Copilot in Teams Meetings: The Recording and Summarization Risks Nobody's Discussing
Every recorded Teams meeting becomes searchable by Copilot. Board discussions, legal reviews, HR proceedings — all discoverable by anyone with access to the recording.
Every recorded Teams meeting becomes a searchable document that Copilot can summarize on demand. Board discussions, legal reviews, HR proceedings, and clinical case reviews are all at risk if recording storage and meeting policies are not governed before Copilot goes live. This guide explains how Copilot processes meeting recordings and the policies you need to protect sensitive meetings.
Key Facts
- Teams meeting recordings are stored in OneDrive (organizer's) or SharePoint (channel meetings) by default.
- Copilot can summarize any recording the user has access to — including recordings from meetings the user did not attend.
- Real-time transcription, smart recap, and cross-meeting correlation all create searchable data that persists beyond the meeting.
- Compliance recording (for financial services FINRA/MiFID II) is separate from Copilot summarization — both must be governed.
- Meeting policy controls are configured in Teams admin center at tenant, org-wide, or per-user policy level.
When Meetings Become Searchable Data
Quick Answer: Copilot in Teams helps by transcribing meetings and generating summaries. It also makes all recorded meeting content searchable across your Microsoft 365 tenant.
Copilot indexes meeting recordings saved in SharePoint or OneDrive. Any user with access to the recording location can ask Copilot about the discussion. This is possible even if they did not attend the meeting.
This feature affects:
- Accessibility of meeting content
- Knowledge sharing among team members
- Enhanced collaboration and productivity
- Board meetings
- Legal discussions
- HR proceedings
- Clinical case conferences
Most organizations have a single default meeting policy. This policy typically has no Copilot restrictions, no recording access controls, and no sensitivity labels on meeting content.
Teams meetings are often the least managed data source in many Microsoft 365 tenants. Organizations that invested years in creating SharePoint permission models, sensitivity labels, and DLP policies often overlooked meeting recordings. They considered these recordings as temporary content rather than valuable, searchable data.
Copilot changes the equation. A recorded meeting is no longer just a video file that someone might ignore. Now, it acts as a transcribed, indexed, and searchable data source.
With Copilot, you can:
- Extract specific topics, decisions, action items, and statements from meeting transcripts.
- Correlate content across multiple meetings.
- Generate comprehensive summaries that condense hours of discussion into a single document.
This capability is transformative for productivity. It is also a data exposure risk of the first order for organizations that have not configured meeting-level security policies. EPC Group's 47-Point Copilot & M365 Security Review includes a dedicated Teams meeting security evaluation for exactly this reason.
How Copilot Processes Teams Meetings
Understanding the technical flow of how Copilot interacts with Teams meeting content is essential for configuring effective security controls.
During the Meeting
Copilot operates in real-time during the meeting. It can generate live summaries, answer questions about what has been discussed, and track action items. This content is visible to the user who activated Copilot and is not persisted unless the user explicitly saves it. The real-time capability requires transcription to be enabled for the meeting.
Recording and Storage
When a meeting is recorded, the recording (video/audio) and transcript (text) are stored in OneDrive (for non-channel meetings) or SharePoint (for channel meetings). The storage location inherits the permissions of the parent folder or site. For channel meetings, this means all channel members can access the recording. For non-channel meetings, the organizer's OneDrive sharing settings determine access.
Indexing and Searchability
Copilot indexes the meeting transcript text, making it searchable. Users with access to the recording location can query Copilot about meeting content using natural language: "What was decided about the budget in last Tuesday's meeting?" or "Summarize the action items from the project review." Copilot returns answers sourced from the transcript, citing the meeting as the source.
Cross-Meeting Correlation
Copilot can correlate content across multiple meeting transcripts. A query about a project, person, or topic will pull from every accessible meeting where that subject was discussed. This creates a comprehensive view that aggregates weeks or months of meeting discussions into a single response — a view that was never available before Copilot and may include content from meetings the querying user did not attend.
