Control 3.2: Data Retention Policies for Copilot Interactions
- Control ID: 3.2
- Pillar: Compliance & Audit
- Regulatory Reference: FINRA 4511 (Books and Records), SEC 17a-4 (Preservation of Records), SOX 802 (Criminal Penalties for Altering Documents)
- Last Verified: 2026-05-25
- Governance Levels: Baseline / Recommended / Regulated
Objective
Establish and enforce data retention policies that preserve Copilot-generated content, Copilot chat history, and Copilot-assisted communications for the retention periods required by financial services regulations, using Microsoft Purview retention policies and retention labels.
Why This Matters for FSI
Financial services regulations mandate that specific types of business records be preserved for defined periods. When Copilot drafts a client email, generates a financial summary, or assists with a compliance review, the resulting content may constitute a business record subject to retention requirements. The challenge with Copilot is that AI-generated and AI-assisted content is distributed across multiple M365 workloads -- Exchange mailboxes, Teams chats, OneDrive files, SharePoint sites, and Copilot Pages -- each with distinct retention behaviors.
SEC Rule 17a-4 requires broker-dealers to preserve business communications for at least 3 years (first 2 years in an accessible place) and certain financial records for 6 years. FINRA Rule 4511 extends this to all books and records required under FINRA rules. SOX Section 802 imposes criminal penalties for knowingly altering, destroying, or concealing records relevant to federal investigations.
Without deliberate retention policies targeting Copilot content locations, firms risk inadvertent destruction of records that regulators expect to be preserved. Microsoft Purview retention policies and retention labels provide the mechanism to enforce these requirements across all Copilot content locations.
Control Description
This control covers the configuration of Microsoft Purview retention policies that address every location where Copilot creates or stores content. It includes retention period determination, policy scoping, retention label design, preservation hold implementation, and the FSI retention matrix.
Pages and Notebooks nuances: Branch-aware Copilot Pages retention, Notebook section-level coverage, and Loop component provenance are addressed by Control 3.14 — Copilot Pages and Notebooks Retention and Provenance, which extends this control for those mutable artifact types.
FSI Retention Matrix for Copilot Content
| Content Type | M365 Location | Record Category | Minimum Retention | Regulatory Basis |
|---|---|---|---|---|
| Microsoft 365 Copilot Chat history | Microsoft Copilot experiences (user mailbox hidden folder) | Business communication | 3 years | FINRA 4511, SEC 17a-4(b)(4) |
| Copilot-drafted emails (sent) | Exchange Online | Business correspondence | 3 years | SEC 17a-4(b)(4) |
| Copilot-drafted emails (client-facing) | Exchange Online | Customer correspondence | 6 years | SEC 17a-4(a) |
| Copilot Pages | SharePoint Embedded user-owned container (retention applied through All SharePoint Sites) | Business record | 3 years | FINRA 4511 |
| Teams meeting recaps (Copilot) | Microsoft Copilot experiences / Teams-Exchange | Business communication | 3 years | FINRA 4511, SEC 17a-4(b)(4) |
| Teams meeting transcripts | Teams / Exchange | Business communication | 3 years | FINRA 4511 |
| Teams chat Copilot interactions | Microsoft Copilot experiences / Teams-Exchange | Business communication | 3 years | FINRA 4511, SEC 17a-4(b)(4) |
| Word/Excel/PowerPoint Copilot drafts | SharePoint / OneDrive | Business record | 6 years (if financial) | SEC 17a-4(a), SOX 802 |
| Copilot-assisted financial analyses | SharePoint / OneDrive | Financial record | 6 years | SEC 17a-3(a)(2), SOX 802 |
| Copilot audit log events | Purview UAL | Audit trail | 6 years | SEC 17a-4(a), FINRA 4511 |
Restructured Retention Locations in Microsoft Purview
Microsoft has reorganized Copilot-related retention locations in Purview. For Microsoft 365 Copilot governance, the key point is that Copilot interaction history and Copilot Pages storage no longer map to the same retention target.
| Retention Location Category | Included Content | Configuration Path |
|---|---|---|
| Microsoft Copilot experiences | Microsoft 365 Copilot Chat history, Copilot interaction history, meeting recap content, and related Copilot experience records | Purview > Data Lifecycle Management > Retention Policies > Microsoft Copilot experiences |
| All SharePoint Sites | SharePoint Online sites and SharePoint Embedded-backed Copilot Pages / Copilot Notebooks containers | Purview > Data Lifecycle Management > Retention Policies > SharePoint sites |
| Enterprise AI Apps | Copilot Studio agents, Power Platform AI integrations | Purview > Data Lifecycle Management > Retention Policies > Enterprise AI Apps |
| Other AI Apps | Third-party AI tools integrated via Microsoft 365 | Purview > Data Lifecycle Management > Retention Policies > Other AI Apps |
Scope guidance for Microsoft 365 Copilot deployments: Use Microsoft Copilot experiences to retain Copilot interaction history and use All SharePoint Sites to retain Copilot Pages and Copilot Notebooks because those files are stored in SharePoint Embedded containers.
Known Issue: Copilot Notebooks Deletion Bug (MC1213768)
Copilot Notebooks Retention Deletion Issue
MC1213768 (January 2026): Deletion of Copilot Notebooks in SharePoint Embedded containers may intermittently fail when retention policies or Preservation Holds apply to the container. This is a known product issue acknowledged by Microsoft.
- Symptom: Notebooks targeted by retention policies may not be deleted at the expected end of their retention period, or manual deletion of Notebooks may fail silently when the container is subject to a Preservation Hold
- Workaround: Temporarily exclude affected SharePoint Embedded containers from retention policies, or remove Preservation Holds via Microsoft Purview before attempting deletion. Re-apply holds after the deletion completes
- FSI impact: Organizations with active litigation holds or regulatory preservation holds on user containers may encounter this issue when attempting to manage Notebook lifecycle. Document the workaround in hold management procedures and monitor Microsoft Message Center for a permanent fix
- Monitoring: Track MC1213768 in the Microsoft 365 Message Center for resolution updates. Organizations should verify that this issue does not affect their ability to comply with disposition review obligations under SEC Rule 17a-4
Retention Coverage for Copilot Pages and Notebooks
Retention coverage for Copilot Pages and Copilot Notebooks is managed via the "All SharePoint Sites" scope in Microsoft Purview retention policies. Because Pages and Notebooks are stored in SharePoint Embedded user-owned containers, they are not covered by OneDrive retention policies — the "All SharePoint Sites" scope is the correct retention location.
- Bulk/manual retention label application: As of early 2026, bulk application and manual application of retention labels to individual Copilot Pages and Notebooks items remains limited. Users cannot manually apply retention labels to Pages or Notebooks through the standard document library interface as they would with traditional SharePoint files. Organizations should rely on retention policies (rather than retention labels) as the primary mechanism for retaining Pages and Notebooks content, and use auto-apply retention label policies where targeted retention is required
- Governance implication: This limitation means that FSI firms cannot implement item-level records management for individual Copilot Pages using manual retention labels — a gap that may be relevant for firms that classify specific Copilot-generated summaries or working notes as regulatory records under FINRA Rule 4511. Document this limitation and apply compensating controls (such as broader retention policies that cover all Pages content) until item-level labeling support is expanded
Retention Policy vs. Retention Label
| Mechanism | Use Case | Behavior |
|---|---|---|
| Retention policy | Blanket retention for all content in a location | Applied automatically to all content; users cannot remove; supports "retain and then delete" or "retain only" |
| Retention label | Targeted retention for specific document types | Applied manually or via auto-labeling; can declare content as a regulatory record; supports disposition review |
For FSI Copilot governance, use retention policies as the baseline to provide coverage for all Copilot content locations, and retention labels for targeted record declaration of high-value regulatory records.
Content Locations for Copilot Data
Understanding where Copilot stores data is critical for comprehensive retention coverage:
- Microsoft Copilot experiences (Purview retention location): Primary location for Copilot Chat history, Copilot interaction data, and meeting recap content
- Exchange Online mailboxes: Copilot Chat history (hidden folder), Copilot-drafted emails, meeting recap summaries
- OneDrive for Business: Copilot-generated files saved to personal OneDrive locations
- SharePoint Online / SharePoint Embedded: Copilot-generated documents stored in team sites plus Copilot Pages and Copilot Notebooks stored in user-owned SharePoint Embedded containers
- Teams channel messages: Copilot summaries posted in channels
- Teams chat messages: Copilot interactions in 1:1 and group chats
- Purview Audit Log: CopilotInteraction events (covered by Control 3.1 retention)
Priority Cleanup for AI-Generated Assets
Microsoft Purview now supports priority cleanup policies that target AI-generated content for earlier disposition review, enabling organizations to reduce storage costs while maintaining regulatory compliance. This capability is particularly relevant for Copilot-generated draft content that users do not finalize — ephemeral drafts that are never sent or saved as formal business records may not warrant the same retention period as finalized content.
Governance considerations for AI-generated drafts:
Priority cleanup allows organizations to configure separate retention treatment for AI-generated content that meets specific criteria. However, FSI organizations must exercise caution in applying shorter retention periods to Copilot-generated content given broad regulatory interpretations of "business records."
| Tier | Priority Cleanup Approach | Rationale |
|---|---|---|
| Baseline | Standard retention (no priority cleanup) | Avoids inadvertent destruction of records; simpler governance |
| Recommended | Priority cleanup for unsent Copilot drafts only | Reduces storage costs for clearly ephemeral content while retaining all sent or saved content |
| Regulated | Retain all Copilot-generated content regardless of draft status | Conservative interpretation of SEC Rule 17a-3(a)(17), which covers "all communications relating to the member's business" — firms under heightened oversight should err toward broader retention |
When configuring priority cleanup at the Recommended tier, scope the cleanup policy narrowly: target only documents in personal OneDrive locations that have never been shared or sent, that have not been modified in 90+ days, and that match Copilot-generated content signatures. Document the scope decisions and the regulatory rationale in the firm's records management schedule.
Threaded Summaries Retention
Copilot-generated meeting summaries and Teams conversation summaries are retained as threaded objects linked to their source content. This threading structure creates a retention consideration that firms must address explicitly in their policies.
The independence principle: Deleting a source message does not delete the Copilot summary, and vice versa. A Teams meeting transcript that is deleted per a normal deletion workflow does not automatically delete the Copilot-generated meeting recap. Similarly, a retention policy that covers meeting transcripts does not automatically extend to the Copilot-generated summary unless the summary's storage location is also covered.
Implications for FSI firms:
- Retention policies must cover both the source content location (e.g., Teams channel messages) and the summary storage location (e.g., Microsoft Copilot experiences) to ensure complete retention of the full interaction record.
- FINRA Rule 4511(c) requires members to preserve books and records in a format and media that comply with applicable regulations. Threaded summaries that capture the substance of a business discussion are books and records for this purpose — they cannot be excluded from the firm's retention inventory.
- When configuring eDiscovery searches, include both Teams message content and the Microsoft Copilot experiences location to ensure threaded summaries are captured in hold and export operations.
- Conduct an annual review of threaded summary retention coverage to verify that policy updates have not created gaps between source content and summary retention.
Copilot Surface Coverage
| Copilot Surface | Content Stored | Retention Location | Policy Type |
|---|---|---|---|
| Microsoft 365 Copilot Chat | Chat history with Copilot | Microsoft Copilot experiences | Copilot experiences retention policy |
| Word Copilot | Generated/revised document content | SharePoint or OneDrive (where doc is saved) | SharePoint/OneDrive retention policy |
| Excel Copilot | Generated formulas, analyses, charts | SharePoint or OneDrive | SharePoint/OneDrive retention policy |
| PowerPoint Copilot | Generated slides, design changes | SharePoint or OneDrive | SharePoint/OneDrive retention policy |
| Outlook Copilot | Drafted/revised emails | Exchange mailbox (Sent Items, Drafts) | Exchange retention policy |
| Teams Copilot | Meeting recaps, chat summaries | Microsoft Copilot experiences / Teams-Exchange | Teams + Copilot experiences retention policy |
| Copilot Pages | Page content, collaborative edits | SharePoint Embedded user-owned container | SharePoint retention policy covering All SharePoint Sites |
Governance Levels
Baseline
- Create retention policies covering all Copilot content locations for a minimum of 3 years — required locations: Exchange Online (Copilot Chat substrate, Outlook drafts), Microsoft Copilot experiences (Copilot interaction history), SharePoint Online / All SharePoint Sites (team-shared files plus SharePoint Embedded containers used by Copilot Pages and Copilot Notebooks), OneDrive for Business (personal files and documents saved there, but not Pages storage), Teams Channel messages, Teams Chat messages, and Microsoft 365 Groups
- Configure via Purview portal: Microsoft Purview portal > Solutions > Data Lifecycle Management > Microsoft 365 > Retention policies > + New retention policy
- Configure a retention policy for the Microsoft Copilot experiences location to capture Copilot Chat history
- Verify Copilot Chat history is included in the Microsoft Copilot experiences retention scope
- Confirm that Copilot Pages and Copilot Notebooks are covered through a retention policy scoped to All SharePoint Sites because the content is stored in SharePoint Embedded containers
- Note: Copilot interactions in Teams are captured under the same `TeamsChatLocation` (1:1, group) and `TeamsChannelLocation` (channels) as standard Teams messages — no separate location parameter is needed specifically for Teams Copilot content
- Note: Copilot-generated content in Word/Excel/PowerPoint is retained wherever the host file is stored (SharePoint or OneDrive) and is covered by those location policies
- Document retention policy assignments in the firm's records management schedule
- Test retention by verifying that deleted Copilot content is recoverable within the retention period
Recommended
- Implement differentiated retention periods based on the FSI retention matrix (3 years for communications, 6 years for financial records)
- Create retention labels for "Regulatory Record -- Financial" (6-year) and "Regulatory Record -- Communication" (3-year)
- Configure auto-apply retention labels using trainable classifiers or keyword queries for Copilot-generated financial documents
- Implement preservation hold policies for users under regulatory investigation or litigation hold
- Use adaptive scopes to target retention policies by department, office, or job title — create via Microsoft Purview > Data Lifecycle Management > Adaptive scopes > + Create scope; available scope types: Users (based on Entra ID attributes → applies to OneDrive + Exchange), SharePoint sites (based on site name, URL, or sensitivity labels), and Microsoft 365 Groups (based on group attributes); limitation: adaptive scopes cannot currently filter within Teams Chat/Channel locations by Copilot-specific attributes — the entire Teams location is included
- Monitor retention policy status and coverage through Purview data lifecycle management reports
- Conduct quarterly retention coverage audits to identify gaps
- Configure priority cleanup for unsent Copilot drafts with appropriate scope controls
- Verify that threaded summary retention covers both source and summary locations
- Confirm PowerShell-based policy creation covers all supported workload locations — reference: `New-RetentionCompliancePolicy -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All`, with `-TeamsChannelLocation All -TeamsChatLocation All` supplied in a separate `New-RetentionCompliancePolicy` call because the Teams locations belong to their own parameter set and cannot share a policy with the other workloads. The cmdlet does not expose a `-CopilotLocation` parameter (verify against the current `New-RetentionCompliancePolicy` syntax); the Microsoft Copilot experiences retention location must be configured through the Microsoft Purview portal at Data lifecycle management > Microsoft 365 > Retention policies > + New retention policy until Microsoft documents PowerShell coverage for that location
Regulated
- Configure WORM-immutable retention for records subject to SEC Rule 17a-4(f) requirements — use `New-RetentionComplianceRule` with `-RetentionComplianceAction KeepAndDelete` to support immutable retain-then-delete behavior required for WORM compliance
- Enable Preservation Lock on retention policies governing regulated records — once enabled, the policy cannot be deleted and the retention period cannot be shortened; this satisfies the 17a-4(f) WORM requirement per SEC no-action letters (⚠️ this action is irreversible); enable via Purview > Retention policies > [policy] > Lock policy
- Implement regulatory record declaration using retention labels with "Mark items as a regulatory record" enabled
- Establish disposition review workflows for records reaching end of retention period
- Create preservation hold policies that can be activated within 4 hours of a regulatory preservation notice
- Configure retention policies for a minimum of 6 years across all Copilot content locations including Microsoft Copilot experiences — example PowerShell with 7-year FSI standard for the workload locations exposed by the cmdlet: `New-RetentionCompliancePolicy -Name "FSI-Copilot-7yr-Retention" -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All` followed by `New-RetentionComplianceRule -Policy "FSI-Copilot-7yr-Retention" -RetentionDuration 2556 -RetentionComplianceAction Keep`. The Teams locations belong to a separate parameter set and cannot be combined with the other workloads in one policy, so cover them with a second policy (name illustrative): `New-RetentionCompliancePolicy -Name "FSI-Copilot-7yr-Retention-Teams" -TeamsChannelLocation All -TeamsChatLocation All` followed by `New-RetentionComplianceRule -Policy "FSI-Copilot-7yr-Retention-Teams" -RetentionDuration 2556 -RetentionComplianceAction Keep`. The Microsoft Copilot experiences retention location is not exposed by `New-RetentionCompliancePolicy` (the cmdlet has no `-CopilotLocation` parameter — see the `New-RetentionCompliancePolicy` syntax); create a parallel retention policy targeting Microsoft Copilot experiences through the Microsoft Purview portal under Data lifecycle management > Microsoft 365 > Retention policies and document the portal-managed policy alongside the PowerShell-managed workload policies in the firm's records management schedule
- Implement cross-workload retention reporting to verify no Copilot content falls outside retention scope
- Document retention policy exceptions and compensating controls for any gaps
- Conduct annual retention policy effectiveness testing with documented results
- Adopt conservative retention posture for all Copilot-generated content per SEC Rule 17a-3(a)(17) interpretation
Setup & Configuration
Step 1: Create Microsoft Copilot Experiences Retention Policy
- Navigate to Microsoft Purview portal
- Go to Data lifecycle management > Microsoft 365 > Retention policies
- Click + New retention policy
- Configure:
  - Name: `FSI-Copilot-Experiences-Retention-3Year`
  - Description: Retains Microsoft Copilot Chat history, meeting recaps, and Copilot interaction content
  - Locations: Select Microsoft Copilot experiences — toggle to On (covers all Copilot interaction history and AI-assisted content)
  - Retention settings: Retain items for 3 years, then do nothing (retain only)
- Click Submit
- For regulated deployments requiring 6-year retention, create a second policy: `FSI-Copilot-Experiences-Retention-6Year` with 6-year duration
Step 2: Create Exchange Retention Policy (Email + Legacy Copilot Chat Coverage)
- Create a new retention policy:
  - Name: `FSI-Copilot-Exchange-Retention-3Year`
  - Description: Retains Exchange content including Copilot-drafted emails for 3 years
  - Locations: Exchange mailboxes -- include all users (or scoped groups)
  - Retention settings: Retain items for 3 years, then do nothing (retain only)
- Click Submit
Step 3: Create OneDrive Retention Policy (Personal Files and Draft Documents)
- Create a new retention policy:
  - Name: `FSI-Copilot-OneDrive-Retention-3Year`
  - Description: Retains OneDrive content including personal Copilot-generated documents for 3 years
  - Locations: OneDrive accounts -- include all users
  - Retention settings: Retain items for 3 years, then do nothing
- For financial records requiring 6-year retention, create an additional policy or use retention labels
Step 4: Create SharePoint Retention Policy (Includes Copilot Pages / Notebooks)
- Create a new retention policy:
  - Name: `FSI-Copilot-SharePoint-Retention-6Year`
  - Description: Retains SharePoint content including Copilot-generated documents and SharePoint Embedded-backed Copilot Pages / Copilot Notebooks
  - Locations: SharePoint sites -- include All SharePoint Sites (or specific financial record sites where appropriate)
  - Retention settings: Retain items for 6 years, then do nothing
Step 5: Create Teams Retention Policy
- Create a new retention policy:
  - Name: `FSI-Copilot-Teams-Retention-3Year`
  - Description: Retains Teams messages and Copilot meeting recaps for 3 years
  - Locations: Teams channel messages and Teams chats -- include all
  - Retention settings: Retain items for 3 years, then do nothing
Step 6: Create Regulatory Record Retention Labels (Regulated)
- Go to Data lifecycle management > Microsoft 365 > Labels
- Create label:
  - Name: `FSI-Regulatory-Record-Financial-6Yr`
  - Description: Regulatory record -- financial records retained for 6 years per SEC 17a-4
  - Retention: 6 years from date created
  - Mark items as a regulatory record: Yes
  - At end of retention: Trigger a disposition review
- Publish the label to relevant locations and user groups
Step 7: Configure Preservation Hold (As Needed)
For users under litigation hold or regulatory investigation:
```powershell
# Apply preservation hold to a specific user's mailbox
Set-Mailbox -Identity "user@firm.com" -LitigationHoldEnabled $true -LitigationHoldDuration 2555 -LitigationHoldOwner "compliance@firm.com"
```
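Steps 2 through 5 as a repeatable script, with a status check against verification steps 1 and 11. This is an added example and not part of the framework's own tooling. It assumes the ExchangeOnlineManagement module and an existing `Connect-IPPSSession` session; the function names, the `-Rule` name suffix and the day counts (365 days per year) are assumptions, and the Step 1 Microsoft Copilot experiences policy is left to the portal as described above.

```powershell
# Added example, not part of the framework. Assumes the ExchangeOnlineManagement
# module and an existing Connect-IPPSSession session with rights to manage
# retention policies. Function names and the "-Rule" suffix are illustrative.

# Retention periods in days, taking 365 days per year (assumption).
$ThreeYears = 3 * 365
$SixYears   = 6 * 365

# One entry per workload policy from Steps 2-5. The Teams locations sit in
# their own policy, as in Step 5. The Step 1 "Microsoft Copilot experiences"
# policy is not listed: the page states it has to be created in the portal.
$PolicyPlan = @(
    @{
        Name      = 'FSI-Copilot-Exchange-Retention-3Year'
        Comment   = 'Retains Exchange content including Copilot-drafted emails for 3 years'
        Days      = $ThreeYears
        Locations = @{ ExchangeLocation = 'All' }
    },
    @{
        Name      = 'FSI-Copilot-OneDrive-Retention-3Year'
        Comment   = 'Retains OneDrive content including personal Copilot-generated documents for 3 years'
        Days      = $ThreeYears
        Locations = @{ OneDriveLocation = 'All' }
    },
    @{
        Name      = 'FSI-Copilot-SharePoint-Retention-6Year'
        Comment   = 'Retains SharePoint content including Copilot Pages / Copilot Notebooks for 6 years'
        Days      = $SixYears
        Locations = @{ SharePointLocation = 'All' }
    },
    @{
        Name      = 'FSI-Copilot-Teams-Retention-3Year'
        Comment   = 'Retains Teams messages and Copilot meeting recaps for 3 years'
        Days      = $ThreeYears
        Locations = @{ TeamsChannelLocation = 'All'; TeamsChatLocation = 'All' }
    }
)

function New-FsiCopilotRetentionPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable[]]$Plan)

    # Read existing names once so a re-run skips policies that are already there.
    $existing = @(Get-RetentionCompliancePolicy | Select-Object -ExpandProperty Name)

    foreach ($entry in $Plan) {
        if ($existing -contains $entry.Name) {
            Write-Verbose "Policy '$($entry.Name)' already exists; left unchanged."
            continue
        }
        if ($PSCmdlet.ShouldProcess($entry.Name, 'Create retention policy and rule')) {
            $locations = $entry.Locations
            New-RetentionCompliancePolicy -Name $entry.Name -Comment $entry.Comment @locations | Out-Null
            # "Retain items for N years, then do nothing" maps to the Keep action.
            New-RetentionComplianceRule -Name "$($entry.Name)-Rule" -Policy $entry.Name `
                -RetentionDuration $entry.Days -RetentionComplianceAction Keep | Out-Null
        }
    }
}

function Test-FsiCopilotRetentionPolicy {
    param([Parameter(Mandatory)][hashtable[]]$Plan)

    # -DistributionDetail populates DistributionStatus on the returned policies.
    $live = @(Get-RetentionCompliancePolicy -DistributionDetail)

    foreach ($entry in $Plan) {
        $policy = $live | Where-Object { $_.Name -eq $entry.Name } | Select-Object -First 1
        $rule   = if ($policy) { Get-RetentionComplianceRule -Policy $policy.Name | Select-Object -First 1 }
        # One row per planned policy; compare RetentionDays with PlannedDays by eye.
        [pscustomobject]@{
            Policy             = $entry.Name
            Present            = [bool]$policy
            Enabled            = [bool]$policy.Enabled
            DistributionStatus = $policy.DistributionStatus
            PlannedDays        = $entry.Days
            RetentionDays      = $rule.RetentionDuration
            Action             = $rule.RetentionComplianceAction
        }
    }
}

# Dry run first; drop -WhatIf to create the policies, then check the result.
New-FsiCopilotRetentionPolicy -Plan $PolicyPlan -WhatIf -Verbose
Test-FsiCopilotRetentionPolicy -Plan $PolicyPlan | Format-Table -AutoSize
```

Record the portal-managed Copilot experiences policy next to this output in the records management schedule, since the report only covers the policies the cmdlet can create.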
Financial Sector Considerations
Retention Period Conflicts
When a single piece of Copilot content could be classified under multiple retention categories (e.g., an email is both a "business communication" and a "financial record"), the longest applicable retention period should apply. Microsoft Purview follows the principle that retention wins over deletion when policies conflict.
Departed Employee Records
When employees leave the firm, their Copilot content must remain subject to retention policies. Convert departed user mailboxes to shared mailboxes or inactive mailboxes to maintain retention policy coverage. OneDrive content should be reassigned to a manager or compliance account before the OneDrive deletion timer expires (default 30 days after account deletion). Verify that the Microsoft Copilot experiences retention policy continues to cover departed users' content after account changes.
Merger and Acquisition Considerations
During M&A activities, Copilot content from acquired entities may need to be preserved under the acquiring firm's retention obligations. Plan for cross-tenant retention migration or implement preservation holds before tenant consolidation.
Cost of Long-Term Retention
Retaining 6+ years of Copilot content across all workloads has storage cost implications. Work with Microsoft account teams to understand storage consumption patterns and plan for archive mailbox usage where applicable. The Microsoft Copilot experiences retention location adds storage volume beyond traditional Exchange and SharePoint retention — include this in annual storage capacity planning.
Microsoft 365 Archive for Inactive Content
Microsoft 365 Archive provides a lower-cost storage tier for inactive but high-value SharePoint content. When sites are moved to Archive:
- Copilot exclusion: Archived sites are not processed by Copilot for grounding — content in Archive is not surfaced in Copilot responses, reducing the risk of stale or obsolete information appearing in AI-generated output
- Regulatory preservation: Archived content remains subject to retention policies and can be searched via eDiscovery, supporting SEC Rule 17a-4 and FINRA Rule 4511 recordkeeping obligations
- Cost management: Archive storage is priced lower than active SharePoint storage, helping organizations manage the cost of retaining 6+ years of content for regulatory purposes
FSI use case: Financial institutions often have large volumes of SharePoint content that must be retained for regulatory examination but is no longer actively referenced. Moving these sites to Microsoft 365 Archive simultaneously reduces Copilot grounding scope (improving response relevance) and lowers storage costs while maintaining compliance obligations. Organizations should verify that archived content remains discoverable via eDiscovery before relying on Archive as a retention strategy.
Verification Criteria
| # | Verification Step | Expected Outcome | Governance Level |
|---|---|---|---|
| 1 | List all active retention policies in Purview | Policies covering Microsoft Copilot experiences, Exchange, OneDrive, SharePoint, and Teams are present and enabled | Baseline |
| 2 | Delete a Copilot Chat message and verify recovery | Content is recoverable from the Recoverable Items folder within the retention period | Baseline |
| 3 | Verify Copilot Pages are covered by retention | Copilot Pages appear in eDiscovery search of OneDrive/Copilot experiences content | Baseline |
| 4 | Run a retention policy status report | All policies show "On" status with no distribution errors | Recommended |
| 5 | Verify differentiated retention periods | 3-year policies apply to communications; 6-year policies apply to financial records | Recommended |
| 6 | Test preservation hold activation | Hold is applied and content is preserved within 4 hours of activation | Regulated |
| 7 | Verify regulatory record label immutability | Content with regulatory record label cannot be deleted or modified by users | Regulated |
| 8 | Run cross-workload retention gap analysis | No Copilot content locations fall outside active retention policy scope | Regulated |
| 9 | Verify departed employee content retention | Inactive mailbox and OneDrive content remain subject to retention policies | Recommended |
| 10 | Test disposition review workflow | Records reaching end of retention trigger disposition review for authorized reviewers | Regulated |
| 11 | Verify Microsoft Copilot experiences policy distribution | Copilot experiences retention policy shows DistributionStatus: Success | Baseline |
| 12 | Confirm threaded summary retention coverage | Teams meeting recaps retained independently of source transcript deletion | Recommended |
Advisory: Copilot Memory as a Retention Surface
Emerging Surface — Assess Retention Coverage
M365 Copilot now includes a persistent user-level memory feature that retains context across conversations. Copilot memory stores user preferences, prior interactions, and contextual data to personalize future responses.
Retention and records implications for FSI:
- Records classification: Copilot memory may constitute a business record under FINRA Rule 4511(a) and SEC Rule 17a-4 if it contains information derived from client interactions, investment discussions, or financial analysis. Organizations should assess whether memory content falls within their books-and-records obligations.
- Retention policy coverage: Current Microsoft Purview retention policies for "Microsoft Copilot experiences" may not cover the memory data store. Organizations should verify whether memory content is included in existing retention policy scope and monitor Microsoft documentation for updates.
- User-level deletion: Users can view and delete their own Copilot memory entries. For regulated environments, this creates a potential records destruction risk if memory content is subject to retention obligations. Organizations should evaluate whether administrative controls exist to prevent user deletion of memory during hold or retention periods.
- eDiscovery scope: Organizations should verify whether Copilot memory content is discoverable through Purview eDiscovery searches (see Control 3.3 — eDiscovery). If memory is not searchable, firms should assess compensating controls.
Recommended actions:
- Monitor Microsoft documentation for retention policy coverage of Copilot memory
- Assess whether Copilot memory content is within scope of existing legal holds
- Evaluate whether to disable Copilot memory for high-risk user populations until retention coverage is confirmed
- Include Copilot memory in data mapping exercises for regulatory examinations
Additional Resources
- Learn about retention policies and retention labels
- Create and configure retention policies
- Declare records by using retention labels
- Inactive mailboxes in Exchange Online
- SEC Rule 17a-4 electronic storage requirements
- FINRA Rule 4511
- Control 3.1 -- Copilot Interaction Audit Logging
- Control 3.3 -- eDiscovery for Copilot-Generated Content
- Control 3.11 -- Record Keeping and Books-and-Records Compliance
Related Controls: 3.1 Copilot Audit Logging, 3.11 Record Keeping, 3.3 eDiscovery for Copilot Content
FSI Copilot Governance Framework v1.4.0 - April 2026