If you've spent any time working with enterprise data and legal compliance, you know what a litigation hold looks like. You know what SEC 17a-4 means. You know that GDPR records-keeping isn't just about deleting data - it's about being able to prove exactly what was retained, when, and by whom.
Microsoft 365 handles all of this. Automatically. Every document ingested into M365 is covered by audit trails, retention policies, and eDiscovery infrastructure that your legal team, your auditors, and your outside counsel have already approved.
A SharePoint list can handle 30 million items. Once it passes 100,000, SharePoint automatically freezes permission settings - so no one can accidentally change who sees what. 200 million monthly active users trust that model. Your legal team does too.
What happens when you copy the data
Here's what happens when you "ingest" M365 data into a vector database for AI search:
- You create a second copy of the data - outside the compliance boundary M365 provides
- Every retention policy, privacy notice, and data-subject-access workflow now needs to be duplicated and kept synchronized
- Every litigation hold needs to cover two systems instead of one
- If the vector copy is stale when a subpoena arrives, you have a problem your lawyers will not enjoy
87% of data science projects never reach production. One major reason: the moment data leaves its compliance boundary, risk and cost skyrocket. Legal gets involved. IT pushes back. The project stalls.
The alternative: keep records where the auditors already know how to find them
SWIRL doesn't move M365 data. It connects to M365 at query time - searching SharePoint, Teams, email, OneDrive, and other M365 sources in real time, with OAuth2 authentication, respecting the permissions that M365 already enforces.
The AI only receives the permissible content for the user making the request. In real time. From the system your auditors already have covered.
No second copy. No new compliance perimeter. No synchronized retention policies to maintain. The records stay where the auditors already know how to find them.
The question isn't whether you can ingest M365 data into a vector database. You can. The question is whether you've thought through what you're giving up when you do - and whether you've told your general counsel.