AI Records / Retention / Legal Hold / eDiscovery Playbook
AI 系统正在把传统业务行为拆成很多可观察但容易丢失的数字片段。
AI Records / Retention / Legal Hold / eDiscovery Architecture Playbook
定位: 面向高级 AI PM / Senior BA / AI Product Architect / Enterprise Architect / Records Management Lead / Legal Operations Partner / Compliance Technology Lead / Risk Technology Lead / Internal Audit Partner, 把 AI records 从“日志保存”升级为可分类、可保留、可保全、可检索、可生产、可删除、可审计的金融零售生产能力。 适用范围: AI copilot、agentic workflow、customer service RAG、payment dispute assistant、credit underwriting copilot、AML / fraud assistant、complaint remediation agent、wealth advisory assistant、AI platform gateway、model evaluation and incident management。 重要说明: 本文是学习、作品集和内部架构训练材料, 不是法律意见、合规结论、监管解释、eDiscovery strategy、records schedule approval 或 litigation hold advice。正式项目必须由 Legal、Compliance、Privacy、Records Management、Risk、Model Risk、Security、Internal Audit、Business Owner、Operations Owner 和外部律师在适用场景下确认。适用性取决于 entity、product、jurisdiction、customer type、communication channel、record category、regulator、contract 和 litigation posture。
1. Executive Framing
AI 系统正在把传统业务行为拆成很多可观察但容易丢失的数字片段。
一个客户服务 RAG 回答, 可能包含 customer prompt、identity context、uploaded document metadata、system prompt、retrieval query、retrieved chunks、model output、agent edit、approval decision、final customer message、QA evaluation 和 incident flag。
这些片段不一定都要长期保存。 但其中一部分可能是 business record、regulatory record、litigation-relevant ESI、model governance evidence、complaint evidence 或 audit evidence。
本 playbook 的核心判断:
AI recordkeeping is not log retention.
It is obligation-aware evidence architecture.
中文表达:
AI 记录治理不是日志多存几天, 而是把 AI 影响过的业务事实变成可治理证据。
1.1 成熟能力要回答的问题
| Question | Mature answer |
|---|---|
| 什么是 AI record | record object taxonomy, not raw log dump |
| 为什么保存 | retention authority, business need, legal / regulatory / audit need |
| 保存多久 | retention matrix by record category and trigger event |
| 谁能冻结 | legal hold authority and approval workflow |
| 冻结哪里 | app DB, object store, vector store, log store, warehouse, vendor store |
| 如何搜索 | indexed metadata, scoped search, privilege and sensitivity filters |
| 如何生产 | chain-of-custody, redaction log, hash manifest, export package |
| 如何删除 | disposition engine with hold and regulatory conflict checks |
| 如何证明 | immutable audit trail and replayable evidence |
1.2 设计目标
- 让 AI records 有明确 owner。
- 让 record creation 靠近真实事件。
- 让 retention class 在 record-object level 决定。
- 让 legal hold 能跨系统传播。
- 让 deletion 永远先检查 active hold。
- 让监管、审计、诉讼和内部调查可以得到可解释 production。
- 让隐私最小化和 records obligation 同时被管理。
2. Source Anchors
以下官方来源是本文的架构锚点。本文不解释法律义务本身, 而是把这些来源转成 AI records、retention、legal hold、audit trail 和 production capability 的设计语言。
| Anchor | Official link | 本文使用方式 |
|---|---|---|
| FINRA Rule 4511 | https://www.finra.org/rules-guidance/rulebooks/finra-rules/4511 | 用 books and records、preserve、six-year default and SEA Rule 17a-4 reference 说明金融记录保存需要正式 mapping |
| SEC Rule 17a-4 electronic recordkeeping overview | https://www.sec.gov/investment/amendments-electronic-recordkeeping-requirements-broker-dealers | 用 WORM option、audit-trail alternative、third-party recordkeeping 和 prompt production 设计电子记录保存层 |
| CFTC 17 CFR 1.31 | https://www.ecfr.gov/current/title-17/chapter-I/part-1/subject-group-ECFR26e2c365a191fa7/section-1.31 | 用 authenticity、reliability、metadata、system inventory、readily accessible 和 production 设计监管记录能力 |
| Federal Rule of Civil Procedure 37(e) | https://www.law.cornell.edu/rules/frcp/rule_37 | 用 ESI preservation、reasonable steps、routine operation 和 loss consequences 设计 legal hold control |
| NARA records management guidance | https://www.archives.gov/records-mgmt/policy | 用 records lifecycle、electronic records modernization、ERM requirements 和 disposition governance 设计 records program |
| NIST AI RMF | https://www.nist.gov/itl/ai-risk-management-framework | 用 Govern / Map / Measure / Manage 组织 AI record risk、evidence quality、measurement 和 continuous improvement |
2.1 Regulatory Nuance
- FINRA / SEC / CFTC anchors 主要覆盖特定受监管实体和记录类别, 不能机械套用到所有金融零售 AI。
- 银行、信用卡、支付、保险、经纪、投资顾问、期货、加密、RWA 和 vendor AI 的义务可能不同。
- 客户沟通、广告、投诉、信贷、AML、trading、investment advice、privacy 和 employment records 可能有不同 schedule。
- Legal hold 来源可能是 litigation、regulatory inquiry、government investigation、subpoena、internal investigation 或 reasonable anticipation。
- Privacy deletion request 不等于可以删除所有相关记录。
- Retention period 到期不等于可以在 active legal hold 下销毁。
- Vendor 持有 AI records 不等于机构满足 prompt production 或 audit replay 能力。
2.2 NIST AI RMF Mapping
| Function | AI records question | Evidence |
|---|---|---|
| Govern | 谁拥有 record taxonomy、schedule、hold policy、export approval | RACI, policy, governance minutes |
| Map | 哪些 AI use case 产生 regulated, business, legal or audit records | record inventory, data flow, system inventory |
