AI Defaults in Enterprise SaaS Spark Governance and Security Concerns for CIOs and CISOs
June 10, 2026
AI features are increasingly enabled by default in enterprise SaaS, often without explicit admin consent or adequate lead time, creating governance, security, and legal risks.
The central premise is that default-on is a governance choice; vendors that prioritize governance and transparent risk communication will earn renewal trust.
A practical remedy is for vendors to ship AI features off by default, paired with structured admin notifications, a published risk matrix aligned with standards (SOC 2, ISO 27001, wiretap considerations), ready-to-use training materials, and a longer evaluation window measured in weeks.
Operational burden includes more support tickets, change fatigue, and productivity drag on IT and security teams when features roll out without clear evaluation windows.
CIOs and CISOs should assume the next AI feature will be on by default, conduct recurring tenant configuration reviews, document default-on incidents, and weave governance into renewal decisions to preserve trust and control.
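One way to make the recurring tenant configuration review concrete is to diff two exported snapshots of a tenant's feature settings and flag anything that became enabled without an approved admin change. The block below is an added example written for this summary; it is not code from the Forbes article or from any vendor. The snapshot layout, the setting names (`ai_summaries`, `ai_companion`, `ai_connectors`) and the `set_by` field are constructed for illustration and do not correspond to any real admin-center export format.

```python
"""Default-on drift check across two tenant configuration snapshots.

Added example, not vendor code. Snapshot format and setting names are
constructed for illustration; map them to your tenant's real export.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample snapshots (illustrative keys, not a real vendor export).
PREVIOUS_SNAPSHOT = {
    "captured": "2026-05-01",
    "settings": {
        "meeting_recording": {"enabled": True, "set_by": "admin"},
        "ai_summaries": {"enabled": False, "set_by": "admin"},
        "external_sharing": {"enabled": False, "set_by": "admin"},
    },
}
CURRENT_SNAPSHOT = {
    "captured": "2026-06-01",
    "settings": {
        "meeting_recording": {"enabled": True, "set_by": "admin"},
        "ai_summaries": {"enabled": True, "set_by": "vendor_default"},
        "external_sharing": {"enabled": False, "set_by": "admin"},
        "ai_companion": {"enabled": True, "set_by": "vendor_default"},
        "ai_connectors": {"enabled": False, "set_by": "vendor_default"},
    },
}


@dataclass(frozen=True)
class Finding:
    setting: str
    kind: str        # "new_default_on" or "flipped_on"
    captured: date   # snapshot date on which the change was first seen
    set_by: str      # who the snapshot attributes the value to


def find_default_on_drift(previous, current, approved_changes=frozenset()):
    """Return settings that are enabled in `current` but were not enabled
    (or did not exist) in `previous`, excluding settings an admin change
    ticket explicitly approved. Sorted by setting name for stable reports."""
    seen_on = date.fromisoformat(current["captured"])
    prev = previous["settings"]
    findings = []
    for name, state in current["settings"].items():
        if not state.get("enabled") or name in approved_changes:
            continue  # disabled features and approved changes are not drift
        if name not in prev:
            findings.append(Finding(name, "new_default_on", seen_on, state.get("set_by", "unknown")))
        elif not prev[name].get("enabled"):
            findings.append(Finding(name, "flipped_on", seen_on, state.get("set_by", "unknown")))
    return sorted(findings, key=lambda f: f.setting)


def incident_record(finding, vendor):
    """Render one finding as a line for the default-on incident log that
    feeds renewal discussions. Format is this example's own convention."""
    return (f"{finding.captured.isoformat()} {vendor} {finding.setting} "
            f"{finding.kind} set_by={finding.set_by}")


if __name__ == "__main__":
    # Constructed: no change tickets were approved between the two snapshots.
    approved = frozenset()
    for f in find_default_on_drift(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, approved):
        print(incident_record(f, "example-vendor"))
```

Run this on each review cycle against the previous snapshot; passing the set of change tickets approved in between as `approved_changes` separates deliberate admin enablement from vendor defaults, so only the latter land in the incident log.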
Examples from major vendors show varied default behaviors: Zoom auto-enables AI Companion; Microsoft 365 Copilot is on by default for admin users and Windows devices install Copilot by default; Google Workspace Intelligence defaults to on across data sources; OpenAI ships ChatGPT Enterprise with apps/connectors off by default while ChatGPT Business has apps on by default.
Default-on settings raise legal concerns, including two-party consent for recordings, data residency, retention, wiretap compliance, data sprawl, and e-discovery exposure.
Notification mechanisms for new AI features are fragmented and often insufficient for timely governance; admins may miss updates, and training materials are rarely ready for workforce rollout.
Summary based on 1 source
Source

Forbes • Jun 10, 2026
Default-On AI: Are SaaS Vendors Outsourcing Their Risk To You?