Category Archives: eDiscovery & Compliance

Kim v. Cushman & Wakefield: A Federal Court Confirms That Email Search Terms Don’t Work for Microsoft Teams

By John Patzakis

Blog header about the Kim v. Cushman & Wakefield case, discussing a federal court ruling on email search terms and their ineffectiveness for Microsoft Teams. Includes graphics of a gavel, documents, and message bubbles.

A recent decision out of the Central District of California should be required reading for any legal team that includes Microsoft Teams as data source in their discovery plan. In Kim v. Cushman & Wakefield U.S., Inc., 2026 WL 1353455 (C.D. Cal. Apr. 24, 2026), the court held that search terms that may be appropriate for email may not be sufficient for shorter, less formal communications on a collaboration platform like Teams.

The plaintiff, Ms. Kim, alleged pregnancy discrimination after being terminated upon her return from maternity leave. The defendant asserted the termination was part of a reduction in force; Ms. Kim alleged that rationale was pretextual. The discovery dispute arose when it emerged that the defendant had not searched Microsoft Teams at all—even though, as one of the defendant’s own witnesses testified, Teams was one of the primary communication methods used at the company. To its credit, upon discovering the gap, defense counsel immediately ran the existing email search terms against Teams and produced 47 pages of messages, two of which proved relevant to the pretext analysis.

That partial cure satisfied no one. The plaintiff demanded a nearly indiscriminate search of “all reasonably likely repositories,” while the defendant maintained it had already run the terms against Teams and “there’s nothing left.” The court’s response: “Neither position is quite right.”

The Teams Ruling: Keyword Searches Alone Are Not Enough
The heart of the opinion is the court’s recognition that rerunning email-oriented search terms against Teams data is structurally flawed. The defendant’s terms all required “Connie Kim” as an anchor—e.g., “Connie Kim” NEAR “terminat!”. As the court explained:

“It is arguable whether that may work well enough even for emails, but it cannot work for MS Teams chats about transition planning among managers who might say ‘the Smartsheet’ or ‘Brooke’s workload’ without mentioning Plaintiff by name. Keyword searches alone, without more advanced and thoughtful search techniques, will be inadequate for Teams data—a medium where conversations are shorter, more informal, and less likely to include full names than email.”

The court also underscored the certification obligation that attaches once a party elects to search: “An objecting party that elects to search and produce—rather than move for a protective order—undertakes an obligation to search reasonably. See Fed. R. Civ. P. 26(g)(1)(B).” And the Rule 26(b)(1) proportionality analysis weighed in the plaintiff’s favor as to Teams, since the messages already produced confirmed that relevant communications existed in that repository.

Notably, the court declined to dictate methodology, holding that how the defendant fulfills its supplemental search obligation— “whether through custodian-based collection, refined keyword queries, or technology-assisted review—is Defendant’s choice, so long as the search is reasonable and the production is complete.” The court also traced the root cause to a pro forma Rule 26(f) conference: had the parties conducted a substantive ESI conference identifying repositories, custodians, and communication platforms at the outset, the Teams gap would have been caught months earlier.

In his excellent writeup of this case, Michael Berman of E-Discovery LLC consulted eDiscovery expert Tom O’Connor of the Gulf Coast Legal Technology Center, who raised a critical practical question: what tool was actually used for the search? O’Connor explained that while keyword searches inside Teams work, Teams supports only basic keyword matching and a few command-style filters. Per O’Connor, the native “Teams search indexes chat differently than email,” in that it:

• “Prioritizes exact word matches;
• Does not index message metadata as richly as Outlook;
• Often misses partial-word matches; and
• Returns fewer results when the term is too specific.”

In other words, even well-crafted Boolean terms can silently underperform when run against Microsoft’s native Teams index.

Why Kim Illustrates the Case for X1 Enterprise
The Kim decision validates what we have long argued at X1: when addressing MS 365 data for eDiscovery, the search methodology applied to it must be purpose-built. As we detailed when we launched our advanced MS Teams support, X1 Enterprise enables a targeted, iterative search and collection of Teams data in-place, with the ability to target individual custodians and specific messaging threads—displacing any need to mass download channels—plus unified search across Teams, OneDrive, SharePoint, Mail, laptops, and file shares, and one-click upload into Relativity for review.