| Measure | capture 是否完整, hold 是否传播, export 是否可重放 | completeness metrics, audit replay, exception report |
| Manage | 记录缺失、误删、hold 失败、production 失败如何处置 | incident runbook, CAPA, management report |
3. Record Object Taxonomy For AI Systems
3.1 Core Terms
| Term | Practical meaning |
|---|---|
| AI record | AI workflow 中有业务、监管、法律、审计或模型治理意义的 record object |
| Raw telemetry | 用于 debugging / observability 的技术事件, 不必天然成为长期 record |
| ESI | electronically stored information, litigation / discovery 语境下的电子信息 |
| Record class | 决定 owner、retention、access、hold eligibility、export profile 的类别 |
| Retention trigger | retention clock 启动事件, 如 created、case closed、account closed、transaction maturity |
| System inventory | 说明哪些系统维护 record, 如何 access / search / produce |
| Legal hold | 暂停相关 records 的 routine disposition, 以满足 preservation obligation |
| Disposition | 到期后的 deletion、archive、transfer 或 destruction certification |
| Chain-of-custody | 记录从 capture 到 review 到 export 的 custody evidence |
| Immutable audit trail | 可证明记录创建、修改、删除、访问、hold 和 export 的 tamper-evident trail |
3.2 Top-Level Record Families
| Record family | Examples | Typical owner |
|---|---|---|
| Interaction records | prompt, chat transcript, uploaded file metadata, final response | Channel / business owner |
| Retrieval records | RAG query, retrieved chunks, source ids, ranking, source hash | Knowledge / platform owner |
| Generation records | system prompt version, model output, refusal, confidence, citation | AI platform / product owner |
| Decision records | recommendation, human decision, approval, override, action hash | Business process owner |
| Execution records | tool call, API request, side effect, tool response, error | Tool owner / operations |
| Communication records | customer email, chat, letter, SMS, in-app notice | Channel / communications owner |
| Model governance records | eval dataset, score, defect, validation, release approval | Model risk / AI governance |
| Incident records | alert, triage, impact, containment, notification, CAPA | Incident / risk owner |
| Audit records | access, modification, deletion, hold, export, replay | Security / records / audit |
3.3 Obligation-Based Categories
| Obligation category | Description | Examples |
|---|---|---|
| Business record | 支撑业务决策和客户服务 | dispute decision packet, complaint resolution note |
| Regulatory record | 被法规、监管规则或监管预期要求保存 | customer communication, broker-dealer books and records |
| Litigation-relevant ESI | 与现有或合理预期争议相关 | prompt and output for disputed decision |
| Model governance evidence | 证明模型设计、测试、监控和变更控制 | eval results, approval memo, monitoring report |
| Security / operational evidence | 证明访问、工具调用、incident handling | audit event, incident timeline |
| Transient telemetry | 短期 observability, 没有业务结论 | latency traces, token counts without content |
3.4 Classification Dimensions
| Dimension | Examples |
|---|---|
| record_type | user_prompt, rag_retrieval, tool_call, approval, eval_result |
| business_domain | payments, lending, AML, fraud, complaints, wealth, servicing |
| business_object | case id, account id, application id, transaction id |
| actor_chain | user, agent, model, service account, approver |
| customer_impact | none, internal only, customer-visible, financial action, adverse action |
| legal_sensitivity | normal, privileged candidate, litigation hold, investigation |
| privacy_class | no PII, PII, financial data, sensitive data, confidential |
| retention_class | transient, business, regulatory, model governance, incident |
| source_authority | policy, contract, regulatory rule, business schedule, investigation |
| export_profile | audit, regulator, litigation, privacy request, management |
3.5 Record Lifecycle
event occurs
-> capture
-> classify
-> enrich metadata
-> assign retention and access policy
-> persist in retention-capable store
-> monitor hold eligibility
-> search / review / export when authorized
-> disposition when eligible and no hold conflict
-> disposition certificate
4. Retention / Legal Hold Reference Architecture
4.1 High-Level Architecture
AI channels and agents
-> Record Capture SDK
-> Metadata Enrichment Service
-> AI Record Classifier
-> Retention Policy Decision Point
-> Records Registry
-> Retention-Capable Storage
-> Legal Hold Service
-> Search and Review Workbench
-> eDiscovery / Regulator Export Service
-> Disposition Engine
-> Immutable Audit Trail
4.2 Component Responsibilities
| Component | Responsibility |
|---|---|
| Record Capture SDK | standard event capture from chat, RAG, tool, approval, eval and incident flows |
| Metadata Enrichment | add actor, business object, model, source, channel, privacy and obligation metadata |
| AI Record Classifier | classify record type, retention class, legal sensitivity and hold eligibility |
