Enterprise Content and AI Security

You can’t talk to a business customer today without AI coming up. While most people seem to have embraced the power of public generative AI tools like OpenAI’s ChatGPT or Google’s Gemini, there’s a lot of hesitation when it comes to using generative AI on enterprise content. The one concern that comes up again and again? 

Security.

Rightfully so. Public AI tools don’t have to worry about security. They’re gobbling up all the data on the public internet with the motto: “Train first, worry about intellectual property rights later.” Technically, nothing is stopping them from doing that, and their models are fed by scrapers and crawlers that grab everything they can find.

In an enterprise, however, that doesn’t work. Enterprise data is privileged, confidential, and subject to privacy laws. The data cannot be shared with everyone, and AI models must respect that. It means two users must receive different answers to the same question, depending on the data they’re authorized to access.

The problem is, if your content isn’t well secured and governed in the first place, AI will expose those holes quickly. You may have been able to hide some data behind cryptic file names, but that won’t stop the AI models. Having solid data governance with granular, clean permissions is imperative. Otherwise, it’s “bad security in, bad security out,” to paraphrase Fuechsel’s Law ("garbage in, garbage out").

It also means you need to bring AI tools to your content rather than trying to bring your content to the AI tools. It’s hard enough to secure your content in the first place, and the idea of copying a snapshot into a separate container for AI would obliterate any of that security.

Don’t expect public AI vendors like OpenAI, Google, Anthropic, Meta, or DeepSeek to solve this problem. Enterprise content is a different animal—one they neither understand nor care to understand. None of these vendors has any enterprise DNA. Security is not their concern, and their models aren’t built with the assumption that data access should vary by user.

To illustrate this point, let me remind you of what happened with enterprise search. Web search, which we all use many times a day, is based on an index created by crawlers that scour the internet to deliver the best content match for your keywords—the same results for everyone. That’s what Google does in simplest terms. But in the enterprise, that approach doesn’t work. Enter enterprise search.

About 20 years ago, Google—the heavyweight search champion—entered the enterprise search space with a bright yellow, rack-mounted Google Search Appliance, drawing a lot of attention with its promise that managing content wasn’t necessary: "Wherever it is, you can find it with Google". Or something like that.

It sounded great—except it didn’t work. Google eventually discontinued the product after a decade of trying. Interestingly, other major players in enterprise search met similar fates. There was FAST, which Microsoft acquired in 2008—only to discover a year later that FAST had been cooking the books. And then there was Autonomy, which HP acquired in 2011, only to eventually sue the CEO and CFO for—you guessed it—cooking the books. The Hollywood-worthy Autonomy saga ended with the CFO in jail and the CEO dying in a freak boating accident. (I described that story in more detail last year in “Mike Lynch, Autonomy, and Incredible Coincidences”.)

Today, search is provided by the companies that own the data. Enterprise search is hard, and usually, only the company that built the repository has a chance of doing it well. On the web, Google finds content that wants to be found—literally. Millions of companies spend billions of dollars each year on SEO to make their content easily discoverable. And there’s no security to worry about.

Enterprise content is different. It’s not optimized for search engines, and security is not optional. This is hard to get right. Eventually, the open-source Apache Lucene solved the problem well enough, and that’s what many enterprise applications use today. Still, you rarely hear anyone say, “Wow, this search is amazing”—because it doesn't match Google’s web search, which sets the expectations bar.

Now, let’s come back to AI. The vector databases at the heart of enterprise AI models must respect data security, just like search indexes do. That’s incredibly difficult for anyone other than the companies that hold the data. Only they understand the data structures, the users, and their permissions. For any external application, sure, it’s possible, but it's really hard to make that work. If you don’t believe me, think back to enterprise search.

AI in the context of enterprise data will be extremely valuable, with the potential to dramatically boost productivity—whether it’s through assistants, agents, or whatever comes next. But in an enterprise, the first rule will always be: respect the data’s security. 

And that makes it hard.

Scalability Redefined

Scalability matters. Obviously. But scalability seems to mean many things to different people. Most commonly, scalability is equated to the number of users - people - accessing a particular system. That's a good start, but we we have to of course consider the degree of concurrency. There is a difference between a solution that 1,000 people use once or twice a week versus a solution that 1,000 people pound upon continuously.