Transcription + Summarization = Searchable Data
The combination of transcription and Copilot summarization transforms meeting content from passive recordings into active data sources. This change is significant because many organizations see recordings as files that are only referenced occasionally.
In contrast, Copilot continuously indexes and serves this content as live data. This allows teams to access relevant information more effectively.
Real-World Scenario
A healthcare organization uses Teams for clinical case conferences. These meetings happen weekly and involve physicians discussing complex patient cases, treatment plans, and outcomes.
The organization records these meetings for training purposes.
All recordings are stored in a Teams channel that is accessible to over 200 clinical staff members.
Before Copilot, recordings were kept in the channel. Occasionally, a physician would watch one for reference. However, the content was available to all channel members but often went unnoticed. Few people searched through long hours of meeting recordings.
After Copilot, a billing department employee with access to the clinical channel asks about a specific condition. Copilot replies by referencing discussions from case conference transcripts. This information includes:
- Names
- Diagnoses
- Treatment plans
This situation is a HIPAA violation. The billing employee should not have access to details of clinical discussions. However, the shared channel permissions and Copilot's indexing ability made this access very easy.
The key insight is that meetings, which were once private and rarely viewed, become public when Copilot makes them searchable. The permissions remain the same, but accessibility changes greatly. Copilot removes the practical obscurity that used to keep meeting content from casual discovery.
Board Meetings and Legal Discussions at Risk
The highest-risk meeting categories often cover important non-public information, privileged communications, or sensitive personnel issues. These meetings include:
- Board of directors meetings
- Attorney-client privileged discussions
- Executive compensation reviews
- M&A planning sessions
- HR disciplinary proceedings
Board Meetings
- M&A targets and deal terms discussed openly
- Financial performance data before public disclosure
- Executive termination or succession planning
- Strategic pivots and competitive positioning
- Insider trading risk if employees query Copilot about board topics
Legal Discussions
- Attorney-client privilege potentially waived if broadly accessible
- Litigation strategy and settlement discussions
- Regulatory investigation responses
- Contract negotiation positions and fallback terms
- Intellectual property disputes and evidence review
HR Proceedings
- Disciplinary proceedings and termination discussions
- Harassment investigations and witness statements
- Salary and compensation reviews by name
- Performance improvement plan discussions
- Disability accommodation and medical information
Clinical Discussions
- Patient names, diagnoses, and treatment plans (HIPAA)
- Clinical trial data and adverse events
- Case conferences with identifiable patient information
- Mental health discussions and substance abuse records
- Genetic information and family health history
Compliance Recording vs. Copilot Summarization
Organizations in regulated industries (financial services, healthcare, government) are often required to record certain communications for compliance purposes. This creates a direct conflict with Copilot's summarization capabilities.
| Dimension | Compliance Recording | Copilot Summarization |
|---|---|---|
| Purpose | Regulatory compliance, audit trail | Productivity, information retrieval |
| Access | Compliance officers, auditors only | Any user with underlying permissions |
| Storage | Compliant storage with retention policies | OneDrive / SharePoint (default permissions) |
| Searchability | Limited to compliance tools | Searchable by any Copilot user with access |
| Retention | Regulated retention periods (7-10 years) | Default tenant retention policies |
| Sharing | Prohibited outside compliance workflow | Summaries can be freely shared by attendees |
| Audit Trail | Full audit trail of access and actions | Limited logging of Copilot queries |
The Conflict: Compliance recording needs content to be captured and stored. Copilot summarization makes this content easy to access. Organizations must ensure that compliance recording storage is separate from general Copilot-accessible storage. If they do not, meeting recording requirements could put Copilot data at risk.
Meeting Policy Controls for Copilot
Teams meeting policies are configured in the Teams admin center. These policies define several key aspects:
- Who can record meetings
- Where recordings are stored
- Who can access transcriptions
- If Copilot is enabled
Most organizations use a single Global (Org-wide default) policy. This means that every meeting follows the same settings, regardless of sensitivity.