Critically, X1 does not rely on the limited native Microsoft Teams index that O’Connor describes. X1’s patented technology builds its own full-featured index of Teams data, enabling precisely the “more advanced and thoughtful search techniques” the Kim court demanded. That includes detailed Boolean queries with nested operators, proximity, and wildcard/stemming support that execute consistently across both email and chat data—so counsel is not forced to choose between Outlook precision and Teams looseness. X1 also includes the ability to search on emojis, which is critical for Teams and other chat platforms, where a reaction emoji may be the entire substance of a manager’s response to a message about a “transition plan.”

X1’s patented in-place search and classification capabilities extend this further. Through the X1 API, organizations can programmatically execute searches and apply AI-driven classification models directly where the data lives—before anything is collected. Applied to the Kim fact pattern, that means counsel can iteratively test and refine looser, Teams-appropriate search terms against live data, measure the results, and classify what comes back—building a defensible, documented search methodology of exactly the kind the court invited when it referenced “refined keyword queries” and “technology-assisted review.” And because it all happens in place, the proportionality benefits are built in as only potentially responsive data is collected.

The lesson of Kim is straightforward. Courts now expect parties to identify collaboration platforms like Teams at the Rule 26(f) stage, to search them with techniques suited to informal chat data, and to do so reasonably and completely. Meeting that expectation requires solutions designed for the job.

Learn more about the X1 Enterprise Platform, or contact our sales team to schedule a live demo.

Leave a comment

Filed under Best Practices, compliance, Corporations, Data Audit, Data Governance, ECA, eDiscovery & Compliance, Enterprise eDiscovery, Enterprise Search, ESI, Information Access, Information Governance, Information Management, law firm, m365, MS Teams

Enterprise AI Has a Token Cost Problem — But It’s Very Fixable. What most AI vendors aren’t telling you.

By Larry Gill

The promise of AI in the enterprise is everywhere right now. Every eDiscovery vendor, legal tech platform, and cloud provider is claiming to have AI capabilities. But there’s a fundamental architectural flaw in how virtually every one of them applies AI — and it’s a problem that has significant consequences for your costs, your security, and your risk posture.

With our new release of X1 Enterprise v6, we’ve built a genuinely different approach. Last week, our team hosted a live product tour to walk through what that looks like in practice. Here’s a summary of what we covered — and why I believe it changes everything.

The Problem: AI Is Being Applied Too Late
The eDiscovery and data governance workflow has been largely the same for over 20 years: Identify → Collect → Process → Host → Review. Every major vendor with AI capabilities today is applying AI at the very end of that process — at the Review stage — after data has already been moved or copied into their platform.

That’s too late. And it’s not just where they’re applying AI in the workflow — it’s how they’re applying it that’s the real problem.

Before AI ever touches your data in these platforms, you’ve already:
• Copied and transferred sensitive enterprise information to a vendor-controlled environment
• Paid for processing and hosting on the full data volume — including everything that turns out to be irrelevant
• Created security and compliance exposure from that mass data transfer to a third party
• Waited through long, throttled ingestion cycles before any analysis can begin

And now you’re being up-charged for ‘new’ AI capabilities on top of already expensive collection, hosting, and review fees. And the reason why you are being charged so much is that many of these vendors are merely brokering usage (and being charged for it) through large, centralized AI platforms.

If you’re considering pointing a cloud LLM — Claude, Copilot, ChatGPT, or even legal-focused platforms like Harvey — directly at your enterprise data to solve this problem, I want to be direct: they’re the wrong tool for the job. Cloud AI platforms cannot search data in-place. If you try to use them across your full enterprise data estate, you’ll be exfiltrating enormous volumes of data to their AI engines and consuming a massive number of tokens — exploding your costs in the process.

Infographic illustrating X1's approach to applying AI at the source before data moves, featuring steps: Identify, Collect, Process, Host, and Review.

X1’s Answer: AI In-Place, Before Anything Moves
X1 Enterprise v6 takes a fundamentally different architectural approach. We call it AI In-Place.

Rather than copying data into a centralized platform and then applying AI, X1 deploys distributed micro-indexes directly across your enterprise data sources — your M365 environment, endpoints, cloud repositories, and more. Your data stays exactly where it lives. We bring the AI to the data. Not the other way around.

That means AI decisioning happens before collection, before review-set creation, before any exporting, and before anything moves. We apply AI at the very beginning of the eDiscovery and data governance workflow — not at the end.

