Earlier this year, the popular AI Notebook Taker, known as Otter AI, rolled out a new expansion model that led to explosive growth in account creation across multiple Nudge Security customers, including one large company that discovered 800 new account sign-ups within 90 days.
For SaaS companies looking to expand their footprint through product-driven growth, this sounds like the beginning of a rosy success story. But for security and IT teams, and for teams responsible for ensuring that AI adoption balances productivity and safety, this type of uncontrolled spike represents a nightmare of security and compliance.
Let’s take a look at growth hacks that drive this type of runaway adoption and how to use nudge security to stop using unapproved otter AI within your organization.
Understanding the virus growth of otter AI
Otter AI is an AI-powered meeting assistant tool that integrates with employee calendars, automatically joins and records virtual meetings, and takes notes on what happens. While these records and transcripts can provide great productivity gains, the level of access required can introduce significant data privacy risks, costs and compliance impacts.
Many organizations already represent the source of concern, even one NoteTaker account that allows participants to access their calendars and join a meeting without notifying participants. However, Otter AI uses aggressive growth tactics to convert a single account into a large number of accounts.
Nottaker includes a default setting that automatically sends a meeting summary to all meeting participants, and invites you to sign up for an account and connect your calendar. Leaving this setting unlocks the free account owner’s unlimited meeting minutes, but switching to a more limited option also means restricting the Notes Theme utility.
Naturally, this tactic has led to a massive influx of unwanted and unapproved otter AI sign-ups across the organization.
“I’m the vice president of it, and hundreds of people have blown up this email. It’s like a worm virus that tries to prevent it from multiplying through our organization.” – /u/dogsblimpsshootcloth, “Don’t join otter.ai unless you want to spam your entire company.”
How to use nudge security to control Otter AI adoption
Here’s how one large company used nudge security to discover and control Otter AI adoption: Check out the interactive demo below and learn how they did it or read the step-by-step instructions to help you do the same.
1. Discover the scope of the problem.
Before deciding on the best behaviour, you need to have a detailed understanding of the use and access of otter AI across your organization.
Nudge Security combines multiple discovery methods to show who your organization uses Otter AI, the access it provides through app-to-app integration, and how much your organization spends on your app. You can also view the breakdown of usage by department, view the recruitment graph and see the trends in account creation over time, including a sudden surge in signups that can be viewed in the screenshot below.
Stock Otter AI account and authentication methods.
Nudge Security provides an inventory of Otter AI accounts associated with employees, when you first observe (and last) account activity, and the authentication method associated with each account.
Understand the program access that Otter AI has in its environment.
Otter AI doesn’t need to enable calendar access to users to create an account, but it’s a critical step for users who want to make the most of the tool.
Nudge Security helps you understand which employees actually granted access to the calendar. This provides OTTER AI with access to contacts invited to each meeting. In other words, these users may be at the root of your otter AI outbreak.
You can also create rules that connect Zoom to security and notify you of new integrations with Zoom as an authentication app to help you gain visibility into Zoom Security Posure.
Segment users based on account activity and access.
Account and integration details provide many clues regarding Otter AI adoption and usage patterns. This will help identify different employee groups that require different interventions. For example, power users may benefit from different interventions than users who have not touched their account in a few months.
Need more details? You can also drill into the Events tab for each app or account to view, search and filter granular event details. For example, you can see the subject, date, and sender of the email nudge security analysis generated on each machine. Otter AI includes referral employees in the subject line of each invitation. This means that invitation events for these accounts can provide additional insight into recruitment patterns.
2. Performs a vendor security assessment.
The steps to manage Otter AI depend on how your app’s data security and privacy practices match your organization’s requirements. Nudge Security helps accelerate security, legal, and compliance reviews for apps like Otter AI by delivering security profiles for each SAAS and AI app in your environment.
Each security profile includes details about the vendor’s security program, compliance authentication, quick links to security pages (including terms of service, privacy policy, subprocessors, etc.), supply chain details, and a summary of violation history. Nudge Security also provides OAUTH risk scores, risk insights, and details of each OTTER AI OAUTH grant, helping you assess and monitor connectivity to your environment.
3. Intervene to include unauthorized access.
Once Otter AI has determined whether it meets the company’s standards, Nudge Security offers automated interventions to curb unauthorized access.
Revoke program access.
Otter Ai OAuth can be directly assisted either individually or in large quantities. Without access to calendars and contacts, the tool will not be able to join meetings and automatically share notes.
It will prompt users to delete their account.
You can also use Otter AI to send Nudges to employees to delete their accounts, switch to an approved alternative, or request an exception if the tool is needed for legitimate purposes.
4. Define and communicate security and usage policies.
Educating employees about corporate policies to interact with AI tools in the future will help you avoid pitfalls such as granting calendar access to AI Note Takers.
Nudge Security offers a playbook that helps employees to securely and conform to AI tools and to comply with AI-acceptable usage policies by tweaking account owners with just-in-time guidance. As soon as employees sign up for a new AI tool, they can automatically inspire them to accept corporate policies.
5. Enforce security and usage policies with automatic guardrails.
Removing apps like Otter AI from your organization is not a one-off exercise. So, Nudge Security offers automated guardrails to help you implement safe and compliant AI usage at scale.
For example, you can intervene within your browser to suppress sign-ups for new Otter AI and promote approved alternatives. You can also create a self-service app directory to help employees understand which apps are approved and unauthorized, and streamline access requests for approved tools.
6. Monitor AI activity.
Nudge Security continuously discovers what AI is using across your organization, and stocks to understand changes in your environment, including supply chain, app integration from apps, and using AI within AI session activities.
Additionally, you can create rules that notify you of a specific OAUTH scope, such as a new AI app or account, high-risk or political activity, metrics for adoption of a spike app, high-risk score OAUTH grants, or calendar access.
For example, the screenshot below shows the rule that when an employee creates a new Otter AI account, security will notify a specific slack channel and fine-tune it to switch to a user-approved alternative.
Are you ready to try it yourself?
Start with your own free ShadowAI inventory.
Source link