Copilot in Teams Meetings
Teams admin center > Meeting policies > Copilot
Create separate policies for Standard, Sensitive, and Highly Sensitive meetings. Disable Copilot entirely for Highly Sensitive meetings. This prevents real-time summarization and post-meeting Copilot queries for board, legal, and HR meetings.
Meeting Recording and Transcription
Teams admin center > Meeting policies > Recording & transcription
For Highly Sensitive meetings: disable automatic recording, disable transcription, or restrict recording access to organizer only. For Sensitive meetings: allow recording but store in a restricted SharePoint site with limited access. Apply sensitivity labels to recordings automatically.
Recording Storage Location
Teams admin center > Meeting policies > Meeting recording storage
Configure separate storage locations for different meeting types. Standard meeting recordings in organizer OneDrive (default). Sensitive meeting recordings in a restricted SharePoint site. Compliance recordings in compliant storage separate from general Copilot access.
Who Can Record
Teams admin center > Meeting policies > Who can record
Restrict recording permissions for Sensitive and Highly Sensitive meetings. For Highly Sensitive meetings, only the organizer should be able to start recording. This prevents attendees from creating unauthorized recordings that could be stored in uncontrolled locations.
Recommended Settings by Meeting Type
| Setting | Standard | Sensitive | Highly Sensitive |
|---|---|---|---|
| Copilot | Enabled | Enabled (with caution) | Disabled |
| Recording | Allowed | Allowed (restricted storage) | Organizer-only or disabled |
| Transcription | Enabled | Enabled (restricted access) | Disabled |
| Storage | Organizer OneDrive | Restricted SharePoint site | Encrypted SharePoint site |
| Sensitivity Label | Default (Internal) | Confidential | Highly Confidential (encrypted) |
| Who Can Record | Organizer + presenters | Organizer + presenters | Organizer only |
| Suitable For | Team standups, project updates | Client meetings, department reviews | Board, legal, HR, clinical, M&A |
Implementation Note: Assign meeting policies based on the organizer's role rather than the meeting topic. The following roles should have the Highly Sensitive policy by default:
- Executives
- Legal staff
- HR directors
- Board members
This approach safeguards all meetings for these roles, regardless of the topic. Users can choose a less strict policy for specific meetings when needed. However, the default setting should always be the most secure option for their role.
Frequently Asked Questions
What are the security risks of Copilot in Teams meetings?
Copilot in Teams creates three security risks that most organizations overlook: 1) Transcription persistence — Copilot generates meeting transcripts that are stored in SharePoint or OneDrive and become searchable content. Anyone with access to the recording location can query Copilot about meeting content. 2) Summarization exposure — Copilot can summarize meetings, action items, and decisions. These summaries can be generated by any attendee and shared without restriction. A summary of a confidential HR meeting could be forwarded, pasted into a document, or surfaced by Copilot in a future query. 3) Cross-meeting aggregation — Copilot can correlate content across multiple meetings. A query like "what has been discussed about the Smith acquisition" will pull from every meeting recording where that topic was mentioned, creating a comprehensive view that may not have been intended for any single audience.
Can Copilot access Teams meeting recordings?
Yes. Copilot can access Teams meeting recordings and their associated transcripts. Recordings are stored in OneDrive (for non-channel meetings) or SharePoint (for channel meetings). The transcript is stored alongside the recording. Copilot indexes both the transcript text and any shared content from the meeting. Anyone who has permission to the storage location can ask Copilot to summarize, search, or extract information from the meeting. This means if a recording is stored in a shared OneDrive folder or a Teams channel accessible to 200 people, all 200 can query Copilot about the meeting content — even if they did not attend.
How do I prevent Copilot from summarizing sensitive meetings?
