What is embedded AI in SaaS tools?

Embedded AI refers to AI features built directly into existing software products — writing assistants in Notion, email drafting in Gmail, meeting summaries in Zoom, CRM insights in HubSpot. Unlike standalone AI tools, these are activated within platforms your team already uses and may be on by default.

Why is embedded AI harder to govern than standalone AI tools?

Embedded AI is often enabled by default, invisible to governance processes that focus on standalone AI tools, and covered under the vendor's existing contract rather than a separate AI-specific agreement. Employees may not realize they are using AI at all.

How do you turn off AI features in SaaS tools?

This varies by vendor. Most enterprise plans allow admins to disable AI features at the workspace or organization level. Free and team plans often do not. Review your admin settings for each platform and check the vendor's documentation for AI feature controls.

Does embedded AI require its own GDPR compliance review?

Yes. Enabling a new AI feature in an existing tool is a new processing activity under GDPR. Check whether your existing DPA with the vendor covers the AI feature, whether it introduces new subprocessors, and whether it changes how the vendor uses your data.

Governing Embedded AI in Third-Party Tools

The Invisible AI Problem

When your team adopted ChatGPT, someone made a decision. When Notion added an AI writing assistant to your existing workspace, it appeared one morning and was available by default to everyone with a login.

This is the embedded AI problem. The tools your team already uses are quietly becoming AI systems, and most small teams' governance processes — which focus on standalone AI tool requests and approvals — are not designed to catch it.

Embedded AI is any AI capability added to a software product you already use. It includes:

Writing and drafting assistants (Notion AI, Google Docs, Word Copilot)
Meeting transcription and summarization (Zoom AI Companion, Microsoft Teams Copilot, Fireflies)
CRM and sales AI (HubSpot AI, Salesforce Einstein, Pipedrive AI)
Email AI features (Gmail's Smart Compose, Outlook Copilot, AI in Superhuman)
Code editors with AI built in (Cursor, VS Code Copilot, JetBrains AI)
Helpdesk and support AI (Intercom, Zendesk, Freshdesk AI features)
HR tools with AI screening or summarization

Every one of these represents an AI processing activity that may touch personal data, customer information, or confidential IP — and it is happening whether or not you have approved it.

Why Existing Governance Processes Miss It

Most AI governance processes are approval-driven: someone requests a new tool, it goes through a procurement or security review, and it either gets approved or not.

Embedded AI bypasses this entirely. The tool is already approved. The AI feature was added by the vendor. The employee enabling it is not requesting a new tool — they are clicking a button in software they already use every day.

The governance signals that catch standalone AI tool adoption — new vendor charges, new SSO connections, IT discovering a new domain — do not fire for embedded AI features.

An Inventory Problem First

Before you can govern embedded AI, you need to know where it exists. Go through your AI tool register and for every SaaS tool on the list, add a column: "AI features present?"

Then do a sweep. For each tool your team uses:

Log in as an admin
Check settings for any "AI," "Copilot," "Assistant," or "Summarize" features
Check whether those features are on or off by default
Check what data they process and where it goes

You will find AI features in places you did not expect. This exercise regularly surfaces 5–10 AI processing activities that teams had no visibility into.

The Governance Questions for Each Embedded AI Feature

Once you have identified the features, evaluate each one:

Is it enabled by default?

If yes, your team may already be using it. Determine current usage before disabling — a feature used heavily by 20 people needs a different response than one nobody has touched.

What data does it process?

Meeting AI processes conversation audio and transcripts. CRM AI processes customer and deal data. Writing AI processes whatever document is open. Map each feature to the data types in your classification scheme.

Does it introduce new subprocessors?

Vendors often power their AI features with a foundation model from a third party (OpenAI, Anthropic, AWS Bedrock, etc.). This introduces a new subprocessor that may not have been in the original DPA. Under GDPR, new subprocessors require your review and potentially your consent.

Action: When an embedded AI feature is identified, ask the vendor: "What subprocessors power this feature, and are they covered by our existing DPA?"