In large deployments, there is also the question of how many systems are actually really being used. Early in my career, I spent several years working at Novell. It was the heyday before Windows NT and the company enjoyed a commanding market share. Large and small companies used Novell networks. But we knew, that an average (software) server always had only about 100-200 users working on it. Sure, there were some companies with 100,000 employees that used Novell NetWare. Those were big deals, big deployments, and examples of high scalability. Right? Well, not really.

Those large companies were in reality running hundreds of separate Novell server instances and each one of them would still get just a couple hundred users. I see a similar pattern with today's deployments of Microsoft SharePoint and, to some extent, also with Exchange. It is quite a different kind of scalability when 100,000 users all share a single instance of an OpenText repository - even if that repository runs physically across multiple hardware servers.

There are more dimensions to scalability than just the number of users, though. The number of operations or transactions comes to mind - from MIPS to the number of credit card purchases. How about the number of objects under management? Examples could be the number of documents, number of customers, number of transactions, number of contracts, number of relationships, number of suppliers, etc.

To be scalable, enterprise software must not be just capable of holding the number of objects in a database or repository. It also has to provide the ability to efficiently view and manipulate the data. If your web-based user interface shows the objects in blocks of 20 while you have millions of objects to sort through, your application might not be very scalable! By the way, having a single data container capable of holding millions of objects is another dimension of scalability.

There is yet another factor that needs to be added to the definition of scalability: the metadata. This is the data that describes your data. Without metadata, your data only contains what is explicitly stated in it. Sometimes, that may be useful by itself but in most cases, we want to add lots of enterprise related context. We want to add information about people and teams who work with the data. Information about the organizational structure and approval hierarchies. Information about projects to which the data belongs. The deadlines, the cost centers, the retention requirements, etc. The metadata can be often richer (= bigger) than the data itself. But it is absolutely critical in the enterprise and your application needs to scale to accommodate it.

There are many factors that define scalability and looking just at the number of users can be often insufficient or even misleading.

The Social Groupthink

The groupthink is a well documented psychological phenomenon where a group of people, usually insulated from any counterbalancing point of view, ends up making gravely irrational decisions. During the phenomenon, the group is driven by the spirit of harmony, collaboration and the desire to reach consensus. The more the reasoning progresses, the more the group is mutually reinforcing its one-sided perspective while it completely discounts any alternate point of view. The results can be disastrous and many events in history have been attributed to the groupthink, including the US Navy negligence prior to the attack on Pearl Harbor or the US invasion of the Bay of Pigs.

The John F. Kennedy cabinet during the Cuban Missile Crises - another "groupthink" at work

In the world of social media, groupthink is very common. On social media, we tend to follow people who share views that are consistent with our own views. Hockey fans follow other hockey fans, single mothers follow single mothers, wine connoisseurs follow wine connoisseurs, and democrats follow democrats. This natural selection is the result of a rational behavior - we engage with people with whom we share common interests.

On top of that, social media like Facebook employ filtering algorithms to reduce the torrent of updates we get exposed to. These filters are based on explicit personal preferences (i.e. interests stated in our profiles) as well as on the results of our interactions. If you like a post about kittens the algorithm will reason that you like kittens and chances are you will be seeing more posts about kittens. Over time, you end up ‘liking’ various comments, pictures, and pages. Based on your liking, Facebook starts presenting you more of the stuff you like from the people who’ve shared liked news before. That happens at the cost of all other news in your newsfeed. As a result, you get exposed only to views from friends who you “like" more and more and you won’t get exposed to anything else. This is a fertile breeding ground for a groupthink with all its shortcomings.

Now, consider social software in the enterprise. Its promise was to stimulate employee effectiveness and foster innovation by bringing together diverse groups of employees who bring in different expertise and who share different points of view. Yet, if we end up with conversations where only the employees thinking the same way talk to each other, the results of social software will be greatly reduced.  

There are, of course, many other great uses for social software in the enterprise i.e. collective decision making, process collaboration, or customer service. Yet with the need to drive the corporate innovation agenda on top of the priority list for many CEOs, the promise to use social software for ideation is very compelling.