There are three approaches to preventing Copilot from summarizing sensitive meetings: 1) Disable Copilot for specific meetings using meeting policies in the Teams admin center. Create a meeting policy with Copilot disabled and assign it to organizers of sensitive meetings (board meetings, legal reviews, HR discussions). 2) Restrict recording and transcription. If no recording or transcript is created, Copilot has no persistent content to summarize after the meeting ends. 3) Apply sensitivity labels to meeting recordings. If recordings are labeled "Highly Confidential" with encryption, only users with decryption rights can access them through Copilot. The most effective approach is a combination: disable Copilot for the most sensitive meetings, restrict recording for others, and apply sensitivity labels as a backstop.
Are board meetings at risk from Copilot in Teams?
Board meetings recorded in Teams are at significant risk from Copilot. Board discussions typically cover topics that are highly sensitive: financial performance, M&A activity, executive compensation, strategic pivots, personnel changes, and legal matters. When these meetings are recorded and transcribed, the content becomes part of Copilot searchable corpus. Any employee with access to the recording location can query Copilot about board-level discussions. For public companies, this creates insider trading risk — employees could ask Copilot about acquisition targets discussed in board meetings. For all organizations, it creates competitive intelligence risk — sensitive strategy discussions become searchable. EPC Group recommends a dedicated meeting policy for board meetings: Copilot disabled, recording restricted to organizer-only access, transcription stored in an encrypted SharePoint site with access limited to board members and the corporate secretary.
What is the difference between compliance recording and Copilot summarization?
Compliance recording in Microsoft Teams captures meeting content for regulatory purposes — required in financial services, healthcare, and government. Compliance recordings are managed through retention policies, stored in compliant storage, and accessible only to compliance officers and auditors. Copilot summarization is fundamentally different: it makes meeting content accessible to any authorized user in near real-time. Compliance recordings have controlled access. Copilot summaries can be generated by any meeting attendee and shared freely. The conflict: organizations required to record meetings for compliance may inadvertently expose that same content through Copilot. A compliance recording of a patient care discussion (HIPAA-regulated) should be accessible only to authorized personnel. If the recording is stored in a location accessible to broader Teams members, Copilot can surface patient information to unauthorized users. Resolving this requires meeting-level policies that separate compliance recording storage from general access.
What Teams meeting policies should I configure for Copilot security?
Configure three tiers of meeting policies in the Teams admin center: 1) Standard meetings — Copilot enabled, recording allowed, transcription enabled, recordings stored in organizer OneDrive with default sharing. Suitable for most internal meetings. 2) Sensitive meetings — Copilot enabled with restrictions, recording allowed but stored in restricted SharePoint site, transcription enabled but access limited to attendees. Suitable for project meetings, client discussions, departmental reviews. 3) Highly sensitive meetings — Copilot disabled, recording restricted to organizer-only or disabled entirely, transcription disabled, sensitivity label auto-applied to any meeting artifacts. Suitable for board meetings, legal reviews, HR disciplinary proceedings, M&A discussions, executive compensation reviews. Assign policies based on meeting organizer role: executives, legal, HR, and board members should have the highly sensitive policy by default.
How does EPC Group help secure Copilot in Teams meetings?
EPC Group's 47-Point Assessment includes a dedicated Teams meeting security evaluation covering: meeting recording policy audit (who can record, where recordings are stored, who has access), transcription access analysis (who can view and search transcripts), Copilot meeting policy review (which users have Copilot enabled for meetings), compliance recording integration (ensuring compliance recordings are separated from general Copilot access), sensitivity label application for recordings (verifying labels with encryption are applied to sensitive meeting content), and meeting policy tier recommendations (Standard, Sensitive, Highly Sensitive). The assessment typically identifies 3-7 meeting policy gaps in the average enterprise tenant, with the most common being: all meetings use the same default policy, recordings are stored in broadly accessible locations, and Copilot has no meeting-level restrictions.
