AI meeting notetakers
Otter, Fireflies, and their peers hold calendar access and record conversations involving people who never consented. The risks, the consent question, and the fix.
of organizations run or test AI agents in production (PwC, 2025)
of security leaders saw AI agents act outside intent (Saviynt, 2026)
of deployed AI agents are actively monitored or secured (Gravitee, 2026)
what it is
AI notetakers such as Otter, Fireflies, and Read join meetings, record them, transcribe them, and summarize them. To do their job they hold a standing OAuth connection to the host's calendar and, per the vendors' own documentation, often to contacts as well. Once connected, the bot joins meetings automatically, including ones the employee forgot it would join.
The output is a permanent record: audio, transcript, summary, action items, stored in the vendor's cloud, searchable, and shareable. Useful is the whole point. The governance questions arrive with the usefulness: whose meetings, stored where, under what terms, recorded with whose consent.
why it accumulates
Notetakers spread person by person, because the value is personal: one signup with "continue with Google," and meetings take their own notes. No procurement step, no review, and in most companies no policy that mentions them.
The grant then outlives everything around it. The employee changes roles or leaves; the calendar connection keeps working. Meanwhile the bot's reach is defined by the calendar, so one person's tool quietly processes conversations with clients, candidates, and leadership who never made any choice at all.
what it costs you
The legal exposure is real and current. Otter.ai faces a 2025 US federal class action (Brewer v. Otter.ai) alleging its notetaker recorded meeting participants without their consent. In the EU the same pattern raises GDPR questions: recording and processing identifiable people's speech needs a lawful basis, and a tool one employee installed rarely has one. Client calls add confidentiality obligations on top.
There is also a plain data question. Transcripts concentrate the most sensitive things a company says aloud: deals, disputes, salaries, strategy. They sit in a vendor your team never vetted, on a tier whose training and retention terms nobody read.
And in your OAuth inventory, notetakers cluster in the broad-scope group: standing access to calendars and contacts, granted personally, reviewed by no one.
what works
The OAuth grant list answers the first question in minutes: every notetaker connected to the directory appears there, with the scopes it holds and the person who granted it, and the list is usually a surprise. The durable answer is rarely a ban, because banning moves recording onto phones, where nothing is governed at all. The pattern that holds is one sanctioned notetaker on an enterprise tier, with a signed DPA, training disabled, and retention set, paired with two habits: recording announced at the start of the meeting, and the bot kept out of sensitive calls entirely: HR, legal, M&A, anything privileged. Once that path exists, personal-grant notetakers lose their reason to exist, and revoking them, with a sentence on why, becomes housekeeping rather than confrontation.
Consent, once announced, also has to be honored. An objection from a participant means the bot leaves, and a tool whose settings cannot guarantee that is the wrong tool to sanction. The remaining piece is offboarding: a leaver's notetaker grant keeps working after they go, and their transcript archive keeps existing, so both belong on the same closure checklist as the mailbox and the VPN.
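The grant-list review above and the offboarding check can be done over one export. The script below is an added example, not the page's or any vendor's tooling: it assumes the directory's third-party OAuth grants have been exported into a list of records with app, user and scopes, and triages them the way the text describes: flag personal-grant notetakers, flag standing calendar/contacts access, and flag any grant whose grantor has already left. The vendor names are the three on the page, the scope URLs are Google's published Calendar and Contacts scope identifiers, and the grant records, user addresses and the sanctioned app are constructed sample data.

```python
"""Triage an exported OAuth grant list for AI notetakers.

Added example, not the page's own tooling. Assumes grants were exported as
dicts with the fields app, user and scopes. Sample records below are
constructed; scope URLs are Google's real Calendar/Contacts identifiers.
"""
import re
from dataclasses import dataclass, field

# Vendors named on the page, matched as whole word tokens of the app name.
NOTETAKER_VENDORS = {"otter", "fireflies", "read"}

# Standing calendar/contacts scopes: these define how far a bot can reach
# into meetings with people who never granted anything themselves.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/calendar.events",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}


@dataclass
class Finding:
    app: str
    user: str
    reasons: list = field(default_factory=list)
    action: str = "review"  # "revoke" or "review"


def is_notetaker(app_name):
    """True when any token of the app name is a known notetaker vendor."""
    tokens = set(re.findall(r"[a-z]+", app_name.lower()))
    return bool(tokens & NOTETAKER_VENDORS)


def triage_grants(grants, leavers, sanctioned_app=None):
    """Return one Finding per grant that needs attention.

    leavers: set of user addresses already offboarded.
    sanctioned_app: the single approved notetaker (enterprise tier); grants
    to it by current staff are left alone, everything else is examined.
    """
    findings = []
    for g in grants:
        reasons = []
        left = g["user"] in leavers
        sanctioned = sanctioned_app is not None and g["app"] == sanctioned_app
        notetaker = is_notetaker(g["app"]) and not sanctioned
        broad = set(g["scopes"]) & BROAD_SCOPES

        if left:  # offboarding gap: the grant outlived the employee
            reasons.append("grantor has left; grant still active")
        if notetaker:
            reasons.append("personal-grant notetaker; move user to sanctioned tool")
        if broad and not sanctioned:
            names = sorted(s.rsplit("/", 1)[-1] for s in broad)
            reasons.append("standing access: " + ", ".join(names))
        if not reasons:
            continue
        action = "revoke" if (left or notetaker) else "review"
        findings.append(Finding(g["app"], g["user"], reasons, action))
    return findings


# Constructed sample export: two notetakers, one of them sanctioned,
# one grantor who has already left, and one unrelated app.
SAMPLE_GRANTS = [
    {"app": "Otter.ai", "user": "ana@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly",
                "https://www.googleapis.com/auth/contacts.readonly",
                "openid", "email"]},
    {"app": "Fireflies.ai", "user": "ben@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar", "openid"]},
    {"app": "Fireflies.ai", "user": "cara@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar", "openid"]},
    {"app": "Slack", "user": "dan@example.com",
     "scopes": ["openid", "email"]},
]
SAMPLE_LEAVERS = {"ben@example.com"}


def sample_report():
    """Run the triage over the constructed export (used by __main__)."""
    return triage_grants(SAMPLE_GRANTS, SAMPLE_LEAVERS, sanctioned_app="Fireflies.ai")


if __name__ == "__main__":
    for f in sample_report():
        print(f"{f.action.upper():7} {f.app:14} {f.user:18} {'; '.join(f.reasons)}")
```

Two grants come out of the sample: Ana's Otter grant (unsanctioned notetaker with standing calendar and contacts access) and Ben's Fireflies grant, which is the sanctioned tool but belongs to a leaver and so goes on the same closure list as the mailbox; Cara's sanctioned grant and Dan's Slack login are left alone.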
let's start with a conversation
Most first conversations start with not quite knowing what you have or where to begin. That's normal, and it's exactly where we're useful.
Tell us what prompted this. An upcoming audit, an incident, a client's security questionnaire, or just a sense that things have gotten messy.
We'll take it from there.

+48 783 762 997
julian@unshadowit.com