To make that happen, we must avoid the social groupthink. We have to be very careful about the filtering algorithms we employ and we have to devise strategies that encourage employees to engage with others beyond their existing teams and functions. Tribal interactions are good, but engaging across a variety of employees is what stimulates corporate innovation.

Darwin Meets the Innovator's Dilemma - in the Cloud

In his book Dealing with Darwin, Geoffrey Moore - the one of the Crossing the Chasm fame - has explained the difference between the complex systems and volume operations. According to this concept, technology vendors fall into one of two categories. The complex systems vendors focus on a relatively small number of high-value, high-touch transactions that are delivered in the form of sophisticated, customized solutions, usually integrated with other systems.

Geoffrey Moore's model for Complex Systems vs Volume Operations

The volume operators are doing exactly the opposite. They deliver relatively simple, inexpensive solutions through low-touch transactions - no direct sales force but resellers, retailers or online sales. These solutions come with no customization, no integration with other systems, and a limited feature set - one size fits all. While there are many scenarios in between (i.e. small business offerings), Geoffrey Moore suggests the the more a vendor is focused on one or the other extreme, the more effective the business model. IBM and Oracle are examples of complex system vendors while Apple and Google are volume operators.

The most important point that Moore makes is that vendor business models become so optimized for one or the other business architecture that crossing from one side to the other is impossible. Having started on one side of the model, the vendor’s business model, business processes, and key performance metrics are completely hard-wired towards the particular model that makes switching practically impossible.

Geoffrey Moore at an AIIM project

Now, let’s mesh the Moore model with another one - the Innovator’s Dilemma by Clayton Christensen. Professor Christensen suggests that disruptive innovations will always be attacking the incumbents from the bottom up - by providing low-end solutions for the less demanding customers and thus flying under the radar of the incumbent market leaders - until they gain the critical mass and sufficient functionality to challenge the incumbents.

Clayton Christensen's Innovator's Dilemma model 

OK, time to put the two models to work - in enterprise software. The established vendors including IBM, Microsoft, and Oracle are supposedly being challenged by the disruptors coming from the lower end of capabilities - just like the Innovator’s Dilemma predicted. Those disruptors are companies such as Salesforce, Google, Dropbox and others. They all have one thing in common - they are cloud based. But how do they do it when we look through the Geoffrey Moore lense?

Salesforce is a cloud based disruptor that has initially targeted the sales force automation (SFA) market and later the customer relationship management (CRM) market with a cloud based solution. Salesforce has clearly started as a complex system from day one and they have continued evolving in that direction. Their initial customer base were mostly smaller companies and departments but they continued focusing on complex systems - evolving towards more valuable and more complex deployments. Salesforce never had to shift from one side to another on the Geoffrey Moore model. Today, a typical Salesforce deployment involves integration to marketing automation and enterprise resource planning systems.

Microsoft started as a complex systems vendor with enterprise on-premise offerings such as Exchange and SharePoint (note: I’m discussing the enterprise software here, not their Xbox business). To take on the cloud challenge seriously, Microsoft created Office 365 - a cloud based offering that is clearly going in the direction of volume operations on the Moore model. That actually explains why Microsoft uses different branding for the cloud based solution and why they are not particularly worried about the integration between Office 365 and the on-premise offerings. While Microsoft shouldn’t be able to switch from the complex systems model to a volume operations model, they are applying their considerable financial resources to power through those challenges, ignoring the business model altogether.

Clayton Christensen during his visit in Waterloo, ON

Google and Dropbox started as cloud-based offerings focused purely on volume operations - on the consumers. The consumer focus and free price helped them to grow their user base quickly, often infiltrating the enterprise. But the offerings have been clearly designed as consumer software aiming to attract as many eyeballs as possible at the least possible cost. That means basic feature set, no customizations, no integrations, no direct sales force - simply one size fits all service.

While vendors such as Google, Dropbox - and also Apple, Amazon, Evernote, etc. - have a good formula to drive user adoption and even penetrate the enterprise, their business model has been designed to cater to the consumer and not to the enterprise. Enterprises need, I repeat “need” customization and integration with other systems. Just think of managing user lists and groups. Sharing content on Dropbox with your friends might be easy, sharing something with all the employees in Sales or Marketing in your company is much less trivial. You can’t manage all the user groups by hand and thus you need to integrate with other existing systems - i.e. directory services and HR Management system. Enterprise software can do that. Consumer software can’t.  