Secure Your Teams Meetings Before Copilot Exposes Them
EPC Group offers Copilot and M365 Tenant Security Reviews for businesses across all industries. We have secured over 700 tenants and have 29 years of experience with Microsoft. Our goal is to identify what Copilot can access that it should not.
Our 47-Point Assessment includes a dedicated Teams meeting security evaluation — recording policies, transcription access, Copilot meeting controls, and sensitivity label enforcement for meeting content.
Copilot in Teams Meetings: Recording and Summarization Security Risks
Every recorded Teams meeting is a searchable document. Copilot can summarize these meetings on demand.
However, certain discussions may be at risk if proper policies are not in place:
- Board discussions
- Legal reviews
- HR proceedings
- Clinical case reviews
It is important to establish recording storage and meeting policies before launching Copilot.
This guide outlines how Copilot processes meeting recordings and the policies necessary to protect sensitive meetings.
Key facts
- Teams meeting recordings are stored in OneDrive (organizer's) or SharePoint (channel meetings) by default.
- Copilot can summarize any recording the user has access to — including recordings from meetings the user did not attend.
- Real-time transcription, smart recap, and cross-meeting correlation all create searchable data that persists beyond the meeting.
- Compliance recording (for financial services FINRA/MiFID II) is separate from Copilot summarization — both must be governed.
- Meeting policy controls are configured in Teams admin center at tenant, org-wide, or per-user policy level.
How Copilot Processes Teams Meetings
During the Meeting
- Copilot transcribes speech in real time when "Copilot in Teams" is enabled for the meeting.
- Copilot generates live summaries, action items, and key points visible to enabled participants.
- Participants who joined late can ask Copilot to summarize what they missed — even while the meeting is running.
Recording and Storage
- Meeting recordings are stored in the organizer's OneDrive (personal calls and ad-hoc meetings).
- Channel meeting recordings are stored in the Teams channel's SharePoint document library.
- Transcripts are stored alongside recordings as .vtt files — also indexed by Microsoft Search.
- Storage location and access permissions depend on the meeting type and Teams policy settings.
Indexing and Searchability
- Both recordings and transcripts are indexed by Microsoft Search after the meeting ends.
- Copilot can surface content from recordings in response to any semantically related prompt.
- A user who has access to the recording file can ask Copilot to summarize it — even if they were not in the meeting.
Cross-Meeting Correlation
- Copilot can correlate content across multiple meeting recordings in a single response.
- Example: "Summarize what was decided in Q3 executive meetings" — Copilot returns content from all recordings the user can access in that category.
- This is the highest-risk Copilot behavior for sensitive meeting types.
Meeting Types at High Risk
Board Meetings
Board meetings often discuss important topics such as M&A targets, executive succession, and financial performance. These discussions typically occur before the information is publicly disclosed.
If recordings of these meetings are accessible, Copilot can share this information with any employee who has the right SharePoint permissions.
- M&A targets and deal terms discussed openly
- Financial performance data before public disclosure
- Executive termination or succession planning
- Strategic pivots and competitive positioning
- Insider trading risk if employees query Copilot about board topics
Legal Discussions
Attorney-client privilege may be waived if privileged meeting discussions are broadly accessible. Copilot summarization of legal recordings creates discoverable content that may undermine privilege claims.
- Litigation strategy and settlement discussions
- Regulatory investigation responses
- Contract negotiation positions and fallback terms
- Intellectual property disputes
HR Proceedings
- Employee termination discussions
- Performance improvement plan reviews
- Harassment and misconduct investigation interviews
- Compensation change discussions
Clinical Discussions (Healthcare)
- Patient case reviews with PHI discussed verbally
- M&M (mortality and morbidity) conferences
- Peer review sessions
- Clinical team briefings with patient-identifiable details
Compliance Recording vs Copilot Summarization
These are two separate systems. Both require governance.
- Compliance recording — Required by FINRA, MiFID II, and other regulations for financial services communications. Captured by a third-party recorder (Verint, Nice, Dubber). Stored in a compliance archive. Separate from Teams recording.