Is it covered by your existing DPA?

Many DPAs pre-date the AI features they are now supposed to cover. Check whether your DPA has been updated or whether the vendor has issued an AI-specific addendum.

Can you disable it at the admin level?

If the feature processes data you are not comfortable with, can you turn it off? On which plans? Check this before assuming you can control it.

Common Embedded AI Scenarios

Microsoft 365 Copilot

Microsoft Copilot is available across Word, Excel, Outlook, Teams, and SharePoint on Microsoft 365 Business and Enterprise plans. It processes the content of documents, emails, and meetings.

Governance actions:

Review Microsoft's Copilot data processing documentation and ensure your tenant DPA covers it
Decide whether to enable Copilot for all users, specific groups, or not at all (admin controls available on commercial plans)
Confirm that Copilot features respect your data boundary settings (EU Data Boundary if applicable)

Google Workspace AI Features

Google has added AI features across Gmail (Smart Compose, Gemini drafting), Docs, Slides, and Meet. These are being expanded continuously.

Governance actions:

Review which AI features are enabled in your Google Admin console
Check Google's data processing terms for Workspace to confirm AI features are covered
Decide on a per-feature policy (summarization in Meet may be fine; AI analysis of confidential Drive documents may need restriction)

Notion AI

Notion AI can summarize pages, draft content, and analyze data within your workspace. It is powered by third-party models and processes whatever content it is invoked on.

Governance actions:

Check whether Notion AI is enabled in your workspace settings
Confirm Notion's current DPA covers AI processing (Notion has updated its DPA to cover AI features)
Brief the team on which workspace data is appropriate to use with Notion AI

Zoom AI Companion

Zoom AI Companion provides meeting summaries, next-action extraction, and conversation analysis. It processes audio and transcript data from calls.

Governance actions:

Determine whether AI Companion is enabled on your Zoom account (admin setting)
Decide whether to require meeting hosts to notify participants when AI recording/summarization is active
Check local laws — in some jurisdictions, recording and transcribing calls without consent from all parties is regulated

Helpdesk AI (Intercom, Zendesk)

Helpdesk AI processes customer messages to suggest replies, draft responses, or route tickets. It touches customer personal data directly.

Governance actions:

Confirm your helpdesk vendor's DPA covers AI feature data processing
Check whether customer data is used to train the vendor's AI models — and whether you can opt out
Update your customer-facing privacy policy if AI is now analyzing customer support conversations

A Decision Framework

For each embedded AI feature you identify, make one of three decisions:

Approve with controls: The feature aligns with your data policy, the DPA covers it, and you are comfortable with the processing. Enable it with any available configuration (opt-outs, data boundaries) applied. Document it in the tool register.

Approve pending review: You want to allow it but need to confirm DPA coverage or configure data settings first. Put a 30-day deadline on the review. Do not allow use until it is complete.

Disable: The feature processes data at a classification level you are not comfortable sending to this vendor, or DPA coverage cannot be confirmed. Use the admin panel to disable it. Communicate the decision to the team.

Adding Embedded AI to Your Governance Cadence

Embedded AI governance is not a one-time audit. Vendors add AI features on their own release schedules — often quarterly.

Add these to your AI governance operating rhythm:

Monthly: Check vendor release notes and changelogs for AI features in your core SaaS tools
Quarterly: Re-run the embedded AI audit for your top 5–10 tools; update the tool register
On renewal: Include a question in vendor reviews — "What new AI features are planned for the next contract term?"

The teams most exposed to embedded AI risk are the ones that reviewed their AI tools once, documented their findings, and never looked again. Your SaaS vendors are shipping new AI features every quarter. Your governance needs to keep pace.

AI Tool Register Template — add an "embedded AI" column
AI Vendor Due Diligence in 30 Minutes — questions to ask about AI features at procurement
AI and Data Privacy for Small Teams — DPA and GDPR implications
Shadow AI: What It Is and How to Prevent It — embedded AI as a shadow AI vector