July 23, 2025

How to remove Otter AI from your organization with Nudge Security

Learn how to discover, assess, and remove unauthorized Otter AI accounts with Nudge Security's AI security tools.

Earlier this year, a popular AI notetaker called Otter AI rolled out a new expansion model that led to explosive growth in account creation across multiple Nudge Security customers, including one large enterprise that discovered a staggering 800 new account signups within 90 days.

For a SaaS company trying to expand its footprint through product-led growth, this sounds like the beginning of a rosy success story. But for security and IT teams tasked with making sure AI adoption balances productivity with safety, this type of uncontrolled spike represents a security and compliance nightmare.

Let’s look at the growth hack driving this type of runaway adoption, and how you can stop unapproved Otter AI use within your organization with Nudge Security.

Understanding Otter AI's viral growth

Otter AI is an AI-powered meeting assistant tool that can integrate with your employee's calendar, automatically join and record virtual meetings, and take notes on what happens. These recordings and transcripts can provide fantastic productivity gains—but the level of access they require can introduce significant data privacy risks, costs, and compliance implications.

For many organizations, even one notetaker account that can access calendars and join meetings without notifying participants already represents cause for concern. But Otter AI uses an aggressive growth tactic to turn a single account into a raft of accounts.

The notetaker includes a default setting that automatically sends meeting recaps to all meeting attendees—and invites them to sign up for an account and connect their calendar. Leaving this setting enabled unlocks unlimited meeting minutes for free account holders, whereas switching to a more limited option also means restricting the utility of the notetaker.

Unsurprisingly, this tactic has led to a massive influx of unwanted, unapproved Otter AI signups across organizations.

“I’m the VP of IT and hundreds of people were blasted this email. It’s like a worm virus now which I have to try and prevent proliferating through our org.” —/u/DogsBlimpsShootCloth, in “Do not join Otter.Ai unless you want your whole company spammed.”

How to control Otter AI adoption with Nudge Security

Here’s how one large enterprise discovered and controlled runaway Otter AI adoption with Nudge Security. Explore the interactive demo below to learn how they did it, or read on for step-by-step instructions to help you do the same.

1. Discover the scope of the problem.

Before you can determine your best course of action, you need a detailed understanding of Otter AI use and access across your organization.

Nudge Security combines multiple discovery methods to show you who at your organization is using Otter AI, what access employees have provided through app-to-app integrations, and how much your organization has spent on the app. You can even see a breakdown of usage by department and view an adoption graph to see trends in account creation over time—like the sudden spike in signups you can see in the screenshot below.

Inventory Otter AI accounts and authentication methods.

Nudge Security provides an inventory of Otter AI accounts associated with your employees, along with when we first (and last) observed account activity, and what authentication methods are associated with each account.

Understand the programmatic access Otter AI has to your environment.

Otter AI doesn’t require users to enable calendar access in order to make an account—but it’s an important step for users who want to make full use of the tool.

Nudge Security can help you understand which employees have actually granted OAuth access to their calendars, which also provides Otter AI with access to the contacts invited to each meeting. In other words, these users may be at the root of your Otter AI outbreak.

You can also connect Zoom to Nudge Security for deeper visibility into your Zoom security posture and create a rule to be notified of new integrations with Zoom as the authorizing app.

Segment users based on account activity and access.

Account and integration details provide a lot of clues into Otter AI adoption and usage patterns, which can help you identify different employee populations that may need different interventions. For example, power users may benefit from different interventions than users who haven’t touched their accounts in months.

Need more detail? You can also drill into the Events tab for each app or account to see, search, and filter granular event details. For example, you can see the subject line, date, and sender for each machine-generated email Nudge Security analyzes. Otter AI includes the referring employee in the subject line of each invitation, which means these account invitation events can provide additional insight into adoption patterns.

2. Perform a vendor security assessment.

The steps you take to govern Otter AI will depend on how the app’s data security and privacy practices align with your organization’s requirements. Nudge Security helps you accelerate security, legal, and compliance reviews for apps like Otter AI by delivering a security profile for each SaaS and AI app in your environment.

Each security profile includes a summary of the vendor’s security program details, compliance certifications, quick links to security pages (terms of service, privacy policy, subprocessors, etc.), supply chain details, and breach history. Nudge Security also delivers OAuth risk scores, risk insights, and scope details for each Otter AI OAuth grant to help you evaluate and monitor those connections to your environment.

3. Intervene to contain unauthorized access.

Once you’ve determined whether Otter AI meets your corporate standards, Nudge Security provides automated interventions to help you rein in unapproved access.

Revoke programmatic access.

You can revoke Otter AI OAuth grants directly from Nudge Security, either individually or in bulk. Without access to calendars and contacts, the tool can’t join meetings and share notes automatically.

Prompt users to delete their accounts.

You can also send nudges to employees using Otter AI prompting them to delete their account, switch to an approved alternative, or request an exception if they require the tool for a legitimate purpose.

4. Define and communicate security and usage policies.

Going forward, educating employees about your corporate policies for interacting with AI tools can help them avoid pitfalls like granting calendar access to an AI notetaker.

Nudge Security offers a playbook to help you equip your employees to use AI tools safely and in compliance with your AI acceptable use policy by nudging account holders with just-in-time guidance. As soon as an employee signs up for a new AI tool, you can automatically prompt them to accept your corporate policy.

5. Enforce security and usage policies with automated guardrails.

Removing apps like Otter AI from your organization isn’t a one-time exercise. That’s why Nudge Security provides automated guardrails to help you enforce safe, compliant AI use at scale.

For example, you can intervene within the browser to curb new Otter AI signups and promote approved alternatives. You can even create a self-service app directory to help employees understand which apps are approved or not permitted and streamline access requests for approved tools.

6. Monitor AI activity.

Nudge Security continually discovers and inventories AI use across your organization to help you keep tabs on changes in your environment, including AI use within your supply chain, app-to-app integrations, and AI session activity.

Plus, you can create rules to notify you of new AI apps or accounts, risky or out-of-policy activity, indicators of spiking app adoption, OAuth grants with high risk scores, or even specific OAuth scopes such as calendar access.

For example, the screenshot below shows a rule that when an employee creates a new Otter AI account, Nudge Security will notify a specific Slack channel and nudge the user to switch to an approved alternative.
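
The calendar-scope review from step 1 and the spiking-adoption and OAuth-scope rules described above can be sketched over any OAuth grant inventory. This is an added example, not Nudge Security's code or API: the record layout, the user names, and the scopes assigned to each sample grant are constructed for illustration, and only the scope strings themselves are the calendar scopes published by Google and Microsoft Graph.

```python
from collections import Counter
from datetime import date

# Calendar scope strings published by Google and Microsoft Graph.
CALENDAR_SCOPES = {
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/calendar.events",
    "Calendars.Read",
    "Calendars.ReadWrite",
}
G = "https://www.googleapis.com/auth/"

# Constructed sample inventory (hypothetical layout): user, app, grant date, scopes.
# The scopes per grant are illustrative, not a statement of what Otter AI requests.
GRANTS = [
    ("ana@example.com", "Otter AI", date(2025, 3, 4), ["openid", G + "calendar.readonly"]),
    ("bo@example.com", "Otter AI", date(2025, 3, 12), ["openid", "email"]),
    ("cy@example.com", "Otter AI", date(2025, 3, 18), ["Calendars.Read"]),
    ("dee@example.com", "Otter AI", date(2025, 3, 19), [G + "calendar.events"]),
    ("eli@example.com", "Otter AI", date(2025, 3, 20), ["openid"]),
    ("fay@example.com", "Other App", date(2025, 3, 18), [G + "calendar"]),
]

def calendar_grants(grants, app):
    """Grants for `app` that carry a calendar scope, oldest first."""
    hits = []
    for user, name, day, scopes in grants:
        matched = sorted(CALENDAR_SCOPES.intersection(scopes))
        if name.lower() == app.lower() and matched:
            hits.append((day, user, matched))
    return sorted(hits)

def weekly_counts(grants, app):
    """New grants for `app` per ISO (year, week), in chronological order."""
    counts = Counter()
    for _, name, day, _ in grants:
        if name.lower() == app.lower():
            iso = day.isocalendar()
            counts[(iso[0], iso[1])] += 1
    return dict(sorted(counts.items()))

def spike_weeks(counts, factor=3):
    """Weeks with at least `factor` times the grants of the previous observed week."""
    weeks = list(counts)
    return [w for prev, w in zip(weeks, weeks[1:]) if counts[w] >= factor * counts[prev]]

if __name__ == "__main__":
    for day, user, scopes in calendar_grants(GRANTS, "Otter AI"):
        print(day, user, ", ".join(scopes))
    print("spike weeks:", spike_weeks(weekly_counts(GRANTS, "Otter AI")))
```

The oldest calendar-scope grants are the ones to review first, since those accounts can send invitations to every attendee on the connected calendar.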

Ready to try it for yourself?

Get started with your own free shadow AI inventory.
