On-device AI and security: What really matters for the enterprise
AI is evolving, and so is the way businesses run it. Traditionally, most AI workloads have been processed in the cloud. When a user gives an AI tool a prompt, that input is sent over the internet to remote servers, where the model processes it and sends back a result. This model supports large-scale services like Microsoft 365 Copilot, which integrates AI into apps like Word, Excel, and Teams. Now, a new capability is emerging alongside cloud-based AI. AI can also run directly on a PC—no internet connection or remote server required. This is known as on-device processing. It means the data and the model stay on the device itself, and the work is done locally. Modern CPUs and GPUs are beginning to support this kind of processing. But neural processing units (NPUs), now included in enterprise-grade PCs such as Microsoft Surface Copilot+ PCs, are specifically designed to run AI workloads efficiently. NPUs are designed to perform the types of operations AI needs at high speed while using less power. That makes them ideal for features that need to work instantly, in a sustained fashion in the background, or without an internet connection. A flexible approach to AI deployment NPUs can enable power-efficient on-device processing, fast response times with small models, consistent functionality in offline scenarios, and more control over how data is processed and stored. For organizations, it adds flexibility in choosing how and where to run AI—whether to support real-time interactions at the edge or meet specific data governance requirements. At the same time, cloud-based AI remains essential to how organizations deliver intelligent services across teams and workflows. Microsoft 365 Copilot, for example, is powered by cloud infrastructure and integrates deeply across productivity applications using enterprise-grade identity, access, and content protections. Both models serve different but complementary needs. On-device AI adds new options for responsiveness and control. Cloud-based AI enables broad integration and centralized scale. Together, they give businesses flexibility to align AI processing with the demands of the use case, whether for fast local inference or connected collaboration. For business and IT leaders, the question is not which model is better but how to use each effectively within a secure architecture. That starts with understanding where data flows, how it is protected, and what matters most at the endpoint. Understanding AI data flow and its security impact AI systems rely on several types of input such as user prompts, system context, and business content. When AI runs in the cloud, data is transmitted to remote servers for processing. When it runs on the device, processing happens locally. Both approaches have implications for security. With cloud AI, protection depends on the strength of the vendor’s infrastructure, encryption standards, and access controls. Security follows a shared responsibility model where the cloud provider secures the platform while the enterprise defines its policies for data access, classification, and compliance. Microsoft’s approach to data security and privacy in cloud AI services Although the purpose of this blog post is to talk about on-device AI and security, it’s worth a detour to briefly touch on how Microsoft approaches data governance across its cloud-based AI services. Ultimately, the goal is for employees to be able to use whatever tools work best for what they want to get done, and they may not differentiate between local and cloud AI services. That means having a trusted provider for both is important for long-term AI value and security in the organization. Microsoft’s generative AI solutions, including Azure OpenAI Service and Copilot services and capabilities, do not use your organization’s data to train foundation models without your permission. The Azure OpenAI Service is operated by Microsoft as an Azure service; Microsoft hosts the OpenAI models in Microsoft's Azure environment and the Service does not interact with any services operated by OpenAI (e.g. ChatGPT, or the OpenAI API). Microsoft 365 Copilot and other AI tools operate within a secured boundary, pulling from organization-specific content sources like OneDrive and Microsoft Graph while respecting existing access permissions. For more resources on data privacy and security in Microsoft cloud AI services, check out Microsoft Learn. Local AI security depends on a trusted endpoint When AI runs on the device, the data stays closer to its source. This reduces reliance on network connectivity and can help limit exposure in scenarios where data residency or confidentiality is a concern. But it also means the device must be secured at every level. Running AI on the device does not inherently make it more or less secure. It shifts the security perimeter. Now the integrity of the endpoint matters even more. Surface Copilot+ PCs are built with this in mind. As secured-core PCs, they integrate hardware-based protections that help guard against firmware, OS-level, and identity-based threats. TPM 2.0 and Microsoft Pluton security processors provide hardware-based protection for sensitive data Hardware-based root of trust verifies system integrity from boot-up Microsoft-developed firmware can reduce exposure to third-party supply chain risks and helps address emerging threats rapidly via Windows Update Windows Hello and Enhanced Sign-in Security (ESS) offer strong authentication at the hardware level These protections and others work together to create a dependable foundation for local AI workloads. When AI runs on a device like this, the same enterprise-grade security stack that protects the OS and applications also applies