| Policy Decision Point | apply retention schedule, access rule, hold rule and export restriction |
| Records Registry | searchable catalog of records, locations, owners and lifecycle state |
| Retention Store | preserve payload and metadata under WORM or audit-trail capable controls |
| Legal Hold Service | create, propagate, monitor, release holds and block disposition |
| Review Workbench | legal / compliance / audit search, review, tagging, redaction and privilege workflow |
| Export Service | controlled production package with hashes, load files and chain-of-custody |
| Disposition Engine | delete, archive or transfer only when eligible and no conflict exists |
| Immutable Audit Trail | tamper-evident history of create, read, update, delete, hold, export and policy decisions |
4.3 Storage Pattern
Metadata ledger: structured, immutable or append-only
Payload store: encrypted prompt / output / document / eval payloads
Index store: search index with rebuild lineage
Vector store: retrieval embeddings and chunk pointers
Archive store: customer communications and regulatory records
Evidence binder: exportable bundle for case, audit, regulator or litigation
4.4 WORM And Audit-Trail Capable Design
AI 架构语言应关注:
- original record preservation。
- modification and deletion history。
- actor identity and trusted timestamp。
- reason code and policy version。
- ability to recreate original record。
- integrity controls, signatures or hash chain。
- split duties for log administration。
Implementation patterns:
- object lock with retention mode。
- append-only event store。
- cryptographic hash chain。
- externalized audit ledger。
- periodic integrity verification。
4.5 Cross-System Hold Propagation
Legal hold 不能只设置在一个主数据库。 AI 相关 records 可能分散在 application database、chat transcript store、object store、vector database、search index、data warehouse、model observability platform、ticketing system、case management system、communication archive、vendor AI platform、backup and disaster recovery store。
Hold propagation evidence 应记录 hold id、scope definition、target systems、propagated time、acknowledgement、failed targets、retry status、exception owner 和 release time。
5. Prompt / RAG / Tool / Approval / Output / Eval / Incident Records
5.1 Prompt Records
Prompt records can include user message、system prompt version、developer prompt version、hidden policy instruction id、uploaded file metadata、identity context、channel metadata and safety classification。
Design questions:
- Is this prompt a customer communication, employee workpaper, privileged request or transient instruction?
- Was it used to produce a customer-impacting output?
- Does a legal hold need to find it by customer, product, model version or topic?
Controls:
- field-level minimization where lawful and usable。
- payload encryption。
- retention class at message level。
- prompt template version control。
5.2 RAG Records
RAG records include normalized query、retrieval query、repository、document id、chunk id、chunk text hash、source version、rank、score、filters and citation。
Design questions:
- Can the organization prove which policy or document version was retrieved?
- Can it distinguish retrieved-but-not-used from cited-and-used?
- Can legal hold freeze a source document version and retrieval metadata?
Controls:
- immutable source snapshots for regulated knowledge。
- source version id and content hash。
- retrieval event linked to generation event。
- index rebuild audit trail。
5.3 Tool Call Records
Tool records include requested tool、schema version、parameters、approval id、action hash、service account、execution time、response payload、side effect id、error and rollback result。
Design questions:
- Did the tool change money, account status, customer communication or case closure?
- Was approval required and bound to exact parameters?
- Is the tool call a record even if it failed?
Controls:
- approval-before-action。
- single-use approval token。
- immutable execution log。
- parameter hash。
- dual-control evidence for high-impact actions。
5.4 Approval And Override Records
Approval records include reviewer identity、role、authority、evidence viewed、decision、reason code、edits、override flag、time spent、conflict check and approval expiration。
Design questions:
- Was the reviewer independent of maker?
- Did the reviewer see original evidence or only AI summary?
- Was approval attached to final output or only to general intent?
Controls:
- evidence-first review UI。
- mandatory reason code。
- action-bound approval。
- conflict-of-interest rule。
- rubber-stamp monitoring。
5.5 Output Records
Output records include model output、edited output、final sent output、delivery channel、recipient、timestamp、citation list、refusal or escalation and required language。
Design questions:
- Is this customer-visible?
- Does it contain financial advice, credit decision, complaint response or fee information?
