Can AI notetakers be manipulated to alter what gets recorded as the official meeting outcome?

Yes. Researchers have documented four techniques that allow any meeting participant to influence what an AI notetaker captures: high-signal anchor phrases, positional gaming (speaking first or at transition points), contrastive framing, and format mirroring. None of these require technical access — they exploit how summarization models weight language.

What is prompt injection in the context of AI notetakers, and how serious is it?

Prompt injection against AI notetakers works by speaking override instructions — such as 'ignore all prior instructions' — before or during a recorded meeting. At least one documented test against Otter.ai successfully destroyed the entire meeting's notes. Because the attack requires no technical access and leaves no forensic artifact, it is equivalent to log tampering for any meeting where the AI notetaker is the sole record.

Does using an AI notetaker during a legal consultation destroy attorney-client privilege?

A February 2026 court ruling established that conversations with Claude were not protected by attorney-client privilege, because Claude is not an attorney and Anthropic's privacy policy permits broad data use that breaks the confidentiality requirement. The same logic applies to any AI notetaker storing a transcript in a vendor's cloud under permissive terms of service — legal teams must assess this risk before using AI tools in privileged contexts.

What are the minimum enterprise controls security teams should implement for AI notetakers?

Joe Sullivan's framework covers five areas: SSO enforcement (all notetaker tools must authenticate through your identity provider), tiered access controls for sensitive meeting transcripts, defined data retention and deletion schedules, third-party risk assessment for notetaker vendors, and security awareness training covering consent laws and approved tools. Contractual AI recording clauses in vendor and consulting agreements round out the baseline.

AI Notetaker Security Risks: What Every CISO Needs to Know

An employee joins a company all-hands with Granola^[1] running silently on their laptop — no bot in the meeting, no notification to attendees, full transcript saved to a personal cloud account. In two-party consent states like California, that is illegal, yet it happens in enterprise environments every day as AI notetaker security risks go unaddressed. Meanwhile, a researcher proved that saying “ignore all prior instructions” before a recorded meeting can wipe the entire summary.

For security engineers, AI notetakers are no longer a productivity footnote — they are an unmanaged AI endpoint capturing every sensitive discussion, legal deliberation, and incident response decision your company has. This post breaks down the manipulation techniques, data exposure vectors, legal landmines, and the enterprise controls you need before your employees show up wearing Meta glasses.

Key Takeaways

You'll learn how attackers can manipulate AI notetaker summaries using high-signal phrases, positional gaming, and format mirroring — and why security teams must treat meeting AI as an active threat surface.
You'll be able to identify the concrete enterprise risks AI notetakers introduce: viral OAuth scope expansion, silent recording tools, data residue at bankrupt vendors, and prompt injection attacks that can erase or corrupt meeting records.
Apply this to build a defensible AI notetaker policy: SSO enforcement, data retention controls, third-party risk vetting, employee training, and legal team alignment before wearables make covert recording the default.

How AI Meeting Summaries Can Be Gamed and Manipulated

AI notetakers have quietly become the official record of your organization’s most sensitive conversations — and that record can be manipulated by anyone in the room with basic knowledge of how these systems process language. Researchers have already published studies documenting the techniques, and understanding them is essential to recognizing AI notetaker security risks as a legitimate integrity threat surface.

The Manipulation Playbook

1. High-Signal Anchor Phrases

AI meeting summarizers are trained to weight certain language patterns as authoritative markers. Phrases like “the most important thing to remember is,” “the key point here,” or “to summarize what we’ve decided” reliably cause the model to elevate the surrounding content in its summary output. Any participant — not just the meeting organizer — can use these phrases to ensure their agenda items dominate the final notes, regardless of whether those points reflect group consensus or objective priority.

From a security and governance standpoint, this means the AI-generated meeting record is not a neutral transcript. It is a weighted output that favors participants who understand the model’s behavior and are willing to exploit it.

2. Positional Gaming: Primacy and Recency Bias

Studies show that AI meeting agents behave similarly to human memory: they disproportionately capture content at the beginning of a meeting and at transition points between agenda items. This is the same primacy and recency effect seen in human cognitive science, now embedded in automated summarization systems.

The practical implication: a participant who speaks first, or who deliberately introduces or closes agenda transitions, gains structural influence over what the AI records as significant. In sensitive discussions — vendor negotiations, incident response debriefs, legal reviews — this asymmetry can have material consequences for how decisions are later reconstructed.

3. Contrastive Framing

Deterministic language constructs that establish binary choices or explicit exclusions are particularly sticky for AI summarizers. Statements structured as “let’s do X but avoid Y” or “option A is preferred over option B” give the model a clear, parseable signal that maps cleanly to summary templates. This is contrastive framing, and it makes the speaker’s preferred outcome appear as the documented decision even if the meeting discussion was more ambiguous or contested.

For security engineers, this is directly analogous to how social engineering exploits cognitive shortcuts — except here, the target being manipulated is the AI agent, and the downstream victim is anyone who relies on the meeting record for accuracy.

4. Format Mirroring

AI notetakers generate structured summaries by inferring section headings from the meeting’s content. If a participant repeatedly uses a specific phrase that matches the format a summarizer would use as a heading — for example, repeating “the action items are” or “the risk assessment shows” — that phrase will anchor the section structure of the output. The participant effectively controls the document architecture of the meeting record, not just individual bullet points.

