Control 3.3: eDiscovery for Copilot-Generated Content
Control ID: 3.3 Pillar: Compliance & Audit Regulatory Reference: SEC 17a-4 (Preservation of Records), FINRA 4511 (Books and Records), Federal Rules of Civil Procedure (FRCP) Rules 26, 34, 37(e) Last Verified: 2026-03-22 Governance Levels: Baseline / Recommended / Regulated
Objective
Configure Microsoft Purview eDiscovery to search, hold, review, and export Copilot-generated content across all Microsoft 365 workloads, supporting compliance with regulatory examination requests, litigation discovery obligations, and internal investigation requirements.
Why This Matters for FSI
Financial services firms face frequent discovery obligations -- from FINRA and SEC examinations, to civil litigation, to internal compliance investigations. When Copilot is integrated into daily workflows, the universe of potentially discoverable content expands to include every Copilot interaction, every AI-generated draft, every meeting recap, and every Microsoft 365 Copilot Chat conversation.
SEC Rule 17a-4 requires that records be readily accessible and producible upon regulatory demand. SEC Rule 17a-4(j) specifically requires that broker-dealers produce records stored on electronic media in response to SEC examination requests, including AI-generated interaction records. FINRA Rule 4511 requires that books and records be made available for examination. The Federal Rules of Civil Procedure (FRCP) impose broad discovery obligations that extend to electronically stored information (ESI), including AI-generated content. FRCP Rule 26(b)(1) establishes a proportionality standard requiring that discovery be proportional to the needs of the case -- a standard that applies with particular force as the scope of discoverable Copilot content grows across an organization.
Failure to locate and produce Copilot-generated content during discovery can result in adverse inference instructions, sanctions, regulatory penalties, and reputational harm. Microsoft Purview eDiscovery provides the native capability to search across all Copilot content locations, but it requires deliberate configuration to cover the full scope of Copilot data.
Control Description
This control addresses the end-to-end eDiscovery lifecycle for Copilot content: identifying custodians and content locations, creating cases and holds, running searches across Copilot data sources, reviewing results, and exporting production-ready content.
Unified eDiscovery Experience
As of May 2025, Microsoft consolidated eDiscovery (Standard) and eDiscovery (Premium) into a single unified eDiscovery experience within the Microsoft Purview portal. The unified experience is the current state -- there is no longer a separate Standard portal or Premium portal. Both capability tiers are accessed through the same case management interface at Microsoft Purview > eDiscovery > Cases, with Premium capabilities available to appropriately licensed users within that unified environment.
The unified experience delivers a single case management interface with enhanced search capabilities across all Copilot content locations from a unified search builder. Hold management uses unified custodian and non-custodial data source workflows, and export supports native review set export with direct download options. As of February 2026, the interface introduced further UX simplification: a streamlined case creation workflow with fewer required fields, improved search result preview with inline content rendering for Copilot interactions, and enhanced filtering by Copilot-specific properties -- including filter by Copilot surface, agent name, and interaction type.
Organizations with eDiscovery cases created before the May 2025 migration should verify that Copilot content locations are included in those cases. Pre-migration cases may not automatically include the "Microsoft Copilot experiences" content location -- administrators should open each existing case, navigate to Data sources, and confirm the Copilot content location is present.
Copilot Content Locations in eDiscovery
| Content Type | eDiscovery Location | Search Method |
|---|---|---|
| Microsoft 365 Copilot Chat history | Exchange mailbox (hidden folder) | Custodian mailbox search -- Copilot Chat is stored in a subfolder of the user's mailbox |
| Copilot-drafted emails | Exchange mailbox (Sent Items, Drafts) | Standard Exchange mailbox search |
| Copilot Pages | SharePoint Embedded user-owned container | SharePoint data source / manually targeted container search |
| Teams Copilot interactions | Teams messages / Exchange | Teams message search (channel and chat) |
| Teams meeting recaps | Teams / Exchange | Teams message search and Exchange mailbox search |
| Teams meeting transcripts | Teams / Exchange | Teams message search |
| Word/Excel/PowerPoint drafts | SharePoint / OneDrive | Site search or custodian OneDrive search |
| Copilot audit events | Purview Audit Log | Audit log search (separate from eDiscovery content search) |
eDiscovery Capability Tiers in the Unified Experience
The unified eDiscovery experience provides a single entry point for all eDiscovery work. Capability availability within that unified interface depends on licensing tier:
| Capability | Standard (E3 license) | Premium (E5 or add-on) |
|---|---|---|
| Content search across workloads | Yes | Yes |
| Legal hold | Basic | Advanced custodian management |
| Custodian management | No | Yes -- custodian tracking, communications, holds |
| Review sets | No | Yes -- near-duplicate detection, email threading, themes |
| Export formats | PST, individual messages | PST, loose files, conversation PDF, production sets |
| Analytics | No | Yes -- relevance, predictive coding |
| Copilot Chat search | Yes | Yes |
| Copilot Pages search | Yes | Yes |
| Copilot surface filter | No | Yes -- filter by surface, agent name, interaction type |
For regulated FSI environments, the Premium capability tier is strongly recommended for its custodian management, review set analytics, Copilot surface filtering, and production capabilities.