- Is final sent output different from model draft?
Controls:
- channel archive integration。
- final-output hash。
- pre-send review for sensitive categories。
- source citation preservation。
5.6 Evaluation Records
Eval records include dataset id、test case、expected behavior、model version、prompt version、score、defect category、reviewer note and release gate decision。
Design questions:
- Is eval evidence part of model governance retention?
- Does it include real customer data?
- Can audit reproduce the eval?
Controls:
- dataset lineage。
- sampling protocol。
- reviewer independence。
- test result immutability。
- release approval linkage。
5.7 Incident Records
Incident records include detection alert、timeline、affected model / prompt / tool、customer impact、records impact、containment、legal / compliance notification、recovery and CAPA。
Design questions:
- Did the incident involve lost records, wrong deletion, missing hold or improper output?
- Does it trigger legal hold or regulator production?
- Are incident communications themselves records?
Controls:
- incident evidence binder。
- preservation snapshot。
- impacted-record query。
- management signoff。
- post-incident audit replay。
6. Retention Matrix
以下是设计模板, 不是正式保存期限。实际期限由 Legal / Compliance / Records Management 按适用义务批准。
| Record class | Examples | Trigger | Design retention approach | Hold eligible |
|---|---|---|---|---|
| Transient observability | latency, token count, non-content traces | event created | short operational window | limited |
| Prompt with no business impact | internal brainstorming prompt | session closed | short business need | possible |
| Customer communication prompt | customer asks product / account question | message created | align to communication schedule | yes |
| Customer-visible AI output | final chat / email / letter | message sent | align to channel and product rules | yes |
| RAG retrieval evidence | policy chunks used in answer | output generated | align to related output / decision | yes |
| Business recommendation | dispute, credit, complaint recommendation | recommendation issued | align to case record | yes |
| Human approval | approve / reject / override | decision made | align to underlying action | yes |
| Tool execution | payment, account status, case closure | execution attempted | align to transaction / case | yes |
| Model eval | test result, release gate evidence | eval completed | model governance schedule | yes |
| Incident record | AI error, missing record, wrong output | incident opened / closed | incident schedule | yes |
| Audit trail | create, modify, delete, hold, export | event created | linked record period by policy | yes |
| Legal hold notice | hold notice and acknowledgement | hold issued | until release plus policy period | yes |
6.1 Retention Trigger Examples
| Trigger | Use case |
|---|---|
| record_created | prompt, retrieval, tool event |
| output_sent | customer communication |
| case_closed | dispute, complaint, AML alert |
| account_closed | account servicing records |
| loan_paid_off_or_denied | lending records |
| model_retired | model governance records |
| incident_closed | incident and CAPA |
| hold_released | preserved ESI disposition review |
6.2 Retention Classifier Output
{
"record_id": "air_20260630_119_0001",
"record_type": "rag_retrieval",
"business_domain": "complaints",
"business_object": "complaint_case_8814",
"customer_impact": "customer_visible",
"privacy_class": "financial_data",
"retention_class": "business_regulatory_case_record",
"retention_trigger": "case_closed",
"hold_eligible": true,
"export_profile": ["audit", "regulator", "litigation"],
"policy_version": "records-ai-2026.06.30"
}
6.3 Retention Clock Controls
- clock_start_event must be explicit。
- system must prevent silent trigger changes。
- retention policy version must be preserved。
- derived records must link to source records。
- deletion eligibility must be calculated, not guessed。
- disposition must be blocked by active hold。
- manual deletion must require authorized exception and audit trail。
7. Legal Hold Trigger And Workflow
7.1 Trigger Sources
Legal hold may be triggered by filed litigation、reasonably anticipated litigation、regulatory inquiry、subpoena、civil investigative demand、enforcement investigation、internal investigation、customer dispute escalation、whistleblower report、data breach、AI incident、product-wide complaint pattern or employment dispute involving AI monitoring。
7.2 Hold Scope Dimensions
| Dimension | Examples |
|---|---|
| custodians | employee, supervisor, model owner, operations analyst |
| systems | chat, RAG, case management, tool gateway, archive, vendor platform |
| date range | before and after trigger |
| business objects | account, loan, dispute case, complaint, alert |
| record types | prompt, output, retrieval, approval, tool, eval, incident |
| model context | model id, prompt version, policy version |
| topics / keywords | product, fee, merchant, policy, protected term |
| channels | email, chat, SMS, call transcript, in-app message |
| sensitivity | privileged, PII, SAR-sensitive, confidential |
7.3 Hold Workflow
trigger intake
-> legal review and matter id
-> scope definition
-> system inventory mapping
-> hold creation
-> hold propagation
-> custodian notice and acknowledgement
-> preservation verification
-> collection and review
-> periodic scope refresh
-> release approval
-> disposition review
7.4 Preservation Verification
| Control | Evidence |
|---|---|
| target system acknowledgement | hold propagation receipt |
| deletion job blocked | disposition job conflict log |
| records sampled | sample ids and preserved status |
| vendor confirmed hold | vendor acknowledgement and SLA evidence |
| backup policy reviewed | backup exception note |
| custodian notice completed | acknowledgement log |
| scope refreshed | updated query and delta collection |
8. Deletion vs Hold Conflict Handling
当 deletion request、retention expiry、privacy minimization、regulatory retention 和 legal hold 冲突时, 产品不能在 UI 层做简单判断。
推荐 priority decision 由 policy service 处理:
active legal hold
-> block disposition and preserve
regulatory retention still active
-> block deletion unless legal authority permits a controlled transformation
business retention still active
-> preserve until schedule permits disposition
privacy deletion request
-> evaluate exemptions, delete eligible non-held data, defer blocked data
retention expired and no hold
-> disposition workflow
8.1 Conflict Decision Record
| Field | Example |
|---|---|
| request_id | privacy or deletion request |
| record_id | affected AI record |
| decision | deleted, deferred, denied, transformed, archived |
| reason | active hold, regulatory retention, business need, no longer needed |
| authority | policy version and legal / privacy reviewer |
| next_review_date | date for release or re-evaluation |
| evidence | decision packet and audit event |
8.2 Design Rules
- A user-facing delete confirmation must not imply records under legal hold were destroyed.
