Records Management in the AI Era
Records management in 2026 is no longer just about retention schedules and file plans. The explosion of AI-generated content, the proliferation of collaboration tools, and increasingly aggressive regulatory enforcement have made records management a board-level concern.
SharePoint, integrated with Microsoft Purview, is the foundation of enterprise records management for Microsoft 365 organizations. This guide covers the complete records management lifecycle — from policy design through AI-assisted classification to defensible disposition.
The SharePoint + Purview Records Management Stack
Microsoft Purview Compliance Portal includes Records Management (File Plan, Retention Labels, Retention Policies, Disposition Reviews, Events), Data Lifecycle Management (Retention Policies, Adaptive Scopes), and Information Protection (Sensitivity Labels, DLP Policies). SharePoint Online provides Document Libraries (records repositories), Preservation Hold Library (immutable copies), Content Type Hub (record content types), and Microsoft Graph API (programmatic access).
Designing Your File Plan
The file plan is the backbone of records management. It defines what records you keep, how long you keep them, and what happens when retention expires.
File Plan Structure
| Category | Record Type | Retention Period | Trigger | Disposition |
|----------|------------|-----------------|---------|-------------|
| Finance | Tax Returns | 7 years | Tax year end | Destroy |
| Finance | Invoices | 7 years | Invoice date | Destroy |
| Finance | Audit Reports | Permanent | N/A | Archive |
| HR | Employee Records | Employment + 7 years | Termination date | Destroy |
| HR | Benefits Elections | 6 years | Plan year end | Destroy |
| HR | I-9 Forms | Employment + 3 years | Termination date | Destroy |
| Legal | Contracts | Contract term + 6 years | Contract end | Review |
| Legal | Litigation Hold | Until released | Case closure | Review |
| Legal | Board Minutes | Permanent | N/A | Archive |
| Operations | Policies | Until superseded + 3 years | Superseded date | Review |
| Operations | Project Records | Project end + 5 years | Project closure | Destroy |
| IT | System Logs | 1 year | Log date | Destroy |
| IT | Security Incidents | 5 years | Incident date | Review |
| Healthcare | Patient Records | Last encounter + 10 years | Last encounter | Review |
| Healthcare | Clinical Trial Data | 15 years | Study completion | Archive |
Regulatory Requirements by Industry
Healthcare (HIPAA): Medical records minimum 6 years (state law may require longer). HIPAA audit logs 6 years. Insurance claims 10 years. Patient consent forms duration of treatment + 6 years.
Financial Services (SOX, SEC): Financial statements permanent. Audit workpapers 7 years. Trading records 6 years (FINRA). Client communications 3 years (SEC Rule 17a-4).
Government (NARA, State Archives): Federal records per NARA disposition schedule. State records per state archives requirements. FOIA request records 6 years after closure.
Implementing Retention Labels
Create the Retention Label Structure
# Create retention labels using PowerShell
Connect-IPPSSession
# Financial records - 7 year retention
New-ComplianceTag -Name "Finance - Tax Records" -Comment "Tax returns and supporting documentation" -RetentionAction Delete -RetentionDuration 2555 -RetentionType CreationAgeInDays -ReviewerEmail "[email protected]" -IsRecordLabel $true -Regulatory $false
# HR records - employment + 7 years (event-based)
New-ComplianceTag -Name "HR - Employee Record" -Comment "Employee records retained from termination date" -RetentionAction Delete -RetentionDuration 2555 -RetentionType EventAgeInDays -EventType "Employee Termination" -ReviewerEmail "[email protected]" -IsRecordLabel $true
# Legal - permanent retention
New-ComplianceTag -Name "Legal - Board Minutes" -Comment "Board meeting minutes - permanent retention" -RetentionAction KeepForever -IsRecordLabel $true -Regulatory $true
# Healthcare - patient records
New-ComplianceTag -Name "Healthcare - Patient Record" -Comment "Patient health information - HIPAA compliant retention" -RetentionAction Delete -RetentionDuration 3650 -RetentionType EventAgeInDays -EventType "Last Patient Encounter" -ReviewerEmail "[email protected]" -IsRecordLabel $true -Regulatory $true
Write-Host "Retention labels created successfully"
Publish Labels to SharePoint Sites
# Publish retention labels to specific SharePoint sites
New-RetentionCompliancePolicy -Name "Finance Records Policy" -SharePointLocation "https://contoso.sharepoint.com/sites/Finance" -Enabled $true
Set-RetentionCompliancePolicy -Identity "Finance Records Policy" -AddSharePointLocation "https://contoso.sharepoint.com/sites/Accounting"
Write-Host "Labels published to Finance sites"
Auto-Classification with AI
Trainable Classifiers
Microsoft Purview trainable classifiers use machine learning to automatically identify record types.