X1’s AI capabilities are about upstream AI enablement, not (yet another) prompt-wrapper that brokers expensive queries to Anthropic or OpenAI like too many other eDiscovery and Compliance Platforms. X1’s fundamental architectural shift means X1 neither charges nor incurs OEM AI costs, as the models are frozen and deployed in-place. This factor alone results in massive cost savings and efficiencies.

Infographic comparing two data architectures: 'Collect-First' process showing bulk copy and transfer methods, and 'Analyze-In-Place' by X1 featuring AI capabilities for data analysis in real-time.

One Platform, Across Every Critical Use Case
The AI In-Place architecture isn’t a point solution. It’s an enterprise platform that spans your most critical data workflows:

eDiscovery — X1 enables index-in-place early case assessment, data identification, and highly targeted collection. You get full data visibility and AI-powered responsiveness scoring before a single document is exported, resulting in dramatically smaller review volumes and lower costs — beginning before collection even starts.

Risk and Compliance — X1 identifies and remediates PCI, PII, and privacy-regulated data across your enterprise, continuously and without moving it into a compliance platform. It supports departed employee workflows, GDPR, FOIA, HIPAA compliance, and more — all analyzed and remediated in-place.

InfoSec and Investigations — When a breach occurs or an insider threat is suspected, time is critical. X1 gives investigation teams real-time capability at petabyte scale, across endpoint and cloud environments simultaneously — something no centralized architecture can match.

Information Governance — X1 handles large-scale data separation for M&A due diligence and divestitures, ROT analysis, records management policy enforcement, data mapping, and more — all in-place without migration or centralized data processing.

A Hidden Cost Nobody Is Talking About: Enterprise-Wide Token Explosion
There’s another dimension to this problem that rarely gets discussed openly, and it has major financial implications for any organization deploying AI at scale.

AI productivity tools like Claude or Copilot are genuinely valuable for administrative and day-to-day workflows — drafting emails, summarizing meetings, and generating content. But they are fundamentally the wrong tool for enterprise-wide data discovery.

Here’s why:

When you ask a cloud AI platform to find information across your enterprise data, it has no index to work from. It must retrieve and read the actual documents — potentially thousands or millions of them — just to locate what you’re looking for. Every document pulled into context consumes tokens. Every search, every query, every time someone asks a question about your data, the AI is ingesting enormous volumes of content to produce an answer. At enterprise scale, this doesn’t just add up — it explodes.

The costs compound quickly. Token pricing is consumption-based, and when your AI tool is reading entire document sets on every query rather than looking up a precise answer, you are essentially paying to re-read your entire data estate over and over again. For large organizations, this can translate into AI infrastructure costs that are orders of magnitude higher than they need to be.

X1’s local index-in-place technology solves this directly. Because X1 has already built a persistent, AI-enriched index across all your enterprise data sources — right where the data lives — your AI tools don’t need to go find and read the documents. Instead, the AI asks the question, X1 uses its index to identify the precise answer, and then delivers only the targeted files, documents, or data points the AI or end user actually needs. The documents themselves never have to be ingested into the AI platform at all.

The result is dramatically lower token consumption across your organization — because you’re sending the AI targeted answers, not raw document libraries. X1 becomes the intelligent retrieval layer that makes your existing AI investments far more efficient and far less expensive to operate at scale.

Where We’re Headed: X1 as the Governed Retrieval Layer for Enterprise AI
As your organization deploys more AI assistants and agents — through Copilot, Claude, or internal AI tools — they will all need a secure, governed way to retrieve knowledge from your distributed data. X1 is being built to serve as that infrastructure layer that connects your AI tools to your data.

Our vision is for X1 to become the MCP Server for your LLMs — the governed retrieval layer that sits between your centralized AI systems and your enterprise data. Your AI tools will ask the questions. X1 will find and provide the answers — safely, compliantly, at scale, with minimal cost, and without data ever leaving its source.

Three Things I Want You to Take Away

  1. AI In-Place gives you a real strategic advantage. Security, speed, and scalability — at a fraction of the cost — with your data never leaving your environment. There’s no need to collect, move, copy, re-index, or centralize before analysis can begin. The shortest path to insight is leaving the data where it already is.
  2. We will never monetize your data. Full stop. You can analyze your data in place and pay nothing extra for the AI capabilities we’ve built into v6. No data charges. No add-on fees. Ever. Your data is an asset — it shouldn’t be a revenue stream for your software vendor.
  3. Control belongs with you. This industry has been charging customers a premium for over-collection, over-processing, bloated hosting, inefficient review, and now AI add-on fees on top of it all. That model ends here. X1’s AI-native approach cuts through it entirely — dramatically lower costs, no unnecessary data sprawl, and control back where it belongs.