This is particularly dangerous in recurring meetings where the section structure of AI-generated notes becomes institutionalized and trusted as an objective record.

The Accuracy Problem Compounds the Manipulation Problem

Beyond deliberate gaming, AI notetakers introduce a baseline hallucination and transcription error rate estimated at approximately 3% of generated notes. Accent recognition disparities add additional distortion — a speaker saying “impossible” may be transcribed as “possible,” reversing the meaning of a documented position. These unintentional inaccuracies, combined with the manipulation techniques above, mean that the AI-generated meeting record can deviate significantly from what was actually said — in ways that are difficult to detect without a full audio review.

Security Implications for Sensitive Discussions

In any meeting where the AI-generated summary functions as the authoritative record — incident response reviews, architectural decisions, legal consultations, performance conversations — these manipulation vectors represent a social engineering risk with operational and legal downstream effects. The person who controls the AI’s output controls the institutional memory of what was decided, who said it, and what the agreed priorities were.

Actionable Takeaways

Treat AI-generated meeting summaries as untrusted artifacts in sensitive contexts. For incident response debriefs, architectural decision records, and legal consultations, supplement AI notes with human-authored summaries or require review against the full audio/transcript before the notes are considered authoritative.
Include AI notetaker manipulation techniques in security awareness training alongside phishing and social engineering modules. Employees — especially those in negotiation, legal, or leadership roles — should understand that their position in a meeting and the language they use directly affects what the AI records as the official outcome.
Audit the AI notetaker tools deployed in your organization to understand whether their summarization outputs are being used as binding records. If they are, define a verification and challenge process so that any participant can flag a summary as inaccurate and trigger review — establishing an evidentiary standard before those records are needed in a dispute.

Common Pitfalls

Assuming AI meeting summaries are neutral transcriptions. Organizations that treat AI-generated notes as objective records without understanding the weighting mechanisms embedded in summarization models are systematically exposed to summary manipulation — particularly in high-stakes meetings where participants have competing interests in what the record reflects.
Ignoring the ~3% hallucination and transcription error rate as a rounding error. In a one-hour meeting with dozens of decisions and action items, a 3% error rate across the note set can introduce multiple materially inaccurate records. When those notes are the only documentation of a decision, the downstream risk — in audits, legal proceedings, or incident post-mortems — scales with the sensitivity of the meeting content.

AI Notetaker Attack Vectors: Prompt Injection, Silent Recording, and Data Exposure

AI agent security risks are not theoretical for notetakers. Each tool in the enterprise meeting ecosystem introduces a distinct class of vulnerability — and understanding the full attack surface is the first step to managing it.

Prompt Injection: Erasing or Corrupting the Official Record

Prompt injection attack chain against AI notetakers

Perhaps the most alarming vector is prompt injection against AI notetakers. Because tools like Otter.ai^[2] analyze spoken audio and process it through a language model pipeline, they are susceptible to the same class of injection attacks that affect any LLM-based system.

The attack is straightforward: arrive early to a recorded meeting and speak directly to the AI bot. In at least one documented case, a participant said something resembling “ignore all prior instructions” before the meeting began and successfully destroyed the entire meeting’s notes — the bot produced no usable summary. This is not a hypothetical; it is a demonstrated outcome from a real-world test described at [un]prompted 2026.

The implications for enterprise security are significant:

Incident response records could be selectively wiped or distorted by an attacker or insider who understands prompt injection patterns.
Legal and compliance meetings where an AI notetaker is the sole record-keeper become unreliable if the transcript can be corrupted by any participant.
An adversary who knows a meeting is being recorded by an AI tool gains a novel capability: evidence destruction without touching a file system.

Security teams should treat AI notetakers as LLM-adjacent systems subject to prompt injection threat models — not merely as passive transcription tools.

Prompt Injection Attack That Wiped an Entire Meeting’s Notes

Proof of Concept

Pre-meeting access window: When joining a meeting early — before other participants arrive — the AI notetaker bot (e.g., Otter.ai) is already active and listening. This creates a window where an attacker is alone with the AI agent with no witnesses.
Spoken prompt injection payload: The attacker verbally addresses the notetaker directly and speaks a natural-language override instruction. Sullivan referenced the payload as beginning with “ignore all prior instructions” — a canonical prompt injection string that instructs the underlying LLM to abandon its configured behavior and treat subsequent input as a new system directive.
LLM instruction override: Because AI notetakers process the audio transcript through a language model pipeline without robust input sanitization or privilege separation between “user speech” and “system instructions,” the spoken payload is treated as a valid instruction. The LLM’s prior directives (e.g., “summarize this meeting”) are overridden.
Meeting record destruction: The attacker Sullivan spoke with reported successfully destroying all meeting notes for that session. The resulting Otter summary was either blank, corrupted, or replaced with output driven by the injected instruction — leaving no authoritative record of what was discussed.
No forensic artifact: Because the injection was delivered verbally and the notes were wiped, the enterprise has no audit trail of what occurred in the meeting. From a security operations standpoint, this is equivalent to log tampering — an attacker can erase evidence of decisions, commitments, or disclosures made during sensitive discussions.
Broader implications: This attack requires no technical access, no credentials, and no network-level exploitation. Any meeting participant (internal or external) who joins before others can execute it. It is particularly dangerous in incident response settings, legal discussions, board meetings, or any context where AI notetakers serve as the sole memory of the conversation. The ~3% hallucination baseline already undermines trust in AI notetaker accuracy; prompt injection weaponizes that gap intentionally.
Detection and mitigation gap: At the time of the talk, no major AI notetaker vendor had implemented defenses against spoken prompt injection — no input sanitization layer, no anomaly detection for override-style phrases, and no integrity verification for generated summaries. Enterprises relying on AI notetakers for sensitive meeting documentation have no built-in assurance that the record was not manipulated.