Built-in classifiers available: Financial statements, Resumes/CVs, Source code, Contracts/agreements, Business plans, Tax forms, Invoices, Healthcare/medical forms.
Custom classifiers for your organization:
- Seed content: Provide 50-500 example documents of the record type
- Training: Purview trains the classifier on your examples
- Testing: Validate with a separate test set
- Deployment: Apply to auto-labeling policies
Record Declaration and Immutability
Declaring Records in SharePoint
When a document is declared as a record in SharePoint:
- The document becomes immutable — no edits, no deletion
- Metadata can still be updated (depending on configuration)
- The document is preserved in place (or copied to Preservation Hold Library)
- Retention timer starts based on label configuration
- Audit trail captures the declaration event
Record Lock Levels
| Lock Level | Edit Content | Edit Metadata | Delete | Move |
|-----------|-------------|--------------|--------|------|
| No restriction | Yes | Yes | Yes | Yes |
| Record - Locked | No | Yes | No (until retention expires) | No |
| Regulatory Record | No | No | No (ever, until admin unlocks) | No |
Regulatory records are the strictest — even global admins cannot delete them until the regulatory record label is removed by a compliance admin.
Disposition Reviews
When retention expires, records with disposition review enabled don't auto-delete. Instead, a reviewer must approve destruction.
Disposition Workflow
Retention expires, then a Disposition Review is created in the Purview portal. The reviewer is notified by email. Reviewer options: Approve Disposition (record permanently deleted), Extend Retention (new retention period set), Relabel (apply different retention label), or Add Reviewers (escalate for additional review). Finally, a Disposition Certificate is generated as proof of destruction.
Event-Based Retention
Some records don't start their retention clock on creation date. Instead, retention begins when a business event occurs.
Common Event Triggers
| Event | Trigger | Records Affected |
|-------|---------|-----------------|
| Employee Termination | HR updates employee status | Employee records, I-9, benefits |
| Contract Expiration | Contract end date reached | Contract documents, amendments |
| Project Closure | PM marks project complete | Project deliverables, correspondence |
| Patent Expiration | Patent term ends | Patent applications, research docs |
| Product End of Life | Product retired | Design documents, test results |
| Legal Case Closure | Case settled/dismissed | Litigation hold documents |
| Patient Last Encounter | Patient has no visits for 1 year | Medical records, consent forms |
Automating Event-Based Retention
# Trigger retention event when employee is terminated
function Invoke-EmployeeTerminationEvent {
param(
[string]$EmployeeEmail,
[datetime]$TerminationDate
)
Connect-IPPSSession
New-ComplianceRetentionEvent -Name "Termination - $EmployeeEmail - $($TerminationDate.ToString('yyyy-MM-dd'))" -EventType "Employee Termination" -SharePointAssetIdQuery "EmployeeEmail:$EmployeeEmail" -EventDateTime $TerminationDate -Comment "Automated trigger from HR system"
Write-Host "Retention event created for $EmployeeEmail (termination: $TerminationDate)"
}
# Example usage
Invoke-EmployeeTerminationEvent -EmployeeEmail "[email protected]" -TerminationDate (Get-Date)
Records Management Governance Dashboard
Key Metrics to Monitor
| Metric | Target | Alert Threshold |
|--------|--------|----------------|
| Records with retention labels | 95%+ of eligible content | Less than 80%% |
| Pending disposition reviews | Resolved within 30 days | More than 30 days pending |
| Auto-classification accuracy | 90%+ | Less than 85%% |
| Litigation holds active | Reviewed quarterly | Holds older than 1 year |
| Orphaned records (no owner) | 0%% | More than 5%% |
Migration: Moving from Legacy Records Management
From SharePoint Records Center (Classic)
If you are still using the SharePoint 2010/2013 Records Center site template:
- Inventory existing records and their retention schedules
- Map old content types to Purview retention labels
- Create equivalent retention labels in Purview
- Migrate records to modern SharePoint libraries with labels applied
