Recall or Regret?

The Business Risks Behind Microsoft’s New AI Feature
Simran Kandola
August 5, 2025

Microsoft Recall is a new AI feature built into Windows 11 for Copilot+ PCs, designed to help users find information they have previously viewed on their computer – even if they can’t remember when or where. It works by quietly taking snapshots every few seconds or when the content of your active window changes. These snapshots are stored locally, encrypted, and only captured if the user opts in. You can also customise what Recall tracks, with the option to exclude certain apps and websites, and Microsoft promises it won’t see any of your data.

The idea is simple: make your digital memory searchable. Can’t remember the name of that CRM tool you saw last week? Or where you spotted a great lunch spot for your next client meeting? Just ask Recall, and it will search your snapshot history for visual or text matches.

While the safety controls are intended to offer peace of mind, the always-on nature of Recall starts to feel less like a helpful assistant and more like a silent observer. Some might say its watchful gaze has more in common with Sauron’s eye than a friendly AI companion.

Corporate Use and Risk

Recall introduces several significant implications in a corporate setting, particularly for companies that are regulated or whose staff view sensitive information on their PCs.

Workplace Surveillance Laws

Recall’s continuous screen capturing may place employers at legal risk, particularly in NSW and ACT, where workplace surveillance laws require 14 days’ written notice and detailed disclosure before any computer monitoring begins. Covertly enabling Recall or failing to clearly outline its use could breach the NSW Workplace Surveillance Act 2005 or the ACT’s Workplace Privacy Act 2011.

While there are no workplace-specific computer surveillance laws in other states and territories, employers must still address privacy and ethical risks. Using Recall without clear internal policies or employee notification may violate obligations under the Privacy Act 1988 (Cth), breach implied workplace trust, or trigger Fair Work or WHS issues. Even where legally permitted, poor implementation of Recall could lead to reputational harm, data breaches, or legal disputes.

Insider Threats

By continuously capturing screenshots of user activity, Recall builds a detailed timeline of everything viewed on a device, including documents, chats, emails, and websites. Despite filters, sensitive content can still be captured, such as passwords, credit card numbers, tax records, or decrypted data. Although Microsoft states that Recall requires individual user consent, administrators with elevated privileges, such as system admins or onboarding personnel, may be able to enable it during setup or through account access, creating a grey area that could facilitate covert surveillance.

Data Leakage

Even though Recall data is stored locally and encrypted, it forms a centralised and potentially unmonitored repository of sensitive information that becomes a high-value target for threat actors. If a device is compromised, even briefly, a malicious insider or external threat actor could exfiltrate the Recall database using standard malware techniques and reconstruct a comprehensive digital footprint of the user’s activity. For organisations handling commercially sensitive data, regulated information, or intellectual property, Recall introduces a concentrated leakage risk that demands proactive governance, endpoint hardening, and clearly defined monitoring policies.

 

Compliance and Governance

APP 11 under the Privacy Act 1988 (Cth) requires organisations to take reasonable steps to protect personal information from misuse, interference, and unauthorised access. Recall’s capture and storage of PII (personally identifiable information) or sensitive data can undermine data minimisation and purpose limitation principles. Collecting far more information than may be necessary for business operations can potentially bypass existing risk controls or consent mechanisms. Organisations must also assess whether Recall aligns with their privacy policies, data handling procedures, and risk frameworks, as it may also breach other APPs if personal information is captured without a clear, lawful basis, such as:

Recall also presents a governance challenge for data retention and compliance, particularly if not integrated into formal records management and disposal processes. Without clear oversight, Recall can act as a shadow repository by capturing and storing user activity outside established backup, archiving, and deletion controls. Its filter for sensitive content is not fully transparent, and retention settings are ambiguous, raising uncertainty over how long snapshots persist and what types of information are being stored. If data is retained indefinitely, this results in an exponentially growing volume of unstructured, unclassified information that may contain sensitive or regulated content. This further undermines not only data minimisation but also retention policies, and it significantly increases an organisation’s attack surface.

 

Implications for Security Architecture & BYOD

Organisations that rely on conventional endpoint protection strategies may face architectural challenges introduced by Recall. Because Recall stores data locally and operates at the user level, security teams often lack visibility or control over what is captured, particularly if endpoints are not centrally managed or monitored. While supported desktop clients (e.g., Remote Desktop Connection, VMConnect, Azure Virtual Desktop) are excluded from snapshot logging, this protection does not extend to locally run applications on unmanaged devices.

In BYOD or hybrid work environments, if employees enable Recall on personal Copilot+ devices used for work, organisations may be unable to detect or manage the passive recording of sensitive business information. This creates a blind spot in data governance and increases the risk of unintentional leakage or compromise. To mitigate this, organisations should enforce strict endpoint control policies, prohibit Recall on unmanaged devices, and implement layered data loss prevention (DLP) controls. Additionally, Microsoft 365 hardening, through tools like Conditional Access, Defender for Endpoint, and Information Protection, can help minimise exposure across cloud-connected environments.

 

Recommendations

Perform a Risk Assessment

Conduct a privacy and security risk assessment on Recall before implementing it across the business. Evaluate its impact on:

  • Privacy obligations under the Privacy Act 1988 (Cth)
  • Data classification and retention policies
  • Information governance frameworks
  • Legal risks under workplace surveillance laws, especially in NSW and ACT

 

Configure and Govern Recall on Managed and Personal Devices

Consider disabling Recall by default on corporate-managed devices through Group Policy or MDM tools, enabling it only where clearly justified and well-governed. For BYOD and hybrid use, update policies to address Recall on personal Copilot+ devices, as unmanaged endpoints may limit visibility and increase compliance and data leakage risks.

 

Align Policies with Legal and Governance Requirements

Update acceptable use, surveillance, and privacy policies to explicitly address Recall’s purpose, data captured, access, retention, and deletion. Ensure compliance with state and federal laws, and integrate Recall into records management and disposal processes.

 

Strengthen Technical Controls and Monitoring

Apply security controls such as Defender for Endpoint and DLP policies, and block Recall data from syncing to cloud services where possible. Implement access controls, logging, and insider threat monitoring to track and manage Recall data locally.

 

Embed Security Awareness

Incorporate Recall into security training to ensure staff understand what it records, the risks of enabling it, particularly on personal devices, and how to manage it. Clearly communicate legal obligations to support transparency and compliance.

 

Final Thoughts

While Microsoft Recall offers a powerful and convenient function for businesses, it also introduces critical risks concerning privacy, security, and compliance. Organisations must consider a cautious and risk-based approach when using Recall as it can increase insider threats, create unmonitored and superfluous data storage, and threaten security architecture. This isn’t just a personal privacy question – it’s now an informed corporate governance decision.

Simran Kandola

Simran is a GRC Consultant at Morrisec, specialising in risk assessments, compliance, and governance strategies tailored to client needs. She supports organisations in building and integrating effective GRC frameworks, including MRP, Morrisec's eGRC platform, to streamline processes and strengthen resilience.