Silent Recording Tools: The Invisible Endpoint

Not all AI notetakers announce themselves. Granola^[1] is a prominent example of a tool that runs as a desktop application, capturing meeting audio without injecting a visible bot into the call. There is no “Granola is recording this meeting” notification to other participants. For enterprise defenders, this creates two distinct problems:

1. Compliance and consent violations. In two-party consent jurisdictions — California being the most significant for tech companies — recording a conversation without the knowledge of all parties is illegal. An employee running Granola in a California-based company meeting is potentially breaking the law every time they join a call without disclosing the tool. If a company deploys Granola enterprise-wide without enforcing disclosure policies, the company itself may carry legal liability, not just the employee.

2. Data exfiltration by design. When an external consultant, contractor, or partner joins your meeting with Granola running, they silently receive a full transcript of your internal discussion — saved to their personal Granola account, outside your governance and compliance controls. Unlike a visible bot that you could detect and remove from a call, there is no technical mechanism to detect a desktop app recording on a remote participant’s machine. Your meeting data has left the building with zero visibility.

This is a particularly high-risk vector for: M&A discussions, executive strategy sessions, security incident response calls involving external responders, and legal and compliance reviews.

Proof of Concept

Silent installation on the recording participant’s device: The attacker or uninformed employee installs Granola as a standard desktop application. Unlike Otter.ai or Fireflies.ai^[3], Granola does not send a bot into the meeting’s participant list. There is no “Granola is recording this meeting” system message visible to other attendees.
Meeting join with no visible indicator: The recording participant joins a video call (Zoom, Google Meet, Teams, etc.) normally. Other participants see only the person’s name and video — no bot, no recording badge, no banner. From the perspective of everyone else in the meeting, there is no AI notetaker present.
Background audio capture: Granola intercepts the system audio stream on the recording participant’s machine, capturing everything spoken in the meeting in real time. This requires no special meeting permissions, elevated network access, or API integration with the conferencing platform — it operates entirely at the OS audio layer.
Transcript generation and storage in personal cloud: The full meeting transcript is processed and stored in the user’s personal Granola cloud account. If the recording participant is an employee joining a customer meeting, a partner call, or an all-hands, all spoken content from that session is now resident in an external account outside the host organization’s data governance controls. The host organization has no visibility into this, no audit trail, and no ability to enforce retention or deletion.
Two-party consent violation (California example): California Penal Code § 632 requires all parties to consent to being recorded. Because no notification is given to other meeting participants, the silent Granola recording violates two-party consent law. The speaker acknowledged using Granola himself and stated directly: “If I don’t tell people that I’m running Granola, I’m probably breaking the law because I’m in California and it’s a two-party consent state.”
Corporate data exfiltration pathway: If an external attendee — a contractor, a consultant, a vendor — joins a company meeting with Granola running, they silently capture the full transcript of that meeting and retain it in their own personal account. The host company has no contractual, technical, or policy mechanism in place to prevent or detect this unless they have explicitly addressed AI notetaker use in their meeting agreements or third-party risk frameworks.
Legal and enterprise risk outcome: The combination of silent recording, cross-boundary data capture, and personal cloud storage creates three simultaneous risks: (a) criminal or civil liability for the recording party under applicable consent laws; (b) potential trade secret exposure for the host organization if confidential information was discussed; (c) orphaned data outside any enterprise data retention or eDiscovery policy.

Viral OAuth Scope Expansion: From One User to 80,000 Endpoints

Viral OAuth scope expansion from one share link to 80,000 endpoints

Otter.ai^[2] provides a documented case study in how OAuth permission abuse can propagate through an enterprise at machine speed. The mechanism was built around a sharing feature: when a user shared meeting notes with a colleague, the recipient had to install Otter to view them.

The OAuth permission flow presented during installation was a standard click-through experience — users were focused on accessing the meeting notes, not reviewing the scope of permissions they were granting. By accepting, they authorized Otter to access their calendar. Otter then used that access to insert itself as a participant in every future meeting on that calendar.

The result: one user sharing one meeting note could cause Otter to propagate to 80,000 enterprise endpoints within the same organization. This is not a vulnerability in the traditional sense — it is a product feature operating exactly as designed. But from a security posture standpoint, it represents uncontrolled AI deployment at scale:

No IT approval or procurement review for each installation
No centralized visibility into how many meetings are being captured
No consistent data handling or retention policy enforcement
Calendar access as a persistent foothold for ongoing meeting capture