- Decommission the Records Center site after validation
- Verify all records have correct labels and retention dates
From Third-Party Systems
Migrating from systems like OpenText, Hyland, Iron Mountain, or Micro Focus:
- Export metadata mapping (record type to retention label)
- Migrate content to SharePoint using SPMT or ShareGate
- Apply retention labels during or after migration
- Validate record integrity (checksums, metadata completeness)
- Maintain chain of custody documentation
Common Mistakes in Records Management
1. Treating all documents as records — Not everything is a record. Over-declaring creates unnecessary retention burden and storage costs.
2. Using retention policies instead of labels — Policies are broad; labels are precise. Use labels for records management, policies for general data lifecycle.
3. Ignoring disposition — Creating retention labels without disposition reviews means records auto-delete without oversight.
4. No event-based triggers — Most HR, legal, and contract records need event-based retention, not date-based.
5. Forgetting about Teams/Exchange — Records exist in Teams chats, emails, and Planner tasks, not just SharePoint libraries.
Frequently Asked Questions
What is the difference between a retention label and a retention policy?
Retention labels are applied to individual items and give you granular control — different documents in the same library can have different retention periods. Retention policies apply to entire locations (all of SharePoint, specific sites, all Exchange mailboxes) and apply the same retention to everything in that location.
Can users delete records in SharePoint?
If a document has a record label, users cannot delete it until the retention period expires (and disposition is approved, if configured). Regulatory record labels prevent deletion even by administrators until the label is explicitly removed by a compliance admin.
How does records management work with Microsoft Copilot?
Copilot respects retention labels and sensitivity labels. It will not surface content that is under litigation hold to unauthorized users, and it honors the record's metadata for context. However, Copilot may reference content that is approaching disposition — ensure your disposition process accounts for AI-generated references.
Do records management features require additional licensing?
Basic retention policies are included in Microsoft 365 E3. Advanced features — record labels, regulatory records, disposition reviews, event-based retention, trainable classifiers, and adaptive scopes — require Microsoft 365 E5 Compliance or the standalone Information Governance add-on.
How do we handle records during a SharePoint migration?
During SharePoint migration, preserve record status, retention dates, and metadata. Use migration tools that support retention label mapping. After migration, validate that all records have correct labels and that retention timers were not reset.
Building Your Records Management Program
Records management is not a technology project — it is a governance program that uses technology. Start with policy, move to process, then implement technology.
- Policy: Define your retention schedule with legal, compliance, and business input
- Process: Design declaration, review, and disposition workflows
- Technology: Implement in SharePoint + Purview
- Training: Educate content owners on their responsibilities
- Monitoring: Continuous compliance reporting and remediation
EPC Group designs and implements enterprise records management programs for organizations in healthcare, financial services, and government. We bring 25+ years of experience in compliance-heavy environments where defensible disposition is not optional. Contact us to discuss your records management strategy.
Written by Errin O'Connor
Founder, CEO & Chief AI Architect | Microsoft Press Bestselling Author | 25+ Years Microsoft Ecosystem
Errin O'Connor is a Microsoft Press bestselling author of 4 books covering SharePoint, Power BI, Azure, and large-scale migrations. He leads our SharePoint consulting practice with expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments.
Expert SharePoint Services
Need Expert Help?
Our SharePoint consultants are ready to help you implement these strategies in your organization.