to AI processing. Why application design is part of the security equation Protecting the device is foundational—but it’s not the whole story. As organizations begin to adopt generative AI tools that run locally, the security conversation must also expand to include how those tools are designed, governed, and managed. The value of AI increases dramatically when it can work with rich, contextual data. But that same access introduces new risks if not handled properly. Local AI tools must be built with clear boundaries around what data they can access, how that access is granted, and how users and IT teams can control it. This includes opt-in mechanisms, permission models, and visibility into what’s being stored and why. Microsoft Recall (preview) on Copilot+ PCs is a case study in how thoughtful application design can make local AI both powerful and privacy conscious. It captures snapshots of the desktop embedded with contextual information, enabling employees to find almost anything that has appeared on their screen by describing it in their own words. This functionality is only possible because Recall has access to a wide range of on-device data—but that access is carefully managed. Recall runs entirely on the device. It is turned off by default—even when enabled by IT—and requires biometric sign-in with Windows Hello Enhanced Sign-in Security to activate. Snapshots are encrypted and stored locally, protected by Secured-core PC features and the Microsoft Pluton security processor. These safeguards ensure that sensitive data stays protected, even as AI becomes more deeply embedded in everyday workflows. IT admins can manage Recall through Microsoft Intune, with policies to enable or disable the feature, control snapshot retention, and apply content filters. Even when Recall is enabled, it remains optional for employees, who can pause snapshot saving, filter specific apps or websites, and delete snapshots at any time. This layered approach—secure hardware, secure OS, and secure app design—reflects Microsoft’s broader strategy for responsible local AI and aligns to the overall Surface security approach. It helps organizations maintain governance and compliance while giving users confidence that they are in control of their data and that the tools are designed to support them, not surveil them. This balance is essential to building trust in AI-powered workflows and ensuring that innovation doesn’t come at the expense of privacy or transparency. For more information, check out the related blog post. Choosing the right AI model for the use case Local AI processing complements cloud AI, offering additional options for how and where workloads run. Each approach supports different needs and use cases. What matters is selecting the right model for the task while maintaining consistent security and governance across the entire environment. On-device AI is especially useful in scenarios where organizations need to reduce data movement or ensure AI works reliably in disconnected environments In regulated industries such as finance, legal, or government, local processing can help support compliance with strict data-handling requirements In the field, mobile workers can use AI features such as document analysis or image recognition without relying on a stable connection For custom enterprise models, on-device execution through the Windows AI Foundry Local lets developers embed AI in apps while maintaining control over how data is used and stored These use cases reflect a broader trend. Businesses want more flexibility in how they deploy and manage AI. On-device processing makes that possible without requiring a tradeoff in security or integration. Security fundamentals matter most Microsoft takes a holistic view of AI security across cloud services, on-device platforms, and everything in between. Whether your AI runs in Azure or on a Surface device, the same principles apply. Protect identity, encrypt data, enforce access controls, and ensure transparency. This approach builds on the enterprise-grade protections already established across Microsoft’s technology stack. From the Secure Development Lifecycle to Zero Trust access policies, Microsoft applies rigorous standards to every layer of AI deployment. For business leaders, AI security extends familiar principles—identity, access, data protection—into new AI-powered workflows, with clear visibility and control over how data is handled across cloud and device environments. Securing AI starts with the right foundations AI is expanding from cloud-only services to include new capable endpoints. This shift gives businesses more ways to match the processing model to the use case without compromising security. Surface Copilot+ PCs support this flexibility by delivering local AI performance on a security-forward enterprise-ready platform. When paired with Microsoft 365 and Azure services, they offer a cohesive ecosystem that respects data boundaries and aligns with organizational policies. AI security is not about choosing between cloud or device. It is about enabling a flexible, secure ecosystem where AI can run where it delivers the most value—on the endpoint, in the cloud, or across both. This adaptability unlocks new ways to work, automate, and innovate, without increasing risk. Surface Copilot+ PCs are part of that broader strategy, helping organizations deploy AI with confidence and control—at scale, at speed, and at the edge of what’s next.Microsoft Surface Platinum Partners: Empowering success through endpoint strategy