Key Query Language (KQL) for Copilot Content
Search for all Copilot-generated content by a specific user:
Search for Copilot Chat conversations containing specific terms:
Search for Copilot Pages:
Search for Copilot-related Teams messages:
Filter by Copilot surface (unified experience, Premium tier):
Note: KQL syntax and available properties for Copilot content may evolve as Microsoft updates the platform. Validate queries against current documentation.
Copilot Surface Coverage
| Copilot Surface | Discoverable | Hold Supported | Export Format |
|---|---|---|---|
| Microsoft 365 Copilot Chat | Yes -- via Exchange mailbox search | Yes -- mailbox hold | EML, PST |
| Word Copilot | Yes -- document stored in SharePoint/OneDrive | Yes -- site/OneDrive hold | Native format (.docx) |
| Excel Copilot | Yes -- workbook stored in SharePoint/OneDrive | Yes -- site/OneDrive hold | Native format (.xlsx) |
| PowerPoint Copilot | Yes -- presentation stored in SharePoint/OneDrive | Yes -- site/OneDrive hold | Native format (.pptx) |
| Outlook Copilot | Yes -- email in Exchange mailbox | Yes -- mailbox hold | EML, PST |
| Teams Copilot | Yes -- via Teams message search | Yes -- mailbox hold (Teams data in Exchange) | HTML, CSV |
| Copilot Pages | Yes -- stored in SharePoint Embedded | Yes -- hold supported when the container is added explicitly | Native format (.page) |
Governance Levels
Baseline
- Verify eDiscovery is licensed and accessible in the unified experience (Standard or Premium tier)
- Confirm that Copilot Chat content appears in Exchange mailbox content searches
- Test basic content searches across all Copilot content locations using the unified search builder
- Document Copilot content locations in the firm's ESI data map
- Assign eDiscovery Manager and eDiscovery Administrator roles to appropriate compliance personnel
- Verify any pre-migration eDiscovery cases include the "Microsoft Copilot experiences" content location
Recommended
- Deploy with Premium tier capabilities, including custodian management and review set analytics
- Create standard case templates for FINRA examinations, SEC examinations, and internal investigations
- Configure hold policies that automatically cover all Copilot content locations for custodians
- Develop and test KQL queries for common Copilot discovery scenarios, including Copilot surface filters
- Establish a Copilot-specific eDiscovery playbook with step-by-step procedures for common requests
- Conduct quarterly eDiscovery readiness tests using realistic Copilot content scenarios
- Integrate eDiscovery workflows with the firm's legal hold notification system
Regulated
- Implement automated custodian identification and hold notification workflows
- Configure review sets with analytics for large-scale Copilot content review (near-duplicate detection, email threading)
- Establish production workflows that produce Copilot content in regulator-specified formats
- Maintain a standing eDiscovery case template pre-configured for rapid regulatory examination response (target: case creation to first search results within 2 hours)
- Document chain-of-custody procedures for Copilot content from search through production
- Implement privilege review workflows for Copilot content that may contain attorney-client privileged information
- Conduct annual defensibility assessments of eDiscovery processes for Copilot content
- Maintain eDiscovery process documentation sufficient for court challenge (FRCP Rule 37(e) safe harbor)
Setup & Configuration
Step 1: Assign eDiscovery Roles
- Navigate to Microsoft Purview portal
- Go to Roles & Scopes > Permissions
- Assign the following roles:
- eDiscovery Manager: Can create cases, run searches, manage holds (assign to compliance investigators)
- eDiscovery Administrator: Full case management including deleting cases and accessing all cases (assign to senior compliance leadership)
Step 2: Create an eDiscovery Case for Copilot Content
- Go to eDiscovery > Cases (unified experience)
- Click + Create a case
- Configure:
- Name:
[YYYY-MM] FINRA Examination - Copilot Interactions - Description: eDiscovery case for producing Copilot interaction records in response to FINRA examination
- Members: Add authorized investigators
- Name:
Step 3: Add Custodians and Apply Holds
- Within the case, go to Data sources > Add data source > Add custodians
- Search for and select custodians (the users whose Copilot content is subject to discovery)
- For each custodian, verify the following locations are selected for hold:
- Exchange mailbox (includes Copilot Chat history)
- OneDrive for Business (personal files and drafts where applicable)
- SharePoint sites, including any user-owned SharePoint Embedded container that stores Copilot Pages / Copilot Notebooks
- Teams (includes channel and chat messages)
- Microsoft Copilot experiences (the unified Copilot interaction content location -- verify this is present)
- Enable Hold for all selected custodians and locations
- Configure hold notification (legal hold notice) if using Premium tier
Step 4: Run Content Search
- Within the case, go to Searches > + New search
- Configure search:
- Name:
Copilot-Interactions-[Custodian]-[DateRange] - Custodian locations: Select all held custodian locations