If you missed the webinar, you can watch it now here. And if you’d like to see what AI In-Place looks like in your specific environment — your M365 footprint, your eDiscovery program, your compliance posture — reach out to us at info@x1.com or visit x1.com to schedule a private demo.

The right architecture for AI isn’t about moving your data to the AI. It’s about bringing the AI to your data.”
— Larry Gill, CEO, X1 Discovery

Leave a comment

Filed under Best Practices, Cloud Data, Corporations, Cybersecurity, Data Audit, Data Governance, ECA, eDiscovery & Compliance, Enterprise AI, Enterprise eDiscovery, ESI, GDPR, Information Governance, Information Management

Why X1’s AI In-Place Architecture Is a Genuine Departure from Legal AI’s Status Quo

By John Patzakis

X1 AI In-Place Architecture — AI hub connecting to distributed enterprise data sources including Microsoft 365, email, cloud, and endpoints

The legal technology market has a buzzword problem. Terms like “AI-powered,” “intelligent review,” and “automated analysis” have been applied so broadly—and so inconsistently—that they have largely lost their ability to signal anything meaningful about how a product actually works. Against that backdrop, X1’s announcement last week of AI In-Place for X1 Enterprise represents a genuinely different approach to applying AI within enterprise legal and compliance workflows. The reason for this basis is X1’s unique architecture.

To understand why, it helps to start with the dominant model that most legal AI tools share. The overwhelming majority of AI-enabled eDiscovery and governance platforms are built on a collect-first assumption: data must be moved out of its native environment—copied, ingested, centralized in a vendor-controlled repository—before any AI model can be applied to it. This is not an incidental design choice; it reflects the fundamental architecture of how most of these platforms were built, long before AI became part of the product story. The result is what practitioners have come to call the “prompt wrapper” problem: an AI interface sits in front of a conventional data pipeline, and the underlying mechanics—the cost, the risk, the latency—remain largely unchanged. A large language model with a “middleware” workflow does not solve the structural problem of what happens to sensitive data before the AI touches it.

X1’s AI In-Place architecture inverts that assumption. Rather than requiring data to travel to an AI system, X1’s patented distributed micro-indexing technology deploys AI models directly into lightweight micro-indexes at the data source itself—across Microsoft 365 environments, file shares, cloud repositories, and endpoints. The AI executes where the data lives, and the data does not move. The implications run across multiple dimensions: data never leaves the enterprise perimeter, security policies and endpoint controls remain intact throughout the process, and the computational overhead and massive AI token costs associated with large-scale data ingestion is avoided entirely. For matters involving a terabyte of data or more—where centralized collection is not merely expensive but operationally infeasible—this architectural distinction is not incremental. It changes what is actually possible.

The workflow mechanics reinforce the point. AI models are deployed into X1’s distributed micro-indexes behind the firewall, execute against enterprise data in place, and surface AI-enriched insights—tags, classifications, risk scores—into a central console without the underlying data ever being collected or copied. That means targeted collection decisions, early case assessment, and information governance actions can be driven by AI-informed analysis conducted across the full enterprise data landscape, not just against a subset of data that has already been moved. The distinction matters because the scope of analysis in the collect-first model is constrained by collection costs; in the in-place model, analysis scope is no longer tethered to collection volume. Investigations and governance programs can, in principle, cast a much wider net analytically while actually reducing the volume of data that requires review.

Mandi Ross, CEO of Insight Optix, offered a perspective that cuts to the core of what makes this architecture commercially significant: “Enabling AI directly where the clients’ data resides fundamentally changes the economics, speed, and risk profile of enterprise data discovery, investigations and compliance workflows. With X1 Enterprise AI In-Place, we can deploy AI models, pre-trained or customized for specific matters, data queries, or compliance requirements—securely within client environments, dramatically accelerating time to insight without sensitive information being collected, duplicated, or centralized outside their control.”