Proof of Concept

Initial share event: A user inside a target organization used Otter.ai to record a meeting and then shared the resulting meeting notes with an external or internal recipient via Otter’s native share link mechanism.
Forced app download gate: The recipient clicking the share link was presented with a gate requiring them to download and authenticate with the Otter.ai application before they could access the shared notes. This is a deliberate virality mechanic — access to shared content is withheld unless the new user installs and authorizes the app.
OAuth permission prompt — calendar scope: During the Otter.ai sign-up or authentication flow, the user was presented with an OAuth permission request. Because the user was focused on reaching the shared notes, they clicked through without carefully reviewing the requested scopes. The OAuth grant included access to the user’s calendar — a broad permission enabling the application to read all existing and future calendar events.
Automated calendar crawl and meeting injection: With calendar OAuth access granted, Otter.ai automatically read all calendar events for the new user and inserted itself as a participant (bot) into every future scheduled meeting. This required no further user action — the application used the calendar access to self-propagate across the user’s entire meeting schedule.
Exponential enterprise spread: The newly onboarded user now had Otter present in all their meetings. When those meetings occurred, other attendees encountered Otter’s bot. Some of those attendees then received or were invited to share their own notes, repeating the same share-link → OAuth-grant → calendar-access → auto-join cycle. This viral loop expanded Otter’s presence from a single initial user to approximately 80,000 endpoints within one enterprise environment, as documented in research by Nudge Security.
Security implication: At each of the 80,000 endpoints reached through this OAuth permission abuse mechanism, Otter.ai captured full meeting transcripts and stored them in Otter’s cloud infrastructure — outside the enterprise’s data governance controls. Security teams had no visibility into which meetings were being recorded, who had authorized access to those transcripts, how long data was being retained, or whether the vendor’s security posture met enterprise standards.
Defensive takeaway: Organizations must enforce SSO for all AI note-taking tools so that OAuth grants require enterprise identity provider approval. Third-party risk management programs should evaluate which AI notetaker vendors are permitted in the environment, audit OAuth scopes already granted by employees, and implement calendar access controls that prevent unauthorized application self-injection — before a single shared link silently expands to tens of thousands of unmanaged AI endpoints inside corporate meeting infrastructure.

AI Hallucinations in the Meeting Record: The 3% Problem

AI notetakers are not passive transcribers — they are language models generating a plausible representation of what was said. Research cited in the talk found that approximately 3% of AI-generated meeting notes contain inaccuracies. This is not a negligible error rate when the stakes are high.

Sources of hallucination include:

Accent and diction misrecognition: A speaker saying “impossible” may be transcribed as “possible,” inverting the meaning of a commitment or finding.
Technical terminology errors: Security-specific terms, product names, CVE identifiers, and vendor names are frequently mishandled by general-purpose transcription models.
Contextual inference filling gaps: When audio quality drops, models fill gaps with statistically likely words — which may not reflect what was actually said.

For security operations, a 3% hallucination rate creates a specific risk profile: incident response timelines may contain fabricated facts; post-incident legal review of AI-generated notes could surface inaccuracies that undermine the organization’s legal position; action items may be attributed to the wrong person or contain incorrect technical details.

AI meeting summaries should never be treated as verbatim records. They are a probabilistic approximation — valuable for convenience, dangerous as authoritative documentation.

Orphaned Transcripts at Bankrupt Vendors

Several AI notetaker companies have already shut down since the category exploded in 2023–2024. When a vendor goes out of business, the data they hold does not simply disappear — it enters an uncertain custody chain:

Cloud storage containing full meeting transcripts may persist indefinitely under the control of the acquirer, bankruptcy trustee, or cloud infrastructure provider
Data deletion processes for bankrupt companies are inconsistent and often not prioritized
Customers have limited legal recourse to demand data deletion when the vendor no longer exists as an operating entity

If your organization used a notetaker service that subsequently failed, your complete library of sensitive meeting transcripts — executive discussions, M&A calls, security incident reviews, legal strategy sessions — may exist in uncontrolled cloud storage with no active security team responsible for protecting it.

Threat Model Summary

Attack Vector	Mechanism	Risk Level
Prompt injection	Verbal injection before/during recording	High — can destroy evidence
Silent recording (Granola-type)	Desktop app, no bot in call	High — undetectable, exfiltrates data
Viral OAuth expansion (Otter-type)	Share link → calendar access → mass deployment	High — uncontrolled AI footprint
AI hallucination	LLM inference errors (~3%)	Medium — integrity risk in legal/IR contexts
Orphaned vendor transcripts	Bankruptcy leaves data in uncontrolled cloud	Medium-High — persistent data exposure

Actionable Takeaways

Conduct an AI notetaker inventory: identify every tool currently in use across the organization (including personal tools like Granola), determine which vendors are still operating, and assess where meeting transcript data is stored and who has access. Pay particular attention to any vendors that have shut down — their data custody status requires immediate legal review.
Treat AI notetakers as LLM-adjacent systems in your threat model. Specifically test whether the tools in use are susceptible to prompt injection by attempting to corrupt or erase notes using standard injection patterns before meetings begin. Document results and use findings to inform vendor selection criteria.
Audit OAuth permissions granted to AI notetaker applications across your identity provider. Revoke calendar and meeting-join access for any tools that were not approved through IT/security procurement, and implement a process to review AI tool OAuth grants quarterly. Otter's viral expansion pattern is not unique — any tool with calendar access has the same potential footprint.

Common Pitfalls

Assuming that because a meeting bot is not visible in the call, no AI recording is occurring. Silent desktop tools like Granola are invisible to meeting hosts and participants alike. Standard bot-detection approaches (looking for an unusual participant in the attendee list) will miss this entire class of tool. Policies and controls must address both bot-style and desktop-style notetakers.
Treating AI-generated meeting notes as authoritative records in legal, incident response, or compliance contexts. A ~3% hallucination rate combined with prompt injection vulnerability means the AI notetaker's output is a probabilistic summary, not a verbatim transcript. Using it as evidence or as the sole record of what was decided and by whom introduces integrity risk that can be exploited or challenged in litigation.

