Automatic Data Preservation for High-Risk Users
Jul 1 2026
Retain deleted data for high-risk employees before a legal hold is in place
This Purview Data Lifecycle Management retention label feature will work in concert with the Adaptive Protection feature in Purview Insider Risk Management. Adaptive Protection protects your organization’s data by using dynamic insider risk levels derived from users’ data-related activities. Through its integration with Data Lifecycle Management, this new feature can automatically apply retention labels to preserve deleted emails and files according to each user’s insider risk level.
What’s Changing and When
This is a new feature within the Purview Data Lifecycle Management module.
Microsoft 365 Roadmap ID: 392839
Preview: N/A
Expected GA: October 2026
Why This Matters
This new Purview Data Lifecycle Management feature introduces adaptive scope policies that respond to Insider Risk Management (IRM) risk levels. As user risk increases, organizations can automatically shift from standard disposition to preservation for deleted emails and files, ensuring critical emails and files are retained during periods of heightened insider risk.
Microsoft Purview IRM aggregates various user activities to detect potential malicious or unintentional risks, including intellectual property theft, data loss, and security policy violations, and raises these issues as alerts to Incident Management or Information Security teams to review. To properly triage these requests, organizations can employ the calculation of “risk levels” to identify users or user groups with elevated risk, including those with access to critical information.
Key Risks Organizations Should Consider
Retention and Deletion Risks
Applying different retention labels based on insider risk levels can lead to over-retention, inconsistent recordkeeping, and conflicts with legal holds, statutory retention rules, or deletion/erasure requests.
Data Protection and Privacy Principles
Using behavioral data for insider risk assessment must comply with applicable lawful basis, purpose limitation, data minimization, transparency, and data subject requirements, which can be difficult when the system logic is complex or opaque. Additionally, monitoring activities to generate insider risk levels may implicate employee privacy, notice, and other legal obligations in various jurisdictions.
How eMerge Can Help
eMerge can help your organization evaluate whether and how to deploy the Data Lifecycle Management retention label integration with Adaptive Protection risk levels. eMerge can assist in bridging the legal, governance, and technical considerations of this type of retention capability. In coordination with Troutman’s Privacy + Cyber attorneys, eMerge can assess your current data governance and retention framework, identify the legal, regulatory, and privacy implications of using automated retention labeling, and help design configurations that are defensible, proportionate, and aligned with your risk exposure. We can also develop and document appropriate policies, notices, and workflows, and coordinate with information security stakeholders so that any rollout is technically sound and legally defensible.
Bottom Line
This feature can help your organization automate preservation of certain content, enabling incident response teams to review that content to assess potential security incidents. It is important to think through when and how this automated preservation will be curtailed so that the organization avoids over-retention of unnecessary content. User-based risk leveling and resulting automated preservation should only be undertaken in a manner that complies with local, state, and federal regulations and privacy laws.
Want to talk through whether and how this new capability should be enabled in your environment?
Please contact eMerge Information Governance.