Compliance, Clutter, and Copilot: Why P&C Insurers Can No Longer Ignore eRecords Management

Redundant, obsolete, and trivial data was always a cost problem. In a regulated, AI-enabled insurance enterprise, it has quietly become a compliance problem.

Every Property & Casualty insurer I have worked with runs on documents. Applications, declarations pages, endorsements, loss runs, adjuster notes, photographs of a dented bumper, subrogation correspondence — a single auto claim can generate dozens of artifacts across email, SharePoint, network drives, and a claims system. Multiply that by millions of policies and renewals, and you get one of the most document-dense industries in existence.

For years, the prevailing storage philosophy was simple: keep everything, forever, just in case. Storage was cheap, deleting felt risky, and nobody got fired for holding on to a file. That instinct is now actively working against insurers — and the arrival of Microsoft Copilot has turned a slow-burning cost issue into an urgent governance one.

This post is about why electronic records management (eRecords) has moved from “nice to have” to “regulatory necessity” in P&C, and how the Microsoft 365 ecosystem gives engineering and IT teams a practical way to fix it.

The compliance baseline: insurers don’t get to keep everything or nothing

P&C insurers operate under a patchwork of retention obligations. The NAIC’s model record-retention standards generally call for records to be kept for the current year plus three — and many states extend that to five, seven, or longer depending on the record type. Original applications (issued and declined), complete policy files, endorsements, and claim records each carry their own clock, and a policy renewal often starts a brand-new retention period from the renewal effective date.

The stakes are not theoretical. In the 2024 NAIC Market Conduct Annual Report, recordkeeping deficiencies ranked as the third most common examination finding, behind only claims handling and producer licensing. The pattern examiners reward is documentation: organizations with a documented records-management system were dramatically more likely to walk away from an exam clean.

Here is the tension that defines the problem. Retention law is bidirectional:

  • Destroy a record too early, and you face regulatory penalties, spoliation claims, and an indefensible position in litigation.
  • Keep a record too long, and you have expanded your attack surface, your discovery burden, and your privacy exposure — often against data-minimization expectations under modern privacy regimes.

You cannot keep everything. You cannot delete on instinct. You need a defensible, automated lifecycle — and that is precisely where most insurers are weakest.

Enter ROT: the silent majority of your data estate

Information governance has a name for the data that accumulates when “keep everything” meets “no lifecycle”: ROT — Redundant, Obsolete, and Trivial.

  • Redundant — the same loss-run report saved in an adjuster’s mailbox, a SharePoint library, a shared drive, and three people’s Downloads folders. Which one is authoritative?
  • Obsolete — superseded policy drafts, expired quotes, the 2019 version of a procedure that has been rewritten twice since.
  • Trivial — the “thanks, got it” emails and meeting-logistics files that were never records to begin with.

Industry analysis consistently estimates that roughly a third of enterprise data is ROT or dark data. For a document-heavy insurer, that fraction is often higher. The cost is real — large enterprises are estimated to waste tens of millions of dollars storing data they could safely delete — but in insurance the deeper danger is that ROT is indistinguishable from genuine records until someone proves otherwise. Every redundant copy of a claim file is one more thing to produce in discovery, one more place a privacy breach can originate, one more reason an examiner loses confidence in your controls.

Why Copilot just moved the deadline forward

For a long time, ROT could be ignored because it was passive — it sat in a forgotten library, costing storage and nothing more. Generative AI removes that luxury.

Microsoft Copilot surfaces everything a user can already access — including redundant, obsolete, and trivial content. Ask Copilot to “summarize what we have on the Henderson claim,” and it will happily blend the authoritative claim file with a superseded draft, an obsolete reserve estimate, and a colleague’s half-finished note, presenting the result with equal confidence. Weak governance no longer just wastes storage; it now produces wrong answers, surfaced instantly, to the people least equipped to catch the error.

In a regulated claims-handling context, that is not a productivity annoyance — it is a compliance and bad-faith-litigation risk. The lesson the governance community has converged on is blunt: clean up ROT before you turn on AI, not after. Copilot doesn’t create the mess; it broadcasts it.

What good eRecords management looks like in Microsoft 365

The encouraging part: if your organization is on M365, you already own the toolset. Microsoft Purview provides a records-management capability designed for exactly this problem. The work is less about buying technology and more about engineering a defensible lifecycle. A pragmatic sequence:

  1. Map the obligations before you touch the tooling. Build a retention schedule that translates NAIC and state requirements into concrete rules per record type — applications, policies, endorsements, claims, financials. The configuration is downstream of this.
  2. Clean up ROT first — and scope the project honestly. Eliminating redundant and obsolete content before a labeling rollout dramatically shrinks the scope of everything that follows. Trying to classify a data estate that is one-third garbage is how governance projects stall.
  3. Use retention labels and policies to automate the lifecycle. Purview’s retention labels, retention policies, auto-classification, and adaptive scopes let you retain what regulators require and dispose of what they don’t — automatically, with an audit trail. The goal is to replace human instinct (“better keep it”) with policy.
  4. Separate retention from preservation. Retention governs the routine lifecycle; legal hold protects specific records from disposition when litigation is reasonably anticipated. Conflating the two is a common, expensive mistake — design them as distinct controls.
  5. Make disposition defensible and reviewable. When a record is destroyed, you want proof it was destroyed on schedule, per policy. Defensible disposition — with disposition review and immutable logs — is what converts “we deleted it” into “we deleted it correctly,” which is the difference an examiner cares about.
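
The decision logic behind steps 1, 3, 4 and 5, as an added sketch that is not part of the original post and does not use Purview's API: a schedule lookup, a renewal that restarts the clock, a legal hold that overrides disposition, and a hash-chained disposition log. The retention periods, record fields and function names are constructed for illustration.

```python
import hashlib, json
from datetime import date

# Constructed schedule (years kept after the trigger year); placeholders, not legal guidance.
SCHEDULE = {"application": 3, "policy": 5, "claim": 7}
GENESIS = "0" * 64

def decide(record, today):
    """Return (action, reason) for one record."""
    if record["type"] not in SCHEDULE:
        return "review", "no schedule entry; never delete on instinct"
    if record.get("legal_hold"):
        return "preserve", "legal hold overrides routine disposition"
    # A renewal restarts the clock; keep through 31 Dec of trigger year + N.
    trigger = record.get("renewed") or record["created"]
    limit = date(trigger.year + SCHEDULE[record["type"]], 12, 31)
    if today <= limit:
        return "retain", f"retention runs through {limit}"
    return "dispose", f"retention ended {limit}"

def digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_log(log, record_id, action, reason, today):
    """Chain each entry to the previous hash so later edits are detectable."""
    body = {"id": record_id, "action": action, "reason": reason,
            "date": today.isoformat(), "prev": log[-1]["hash"] if log else GENESIS}
    log.append({**body, "hash": digest(body)})

def verify_log(log):
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry["hash"] != digest(body):
            return False
        prev = entry["hash"]
    return True

def run(records, today):
    log = []
    for r in records:
        append_log(log, r["id"], *decide(r, today), today)
    return log

# Constructed sample records.
RECORDS = [
    {"id": "POL-1", "type": "policy", "created": date(2015, 3, 1)},
    {"id": "POL-2", "type": "policy", "created": date(2015, 3, 1), "renewed": date(2022, 3, 1)},
    {"id": "CLM-1", "type": "claim", "created": date(2010, 6, 1), "legal_hold": True},
    {"id": "MISC-1", "type": "memo", "created": date(2012, 1, 1)},
]
```

Calling run(RECORDS, date(2025, 1, 15)) yields dispose, retain, preserve and review in that order; changing any logged entry afterwards makes verify_log return False.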

The takeaway

In P&C insurance, records management used to be a back-office storage concern. It isn’t anymore. Bidirectional retention law, intensifying market-conduct scrutiny, privacy-driven data minimization, and now an AI layer that actively surfaces your worst-governed content have combined to make eRecords a front-line compliance discipline.

The good news is that this is a solvable engineering problem, and the tools sit inside the M365 stack most insurers already run. The work is to translate regulation into a retention schedule, purge ROT, automate the lifecycle in Purview, and make disposition defensible — ideally before Copilot makes the mess visible to everyone.

The insurers who treat records governance as infrastructure will hand their examiners a clean exam and their AI a clean knowledge base. The ones who keep everything “just in case” will spend the next few years discovering that just in case was the most expensive policy they ever wrote.


Have you started cleaning up ROT ahead of a Copilot rollout, or are you tackling it after the fact? I’d like to hear how other insurance and M365 teams are approaching the sequencing — leave a comment below.

This article reflects general industry practice and is not legal or compliance advice. Confirm specific retention obligations with your legal and compliance teams.