Corporate meeting recording compliance is no longer a theoretical concern — it is an active legal exposure that most security teams have not yet surfaced to their legal departments. AI notetakers introduce three distinct legal risk categories: wiretapping and consent law violations, destruction of attorney-client privilege, and inadvertent trade secret disclosure.

In the United States, recording laws vary by state. One-party consent states (such as Missouri) allow a single participant to record a conversation without notifying others. Two-party (or all-party) consent states — including California — require that all participants in a conversation consent before any recording takes place.

Granola^[1] illustrates this risk precisely. Unlike bot-based notetakers (Otter, Fireflies) that appear as a visible participant in the meeting, Granola runs as a silent desktop application. If a user runs Granola in a meeting without disclosing it to other participants, and that meeting takes place in a two-party consent jurisdiction, they are likely breaking the law — and they may not realize it.

The practical exposure compounds when employees join external meetings: if your employee uses Granola in a call with a customer or partner in California, they capture that organization’s meeting content and store it in a personal cloud account. The other organization loses any control over that data entirely.

Campbell Soup CISO Fired After Employee Recording Surfaces in Wrongful Termination Suit

Proof of Concept

The covert recording is made: A Campbell Soup employee met one-on-one with the company’s CISO. Without notifying the CISO, the employee recorded the conversation. The recording was made in Missouri, which is a one-party consent state — meaning only one party to the conversation (the employee doing the recording) needs to consent for the recording to be legal. No enterprise AI notetaker policy existed to prevent or detect this.
The CISO makes damaging statements: During the recorded meeting, the CISO allegedly made comments about Campbell Soup’s products — reportedly characterizing them as food made “for poor people” — and may have made racially insensitive remarks, according to published reports. These statements were captured verbatim because the employee had a full, accurate recording, not a secondhand account.
The employee is terminated: At some subsequent point, the employee who had made the recording was terminated by the company. The termination became the basis of a legal action.
The recording surfaces as litigation evidence: The terminated employee filed a wrongful termination lawsuit. As part of that litigation, the employee introduced the recording of the CISO as evidence. Because the recording was made lawfully under Missouri’s one-party consent rule, there was no legal barrier to its admissibility.
The CISO is fired: Once the recording’s contents became part of the legal record and became known to Campbell Soup leadership, the CISO was terminated. The stated grounds centered on the recorded remarks — both the dismissive comments about the company’s own products and the alleged racist statements.
The consent-law asymmetry is the crux: The outcome hinged entirely on jurisdiction. Missouri is a one-party consent state, so the employee’s act of recording was legal. Had this occurred in California (a two-party consent state), the same recording would have been an illegal wiretap, potentially inadmissible and exposing the employee to criminal liability. This jurisdictional gap is precisely the corporate meeting recording compliance risk that security and legal teams must map when employees operate across state lines.
Implications for AI notetaker security risk: This incident predates widespread AI wearables, but is a direct precursor to the threat model Sullivan describes. A wearable like Meta smart glasses, Limitless, or any ambient AI recording device would produce an equivalent artifact — a full, searchable, AI-summarized transcript — with even less friction and less visibility than a phone recording.

Attorney-Client Privilege Destroyed by AI Tool Usage

A February 17, 2026 court ruling established a significant and alarming precedent: conversations with an AI assistant are not protected by attorney-client privilege.

In the case at issue, a litigant had discussed aspects of their case with Claude^[4] (Anthropic’s AI assistant) and printed out the conversation to share with their attorney. When opposing counsel obtained the document, the litigant argued the conversation should be privileged because it was shared in the context of legal consultation. The judge rejected this argument on two grounds:

Claude is not an attorney. Attorney-client privilege requires communication with a licensed legal professional acting in that capacity.
Sharing data with Anthropic broke confidentiality. Anthropic’s privacy policy permits the use of user data for multiple purposes well beyond the bounds of a confidential legal consultation. By sending the conversation to Claude, the litigant disclosed it to a third party — Anthropic — under terms inconsistent with privileged confidentiality.

Proof of Concept

Pre-litigation AI consultation: The litigant used Claude (Anthropic’s AI assistant) to discuss details related to their pending legal case — a common behavior where individuals use AI tools to prepare for or supplement legal advice.
Physical disclosure of AI conversation logs: In preparation for meeting with their lawyer, the litigant printed out the conversation transcripts from Claude. These printed logs documented sensitive case-related communications between the user and the AI.
Opposing counsel obtains the conversation: The printed Claude conversation transcripts were obtained by opposing counsel during the litigation process.
Privilege claim asserted and rejected: The litigant argued the Claude conversations should be protected under attorney-client privilege, reasoning they were shared in the context of legal preparation. The judge rejected this claim on two grounds: Claude is not an attorney, and Anthropic’s privacy policy permits broad data use that constitutes third-party disclosure breaking the confidentiality prerequisite for privilege.
Enterprise AI notetaker data exposure risk generalized: Any sensitive information — trade secrets, litigation strategy, incident response deliberations, merger discussions — shared with an AI platform governed by a permissive privacy policy may similarly lose confidentiality protections. If an enterprise AI notetaker records a privileged legal discussion in a meeting and stores that transcript in a vendor’s cloud, the same logic applies.
Trade secret exposure as a parallel vector: Trade secrets can be similarly compromised by exposing them to AI agents. Under trade secret law, a holder must take reasonable steps to maintain secrecy. Feeding proprietary information into a commercial AI platform with broad data-use terms could constitute a failure to maintain that secrecy, potentially invalidating trade secret protections in subsequent litigation.
Unanswered edge cases with compounding risk: Unresolved privilege scenarios include: if a lawyer uses Claude to discuss a client’s case, does that conversation carry privilege? If a client uses Claude on their lawyer’s computer and under the lawyer’s account, is that privileged? These questions remain legally unsettled.
Recommended enterprise control: Security and legal teams should jointly audit which AI note-taking and AI assistant tools are being used in legally sensitive contexts, verify that vendor privacy policies are compatible with confidentiality requirements, and implement contractual controls or enterprise-tier agreements that include data processing terms consistent with privilege retention.