Ross identifies three dimensions the in-place approach changes: economics, speed, and risk. On economics, a significant lever is the reduction in review population size—AI-informed pre-collection filtering means fewer documents proceed to human review. Additionally, costs associated with collection and processing, including expensive AI token utilization, are all but eliminated. On speed, running analysis in situ, without waiting for collection and ingestion cycles, compresses time to first insight—critical in time-sensitive investigations and regulatory responses. On risk, data that does not move cannot be breached in transit, does not reside in vendor infrastructure outside the client’s control, and does not generate the compliance exposure of large-scale cross-boundary transfers. Her comment reflects what experienced practitioners understand but marketing language tends to obscure: the most consequential question about any legal AI tool is not what the AI does, but what happens to the data before and during its operation.

The enterprise deployment model reflects design discipline that distinguishes AI In-Place from retrofitted solutions. Organizations retain centralized governance over AI usage while processing remains local under existing security policies and endpoint controls. AI capabilities are fully optional and configurable at the data source level—important for organizations operating across multiple jurisdictions with differing regulatory requirements—and customer data is never used to train, fine-tune, or enrich underlying AI models, addressing a standard due diligence concern in enterprise AI procurement.

The practical use case implications are significant across several domains. In legal and eDiscovery contexts, in-place TAR and pre-collection analytics allow AI-informed decisions about what to collect before collection begins, directly reducing review volumes and costs. In information governance, AI-driven classification and policy enforcement can operate continuously across the full enterprise data estate rather than against periodic snapshots, enabling more responsive and defensible governance programs. In security and investigations, real-time insider risk detection at petabyte scale—across endpoint and cloud environments simultaneously—becomes feasible where centralized architectures make it impractical. In each case, analytical scope is no longer constrained by collection logistics.

Most legal AI products apply AI to data after it has already moved through the conventional collection pipeline. AI In-Place asks a more fundamental question: whether the pipeline itself should be reconceived. We will demonstrate it live on Wednesday, June 24—for those evaluating enterprise AI in legal, compliance, or governance contexts, it is worth seeing what a genuinely different architecture looks like in practice.

Register for the June 24 AI In-Place™ Product Tour →

Leave a comment

Filed under Best Practices, Cloud Data, Corporations, Cybersecurity, Data Audit, Data Governance, ECA, eDiscovery & Compliance, Enterprise AI, Enterprise eDiscovery, Enterprise Search, ESI, GDPR, Information Access, Information Governance, Information Management, m365, MS Teams, OneDrive, SharePoint

De-NISTing in eDiscovery: A Costly Provision That Shouldn’t Be in Model Orders in the First Place

By John Patzakis

A model eDiscovery order I recently came across from a federal district court issued by a respected judge included a provision requiring parties to de-NIST their files in the course of eDiscovery production. On its face, this may seem like a reasonable technical requirement to some practitioners. But this provision reflects a fundamental misunderstanding of how proportional, targeted eDiscovery collection should work — and it points to a broader problem in our industry that deserves some attention.

For those unfamiliar with the term, de-NISTing refers to the process of filtering out known, irrelevant system files from a forensic collection using the National Institute of Standards and Technology’s reference database of known file signatures. The NIST database catalogs hundreds of thousands of known operating system files, executables, DLL files, and other system-generated data that have no evidentiary value whatsoever. De-NISTing removes these files from a collection so that reviewers are not burdened with wading through mountains of irrelevant system data. The reason you need to de-NIST in the first place is because you collected a full-disk image — capturing everything on the drive, relevant or not.

And that is precisely the problem with requiring de-NISTing in a model eDiscovery order. As I have written extensively, including in our recent white paper on proportionality in eDiscovery, courts have consistently held that full-disk imaging is not the appropriate default for civil litigation collections. Going all the way back to Deipenhorst v. City of Battle Creek in 2006, courts have warned that imaging a hard drive results in the production of massive amounts of irrelevant — and potentially privileged — information. More recently, in Motorola Solutions v. Hytera Communications Corp., the court emphasized that forensic examination of a party’s computers “is no routine matter” and that courts must use caution to avoid unduly impinging on privacy interests. A model order that presupposes full-disk imaging by requiring de-NISTing is, at minimum, inconsistent with this well-established body of case law.

The 2015 amendments to Federal Rule of Civil Procedure 26(b)(1) established a clear six-pronged proportionality framework for eDiscovery, requiring parties and courts to weigh factors including the importance of the issues at stake, the amount in controversy, the parties’ resources, and whether the burden or expense of proposed discovery outweighs its likely benefits. Courts have taken these amendments seriously and have consistently limited overbroad discovery requests on proportionality grounds. A blanket model order requirement to de-NIST implicitly endorses a collect-everything methodology that runs counter to the proportionality principles embedded in Rule 26(b)(1) and the extensive case law that has developed around it.