Choosing the right devices based on a clear endpoint strategy can transform productivity, collaboration, and security across your organization—especially in the age of AI. Surface devices fit the bill by helping employees work smarter with AI, stay engaged, and collaborate effortlessly, all while protecting sensitive business data. When your device choices align with your business goals, you build a foundation for agility and long-term success. The same thinking applies to choosing a reseller to source Surface devices. The right partner will help you maximize the impact of strategic device choice on your business. Working with a provider who understands your needs, offers expert guidance, and has the resources to support organizations like yours helps you accelerate transformation and get more from your investment. Working with a Microsoft Platinum Partner is one way to align your device strategy with your organization's business goals. They have the knowledge and resources to deploy and support Surface solutions at scale, supported by services and solutions to drive ROI. Microsoft Surface Platinum Partners ASI Solutions Since 1985, ASI Solutions has provided technology services across Australia and New Zealand. Their approach focuses on aligning IT solutions with organizational strategies, delivering Surface deployments that meet both current requirements and future growth objectives. Learn more: https://www.asi.com.au/ Bechtle Bechtle combines years of IT expertise with an extensive presence across Europe. Their strong relationship with Microsoft and deep knowledge of enterprise technology make them a trusted resource for implementing and managing Surface devices. Learn more: https://www.bechtle.com/ CDW CDW works with organizations to modernize workplaces through Surface devices and integrated IT solutions, including Microsoft 365 and Azure. Their enterprise-focused services simplify adoption and help businesses create more efficient and adaptable operations. Learn more: https://www.cdw.com/ Computacenter Computacenter provides Surface deployment and management services for large businesses and public organizations. Their focus on IT optimization and infrastructure alignment ensures that Surface devices integrate seamlessly into broader operational strategies. Learn more: https://www.computacenter.com/ Connection Connection specializes in helping businesses adopt Surface devices through practical, scalable services. Their ability to address both immediate technology needs and longer-term goals makes them a valuable partner in workplace modernization. Learn more: https://www.connection.com/ Data#3 Data#3 brings over 15 years of Microsoft expertise to their role as Surface deployment specialists in Australia. Their services include procurement, deployment, and training, helping businesses adopt technology efficiently while empowering employees to use it effectively. Learn more: https://www.data3.com/ Zones Zones delivers scalable IT solutions with a global footprint, enabling organizations to deploy Surface devices across diverse teams and locations. Their collaborative approach ensures businesses can implement solutions tailored to specific operational needs. Learn more: https://www.zones.com/ Insight Insight integrates Surface devices into workplace modernization projects, backed by decades of experience with Microsoft technologies. Their enterprise deployment capabilities allow businesses to implement secure, high-performing tools at scale. Learn more: https://www.insight.com/ SHI SHI’s experience with Surface spans over a decade, supporting global deployments with tools like AutoPilot for streamlined implementation. Their expertise helps businesses integrate Surface devices into complex IT ecosystems effectively and securely. Learn more: https://www.shi.com/ Otsuka Shokai Otsuka Shokai offers IT solutions in Japan that include Surface device deployments tailored to business needs. Their technical teams provide end-to-end support, ensuring that each implementation enhances efficiency and meets organizational goals. Learn more: https://www.otsuka-shokai.co.jp/ By collaborating with these Platinum Partners, enterprises can effectively integrate Surface devices into their IT infrastructure, ensuring that their device strategy supports and enhances their overall business objectives.Expert Insights: Incorporating AI PCs into your business strategy
Device selection is often seen as a routine IT decision, but AI-capable hardware changes what’s possible. AI-capable devices enable new levels of efficiency, collaboration, and productivity. Choosing the right hardware shapes how businesses handle data, streamline workflows, and build a foundation for future success. David Stoeckel, Director of Program Management for Surface CXP Engineering at Microsoft, emphasizes a multi-faceted approach to evaluating Copilot+ PCs. "You have to think about it on three levels: the baseline capabilities of the device itself, the core components of Windows like captions and translation, and then the custom functionalities businesses can build on top of that," Stoeckel explained. This strategic framework allows enterprises to make choices that drive long-term, transformational impact. Real-time productivity: Not just faster, but smarter PCs with neural processing units (NPUs) can handle tasks such as transcription, translation, and video enhancement locally, supporting fluid experiences and new AI use cases. Industries with strict data controls, such as healthcare and finance, gain more flexibility in how they deploy AI. Copilot+ PCs from Microsoft Surface integrate these capabilities into thoughtfully engineered, enterprise-ready devices. They offer immediate benefits by handling complex tasks locally, reducing latency and enhancing real-time decision-making. This enables new types of computing that were previously impractical or impossible on local machines. For example, they can perform real-time transcription and translation on-device, opening