Meeting summaries, real-time transcription, coaching assistants, automated note-taking: for most organisations running modern UC platforms, these are no longer features you opt into. They are simply on. The compliance question is not whether AI is active in your communications environment. It is whether anyone is watching what it does.
Theta Lake’s latest survey of 500 financial services firms found that 99% are expanding their use of AI capabilities within UC platforms. At the same time, 88% reported governance challenges. That gap is not a coincidence. It is where the real risk lives.
The Problem Is Visibility, Not Intent
The instinct in most governance conversations is to focus on deliberate misuse: the rogue employee, the policy breach, the bad actor. Esteban Lopez, Senior Manager of Product and Technical Marketing at Theta Lake, says that framing misses the point:
“Most organisations that we talk with, especially heavily regulated ones, security and compliance is just built into their DNA. They are not purposefully deploying AI recklessly. They just don’t know what they don’t know.”
Organizations have put guardrails in place. They monitor prompts and responses at the point of interaction. What that approach cannot see is what only becomes visible over time: the patterns of behaviour that no single interaction would reveal. Lopez explains:
“It is the nuance of the question over time. Understanding the behaviour of users and the AI, getting that holistic view of what is actually happening: organisations come to us and say they do not have a tool that allows them to do that.”
Why Legacy Tools Are Not Built For This
Legacy compliance systems were designed for a different world: keyword matching, known policy violations, PII detection. That logic holds up reasonably well for structured, human-generated communications. It breaks down in a world where the risk does not exist in any single message.
Stacey English, Director of Regulatory Intelligence at Theta Lake, explains how that plays out in practice. An advisor using Copilot to look up information on high net worth customers raises no flags. A follow-up prompt narrowing that analysis might still look legitimate. But a thread that ends with prompts identifying single women in a specific geographic area is a different matter entirely. English says:
“The real risk often emerges across a sequence of prompts rather than in a single request. Legacy compliance tools simply were not built to understand that progression of intent or the context surrounding AI interactions.”
The same logic applies to access. Employees can use AI assistants to surface files, summarise documents, or retrieve information they would not otherwise reach. A legacy tool scanning individual messages won’t see it happening.
What Regulators Expect
Regulators have been consistent: they are not hostile to AI adoption, but they are clear that adoption does not dilute accountability. English says:
“Innovation does not reduce accountability. Firms are still responsible for the outcomes AI produces for customers, the communications generated through these platforms, and the way customer or confidential information is handled.”
For UC leaders, that means governance, oversight, and explainability are non-negotiable. Explainability carries particular weight. It is not enough to flag a risk: firms need to show regulators and auditors how that decision was made and why. Independently audited frameworks such as ISO/IEC 42001 and Cloud Security Alliance STAR AI Level II are increasingly critical benchmarks for UC owners evaluating platforms.
Reframing The Internal Conversation
For UC leaders facing resistance from Legal or Risk, the instinct is often to consider turning AI features off. English argues that is not the safe option it appears to be. Restricting approved tools pushes employees toward shadow alternatives outside the organisation’s control environment, creating greater risk than the problem it was meant to solve. English says:
“The internal conversation should shift from ‘How do we stop AI?’ to ‘How do we use AI safely, transparently, and with appropriate oversight?'”
The productivity case is not going away. One global bank recently reported AI saving employees up to four hours per meeting across millions of meetings annually. Leadership will not walk away from numbers like that. The governance question is whether the control environment can keep pace with adoption.
What AI-Native Compliance Requires
Lopez draws a clear line between a purpose-built AI compliance solution and a legacy tool with an AI layer added on top. The difference is not cosmetic. Monitoring conversational context across entire sessions, identifying behavioural patterns over time, maintaining a full audit trail around prompts and outputs: none of that is achievable with a system that was not built for it from the start. Lopez says:
“A true AI-native compliance solution has AI that was there and built from day one. That is how we are able to do AI well, but also understand how AI is being used and how to monitor it correctly.”
Lopez is clear on what UC leaders should be looking for: A tool that integrates with the full compliance and security stack, that lets teams search AI content, establish baselines, and track how behaviour changes over time. And one that treats AI communications as a distinct category, not as an extension of existing regulated content.
“AI is new and you probably want to treat it differently from any other regulated piece of content. You need a tool that has the flexibility to do that, but also one that can intelligently integrate with your broader IT stack.”
To learn more about how Theta Lake governs AI across enterprise UC platforms, visit the Theta Lake website.