- Deferral reason should be understandable but not disclose privileged matter details unnecessarily.
- Disposition jobs must query hold service in real time or use a verified hold snapshot.
- Hold release does not automatically delete; it triggers disposition eligibility review.
- Backups need a documented approach: restore controls, overwrite cycle or legal exception.
- Derived records must be checked; deleting prompt payload may not delete final business record.
9. eDiscovery / Export Workflow
9.1 Workflow
request intake
-> authority verification
-> scope definition
-> search plan
-> collection
-> de-duplication and threading
-> sensitivity and privilege review
-> redaction
-> quality control
-> export package creation
-> chain-of-custody signoff
-> production delivery
-> post-production audit
9.2 Search Scope
Search should support matter id、customer id or hashed customer reference、account / loan / transaction / case id、date range、channel、record type、model id、prompt template version、policy version、source document id、tool id、approver id、output text、keyword and semantic query、legal sensitivity tag and retention class。
9.3 Export Package
| Package element | Purpose |
|---|---|
| production manifest | list of exported record ids |
| metadata dictionary | explains fields and values |
| native payloads | prompts, outputs, attachments, source snapshots |
| rendered views | human-readable transcript or case packet |
| load file | import into review platform |
| hash manifest | integrity verification |
| redaction log | why content was redacted |
| privilege log support | where applicable, managed by legal process |
| chain-of-custody | who collected, reviewed, exported and delivered |
| completeness statement | authorized certification of scope |
9.4 AI-Specific Export Issues
| Issue | Design response |
|---|---|
| Prompt contains multiple customers | field-level segmentation or review tagging |
| RAG chunk source changed later | source version snapshot and content hash |
| Model output regenerated | preserve each generation and final selected output |
| Human edited AI draft | keep draft, edit diff and final sent version |
| Tool call produced side effect | export approval packet and execution result |
| Vector store cannot produce text | store chunk id and source snapshot outside vector index |
| Search index was rebuilt | index rebuild audit and source-of-truth registry |
| Privileged legal prompt | privilege workflow and restricted access |
10. Immutable Audit Trail
10.1 Required Events
Audit trail should capture record created、record classified、retention policy assigned、record accessed、record modified、record deleted or dispositioned、legal hold applied、legal hold released、export searched、export collected、export redacted、export produced、policy changed and vendor export received。
10.2 Event Fields
| Field | Description |
|---|---|
| event_id | unique event id |
| event_type | create, classify, access, modify, delete, hold, export |
| record_id | affected record |
| actor | human, service, agent or system |
| actor_role | role and authority |
| timestamp | trusted time source |
| before_hash / after_hash | prior and new payload or metadata hash |
| policy_version | policy applied |
| reason_code | business or control reason |
| correlation_id | workflow, matter or case id |
10.3 Tamper-Evidence Patterns
- append-only event store。
- object lock。
- hash chain。
- periodic notarization or external hash anchoring。
- admin action monitoring。
- split role for audit configuration。
- immutable export of audit logs。
- automated integrity checks。
10.4 Audit Replay Test
For one customer-impacting AI decision, audit should reconstruct:
customer input
-> retrieved sources and versions
-> model and prompt versions
-> AI recommendation
-> human edit / approval / override
-> tool execution
-> customer-visible output
-> retention class
-> legal hold status
-> access and export history
11. Regulator / Audit Production
11.1 Production Principles
- Produce from governed workflow, not ad hoc database dumps。
- Preserve original metadata and export metadata。
- Include chain-of-custody。
- Explain record taxonomy and system inventory。
- Separate responsive, non-responsive, privileged and sensitive materials。
- Maintain repeatability of search and collection。
- Record all redaction and exclusion decisions。
- Validate export completeness before delivery。
11.2 Regulator Readiness Pack
| Artifact | Content |
|---|---|
| AI records inventory | systems, record types, owners, locations |
| retention matrix | category, trigger, period, authority, disposition |
| system inventory | where AI records live and how they are produced |
| legal hold procedure | trigger, propagation, verification, release |
| sample replay binder | one end-to-end decision chain |
| immutable audit design | WORM or audit-trail capability |
| vendor recordkeeping schedule | data retention, export SLA, audit rights |
| incident record protocol | record loss, missed hold, production failure |