- Non-custodial locations: Add any additional SharePoint sites
- Query: Use KQL to target Copilot content (see Key Query Language section above)
- Date range: Specify the date range relevant to the examination
- Copilot surface filter: Use the Copilot surface filter (Premium tier) to narrow results by surface type if applicable
- Name:
- Click Submit and monitor search progress
Step 5: Add to Review Set and Export
- After search completes, click Add results to review set
- In the review set, use analytics to identify relevant Copilot content
- Tag relevant items for production
- Export production set in the format required by the requesting party (PST, loose files, or PDF)
Financial Sector Considerations
FINRA Examination Response
FINRA examinations frequently request records of business communications, including AI-assisted communications. Pre-built eDiscovery cases with saved Copilot search queries can reduce response time from days to hours. Firms should maintain:
- A template case for FINRA Rule 8210 information requests
- Pre-configured custodian groups for registered representatives, supervisors, and compliance officers
- Standard export formats that align with FINRA's preferred production formats
SEC Examination Response
SEC examinations may request documentation of internal controls over AI usage, including records of Copilot interactions related to financial reporting, client advisory activities, and investment decision-making. SEC Rule 17a-4(j) requires production of electronically stored records in response to SEC examination requests in a form that is readable by examiners. eDiscovery cases should be structured to produce:
- Copilot interactions by specific individuals during specific time periods
- Copilot interactions related to specific clients, transactions, or investment products
- All Copilot-generated documents classified as financial records
Litigation Readiness
In civil litigation, Copilot content is discoverable ESI. FRCP Rule 26(b)(1) requires that discovery be proportional to the needs of the case, considering factors including the importance of the issues, the amount in controversy, and the parties' resources -- but proportionality does not reduce the firm's obligation to identify and preserve potentially relevant Copilot content. Firms should:
- Include Copilot content locations in their standard litigation hold procedures
- Update ESI protocols and agreements to explicitly address AI-generated content
- Prepare for opposing counsel requests that specifically target Copilot interactions
- Document Copilot content preservation capabilities for Rule 26(f) conferences
Privilege Considerations
Copilot interactions with legal counsel or Copilot-generated content involving legal analysis may be protected by attorney-client privilege. eDiscovery review workflows should include privilege review screens for Copilot content that references legal matters, compliance investigations, or attorney communications.
Verification Criteria
| # | Verification Step | Expected Outcome | Governance Level |
|---|---|---|---|
| 1 | Run a content search for CopilotInteraction content using the unified search builder | Copilot Chat history appears in search results | Baseline |
| 2 | Search for Copilot Pages by file type | Copilot Pages (.fluid/.loop) appear in OneDrive search results | Baseline |
| 3 | Confirm pre-migration cases include Copilot content location | "Microsoft Copilot experiences" data source is present in existing cases | Baseline |
| 4 | Place a custodian on hold and verify Copilot content is preserved | Deleted Copilot content is recoverable from held locations | Recommended |
| 5 | Create an eDiscovery case from template | Case with pre-configured custodian groups and saved queries is created within 30 minutes | Recommended |
| 6 | Export Copilot content in production format | Export file contains valid, readable Copilot interaction records | Recommended |
| 7 | Apply Copilot surface filter in unified experience | Search results are filterable by surface (e.g., Microsoft 365 Copilot, Teams Copilot) | Recommended |
| 8 | Run a mock FINRA 8210 response drill | Complete case creation, search, review, and export within 8 business hours | Regulated |
| 9 | Verify cross-workload search coverage | Single search returns Copilot content from Exchange, OneDrive, SharePoint, and Teams | Regulated |
| 10 | Test custodian hold notification workflow | Automated hold notice is sent and acknowledged within 24 hours | Regulated |
| 11 | Verify privilege review workflow | Privileged Copilot content is flagged and excluded from production | Regulated |
| 12 | Document chain-of-custody for exported content | Export log includes hash values, timestamps, and handler identification | Regulated |
Additional Resources
- Microsoft Purview eDiscovery solutions
- eDiscovery Premium overview
- Content search in Microsoft Purview
- Keyword queries and search conditions for eDiscovery
- FINRA Rule 8210 (Provision of Information)
- Federal Rules of Civil Procedure -- Rule 26
- Control 3.1 -- Copilot Interaction Audit Logging
- Control 3.2 -- Data Retention Policies
-
Related Controls: 3.1 Copilot Audit Logging, 3.2 Data Retention Policies, 3.12 Evidence Collection
FSI Copilot Governance Framework v1.2.1 - March 2026