Trade Secret Exposure via AI Tools

A separate but related risk involves trade secrets. Under U.S. trade secret law (the Defend Trade Secrets Act and state equivalents), maintaining trade secret status requires that the owner take “reasonable measures” to keep the information secret. Sharing a trade secret with an AI service — particularly one whose terms permit data use for training or other purposes — may be sufficient to extinguish trade secret protection for that information.

For security teams, this means AI notetaker transcripts that capture discussions of proprietary security architectures, vulnerability research, unreleased product details, or M&A activity could inadvertently destroy the trade secret status of that information if the notetaker vendor’s data handling does not provide the necessary confidentiality guarantees.

The Policy and Legal Alignment Gap

The core problem is that security teams and legal teams have not yet had this conversation at most organizations. The legal issues are not obscure edge cases — they are active and documented. Yet AI notetakers have spread throughout enterprises with almost no legal review, no employee consent training, and no contractual language governing their use in external meetings.

The Campbell Soup case, the February 2026 privilege ruling, and the Granola consent exposure are not hypotheticals. They are the current state of the risk landscape, and they are happening now — before wearables make covert recording ambient and ubiquitous.

Actionable Takeaways

Audit which AI notetaker tools employees are using and categorize them by recording transparency (bot-visible vs. silent desktop apps like Granola). For silent tools, establish explicit policy requiring user disclosure before any meeting recording — and enforce this through security awareness training. In two-party consent states, undisclosed recording by employees is a legal violation that creates individual and corporate liability.
Work with your legal team to establish explicit guidance on what categories of information must never be entered into any AI tool: attorney-client privileged communications, trade secrets, regulatory correspondence, and incident response legal strategy. The February 2026 ruling makes clear that sharing information with an AI platform under broad terms-of-service constitutes third-party disclosure sufficient to destroy privilege — treat AI tools the same way you treat any non-privileged communication channel for these categories.
Add AI notetaker terms to all external meeting agreements and vendor contracts. Getting contractual clarity about whether recording is permitted, whose AI tools are authorized, and where transcripts are stored is the fastest way to manage consent and data custody risk in third-party meetings before policy frameworks catch up to practice.

Common Pitfalls

Assuming one-party consent state law protects your employees when they use silent notetakers like Granola. Even if the recording is legal under the law of the state where the employee is located, if another participant is in a two-party consent jurisdiction (e.g., California), the recording may still violate that state's law — and the employee or company may face liability under the jurisdiction where the other party was located. Multi-state and cross-border meetings make consent law more complex, not less.
Treating AI notetaker transcripts of legal strategy sessions or incident response meetings as protected by attorney-client privilege. The February 2026 ruling demonstrates that courts will analyze whether confidentiality was actually maintained — and storage of the conversation on an AI vendor's platform under broad data-use terms is a strong argument that it was not. Do not rely on privilege to protect AI-assisted legal communications without first getting explicit legal guidance on your specific tool and vendor agreement.

Enterprise Security Controls for AI Notetakers

If you are running security at a company, enterprise AI notetaker policy is no longer optional — it is a gap in your AI security posture that has been quietly widening for over a year. Joe Sullivan’s framing at [un]prompted 2026 is blunt: the answer to “should you care?” is yes, and the controls required are neither exotic nor expensive. They map directly onto governance frameworks your team already uses.

Single Sign-On Enforcement

The first and most foundational control is bringing all enterprise AI security tooling under your identity perimeter. Every AI note-taking tool used inside the company should authenticate through your SSO provider. This gives you:

Visibility into which employees are using which tools
Centralized deprovisioning when an employee leaves or a tool is revoked
Audit trails for who accessed meeting transcripts after the fact

Tools that cannot be brought under SSO should be blocked at the network or endpoint level. If an employee is running Granola as a personal desktop app outside your SSO umbrella, you have a data exfiltration problem — meeting content is flowing to a personal cloud account with no corporate oversight.

Access Controls for Sensitive Meeting Transcripts

Not all meeting transcripts carry the same risk. A weekly team standup and a CEO board preparation call are categorically different data assets. Security teams should apply tiered access controls:

Identify high-sensitivity meetings — CEO discussions, board calls, M&A conversations, legal consultations, incident response war rooms — and explicitly restrict who can access their transcripts
Apply role-based access controls (RBAC) to transcript repositories, treating them the same as any other sensitive data store
Audit access logs regularly, especially for transcripts from executive and legal meetings

Sullivan specifically calls out the CEO’s meeting notes as an example: who has access, where are they stored, and how long are they retained are questions that should have documented answers.