The consumer vendors might be penetrating the enterprise but today, they don’t have any enterprise offerings.

PS: This post has been inspired by a spirited discussion during the last AIIM Board meeting. I love these conversations with my fellow Board members!

Does Windows Phone Stand A Chance?

I must say, I am pretty impressed by the Windows Phone operating system. Unlike the Google Android which is, let’s face it, a poor copy of the the Apple iOS, Microsoft created a truly original user experience. The notion of having the same OS that spans the desktop, laptop, tablet, and the smartphone is a very compelling idea. Even Apple didn’t quite make that happen as their Mac OS is still distinct from  iOS.

I have also been impressed by some of the strategic moves Microsoft has been making with their Windows Phone. The partnership with Nokia is a strong endorsement - no matter how long and painful Nokia’s recovery might be. Microsoft also recruited many other vendors including Samsung, LG, HTC, Dell, and others.

Since Google acquired Motorola, there is more and more doubt about Google’s innocence when it gets down to the openness of the Android operating system. That fact alone makes the Windows Phone operating system a rather compelling alternative for the hardware vendors. While none of them have publicly switched their allegiances yet, I’m sure they all are talking to Microsoft.

Also, the recently announced deal with Barnes & Noble and their Nook ebook reader could be a major coup for Microsoft. Sure, Nook runs on Android today but I would bet many chips that the next release will run the Windows Phone OS. Not a bad move for Microsoft if you ask me!

With all of these strategic moves going in Microsoft’s favor, it is surprising that the Windows Phone market share continues sliding down. According to the latest ComScore market share report, Windows Phone has merely 3.9% of the US market - compared with 4.7% three months ago. The trend has been heading south over the last 18 months and frankly, any player in the single digits is questionable...

So what should Microsoft do to reverse this trend? Well, releasing a truly differentiated and innovative operating system is a good start. Windows 8 with all its bells and whistles and particularly with the Metro-style user interface is very promising. The Metro-style apps that Microsoft is going to release next look awesome. But one thing is still missing...

A mobile operating system is supposed to be a platform. And a platform requires applications. This is where Microsoft is not doing so well. When I try to find my favorite iPhone apps on the Windows Phone, I am striking out more often than not. Yet Microsoft understands how to cater to developers. Their tools and developer programs are second to none in the software industry. But there is more to that.

Microsoft should be actively recruiting developers to port their apps to Windows Phone. That is not a slam dunk for most developers as Windows Phone is currently their number 4 platform of choice after Apple, Google and RIM. Yeah sure, RIM has some problems but the BlackBerry OS still has more than double the market share than Windows Phone. Today, building an app for Windows OS is a major gamble with uncertain payoff.

This is where Microsoft could and should use its market power. Instead of billboards, Microsoft could be paying a few thousand dollars to the developers of the key apps to port their apps to Windows Phone. Microsoft should just go aggressively after all these developers and entice them to make it happen.

Particularly in the enterprise market , Microsoft should aggresively solicit the vendors’ support. Right now, Windows Phone OS is the number 4 priority on the list for any enterprise software vendor - after Apple, Google, and RIM. Number 4 rarely makes it into a released product. Everybody’s budget is tight and the money is barely enough for priorities 1 and 2...

Developing apps for a platform that has 3.9% market share with a declining trend is a tough business case to make. This is the top problem Microsoft has to focus on to make Windows Phone a success and without addressing this issue, the platform will likely fail.

Struggles of a Professional iPhone User

A few weeks ago, I have made the switch from BlackBerry to iPhone. I’ve owned an iPad for almost a year now and there appeared to be no hope that most of the cool apps that iPad offers would ever appear on the BlackBerry OS. I was also getting increasingly disenchanted with the poor browser experience, with the lack of an iTunes-like tool to manage my content library (not that I am enamored with iTunes - a pretty poor program if you ask me) and with a variety of performance issues and freezes that plagued my BlackBerry lately. And so when the renewal time came up, I have made the switch into the promised land of Apple. 