So how does a provision like this end up in a model court order? The answer, I believe, lies in the undue influence that certain eDiscovery service providers have had on collection practices and, ultimately, on the drafting of court orders and guidelines. Some service providers have a clear financial incentive to collect as much data as possible, since their fees are calculated on a per-gigabyte basis — meaning the more data collected, processed, and hosted, the higher the bill. This volume-based business model has shaped industry “best practices” in ways that favor over-collection, and that mindset has quietly seeped into the thinking of some federal judges and the model orders they issue. What gets dressed up as technical diligence is, in many cases, simply an artifact of a business model that profits from excess.

If you are conducting a properly scoped, targeted eDiscovery collection that is consistent with the principles of proportionality — as the Federal Rules and overwhelming case law require — there is simply no reason to de-NIST. A targeted collection does not reach system files, executables, DLLs, or other non-user-generated data in the first place. You are collecting potentially relevant ESI from identified custodians, scoped by search terms, date ranges, file types, and data sources. You never touch the data that de-NISTing is designed to filter out, which means the entire de-NISTing step — and its associated cost and processing time — is unnecessary overhead born entirely of an overbroad collection methodology.

This is precisely the approach built into X1 Enterprise, which enables legal and IT teams to conduct targeted, remote collections across large numbers of custodians without ever capturing the system-level data that necessitates de-NISTing. X1 Enterprise collects only the user-generated, potentially relevant ESI within defined parameters, preserving full metadata integrity and maintaining a documented chain of custody — satisfying every requirement for forensic soundness without the bloat, expense, and proportionality concerns of full-disk imaging. In an era where courts are increasingly scrutinizing eDiscovery costs and demanding proportionality, practitioners and judges alike should be asking not how to manage the mess created by over-collection, but how to avoid creating that mess in the first place.

Leave a comment

Filed under Best Practices, Case Law, Cloud Data, Cybersecurity, Data Audit, Data Governance, eDiscovery, eDiscovery & Compliance, Enterprise eDiscovery, GDPR, Information Governance, Information Management

Why Most Tools Fall Short for Large-Scale Information Governance and What Actually Works

By John Patzakis

For more than a decade, enterprise organizations have struggled with a persistent and costly challenge: how to effectively search, collect, manage, and analyze large volumes of unstructured on-premise data for information governance, eDiscovery, and enterprise search use cases. We are talking about environments with many terabytes of data distributed across file servers, email archives, endpoints, and Microsoft 365 data that must be rapidly interrogated, precisely analyzed, and in many cases urgently remediated in response to a regulatory inquiry, a data breach, or an M&A transaction. Despite the proliferation of tools claiming to address this challenge, none has ever truly solved it at scale. The core reason is architectural. Most of these tools are built on a flawed foundation from the start.

The gravitational pull toward Elasticsearch as the search foundation for enterprise data tools is easy to understand. It is open source, it is widely documented, and it is written in Java a language familiar to a large pool of developers. For these reasons, a basic centralized search and analysis tool can be assembled relatively quickly, and hundreds of vendors and in-house development teams have taken exactly this path. The problem is not that Elasticsearch lacks capability for general-purpose search. The problem is that general-purpose search and large-scale enterprise information governance are fundamentally different problems, and what works for one fails badly at the other. What is rarely discussed openly but what practitioners learn the hard way is that Elasticsearch’s architectural limitations are not configuration issues that can be engineered around. They are structural constraints baked into the platform’s design, and they surface precisely at the scale and complexity that serious information governance work demands.

The result is a graveyard of failed or severely limited information governance deployments: tools that work impressively in demos on curated datasets of a few hundred gigabytes, but that buckle, stall, or simply break when asked to operate on the multi-terabyte, distributed, live data environments that characterize real enterprise compliance projects.

The Structural Limitations of Elasticsearch for Information Governance
The memory problem with Elasticsearch begins with Java itself, which requires a significant amount of compute power over other code bases when addressing large volumes of data. The Java Virtual Machine (JVM) requires a heap to manage object allocation, and as data volumes grow, the memory demands scale dramatically. Each Elasticsearch index must be loaded into memory to be searched, and in a multi-terabyte environment with complex query patterns — the kind that information governance work consistently requires — the JVM heap pressure becomes severe and unmanageable. Organizations that have attempted to deploy Elasticsearch-based platforms against over 10 terabytes of enterprise data consistently encounter the same outcome: massive hardware requirements, constant tuning, and performance that degrades as the dataset grows rather than holding steady. The compute overhead is not a solvable problem; it is an inherent consequence of building a memory-intensive centralized index on a Java runtime, and it places a practical ceiling on what Elasticsearch-based governance tools can realistically accomplish.