Data Retention Policies

AI notetaker platforms accumulate an enormous volume of sensitive organizational memory. A corporate meeting recording compliance posture requires you to define:

How long transcripts are retained in the notetaker platform’s cloud (both your enterprise plan and any personal accounts your employees may be using)
Deletion schedules for transcripts that are no longer operationally necessary
Data residency requirements if your organization operates under GDPR, HIPAA, or other data sovereignty regulations

The risk of under-managing retention is not theoretical. Several AI notetaker startups have already gone out of business, leaving full corporate meeting transcripts sitting in clouds with uncertain ownership and access controls. Retention limits reduce your blast radius when a vendor fails.

Third-Party Risk Assessment for Notetaker Vendors

AI notetakers are third-party risk management candidates for some of your most sensitive unstructured data. Your enterprise AI notetaker policy should require vendors to pass the same third-party risk assessment you apply to any SaaS provider with access to confidential information:

Review the vendor’s data use policy — can they use your transcripts to train models? Are transcripts shared with subprocessors?
Assess financial stability — a vendor going out of business is not just a service interruption; it is a data governance crisis
Evaluate security certifications (SOC 2 Type II, ISO 27001) and incident response commitments
Determine what happens to your data if you terminate the contract or if the vendor is acquired (as Limitless^[5] was by Meta)

Sullivan also raises a pointed question for customer-facing teams: if your employees are joining external meetings, are you explicitly governing whether your customers can bring their own notetakers into calls with you? This cuts both directions — you may be inadvertently sending your own proprietary information into a competitor’s or customer’s AI cloud.

Employee Security Awareness Training

Sullivan calls out employee training as a “no-brainer” that should already be in every organization’s security awareness curriculum. At minimum, training should cover:

What tools are approved for AI note-taking and which are prohibited
Consent law requirements — employees must understand that using silent tools like Granola in two-party consent jurisdictions (California, Florida, Illinois, and others) without disclosure is a legal violation, not just a policy violation
Disclosure norms — how to notify meeting participants that a notetaker is active (display name labels, Zoom background text, verbal disclosure at the start of the call)
Data handling — transcripts are corporate data assets, not personal notes; they should not be stored in personal accounts or shared outside approved channels

Contractual Clauses for External Meetings

Sullivan notes that for his own security consulting business, he has begun including explicit AI notetaker clauses in client contracts. Enterprise security teams should consider the same approach:

Add AI recording disclosure requirements to vendor agreements and consulting contracts
Require mutual notification before any AI notetaker or recording tool is activated on a call
Specify data handling obligations for any transcripts created during joint meetings — who owns them, how long they are retained, and who can access them

This protects your organization whether you are the host or the guest. It also begins normalizing a disclosure expectation that Sullivan argues the industry needs to establish before wearables make silent ambient recording the default.

Legal Team Alignment

The intersection of AI notetakers, attorney-client privilege, trade secret protection, and consent law is legally complex and rapidly evolving. Specific questions to bring to your legal team:

Are transcripts of meetings involving outside counsel covered by attorney-client privilege, or does routing them through an AI platform waive that protection?
If an employee exposes a trade secret to an AI notetaker platform, has the company compromised its trade secret protection?
What consent law jurisdiction applies when meeting participants are distributed across multiple states or countries?

Actionable Takeaways

Enforce SSO for all AI note-taking tools and block any tool that cannot be brought under your identity perimeter — treat unapproved desktop notetakers like Granola as a data exfiltration vector, not a productivity tool.
Build a tiered access control policy for meeting transcripts based on sensitivity classification: identify high-risk meetings (CEO, legal, IR), restrict transcript access via RBAC, and define documented retention and deletion schedules.
Add AI notetaker training to your security awareness curriculum and contractual disclosure clauses to vendor and client agreements — establish disclosure norms before wearables make silent ambient recording the workplace default.

Common Pitfalls

Treating AI notetakers as a productivity tool outside the security perimeter rather than a third-party SaaS processor with access to sensitive unstructured data — this leaves transcript access, retention, and vendor risk entirely unmanaged until a breach or legal dispute surfaces the gap.
Assuming that because an AI notetaker vendor offers an enterprise plan, data handling and legal compliance are automatically covered — vendor bankruptcy, acquisition, or permissive data-use policies in the Terms of Service can expose corporate meeting transcripts in ways the enterprise agreement does not prevent.

The Wearables Horizon: Why AI Recording Norms Must Be Set Now

AI notetakers are not a static category. They are the early, relatively visible version of a much broader ambient recording infrastructure that is arriving faster than most enterprise security programs are prepared to handle. Joe Sullivan made this explicit: he purchased a Limitless^[5] wearable AI notetaker device — a clip-on pendant that continuously records and transcribes the wearer’s conversations. The last time he used it was December 5th, 2024 — the same day the company was acquired by Meta.

That acquisition is a signal, not a coincidence. Meta has already sold millions of Ray-Ban smart glasses with built-in cameras and microphones. Limitless’s technology will fold into that ecosystem. Meanwhile, OpenAI is building its own wearable device, Apple is developing AI-integrated hardware, and Google has reportedly re-entered the smart glasses space. Within 24 months, AI wearable recording will not require a dedicated device — it will be built into the glasses your employees already wear.

