
Default-On AI in SaaS: Why Surprise Features Are Putting Your Company at Risk


by Ken Doctor


Enterprise SaaS platforms are rolling out AI features by default, often without clear notice or admin control. This shift is exposing organizations to legal, compliance, and operational risks—sometimes before IT teams even know what’s changed.

It’s become a familiar scenario for IT teams: a new “sparkle” icon appears in a business app, signaling an AI feature that no one in IT authorized or even knew was coming. Users file support tickets asking what it does, but the help desk is just as surprised. There’s no mention in the product roadmap, yet the feature is live, accessible to everyone, and already processing company data.

This is now standard practice in enterprise SaaS, but it’s raising serious concerns. For years, vendors introduced new features at a predictable pace, giving organizations time to prepare. Now, many platforms are activating AI tools by default—sometimes with little or no warning. The result: security and compliance teams scramble to react, often with only days to respond.

Zoom’s July 2024 update is a case in point. Users saw an in-app banner announcing that AI Companion features would be auto-enabled on July 25, with admins given until July 21 to opt out. A second wave of auto-enablement notices followed in September 2024, this time targeting host accounts. Emerson College’s Zoom security guidance shows that features like recordings, automated captions, full transcripts, smart recording with AI Companion, and in-meeting chat are all enabled by default. Zoom Hub is also on by default, and chat cloud retention is set to two years. Unless admins proactively disable these settings, every data capture mechanism remains active.

The legal implications are significant. In the U.S., many states require two-party consent for recordings. Whether AI-generated meeting summaries or smart recordings qualify as “recordings” under wiretap laws is still unclear. Add in transcripts, AI summaries, and lengthy chat retention, and organizations face data sprawl and e-discovery risks they never agreed to.

Microsoft 365 Copilot is another example. If a tenant has even one paid Copilot license, the feature is automatically enabled for all admin users. Opting out means creating a special security group and manually excluding admins. In October 2025, Windows devices with Microsoft 365 desktop apps began background-installing Copilot by default for tenants outside the European Economic Area. Admins had to preemptively uncheck a box in the admin center to prevent the install.

Google’s April 2026 launch of Workspace Intelligence gave Gemini access to Gmail, Drive, Chat, and Calendar for every user, with all data sources enabled by default. The rollout took up to three days, and admin controls sometimes lagged behind the live feature by as much as 72 hours.

OpenAI’s ChatGPT Enterprise takes a different approach, shipping with all apps and connectors disabled by default—workspace owners must enable each one. But ChatGPT Business, from the same vendor, ships with apps enabled by default. Two products, same company, opposite stances on defaults.

While vendors do provide some communication—Google posts on the Workspace Updates admin blog, Microsoft offers deployment docs, and Zoom publishes release notes—these notifications are scattered across blogs, feeds, and in-app banners that admins may miss. Lead times are short, training materials are rarely ready for distribution, and the default setting for too many features is “on.” This quietly shifts governance responsibility from the vendor to the customer, increasing organizational risk.

AI features that process meeting audio or documents aren’t neutral. They raise questions about data residency, retention, and consent that may conflict with client contracts, wiretap laws, or internal policies. When features launch as default-on, organizations are exposed before they can assess the risks.

The human impact is also real. Each new feature triggers a flood of support tickets. Managers field questions they can’t answer. Power users experiment with sensitive data. This “change fatigue” drags down productivity and adds to the workload of security, governance, and IT teams who must review every new capability.

There’s a clear alternative: AI features should be off by default. Vendors should send a single, structured notification to admins well in advance, detailing the feature, data access, available controls, and go-live date. A risk matrix mapping the feature to compliance standards like SOC2, ISO 27001, and wiretap laws should be published. Ready-to-use training materials should be provided, and organizations should get a real evaluation window—measured in weeks, not days.

Until vendors change course, CIOs and CISOs must assume the next AI feature is already active. Regular tenant configuration reviews are essential. Document every default-on incident and escalate it with your account team. Let these patterns influence renewal decisions. These are the few levers organizations have left.
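As an added example (not code from the article or from any vendor), here is a small tenant configuration review that compares a settings snapshot against the baseline an organization approved during its evaluation window, flagging settings that flipped on, settings the baseline has never seen (a likely new default-on feature), and retention beyond policy. The setting names, the snapshot and the 90-day limit are constructed for illustration and do not correspond to any vendor's export format or API.

```python
import json

# Approved baseline: the posture the organization signed off on. Constructed
# names modelled on the capture features the article lists (recordings,
# captions, transcripts, smart recording, in-meeting chat, hub); not a real API.
APPROVED_BASELINE = {
    "cloud_recording": False,
    "automated_captions": False,
    "full_transcripts": False,
    "smart_recording_ai_companion": False,
    "in_meeting_chat": True,
    "ai_hub": False,
}
RETENTION_KEY = "chat_cloud_retention_days"
MAX_CHAT_RETENTION_DAYS = 90  # constructed internal policy limit

# Constructed snapshot of a tenant after a default-on rollout: every capture
# feature is on, retention is two years, and one feature is entirely new.
TENANT_SNAPSHOT = json.dumps({
    "cloud_recording": True,
    "automated_captions": True,
    "full_transcripts": True,
    "smart_recording_ai_companion": True,
    "in_meeting_chat": True,
    "ai_hub": True,
    "ai_meeting_summaries": True,
    RETENTION_KEY: 730,
})


def review_tenant(snapshot_json, baseline, max_retention_days):
    """Return (setting, kind, detail) findings; an empty list means no drift."""
    snapshot = json.loads(snapshot_json)
    findings = []
    for key, approved in baseline.items():
        if key not in snapshot:
            findings.append((key, "missing", "absent from snapshot; verify by hand"))
        elif snapshot[key] != approved:
            findings.append((key, "drift", f"approved={approved} actual={snapshot[key]}"))
    # Anything the baseline never recorded is treated as a new default-on feature.
    for key in sorted(set(snapshot) - set(baseline) - {RETENTION_KEY}):
        findings.append((key, "new", "not in baseline; review before users rely on it"))
    retention = snapshot.get(RETENTION_KEY)
    if retention is not None and retention > max_retention_days:
        findings.append((RETENTION_KEY, "retention",
                         f"{retention} days exceeds policy of {max_retention_days}"))
    return findings


if __name__ == "__main__":
    for setting, kind, detail in review_tenant(TENANT_SNAPSHOT, APPROVED_BASELINE,
                                               MAX_CHAT_RETENTION_DAYS):
        print(f"[{kind}] {setting}: {detail}")
```

Each finding is the record to attach to the default-on incident the article suggests documenting and escalating with the account team.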

Vendors that prioritize customer trust over rapid adoption will ultimately win loyalty. Default-on is a vendor choice—so is responsible governance.

For organizations seeking creative ways to manage AI adoption and costs, some are exploring unconventional strategies. For example, one Silicon Valley startup found significant savings by having employees use individual OpenAI and Anthropic accounts instead of enterprise plans, as detailed in this report on cost-cutting AI workarounds.

Zoom Video Communications, founded in 2011 and headquartered in San Jose, California, has grown rapidly since its public debut in 2019. As of 2026, Zoom serves over 300 million daily meeting participants and has expanded its product suite to include AI-powered features like Zoom AI Companion and Zoom Hub. The company reported annual revenues exceeding $4.5 billion in its most recent fiscal year, reflecting the widespread adoption of its platform across enterprises, education, and government sectors.