Beyond the memory constraints, the workflow required to use Elasticsearch for information governance introduces a second, equally serious problem: it requires a full copy of the data under governance to be made and migrated into the centralized index. For a 50-terabyte dataset, this means creating 50 additional terabytes of sensitive material — often including personally identifiable information, privileged communications, and confidential business records — and transferring it outside its original, controlled location. Requiring the wholesale copying and centralization of that same data in order to govern it is a fundamental contradiction, one that legal, security, and compliance stakeholders increasingly and rightly reject.

The timeline problem compounds the data duplication problem. Copying, transferring, and indexing 50 terabytes of enterprise data into a centralized Elasticsearch platform is not a weekend project. In real-world deployments, this process can take months, even under favorable conditions. And information governance use cases are rarely patient ones. Data breach impact assessments operate under regulatory notification deadlines measured in days. M&A-related data audits run on compressed timelines driven by transaction closing schedules. By the time the data has been staged and indexed into a centralized Elasticsearch platform, the underlying data has changed, and the copied index set is already stale.

Finally, even if an organization tolerates the data duplication, survives the timeline, and manages the memory overhead, there is a “last mile” problem that the centralized Elasticsearch architecture cannot solve: remediation. Information governance is not just about finding sensitive or problematic data — it is about acting on it — Deleting records past their retention period. Quarantining compromised PII. Tagging and separating data in support of a corporate divestiture. When the discovery and analysis workflow is built on a centralized copy of the data, the organization is operating on clones, not originals. The identified data still exists in its original locations distributed across file servers, Microsoft 365 environments, laptops, and cloud storage. Tracing back from a finding in a centralized index to the live source, and then executing a remediation action on that source, is a manual, error-prone, and operationally disruptive process.

How X1 Enterprise’s Micro-Indexing Architecture Solves What Elasticsearch Based Tools Cannot
X1 Enterprise is built on a fundamentally different architectural premise: rather than requiring data to be copied and centralized, X1’s patented micro-indexing technology indexes, searches, analyzes, and remediates data entirely in place where it lives, within the corporate environment, without ever moving it. This architectural difference is consequential at every stage of a large-scale governance project. The micro-indexing engine is written in C++, which delivers dramatically more efficient memory utilization than a Java-based runtime. Individual micro-indexes do not need to be loaded into memory simultaneously; the architecture is genuinely distributed and parallelized, enabling X1 Enterprise to operate effectively at multi-terabyte scale, including at hundreds of terabytes, without the memory walls and hardware escalation that make Elasticsearch-based platforms impractical for serious enterprise deployments.

Because X1 Enterprise operates in place, the data duplication problem is eliminated entirely. There is no second copy of your sensitive data to govern, secure, or explain to regulators. The indexed data remains in its original location, under the organization’s existing controls, throughout the entire governance workflow. This means that X1 Enterprise not only avoids compounding compliance risk, it actively reduces it, by ensuring that sensitive data never leaves its controlled environment. For organizations subject to GDPR, HIPAA, CCPA, or sector-specific data residency requirements, the ability to conduct large-scale information governance analysis entirely within the corporate firewall is not a luxury. It is a hard requirement. X1 Enterprise is the only platform in the market that can meet this requirement at multi-terabyte scale without architectural compromise.

Perhaps most powerfully, the in-place architecture closes the remediation loop that Elasticsearch-based tools leave permanently open. When X1 Enterprise identifies data that must be deleted, preserved, tagged, or acted upon, it can execute that remediation directly on the source data in Microsoft 365, on file servers, on endpoints, wherever the data resides. There is no manual tracing back from a centralized index to a distributed original. The finding and the action occur in the same environment, with full auditability and chain-of-custody documentation.

X1 Enterprise delivers the architecture that the industry has needed for years.

To learn more, schedule a briefing today at sales@x1.com or visit x1.com/solutions/x1-enterprise-platform.

Leave a comment

Filed under Best Practices, Business Productivity Search, Data Governance, eDiscovery & Compliance, Enterprise AI, Enterprise eDiscovery, Enterprise Search, ESI, Information Governance, Information Management