-keeping policy and, where applicable to broker-dealer required records under SEC Rule 17a-4, examination evidence requirements. This control supplements the tenant-wide audit and retention baseline in Control 3.2 by addressing artifact-specific lineage gaps that a flat retention policy does not resolve, and works alongside Control 3.11 for eDiscovery and record-hold workflows.

Why This Matters for FSI

Copilot Pages, OneNote Notebooks, and Loop components share a property that distinguishes them from traditional documents: they are mutable, collaboratively edited, and (in the case of Pages and Loop) referenced from multiple hosts. A single Copilot Page can be branched into a new Page, edited in place, embedded in Teams chat, and re-shared into Outlook — all while the underlying content evolves. A retention policy that captures only the "current" state of these artifacts may not preserve the version that was actually viewed, cited, or relied upon at a given point in time.

  • FINRA Rule 4511(a) requires member firms to make and preserve books and records as required by FINRA rules, the Exchange Act, and applicable Exchange Act rules. Where Pages, Notebooks, or Loop components are used to draft customer communications, prepare research, or document supervisory decisions, the firm should treat them as record material subject to the same preservation obligations as other business records.
  • SEC Rule 17a-4 establishes record-keeping format, accessibility, and retention requirements for broker-dealer records that the rule designates as required records. Where applicable to those required records, the firm should verify that Copilot collaborative artifacts capturing such material are retained in a form that aids in meeting 17a-4 expectations (preservation period, non-rewriteable storage where required, and indexed retrieval). 17a-4 does not, by itself, designate every Copilot artifact a required record — scoping is the firm's responsibility.
  • Sarbanes-Oxley §§302/404 (where applicable to ICFR) require management to assess and certify the effectiveness of internal control over financial reporting. Where Pages or Notebooks are used in financial-close workstreams, accounting memos, or SOX-relevant analysis, retention of the version actually relied upon supports auditor walkthroughs and management certifications.
  • Federal Reserve SR 21-14 reinforces the broader supervisory expectation that institutions maintain records sufficient to reconstruct decisions and demonstrate ongoing risk management. Branching and mutation events that are not captured create lineage gaps that complicate reconstruction.

The branching property of Copilot Pages is the single largest gap. When a user branches a Page, Microsoft creates a new Page with its own identity; the original continues to evolve independently. A retention policy that holds the "current" Page misses the snapshot at the moment of branch — and any downstream artifact that cites the branched version may reference content that no longer exists in the form it was cited. Loop components compound this: a single Loop component may be embedded in a Teams message, a Word document, and an Outlook email, with each host displaying the live state. Retention must capture the component itself, not just each host.

Control Description

Three Artifact Types — Distinct Retention Profiles

| Artifact | Storage | Mutability | Branching | Multi-host Embedding | Primary Retention Surface |
|---|---|---|---|---|---|
| Copilot Pages | OneDrive/SharePoint (Loop workspace) | High — collaborative edits | Yes — explicit branch creates new Page | Limited (link/embed in Teams, Outlook) | Microsoft 365 retention policy scoped to Loop workspace; version history within the Page |
| OneNote Notebooks | OneDrive (personal), SharePoint (team), or Exchange (legacy) | High — section/page edits, free-form structure | No native branch; copy/duplicate creates a new Notebook | Linked references, section embeds | Microsoft 365 retention policy scoped to Notebook location; OneNote version history per page |
| Loop components | OneDrive (Loop workspace component store) | High — live, real-time co-edit | No branch; duplication creates new component | Yes — embedded in Teams, Outlook, Word, Whiteboard | Retention policy on the component store; component-level audit events |

Why Control 3.2 Is Insufficient on Its Own

Control 3.2 (Audit and Retention) establishes the tenant-wide retention baseline, which is necessary but not sufficient for these artifacts:

  1. Branch events are not captured by a flat retention policy. A retention policy preserves the state of the current item at the policy's snapshot interval. When a Copilot Page is branched, the policy preserves the original and the new branch, but the lineage relationship (this Page was branched from that Page on this date by this user) is recorded only in the audit log. Without correlating the audit event to the retained content, reconstruction is incomplete.
  2. Notebook section retention is coarser than the unit of work. Microsoft 365 retention policies operate at the Notebook (file) level. A team Notebook with multiple sections covering different business activities may have a single retention requirement applied uniformly, even when one section (e.g., supervisory notes) requires longer retention than another (e.g., scratch planning).
  3. Loop component provenance crosses host boundaries. A Loop component embedded in a Teams chat and in an Outlook email is the same component, not a copy. A user reading the Outlook email is reading the live state. Retention must record both the component's edit history and the hosts that referenced it at each point in time.

Provenance Lineage Requirements

For each artifact type, the firm should maintain a provenance trail capturing:

  • Identity — the immutable artifact identifier (Page ID, Notebook ID, Loop component ID)
  • Lifecycle events — create, edit, branch (Pages), share, embed, delete, restore
  • Actor — the user identity (Entra object ID) responsible for each event
  • Content snapshot reference — pointer to the retained version at the time of each significant event
  • Host references (Loop) — list of locations where a Loop component is embedded, with timestamps for embed and removal

This provenance trail aids in eDiscovery search, supervisory reconstruction, and examination response.

Copilot Surface Coverage

| Microsoft 365 Surface | Pages | Notebooks | Loop Components | Notes |
|---|---|---|---|---|
| Microsoft 365 Copilot Chat | Yes | Indirect (search) | Yes | Pages can be created from Chat; Loop components surfaced in responses |
| Microsoft Loop app | Yes | No | Yes | Primary editing surface for Pages and Loop workspaces |
| OneNote (desktop, web, mobile) | No | Yes | Limited | Primary Notebook editing surface |
| Teams (chat, channels, meetings) | Embed | Linked | Yes | Loop components are heavily embedded in Teams chat and meeting notes |
| Outlook (mail, calendar) | Embed | Linked | Yes | Loop components in mail introduce live-state reading by recipients |
| Word, Whiteboard | Limited | Linked | Yes | Loop component embedding |
| SharePoint and OneDrive | Storage | Storage | Storage | Underlying retention surface for all three artifact types |

Governance Levels

| Level | Requirements | Rationale |
|---|---|---|
| Baseline | Include Copilot Pages, OneNote Notebooks, and Loop components within a tenant-wide Microsoft 365 retention policy with a defined minimum retention period; verify the Loop workspace and Notebook storage locations are scoped by the policy; enable unified audit logging for Pages branch events, Notebook edits, and Loop component lifecycle events; document where each artifact type is stored and which retention policy covers it. | Establishes a default retention floor and basic lineage logging suitable for institutions whose Pages, Notebook, and Loop usage is primarily internal productivity rather than record-material work. |
| Recommended | All Baseline requirements plus: configure branch-aware retention for Copilot Pages so that each branched Page is preserved as an independent retained item with a recorded link to its parent; apply section-level retention guidance for Notebooks used in supervisory or compliance workflows (separate sensitive sections into Notebooks scoped to a longer retention policy); maintain a provenance audit trail for Loop components capturing host embeddings and edit history; review Pages and Notebooks usage quarterly to identify new collaborative workstreams that should be brought under retention scope. | Suitable for firms that use Pages and Notebooks for business-record-adjacent work (research, supervisory notes, product memos) and need lineage capture beyond the flat retention floor. |
| Regulated | All Recommended requirements plus: produce an examiner-ready evidence pack covering all artifact versions of in-scope Pages, Notebooks, and Loop components for a representative sampling period, with branch and embed lineage; perform quarterly attestation that branching events for in-scope Pages have been captured and that no branch is unaccounted for in the retention store; obtain independent reviewer (internal audit or third-party) sign-off on the completeness of retention coverage and provenance lineage; verify that retention coverage helps meet, where applicable to broker-dealer required records, SEC Rule 17a-4 format, accessibility, and indexed-retrieval expectations; integrate Pages, Notebook, and Loop holds with the firm's eDiscovery and legal hold workflow under Control 3.11. | Designed for broker-dealers, registered investment advisers, and other regulated firms where Copilot collaborative artifacts intersect with required records under SEC Rule 17a-4, FINRA Rule 4511(a), or SOX §§302/404 ICFR scope, and examination readiness is a regular operational expectation. |

Setup & Configuration

Step 1: Inventory Artifact Storage Locations

Portal: Microsoft 365 Admin Center; SharePoint Admin Center; Microsoft Purview portal

  1. Identify the OneDrive and SharePoint sites that host Loop workspaces and Copilot Pages. Loop workspaces typically reside in a per-user OneDrive container (OneDrive/Loop) and, for shared workspaces, in a dedicated SharePoint site provisioned during workspace creation.
  2. Identify Notebook storage locations: personal Notebooks (OneDrive), team Notebooks (SharePoint document libraries), and any legacy Exchange-hosted Notebooks (rare in current tenants).
  3. Document the inventory in the firm's records inventory or governance register.

Step 2: Apply the Baseline Retention Policy

Portal: Microsoft Purview portal > Solutions > Data Lifecycle Management > Microsoft 365 > Retention policies

  1. Create or extend a retention policy that covers OneDrive and SharePoint sites identified in Step 1.
  2. Set the minimum retention period to align with firm policy (commonly 7 years for FSI work areas; longer where SEC Rule 17a-4 broker-dealer required-records scope applies).
  3. Verify the policy includes Loop workspace SharePoint sites — these are sometimes provisioned outside default retention scope and must be added explicitly.
  4. Confirm OneNote storage locations (OneDrive and SharePoint) are within scope; OneNote files (.one) are retained as part of the underlying file storage policy.

Step 3: Enable Audit Logging for Lineage Events

Portal: Microsoft Purview portal > Solutions > Audit

  1. Verify unified audit logging is enabled tenant-wide.
  2. Confirm the following operation types are logged and retrievable:
    • Loop and Pages: LoopWorkspaceCreated, PageCreated, PageBranched, PageEdited, PageDeleted, PageRestored
    • OneNote: file-level operations on .one and .onetoc2 items in OneDrive and SharePoint audit feeds
    • Loop components: LoopComponentCreated, LoopComponentEdited, LoopComponentEmbedded, LoopComponentRemoved
  3. The exact operation names evolve with the platform; verify current operation names in the Purview audit search interface and update internal monitoring queries accordingly.

```powershell
# Sample audit query for Pages branching events (last 30 days)
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
  -Operations "PageBranched","PageCreated" -ResultSize 5000

# Sample audit query for Loop component lifecycle
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
  -RecordType "MicrosoftLoop" -ResultSize 5000
```

Step 4: Branch-Aware Retention for Copilot Pages (Recommended/Regulated)

  1. Build a scheduled job (Power Automate, Logic App, or custom script) that reads PageBranched audit events daily.
  2. For each branch event, verify both the parent Page and the new branched Page are present in the retention store.
  3. Record the parent-child lineage in a governance ledger keyed on the immutable Page IDs.
  4. Where the firm operates a records management system separate from M365 retention, mirror the lineage record into the records system.

Step 5: Section-Level Notebook Strategy (Recommended/Regulated)

OneNote retention is applied at the file (Notebook) level, not at the section level. To approximate section-level retention:

  1. For Notebooks used in mixed-purpose workflows, separate sections that contain record material (supervisory notes, customer communication drafts) into dedicated Notebooks stored in a SharePoint document library with the appropriate retention policy.
  2. Maintain a Notebook-to-purpose mapping so that supervisors and compliance reviewers know which Notebook to consult for which activity.
  3. Include the mapping in the records inventory.

Step 6: Loop Component Provenance Trail (Recommended/Regulated)

  1. From the audit log, build a per-component history capturing edit events and host embedding events.
  2. For each component embedded in a host (Teams chat, Outlook email, Word document), record the host identifier and the embed timestamp; record the removal timestamp when the component is removed.
  3. Retain the component's edit history alongside the host audit trail so that a reader can reconstruct what content the component displayed at any point in time.
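
One way to build the per-component trail from the three steps above and answer "what did this component show, and where, at time T". This is an added example, not part of the framework's own tooling. It assumes audit records exported as dictionaries; `ComponentId`, `HostId` and `VersionRef` are hypothetical field names, and `LoopComponentRemoved` is assumed to mean removal from one host.

```python
from datetime import datetime


def _ts(value):
    """Parse the ISO 8601 UTC timestamps used in the sample records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _ev(op, when, **fields):
    """Build one constructed audit record for component cmp-1."""
    return {"Operation": op, "CreationTime": when, "ComponentId": "cmp-1",
            "UserKey": "user-aaa", **fields}


# Constructed sample, deliberately out of order. "ComponentId", "HostId" and
# "VersionRef" are assumed field names, not a documented audit schema.
SAMPLE_EVENTS = [
    _ev("LoopComponentEmbedded", "2026-03-02T10:00:00Z", HostId="teams-chat-17"),
    _ev("LoopComponentCreated", "2026-03-02T09:00:00Z", VersionRef="v1"),
    _ev("LoopComponentEdited", "2026-03-03T12:00:00Z", VersionRef="v2"),
    _ev("LoopComponentEmbedded", "2026-03-04T08:00:00Z", HostId="outlook-msg-42"),
    _ev("LoopComponentRemoved", "2026-03-05T15:00:00Z", HostId="teams-chat-17"),
    _ev("LoopComponentEdited", "2026-03-06T11:00:00Z", VersionRef="v3"),
    _ev("LoopComponentRemoved", "2026-03-07T09:00:00Z", HostId="word-doc-9"),
]


def build_trail(events, component_id):
    """Per-component history: ordered versions, host intervals, anomalies."""
    trail = {"versions": [], "hosts": {}, "anomalies": []}
    mine = [e for e in events if e.get("ComponentId") == component_id]
    for ev in sorted(mine, key=lambda e: _ts(e["CreationTime"])):
        op, when = ev["Operation"], _ts(ev["CreationTime"])
        if op in ("LoopComponentCreated", "LoopComponentEdited"):
            trail["versions"].append((when, ev.get("VersionRef"), ev.get("UserKey")))
        elif op == "LoopComponentEmbedded":
            trail["hosts"].setdefault(ev["HostId"], []).append([when, None])
        elif op == "LoopComponentRemoved":
            spans = trail["hosts"].get(ev["HostId"], [])
            if spans and spans[-1][1] is None:
                spans[-1][1] = when  # close the open embed interval
            else:
                # A removal with no embed on record is a lineage gap to investigate.
                trail["anomalies"].append(("removal_without_embed", ev["HostId"]))
    return trail


def state_at(trail, when):
    """Return (version_ref, hosts) the component presented at time `when`."""
    t = _ts(when)
    seen = [ref for (ts, ref, _actor) in trail["versions"] if ts <= t]
    hosts = sorted(h for h, spans in trail["hosts"].items()
                   if any(s <= t and (e is None or t < e) for s, e in spans))
    return (seen[-1] if seen else None), hosts
```

A host can appear more than once in the trail: each embed opens a new interval, so re-embedding after removal is reconstructed correctly.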

Step 7: Examiner Evidence Pack (Regulated)

Assemble a standing evidence pack containing:

  1. The retention policy configuration covering Pages, Notebooks, and Loop components
  2. Sampled artifact version histories with branch and embed lineage
  3. The provenance ledger for the sampling period
  4. Quarterly attestation records (Step 8)
  5. Independent reviewer sign-off (Step 9)

Step 8: Quarterly Branching Attestation (Regulated)

  1. On a quarterly cadence, reconcile the count of PageBranched audit events against the count of branched Pages present in the retention store.
  2. Investigate and document any discrepancy.
  3. Record the attestation in the governance log; the attestation should be signed by the records manager or compliance officer.
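
The reconciliation in this step, and the daily PageBranched lineage job described earlier, can share one ledger. The following is an added example, not code from the framework. It assumes audit records exported as dictionaries and a retention-store inventory available as a set of Page IDs; `PageId` and `ParentPageId` are hypothetical field names to be mapped to the tenant's actual audit records.

```python
from dataclasses import dataclass


def _rec(eid, op, when, actor, page, parent=None):
    """Build one constructed audit record."""
    return {"Id": eid, "Operation": op, "CreationTime": when,
            "UserKey": actor, "PageId": page, "ParentPageId": parent}


# Constructed sample. "PageId" / "ParentPageId" are assumed field names.
SAMPLE_EVENTS = [
    _rec("evt-1", "PageBranched", "2026-04-02T14:05:00Z", "user-aaa", "page-B", "page-A"),
    _rec("evt-1", "PageBranched", "2026-04-02T14:05:00Z", "user-aaa", "page-B", "page-A"),
    _rec("evt-2", "PageBranched", "2026-04-09T09:30:00Z", "user-bbb", "page-C", "page-B"),
    _rec("evt-3", "PageBranched", "2026-05-11T16:45:00Z", "user-aaa", "page-D", "page-A"),
    _rec("evt-4", "PageEdited", "2026-05-12T08:00:00Z", "user-bbb", "page-A"),
    _rec("evt-5", "PageBranched", "2026-05-20T11:00:00Z", "user-ccc", "page-E"),
]
RETAINED_PAGE_IDS = {"page-A", "page-B", "page-C"}  # constructed; page-D is absent


@dataclass(frozen=True)
class BranchLink:
    event_id: str
    parent_id: str
    child_id: str
    actor: str
    branched_at: str


def build_ledger(events):
    """Return (links, malformed): one link per unique PageBranched record."""
    links, malformed, seen = [], [], set()
    for ev in events:
        if ev.get("Operation") != "PageBranched":
            continue
        eid = ev.get("Id")
        if eid is not None and eid in seen:
            continue  # same record read twice, e.g. overlapping query windows
        seen.add(eid)
        if not ev.get("PageId") or not ev.get("ParentPageId"):
            malformed.append(eid)  # lineage cannot be recorded; investigate
            continue
        links.append(BranchLink(eid, ev["ParentPageId"], ev["PageId"],
                                ev.get("UserKey", ""), ev.get("CreationTime", "")))
    return links, malformed


def reconcile(links, malformed, retained_ids):
    """Compare branch events with the retention store for the attestation."""
    gaps = [(l.event_id, pid) for l in links
            for pid in (l.parent_id, l.child_id) if pid not in retained_ids]
    return {"branch_events": len(links) + len(malformed),
            "branches_retained": sum(l.child_id in retained_ids for l in links),
            "missing_from_store": gaps,
            "malformed_events": malformed,
            "clean": not gaps and not malformed}


def ancestors(links, page_id):
    """Walk child -> parent links to the root, e.g. to widen a hold scope."""
    parent_of = {l.child_id: l.parent_id for l in links}
    chain = []
    while page_id in parent_of and parent_of[page_id] not in chain:
        page_id = parent_of[page_id]
        chain.append(page_id)
    return chain
```

An attestation is only signable when `clean` is true; every entry in `missing_from_store` or `malformed_events` is a discrepancy to investigate and document.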

Step 9: Independent Reviewer Sign-Off (Regulated)

  1. Engage internal audit or an independent third-party reviewer to assess the completeness of retention coverage and provenance lineage at least annually.
  2. Reviewer scope: configuration review, sample-based reconstruction test, audit log integrity check.
  3. Document findings and remediation actions.

Financial Sector Considerations

  • Required-records scoping under SEC Rule 17a-4. Broker-dealers should determine which Pages, Notebooks, and Loop components capture content that the rule designates as required records — typically order memoranda, customer communications, and certain supervisory records. Where applicable, retention configuration should aid in meeting 17a-4 format, accessibility, and indexed-retrieval expectations. The control does not, by itself, satisfy 17a-4; firms should verify configuration against the rule's specific requirements with legal and compliance counsel.
  • Supervisory record-keeping under FINRA Rule 4511(a) and Rule 3110. Where Pages or Notebooks are used to document supervisory reviews, the retained version should reflect the content actually reviewed. Quarterly attestation under the Regulated tier helps meet this expectation.
  • SOX §§302/404 ICFR linkage. Where applicable to ICFR, Pages and Notebooks used in financial-close, accounting memo, or control-testing workflows should be brought under the Regulated tier so that the version relied upon by management is preserved for auditor walkthroughs.
  • eDiscovery and legal hold integration. Pages, Notebooks, and Loop components should be discoverable and holdable through the same workflow as other M365 content. See Control 3.11 for the eDiscovery and record-hold pattern. Branch lineage should be reflected in hold scope so that all relevant versions are preserved during litigation hold.
  • Information barrier alignment. Where the firm operates information barriers, verify that Pages and Loop components do not bypass barrier scope through cross-segment embedding. A Loop component originating in one segment that is embedded in another segment's Teams chat may surface content across the barrier; review this with the barrier owner.
  • Proportionality. For institutions whose Pages, Notebook, and Loop usage is limited to internal productivity (meeting notes, brainstorm scratch, draft outlines that are not record material), the Baseline tier is recommended to provide a retention floor without imposing the operational cost of branch-aware lineage tracking.
  • Cross-reference to Control 3.2. This control supplements, and does not replace, the tenant-wide audit and retention baseline in Control 3.2. Firms should treat 3.14 as the artifact-specific extension that addresses lineage gaps in mutable collaborative artifacts.

Verification Criteria

| # | Verification Step | Expected Outcome | Governance Level |
|---|---|---|---|
| 1 | Confirm Copilot Pages, OneNote Notebooks, and Loop components are within scope of a Microsoft 365 retention policy | Retention policy explicitly covers OneDrive and SharePoint sites hosting these artifact types | Baseline |
| 2 | Verify unified audit logging captures Pages branch events, Notebook edits, and Loop component lifecycle events | Sample audit queries return events with actor, timestamp, and artifact identifier | Baseline |
| 3 | Confirm storage location inventory documents where Pages, Notebooks, and Loop components reside | Records inventory entry exists with location, owner, and applicable retention policy | Baseline |
| 4 | Verify branch-aware retention for Copilot Pages | Each branched Page is retained as an independent item with a recorded parent-child lineage link | Recommended |
| 5 | Confirm Notebooks containing record material are isolated into Notebooks with appropriate retention scope | Notebook-to-purpose mapping exists; record-material sections are not co-located with scratch sections under a shorter retention | Recommended |
| 6 | Verify Loop component provenance trail captures host embeddings | Per-component audit history shows embed and removal events with host identifiers and timestamps | Recommended |
| 7 | Confirm quarterly review of new collaborative workstreams brings them under retention scope | Quarterly review record exists with workstream additions and policy updates | Recommended |
| 8 | Produce an examiner-ready evidence pack covering Pages, Notebooks, and Loop components for a sampling period | Evidence pack includes version histories, lineage records, and policy configuration | Regulated |
| 9 | Verify quarterly attestation that all PageBranched audit events reconcile to retained branches | Attestation log shows reconciliation count, discrepancies investigated, and signature | Regulated |
| 10 | Confirm independent reviewer sign-off on retention completeness | Reviewer report on file with findings and remediation status | Regulated |
| 11 | Verify, where applicable to broker-dealer required records, that retention helps meet SEC Rule 17a-4 format and accessibility expectations | Configuration review documents 17a-4 scoping decisions and the corresponding storage configuration | Regulated |
| 12 | Confirm Pages, Notebook, and Loop holds integrate with the eDiscovery and legal hold workflow | Test hold demonstrates that branch lineage is preserved within hold scope | Regulated |


FSI Copilot Governance Framework v1.4.0 - April 2026