AI Wearable Security Risks Dwarf Meeting Bot Risks

The risks introduced by virtual meeting notetakers — silent recording tools, viral OAuth expansion, prompt injection — are containable because they operate within a defined perimeter: the video conferencing platform. AI wearable security risks eliminate that perimeter entirely.

Consider what changes when recording is ambient:

No visual bot indicator. There is no Otter participant to notice, no recording indicator to flag. A pair of smart glasses is indistinguishable from regular eyewear.
No meeting context required. Wearables capture hallway conversations, one-on-ones, offsite discussions, and anything else that happens within range — not just scheduled calendar meetings.
No consent mechanism. Current transparency workarounds — adding “(+ AI assistant)” to your Zoom display name, using a recording indicator in your background — have no equivalent for in-person interactions with wearable devices.
Consent law exposure scales dramatically. The two-party consent violations already occurring with tools like Granola will multiply as employees wear recording devices into states, countries, and customer sites with stricter laws.

The Campbell Soup CISO case — where a subordinate covertly recorded a conversation that later surfaced in a wrongful termination suit — previews the enterprise liability that wearable ambient recording will routinely generate.

Setting Norms Now Is the Only Viable Strategy

Sullivan’s argument is that AI notetakers are the training ground. The organizations that treat them seriously — drafting policy, running security awareness training, defining consent expectations, aligning with legal — are building the governance muscle that wearable management will require.

The organizations that shrug them off are not avoiding the problem. They are arriving at the wearable inflection point with no policy infrastructure, no legal alignment, no employee awareness, and no enforcement capability.

The norm-setting window is narrow. There is a short period in which the security community can establish expectations — that recording requires disclosure, that AI-captured data has the same sensitivity as any other enterprise data, that consent is a technical and cultural requirement, not a checkbox — before ambient AI recording becomes so pervasive that norms become effectively impossible to enforce.

The practical starting point is the same policy framework that applies to meeting notetakers today: SSO enforcement, data retention controls, third-party vendor vetting, security awareness training, and legal team alignment. That framework does not need to be rebuilt from scratch for wearables. It needs to be extended. But only if it exists first.

Actionable Takeaways

Treat your current AI notetaker policy work as wearable policy pre-work. Every control you establish now — SSO enforcement, consent disclosure requirements, data retention limits, third-party vetting — is a building block for managing ambient wearable recording. Do not defer this work on the assumption that wearables are a future problem.
Update security awareness training to explicitly address AI wearable recording before your employees start arriving at work, customer sites, and offsites wearing devices with embedded AI. Establish a clear organizational position: recording another person requires disclosure, regardless of the device form factor.
Engage your legal team now on the intersection of AI wearable recording, two-party consent laws, and cross-jurisdictional compliance. The legal exposure from a single undisclosed recording surfacing in employment litigation — as demonstrated by the Campbell Soup CISO case — is significant enough to justify proactive policy development rather than reactive incident response.

Common Pitfalls

Treating AI notetakers as a productivity tool issue rather than a security issue means security teams miss their first real opportunity to engage the organization on AI governance. By the time wearables are ubiquitous, the window to set norms has closed and security teams are responding to incidents rather than preventing them.
Assuming that transparency workarounds sufficient for video meetings (display name annotations, Zoom background notices) will scale to wearable environments. They will not. In-person ambient recording by wearable devices requires fundamentally different disclosure mechanisms and organizational policies that must be designed before deployment, not after.

Conclusion

AI notetakers have become the default memory of enterprise meetings — and that memory is manipulable, injectable, silently capturable, and legally dangerous in ways most organizations have not addressed. Joe Sullivan’s [un]prompted 2026 talk is one of the clearest threat briefings available to security practitioners on this topic: the attack surface is real, the legal exposure is documented, and the window to establish governance norms is closing fast.

The path forward is not complicated. It begins with an inventory of what tools are in use, extends to SSO enforcement and access controls, requires a direct conversation with your legal team, and culminates in policy and training that covers both the current landscape and the wearable horizon arriving within the next two years.

For security teams looking to go deeper on the adjacent threat surface, the following topics are directly relevant to the controls and risks discussed in this article:

AI agent security frameworks — how to threat model systems that process user-controlled inputs through LLM pipelines
Enterprise AI security governance — practical approaches to policy, procurement, and risk management for AI tools at scale
Third-party risk management for SaaS — vendor assessment frameworks applicable to AI notetaker procurement decisions

References & Tools

Granola — Silent desktop AI notetaker that captures meeting audio without appearing as a visible bot participant in the call. ↩
Otter.ai — AI notetaker with a viral OAuth mechanism that auto-joined all calendar meetings after a user clicked through a shared notes link, expanding from a single user to approximately 80,000 enterprise endpoints. ↩
Fireflies.ai — Enterprise AI notetaker; listed as part of the broader ecosystem assessed for security risk and governance policy coverage. ↩
Claude (Anthropic) — AI assistant referenced in the February 2026 court ruling where a judge determined that conversations with Claude are not attorney-client privileged because sharing data with Anthropic breaks confidentiality. ↩
Limitless — AI notetaker wearable device; its Meta acquisition signals the coming integration of ambient AI recording into consumer hardware like smart glasses. ↩

AI Notetakers: The Most Important Person in the Room |...