AI Ethical Breaches: The Risks of Inviting AI into your Meeting Room

2026-06-10

By Jazz Chee


Maintaining full attention throughout long meetings is difficult, and important details can easily be missed. AI meeting tools have emerged to address this long-standing workplace challenge by automating note-taking and meeting documentation. According to Otter.ai, 62% of working professionals save more than one month of time a year by using their AI Meeting Assistant. These Gen AI-powered solutions can record, transcribe, summarise, and analyse both virtual and in-person conversations, reducing the reliance on manual note-taking and allowing participants to focus on discussions and decision-making. Tools such as Otter.ai and Granola have gained traction in business functions as a way to reduce the burden of manual note-taking and ensure that follow-up action items are captured accurately.

While the productivity case is clear, the data protection implications of using such tools within a company’s workflows are less so. Introducing AI meeting assistants can introduce significant privacy, security, and governance risks, as they routinely capture, store, and process sensitive information discussed during meetings. Further, entrusting information collection to Gen AI tools poses a severe threat to data integrity, particularly in high-risk industries such as healthcare and legal, where inaccuracy can lead to critical consequences.

The Real Governance Concern: Consent and Data Exposure

While most AI meeting tools follow the industry standard and are SOC 2 Type 2 and GDPR compliant, they come with three categories of risk that DPOs and governance professionals must assess before deployment:

1. Consent – Are ALL meeting participants fully aware that conversations are being recorded and potentially used for internal AI training purposes?

In most cases, the burden of disclosure falls unevenly. While meeting organizers or hosts may be aware that an AI tool is active, individual participants are often not explicitly informed. A brief automated message at the start of a meeting, for example "This call is being recorded", may technically satisfy legal requirements, but it rarely communicates the full picture: that transcripts may be stored, searchable, linked to identities, and potentially used to improve the vendor's AI models. This gap between technical compliance and genuine informed consent is where governance risk accumulates.

2. Data Exposure – Are internal and third-party AI models training on sensitive information revealed in meetings?

Most AI meeting tools contractually prohibit third parties from using customer data to train external models, but that protection stops at the vendor's own door. By default, many platforms reserve the right to use meeting transcripts and recordings to improve their own proprietary models unless users explicitly opt out – a setting that rarely surfaces prominently. This means sensitive discussions about strategy, personnel, finances, or client relationships may quietly become training signals for the very tools meant to support them.

3. Data Integrity – Is the information summarised from the transcript of a meeting accurate?

Relying on AI transcription tools without verification introduces significant risks, including operational mistakes, compliance breaches, and AI hallucinations. If you feed an inaccurate transcript into a Gen AI tool to create summaries or action items, the AI will build upon those errors. When AI lacks context, it invents details to fill the gaps, compounding the original inaccuracies. 

The Otter.ai Lawsuit: A Governance Failure Example

In August of 2025, a class action lawsuit was filed against Otter.ai in a federal court in California. The complaint alleged that Otter.ai’s note-taking services recorded, transcribed and used the contents of private conversations without obtaining proper consent from all meeting participants. The plaintiff claimed that Otter joined Zoom, Google Meet, and Microsoft Teams meetings as a participant, transmitted conversations to Otter’s servers, and used the recordings to train its speech recognition and machine learning models.

Here is where the problem lies:

  • Recording Without Consent: The main charge alleges that meetings were recorded without all parties consenting, violating certain all-party data protection laws.

  • Data Being Used to Train the AI Model: The complaint claims that Otter likely used conversational data to train its AI, violating data privacy and lawfulness rules.

Employees discreetly incorporating AI tools into meetings is an example of Shadow AI – the use of AI without the firm’s knowledge or IT approval. This creates an operational risk as confidential information may be unintentionally exposed.

Governing AI in the Meeting Room: What Organisations Must Do Now

As AI meeting tools become standard practice in the workplace, organisations cannot afford to treat governance as an afterthought. Employee-led deployment of AI tools should always go through corporate approval to eliminate the use of Shadow AI. Monitoring for Shadow AI should include scanning network activity to identify bots operating without IT approval. If an AI note-taking tool is found to be violating internal privacy policies, it should be suspended immediately.

On consent, organisations should mandate pre-meeting disclosure, logged affirmative consent, and the ability for any participant to opt out or remove a recording bot. Human-in-the-loop verification must also take place at mandated intervals. Before meeting minutes are formalised and distributed, an assigned responsible party must take accountability for their accuracy. Ultimately, responsible deployment of AI meeting tools requires governance that is proactive, not reactive – with clear accountability, enforceable controls, and compliance built into the process from the start.


The AI Lifecycle depicts where AI systems are most vulnerable across the data collection, storage, report, decide, distribute, and dispose phases. This article expounds on the risk incurred by using AI meeting assistants, which poses an AI breach risk in the collection stage of the lifecycle. If you're interested in learning more about AI Breaches, register to be contacted when Dr. Kevin Shepherdson's latest book "AI Ethical Breaches to Beware Of" is available for sale.


Sources: Otter AI, Zapier, Sybill, Basil AI, IBM, Mashable 