iPhone Calendar

I should mention that I am at this point an all-in Apple user, having embraced at home everything from iMac, iPad, iPod, iTunes, AirPort, Time Capsule, AppleTV to now also the iPhone. I expected the iPhone to be inferior for making actual phone calls but who cares - the last thing I want to do with a smartphone is make phone calls. But actually, the iPhone makes phone calls just fine. I have, though, discovered numerous challenges that I honestly miss from my BlackBerry: 

1. Calendar
The calendar is pathetic which I knew from using it already on the iPhone. It does not not support the Exchange categories and so my iPhone calendar is monochromatic in contrast to the colorful experience in Outlook. That’s rather odd considering that this is an Apple calendar - as if the cool hip Mac guy swapped cloths with the chubby dull PC guy. I’m also having issues with the calendar not caching properly which means it always tries to rebuild itself by downloading all data from the server. Pretty annoying actually - even though this issue could have to do with our IT architecture rather than with my iPhone. 

2. Appointments
The most glaringly missed feature, one that suggests that Steve Jobs is secretly carrying a Blackberry under his black turtle-neck, is the inability to simply click on a phone number in a calendar appointment to dial it. Conference calls are apparently not something iPhone users are expected to do. This is such an appalling omission that I must suspect that Apple developers never actually used the iPhone 4 for anything but to track the performance of the Apple stock. 

3. Appointments (again)
The calendar does not allow some of the basic functions - I cannot forward an appointment, I cannot suggest an alternate time, the calendar message gets truncated and I don’t see a setting to prevent that. BlackBerry did these things and I need to use them daily. And while I’m complaining about the appointments, here are three requests I have for Microsoft: I want to be able to decline an appointment (saying clearly ‘no’) while keeping it in case my other engagement gets canceled which keeps happening all the time. I also want to see an ability to prioritize my appointments. And finally, I also want to have notes associated with calendar appointment before, during and after the appointment.  

4. Email Search
Where is the search button in email? Seriously? Is there some kind of magical four-finger flick motion I need to learn to evoke this basic function? C’mon, Apple! 

5. Contacts
My iPhone doesn’t allow me to look up people numbers in our corporate Exchange directory. Why not? Does Apple expect me to download the entire directory to the iPhone and maintain it by hand? Steve Jobs must apparently not be calling many people at Apple. Also,  phone numbers stored in incomplete format such as (519) 123-4567 cannot be dialed when roaming. Your number has to be in the complete format with a country code e.g. +1 (519) 123-4567. That limitation is regrettable and odd given that the OS knows when I am roaming and what my default country is and could thus easily complete the number automatically. 

6. No super-apps
I always thought that the super-app concept from BlackBerry was a little bogus - it touts cross-integration between apps that makes so much sense that I couldn’t imagine it would not be there. Well, I can imagine it now since the apps on my iPhone are completely isolated from each other. The concept is pretty straight forward - for example, every time I see a person in an app, I should be able to access that person’s profile straight from within the app - I should be able to call, email, IM, or whatever other means of communication I have. Similarly, I should be able to share (via email, Twitter, Facebook, etc.) any content asset from within any application. These things are inherent to the BlackBerry OS and yet they don’t exist on the iPhone.

7. Multi-tasking
Apple’s claim that multi-tasking is supported since iPhone 4 - true, as long as one of the tasks is listening to music. Something as basic as checking the calendar while on the phone is not possible. This one threw me off as I always thought that all those teenage consumers - the primary target audience for Apple - are heavily into multi-tasking doing chats in 10 sessions at a time while talking on the phone, tweeting, facebooking, and doing homework all at the same time. They might but not on the iPhone. 

These are some of the examples of functionality I miss from my iPhone. They are basic level features used daily by every professional in business. My experience is re-affirming to me what I have already suspected - Apple does not care for nor understand the business user. They will keep piling up awesome features for playing music, movies, talking to friends, taking pictures and all the other things consumers do and love but the business users are not Apple’s priority. 

I still think that the iPhone is a superior device and I am going to stay with it for now. I am locked into my 2 year plan anyway - courtesy of my customer-loving wireless service provider. But the lack of support for business users is a huge opportunity for RIM which has a massive head start in this space. This is where they grew up and this is where they should dominate. Their marketing messages should be focused on the business user rather than chasing consumers (which I wrote about in December 2010). Business users like me should be told to keep their BlackBerry but nobody is telling them that.