doors for fields such as healthcare, finance, and government where data privacy concerns restrict the use of cloud-based solutions. As Stoeckel points out, "We see doctors using these devices to transcribe patient conversations locally, supporting data privacy without compromising on functionality. Or think of a financial consultant sitting with a client, capturing and developing strategies on the spot—no waiting for external servers to process requests.” These capabilities complement rather than replace cloud-based AI, supporting use cases in which it is unfeasible to send data to the cloud, or where keeping it local can accelerate time to value. Surface Copilot+ PCs handle such workloads directly, meeting specific compliance requirements while capitalizing on the latest advancements. Solving business challenges: putting the focus on AI-optimized workflows Surface Copilot+ PCs enable businesses to rethink workflows and tasks that require real-time data processing, predictive analytics, or highly customized experiences. The ability to run models on-device presents new opportunities to innovate. The NPU architecture in Surface Copilot+ PCs enables local processing of machine learning and predictive analytics models with low latency. This capability supports use cases like predictive maintenance in manufacturing and on-device fraud detection in financial services, where real-time data analysis can drive faster, more responsive decision-making. Stoeckel underscores the importance of custom development in this space: "The third pillar I mentioned—what software vendors and businesses build on top of the platform—has huge potential value. This is where companies can tailor capabilities to fit their unique workflows." Enterprises can use Copilot+ PCs to develop proprietary applications that offer competitive advantages, whether through faster decision-making, more personalized customer experiences, or highly specific data models built for niche use cases. Driving innovation with hybrid AI Cloud-based platforms remain critical to driving AI business value. Businesses rely on them for running large models and executing complex workflows. But some AI tasks benefit from running on-device, whether to maintain control over sensitive data, meet compliance requirements, or reduce dependency on cloud connectivity. Workloads like real-time transcription, predictive maintenance, and AI-driven personalization may also be more responsive when processed locally, depending on network conditions and infrastructure. A hybrid AI model gives organizations the flexibility to balance these needs. Copilot+ PCs allow businesses to run AI applications locally for real-time insights and personalized recommendations while relying on the cloud for intensive processing and the latest models. This approach lets organizations deploy AI in the way that best aligns with their security, performance, and operational priorities. With Copilot+ PCs, companies can refine AI-powered workflows, deciding where to process data based on business requirements rather than technical limitations. This flexibility supports both immediate productivity and long-term advancement. The future: seamless integration and innovation without limits Stoeckel expects the line between cloud and local AI to fade. "In the future, the interaction between what's done locally on the device and what's done in the cloud will be seamless. You'll have the flexibility to choose where to run workloads based on cost, performance, and privacy requirements," he says. As AI infrastructure evolves, businesses will have more freedom to fine-tune where and how they process data. Some workloads will always benefit from cloud scale, while others will run more efficiently on-device. This flexibility will shape how companies build and deploy AI-driven solutions. Why choose Surface as the foundation of your AI device strategy? Surface devices enhance AI value through thoughtfully designed experiences that enrich every interaction. Depending on the device, this can include precision inking, vibrant touchscreens, and customizable touchpads for natural input. High-quality cameras and microphones work with AI to improve collaboration, while precision-engineered keyboards make typing more comfortable and ergonomic. Security empowers organizations to run AI workloads with confidence, protecting data while driving performance. With Surface Copilot+ PCs, Secured-core PC technology strengthens defenses against firmware attacks, while hardware-based protection using Microsoft Pluton or TPM safeguards sensitive information. Strong and seamless authentication options like biometrics and NFC help ensure only authorized users can access applications and data. Device strategy will separate leaders from followers Choosing the right devices has always shaped business productivity, but with AI workloads running on-device, this decision now carries far greater weight. Copilot+ PCs from Surface provide a foundation for businesses to process data faster, maintain security, and integrate AI into daily workflows without cloud dependence. Whether improving collaboration, automating routine tasks, or enabling real-time decision-making, these devices support a shift toward AI-powered work. Organizations that think strategically about hardware today will be in the strongest position to drive innovation and efficiency in the years ahead. In the end, AI PCs are a catalyst for business transformation. For companies willing to explore their full potential, the opportunities are significant. By starting now, businesses can get ahead of the curve, building the infrastructure and workflows necessary to thrive in an increasingly AI-driven world. To learn more read the eBook: Drive business resilience with AI PCs.
