What goes wrong on Google Workspace.
And what good looks like.
Five anonymized failure patterns at mid-market Workspace shops, and three wins that show what disciplined deployment unlocks. Workspace tends to be more forgiving than M365 on the security side β but governance debt accumulates differently. Shared Drive sprawl, phantom external shares, Vault misses, and unsanctioned Marketplace add-ons are where we find most of the issues.
Five Workspace failure patterns we see at mid-market.
Workspacegovernance The Shared Drive sprawl
The 200-person company whose Workspace tenant accumulated 1,400 Shared Drives over three years β most created by individual managers, owned by departed employees, and containing duplicates of documents nobody could find.
The lesson. Shared Drive governance from day one. A naming convention, an owner per drive, a quarterly cleanup cadence, and admin policy preventing 'Manager' creation by non-admins. The cleanup project after the fact is a quarter of work.
Workspacedata-exposure The phantom external shares
The professional services firm that discovered during a security audit that 600+ documents were shared with 'Anyone with the link' externally β most created during one urgent client engagement two years prior, then forgotten.
The lesson. Workspace DLP rules that block 'Anyone with the link' for sensitive content categories. Quarterly external-share audit reports. The Drive Security Center has the data; nobody runs the report.
Workspacearchitecture The M365-Workspace coexistence mess
The acquired-by-larger-company scenario: legacy team on Workspace, parent on Microsoft 365, 18 months of mail flow that lost messages during forwarding loops, and meeting invites that never showed up on the right calendar.
The lesson. Coexistence requires real architecture work, not just SMTP forwarding. Mail flow design, calendar federation, identity sync via SSO, shared file workflows. We've shipped several of these β it works when designed properly.
Workspacecompliance The no-Vault-policy discovery
The mid-market firm that received its first legal hold notice and discovered that Vault retention had never been configured β meaning the data they were now legally required to preserve had been auto-deleted after 30 days for the past four years.
The lesson. Vault retention policy is a Day-1 configuration, not a Day-30 cleanup. The default 'no retention' policy can create legal exposure that nobody notices until the hold notice arrives.
Workspaceshadow-it The Marketplace add-on you didn't install
The healthcare practice that discovered an unsanctioned Workspace Marketplace add-on, installed by an employee 14 months earlier, had been processing PHI through a third-party SaaS vendor with no BAA in place.
The lesson. Marketplace allowlist enforced via admin policy. App access control restricts which add-ons can read which Workspace data scopes. Default-deny with explicit approval; default-allow is the wrong posture.
Three wins from disciplined deployments.
Workspace engagement M365 β Workspace migration in 6 weeks, zero downtime
A 180-person creative agency migrated from Microsoft 365 to Google Workspace in 6 weeks with zero email downtime β driven by Workspace fitting their actual collaboration patterns better than M365 did.
What made it work. Migration cutover is mostly about preparation. Mailbox sync running for 2 weeks pre-cutover, parallel Drive sync for shared content, identity federation in place before mail flow flips. The cutover weekend is the easy part.
Workspace engagement ChromeOS rolled out to 250 frontline workers
A multi-location franchise rolled ChromeOS Enterprise to 250 frontline workers, replacing aging Windows laptops. Endpoint TCO dropped roughly 40% over 3 years β patching, image management, and lost-device replacement got dramatically simpler.
What made it work. ChromeOS shines for narrow-software-stack roles. The clients who succeed have done the work to identify which roles are good fits (frontline, kiosk, education, regulated environments where less local data = less risk) and which are not (deep Office workflows, specialized engineering tools).
Workspace engagement Vault eDiscovery saved a litigation defense
A mid-market firm received a complex litigation hold covering 5 years of email and chat communications across 35 custodians. Vault eDiscovery + retention policies that had been in place for 3 years made compliance a 2-week project instead of a 6-month panic.
What made it work. Vault is one of those investments that costs little and matters enormously when it matters. Configure retention + eDiscovery + custodian groups before you need them, not after.
Workspace governance is different β and easier β than M365.
Workspace was built cloud-native. The governance primitives (Shared Drive ownership, Vault retention, Marketplace allowlist, BeyondCorp policies) are simpler to operate than the equivalent M365 stack. The catch is that Workspace shops often skip them entirely because the platform feels self-service.