- Copilot summarization — Uses the Teams meeting transcript and recording stored in OneDrive/SharePoint. Not part of the compliance archive. Accessible to any user with SharePoint permissions to the recording.
- The risk: Compliance recording governs the compliance copy. It does not govern the Copilot-accessible copy stored in OneDrive/SharePoint.
- The fix: Govern both systems separately. Compliance recording policy covers the archive. Teams meeting policy controls Copilot access to the working copy.
Meeting Policy Controls for Copilot
Configure these settings in Teams admin center under Meeting Policies.
Copilot in Teams Meetings
- On with transcript — Copilot is available during and after the meeting. Transcript is saved. This is the default and highest-risk setting.
- On without transcript — Copilot is available during the meeting but transcript is not saved. Copilot features end when the meeting ends.
- Off — Copilot is disabled for the meeting entirely. Use for board meetings, legal calls, and HR proceedings.
Recording and Transcription Controls
- Allow cloud recording: Yes/No per meeting policy
- Recording automatically expires: set to 60–90 days for sensitive meeting types
- Transcription: enabled or disabled per meeting policy
- Who can record: organizer and co-organizers only (not all attendees)
Recording Storage Location
- Default: organizer's OneDrive for personal and ad-hoc meetings
- Recommended for sensitive meetings: route to a governed Teams channel SharePoint library with restricted membership
- Apply sensitivity labels to the storage location to restrict Copilot access by role
Recommended Settings by Meeting Type
| Meeting type | Copilot setting | Recording | Storage |
|---|---|---|---|
| Board meetings | Off | Off or restricted | Governed channel |
| Legal calls | Off | Off | N/A |
| HR proceedings | Off | Off | N/A |
| Clinical case reviews | Off | Off or PHI-labeled | Clinical channel only |
| Executive briefings | On without transcript | Off or governed channel | Governed channel |
| Standard team meetings | On with transcript | Allowed | Organizer OneDrive |
Frequently Asked Questions
What are the security risks of Copilot in Teams meetings?
Copilot can summarize any Teams recording that the user can access. This includes recordings from meetings they did not attend. However, important discussions, such as:
- Board discussions
- Legal calls
- HR proceedings
- Clinical case reviews
are at risk if recording storage is not managed and meeting policies are not established before Copilot goes live.
Can Copilot access Teams meeting recordings I wasn't in?
Yes. If you have read access to the recording file in SharePoint or OneDrive, Copilot can summarize it on demand. Access to the recording depends on SharePoint permissions for the storage location. This access is not based on meeting attendance.
How do I prevent Copilot from summarizing sensitive meetings?
To protect sensitive meetings, set the Teams meeting policy to "Off." This will completely disable Copilot for those meetings.
If you need to record a meeting, store the recording in a governed SharePoint channel. Ensure that this channel has restricted membership and apply encryption-backed sensitivity labels.
What is the difference between compliance recording and Copilot summarization?
Compliance recording creates a separate copy for regulatory archives using a third-party recorder. Copilot summarization relies on the Teams-native transcript and recording stored in OneDrive or SharePoint.
The compliance recording policy does not cover the Copilot-accessible copy. Both must be managed separately.
How does EPC Group help secure Copilot in Teams meetings?
EPC Group establishes Teams meeting policies according to the meeting type. We direct sensitive meeting recordings to managed SharePoint channels and apply sensitivity labels. We also set up Microsoft Sentinel alerts to detect unauthorized access to recordings. This approach is part of EPC Group's 47-point Copilot Security Review.
Secure Your Teams Meetings Before Copilot Exposes Them
EPC Group has successfully deployed Copilot in over 700 M365 tenants. This includes managing Teams meeting policies for various types of meetings, such as:
- Board meetings
- Legal meetings
- HR meetings
- Clinical meetings
For more information, call (888) 381-9725 or schedule a Teams meeting security review.