12. Operating Model
12.1 RACI
| Activity | Business | AI PM | Senior BA | Architect | Legal | Compliance | Privacy | Records | Security | Model Risk | Ops | Audit |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Define AI record taxonomy | A | R | R | C | C | C | C | A/R | C | C | C | I |
| Map use case records | A | R | R | C | C | C | C | R | C | C | R | I |
| Approve retention schedule | C | C | C | C | A/R | A/R | C | A/R | I | C | C | I |
| Design capture architecture | C | R | C | A/R | C | C | C | C | C | C | C | I |
| Operate legal hold | I | C | C | C | A/R | C | C | R | C | I | C | I |
| Configure disposition | C | C | C | R | C | C | C | A/R | C | I | R | I |
| Produce records | C | C | C | R | A/R | C | C | R | C | C | C | I |
| Test replay | C | C | C | R | C | C | C | R | C | C | C | A/R |
R = Responsible, A = Accountable, C = Consulted, I = Informed.
12.2 Governance Cadence
| Review | Frequency | Output |
|---|---|---|
| AI records inventory review | monthly for active rollout | new record types and systems |
| Retention policy review | quarterly or on regulatory / product change | updated matrix and approvals |
| Legal hold operations review | monthly | active holds, exceptions, propagation failures |
| Disposition review | monthly | eligible records, blocked deletions, certificates |
| Vendor recordkeeping review | quarterly | export tests and SLA evidence |
| Audit replay sample | quarterly or risk-based | replay result and CAPA |
| Incident review | event-driven | record loss, wrong deletion, missed hold |
12.3 Role-Specific Focus
| Role | Focus |
|---|---|
| AI PM | PRD record requirements, customer impact, archive needs, vendor constraints |
| Senior BA | process state, record triggers, taxonomy, evidence fields, legal hold workflow |
| Architect | capture SDK, evidence ledger, policy engine, immutable store, export and disposition |
| Legal / Compliance / Records | schedule approval, hold procedure, production protocol, conflict decisions |
| Security / Privacy | access, encryption, minimization, deletion request workflow |
| Internal Audit | independent replay, control design and operating effectiveness testing |
13. Metrics And KRIs
13.1 Completeness Metrics
| Metric | Purpose |
|---|---|
| capture success rate | detect dropped AI record events |
| unclassified record rate | identify taxonomy gaps |
| records missing business object | prevent orphan records |
| RAG events missing source version | ensure replayability |
| tool calls missing approval id | detect control bypass |
| outputs missing channel archive id | detect communication gaps |
| eval records missing model version | ensure governance evidence |
| audit trail integrity pass rate | prove tamper evidence |
13.2 Legal Hold And Production Metrics
| Metric | Purpose |
|---|---|
| hold propagation SLA | speed from hold creation to system freeze |
| failed target systems | identify preservation gaps |
| deletion blocks due to hold | prove control operation |
| custodian acknowledgement rate | operational compliance |
| vendor hold acknowledgement time | third-party risk |
| export package defect rate | quality of production |
| chain-of-custody completeness | defensibility |
| audit replay success | evidence integrity |
13.3 Risk KRIs
| KRI | Yellow | Red |
|---|---|---|
| high-impact output without retained source context | isolated exception | repeated or customer-impacting pattern |
| active hold propagation failure | one retry needed | any system not frozen within required SLA |
| deletion attempted on held record | blocked and explained | executed deletion or missing evidence |
| vendor cannot export AI records | export delayed | no contractual or technical access |
| audit trail gap | missing non-critical metadata | cannot reconstruct create / modify / delete |
| RAG source version missing | sample gap | systemic missing source version |
| eDiscovery export manual workaround | controlled exception | unrepeatable production |
| over-retention of sensitive prompts | limited scope | broad indefinite retention without authority |
14. Financial Retail Scenario Patterns
| Scenario | Record chain | Key controls |
|---|---|---|
| Payment dispute assistant | intake, transaction retrieval, policy retrieval, AI recommendation, approval, provisional credit tool call, customer notice | source version, approval packet, action hash, channel archive |
| Credit underwriting copilot | application data, policy citations, AI memo draft, underwriter edits, decision, override reason, eval | distinguish draft from decision, preserve adverse action support, restrict sensitive data |
| AML / fraud assistant | alert data, transaction summary, red flag analysis, investigation notes, closure or escalation, QA sample | restricted access, human closure evidence, investigation hold, access audit |
| Complaint remediation agent | complaint intake, severity, policy/account evidence, remediation recommendation, review, response, closure | escalation triggers, source context, closure checklist, topic-wide hold |
| Wealth / advisory assistant | client question, suitability context, product retrieval, AI explanation, advisor review, final communication | distinguish education from recommendation, preserve advisor edits, archive final communication |
15. Vendor And Third-Party Design
Vendor arrangements should address record ownership、retention periods、legal hold propagation、export SLA、format and metadata、audit rights、deletion certificates、subprocessor handling、incident notification、data residency and privileged / confidential content。
| Risk | Control |
|---|---|
| Vendor stores prompt but cannot export | require API export and periodic test |
| Vendor deletes traces before institution schedule | institution captures required copy or vendor aligns retention |
| Vendor cannot apply granular hold | route sensitive workflows to controlled store |
| Vendor changes model without evidence | preserve model id and release metadata |
| Vendor support accesses records | access logs and approval workflow |
| Subprocessor holds copies | contract inventory and deletion evidence |
Vendor exit must include full record export、metadata dictionary、hold-preserved records、deletion or transfer certificate、hash manifest validation、continuity of legal hold and archive import test。
16. 30-Day Lab
目标: 30 天内完成一套可展示的 AI Records / Retention / Legal Hold / eDiscovery architecture portfolio pack。
Week 1: Inventory And Taxonomy
| Day | Artifact | Task |
|---|---|---|
| 1 | use-case-boundary-card.md | Define product, entity assumption, channel, customer impact and AI role |
| 2 | ai-record-inventory.md | List prompt, RAG, tool, approval, output, eval, incident and audit records |
| 3 | record-object-taxonomy.md | Define record types, owners, privacy class and business objects |
| 4 | system-inventory.md | Map chat, RAG, vector, object, case, archive, warehouse and vendor stores |
| 5 | obligation-map.md | Map business, regulatory, legal, privacy and audit reasons for preservation |
| 6 | authoritative-copy-map.md | Decide source of truth for payload, metadata and final business record |
| 7 | taxonomy-review.md | Review orphan records, missing source versions and vendor-held records |
Week 2: Retention And Hold Design
| Day | Artifact | Task |
|---|---|---|
| 8 | retention-matrix.md | Define class, trigger, approach, owner and disposition |
| 9 | retention-classifier-spec.md | Define classifier inputs, outputs, review override and policy version |
| 10 | legal-hold-trigger-table.md | Define triggers and scope dimensions |
| 11 | legal-hold-workflow.md | Draw intake, propagation, verification, release and disposition review |
| 12 | deletion-conflict-rules.md | Define privacy deletion, expiry, legal hold and regulatory conflict rules |
| 13 | hold-propagation-map.md | Map each system to hold API, manual process or vendor process |
| 14 | disposition-certificate.md | Define deletion evidence and approval fields |
Week 3: Evidence And Production
| Day | Artifact | Task |
|---|---|---|
| 15 | evidence-ledger-schema.md | Define create, classify, access, modify, delete, hold and export events |
| 16 | immutable-audit-design.md | Select WORM, audit trail, hash chain or object lock pattern |
| 17 | rag-replay-spec.md | Define source id, chunk id, content hash and index rebuild evidence |
| 18 | tool-call-replay-spec.md | Define approval id, action hash, execution result and rollback evidence |
| 19 | ediscovery-export-spec.md | Define search, collection, redaction, manifest, load file and custody |
| 20 | regulator-production-binder.md | Build sample package for one AI decision |
| 21 | vendor-recordkeeping-addendum.md | Define vendor retention, hold, export and audit requirements |
Week 4: Operations, Metrics And Interview Pack
| Day | Artifact | Task |
|---|---|---|
| 22 | records-raci.md | Build operating model |
| 23 | kri-dashboard-spec.md | Define capture, hold, export, deletion and vendor KRIs |
| 24 | incident-runbook-record-loss.md | Define response to missed hold, wrong deletion or export failure |
| 25 | audit-replay-test.md | Reconstruct one customer-impacting AI workflow end to end |
| 26 | tabletop-privacy-vs-hold.md | Run customer deletion request during litigation hold |
| 27 | tabletop-vendor-export-failure.md | Run vendor cannot produce prompt records scenario |
| 28 | executive-memo.md | Summarize architecture, risk, controls, residual risk and investment |
| 29 | interview-qa.md | Prepare 30-second and 2-minute answers |
| 30 | portfolio-index.md | Package artifacts into a role-ready portfolio story |
17. Interview Answers
Q1: What is the difference between AI logs and AI records?
30 秒:
Logs describe technical events. AI records are obligation-aware evidence objects that may support business decisions, customer communications, regulatory books and records, litigation preservation, model governance or audit replay.
2 分钟:
I would not treat every token trace as a long-term record, but I also would not keep only the final answer. A financial retail AI workflow may create prompts, RAG retrieval evidence, model outputs, approvals, tool calls, final customer messages, eval results and incident events. Each object needs classification: business domain, customer impact, privacy class, retention class, legal hold eligibility and export profile.
Q2: How would you build retention for AI systems?
Start with record inventory and taxonomy, then assign retention classes at record-object level. The retention clock may start at creation, output sent, case closed, account closed, model retired or incident closed. Storage should support WORM or audit-trail capabilities where required, and the disposition engine must query legal hold before deletion.
Q3: What does legal hold mean for AI records?
Legal hold means the organization must preserve relevant ESI and stop routine deletion for scoped records. For AI, scope can include prompts, outputs, RAG sources, vector metadata, approvals, tool calls, evals, incidents and vendor-held records. I would implement it as a cross-system service with matter id, scope, propagation, acknowledgement, verification and release workflow.
Q4: How do you handle a privacy deletion request during legal hold?
Route the request to a policy decision service. Records under active legal hold or mandatory retention are deferred or otherwise handled according to Legal, Privacy and Compliance direction. Eligible unrelated records can be deleted. The system records the decision, reason, authority, next review date and evidence.
Q5: What is needed for eDiscovery export of AI records?
A defensible export needs scoped search, collection protocol, metadata dictionary, native payloads, rendered views, redaction log, hash manifest, chain-of-custody and production manifest. AI-specific metadata includes prompt version, model version, RAG source ids, chunk hashes, human edits, approvals, tool calls, final sent output and policy decisions.
Q6: How do you prove an AI answer used the correct RAG source?
Preserve retrieval event details: query, repository, document id, chunk id, source version, content hash, rank, score and citation. The export package should include source snapshot or a verifiable reference to the authoritative source as it existed at the time of generation.
Q7: How would you explain WORM vs audit-trail alternative in architecture terms?
WORM prevents rewriting and erasure for preserved records. An audit-trail capable approach maintains complete time-stamped evidence of creation, modification and deletion so the original record can be recreated if changed. The exact regulatory acceptability depends on the entity and rule, but architecturally both require integrity, metadata, access controls and production readiness.
Q8: What would you put in PRD acceptance criteria?
Every customer-impacting AI output must link to prompt, model version, RAG source version, final sent message, human edits, approval if required and retention class. Legal hold must block disposition across all in-scope stores. Export must produce a manifest, metadata, payloads, hashes and chain-of-custody. Deletion must create a disposition certificate or conflict decision record.
18. Portfolio Deliverables
| Deliverable | Shows |
|---|---|
| Executive memo | ability to frame risk and business value |
| AI records inventory | ability to discover record-producing events |
| Record taxonomy | ability to classify beyond generic logs |
| Retention matrix | ability to connect business process to lifecycle |
| Legal hold architecture | ability to design preservation controls |
| eDiscovery workflow | ability to support production and chain-of-custody |
| Immutable audit trail schema | ability to prove integrity |
| Deletion conflict decision tree | ability to balance privacy, retention and hold |
| Vendor recordkeeping requirements | ability to manage third-party AI risk |
| Audit replay binder | ability to prove end-to-end evidence |
| KRI dashboard spec | ability to operate and measure controls |
| Interview answer pack | ability to communicate at senior level |
19. Common Pitfalls
| Pitfall | Why it fails | Better design |
|---|---|---|
| Treating AI records as chat history only | misses RAG, tool, approval, eval and incident evidence | record object taxonomy |
| Keeping everything forever | increases privacy, breach, cost and discovery exposure | schedule by obligation and business need |
| Keeping too little | loses decision evidence and preservation ability | classify customer-impacting and regulated records |
| Legal hold only in case system | prompt, vector, archive and vendor records may be deleted | cross-system hold propagation |
| No RAG source version | cannot replay why answer was generated | source id, version and hash |
| Tool calls not retained | business action cannot be reconstructed | approval-bound tool execution log |
| Approval separate from output | reviewer approved a different artifact than final sent | action hash and final output linkage |
| Manual eDiscovery exports | unrepeatable, weak custody | controlled export workflow |
| Vendor data inaccessible | production failure | contract export SLA and periodic test |
| Deletion ignores hold | spoliation and regulatory risk | disposition conflict check |
| Audit trail mutable by admins | evidence credibility weak | immutable or tamper-evident audit |
| No record owner | policies drift and exceptions accumulate | RACI and governance cadence |
20. Final Operating Principle
AI recordkeeping is a product and architecture capability, not a compliance afterthought.
For advanced AI PM / Senior BA / Architect, the practical skill is to turn every AI-influenced business event into a governed evidence object:
captured at source,
classified by obligation,
retained by policy,
preserved under hold,
produced with custody,
deleted only when eligible,
and replayable under audit.