Microsoft · Filed Dec 30, 2024 · Published Jul 2, 2026 · verified — real USPTO data

Microsoft Patent Reveals Local AI Secretly Sends Your Prompts to Cloud for Screening

Microsoft wants your PC's AI chip to run models locally, but send every prompt to a cloud security service before you see the answer. The kicker: the whole exchange is encrypted so the operating system itself can't read it.

Microsoft Patent: Secure AI Model Execution on Device NPU — figure from US 2026/0189536 A1
FIG. 1A — rendered from the official USPTO publication PDF.
Publication number US 2026/0189536 A1
Applicant Microsoft Technology Licensing, LLC
Filing date Dec 30, 2024
Publication date Jul 2, 2026
Inventors Itai ROSENBLAT, Roei Shlomo MENASHOF, Oren ISTRIN
CPC classification 726/23
Grant likelihood Medium
Examiner MAHMOUDI, RODMAN ALEXANDER (Art Unit 2499)
Status Response to Non-Final Office Action Entered and Forwarded to Examiner (Jun 25, 2026)
Document 20 claims

What Microsoft's on-device AI security check actually does

Imagine you ask your laptop's AI assistant a question. Normally the answer comes straight back from the AI running on your machine. Under this patent, something extra happens first: before you see any response, your question gets secretly checked by a Microsoft security service running in the cloud.

The checking happens through the dedicated AI chip (called a Neural Processing Unit, or NPU) built into modern PCs. The chip encrypts your prompt so that even Windows itself can't read it, sends it to the cloud service, and waits. If the service decides the AI's planned answer is risky or sensitive, it swaps in a safer alternative before you ever see the original.

You'd never notice the detour. From your side, you asked a question and got an answer. The difference is that a layer of cloud-based guardrails decided what that answer would be.

How the NPU encrypts prompts and routes them past the cloud filter

The patent describes a three-way handshake between the NPU (the dedicated AI chip on your device), the operating system, and a cloud-based security service.

Here's the sequence:

  • The NPU runs the AI model locally and also receives your prompt.
  • Before returning the AI's answer, the NPU encrypts the prompt (and related interaction data) using a cryptographic key it controls.
  • The encrypted package travels through a special utility baked into Windows to Microsoft's cloud service, which decrypts it, analyzes it for security or sensitivity issues, and sends back a response indicator.
  • If the response indicator says the AI's answer is problematic, the NPU substitutes the cloud service's alternative response instead of the one the local model generated.

The critical design choice is that the encryption happens on the NPU itself, not in the main Windows software layer. That means the operating system acts only as a messenger; it can't read the contents of what it's forwarding. This is sometimes called a trusted execution architecture, where sensitive work is isolated inside a chip that the broader software environment can't inspect.

The cloud analysis can cover at least two categories: a security analysis (is this prompt trying to extract dangerous information?) and a sensitivity analysis (does the response touch on regulated, private, or policy-sensitive topics?).

What this means for Copilot and Windows AI privacy

For anyone using a Copilot Plus PC or a future Windows device with an NPU, this architecture would mean Microsoft retains a real-time veto over AI responses even when the model runs locally. That's a significant policy lever: companies deploying Windows PCs to employees could configure the cloud filter to block certain categories of AI output without needing to modify the local model at all.

There's also a privacy wrinkle worth noting. The encryption-on-chip design means your employer or IT department running Windows cannot intercept your prompts through normal software channels, but Microsoft's own cloud service still sees a decrypted version. Whether users and enterprise buyers see that as a feature or a concern will likely depend on how transparently Microsoft discloses the behavior.

Editorial take

This is a genuinely consequential patent for the Copilot PC push. Microsoft is essentially building a content-moderation layer that lives below the operating system, which is harder to disable and harder for users to detect than a software-level filter. The encryption angle is clever engineering, but it also means users are trusting Microsoft's cloud service with their AI conversations whether they know it or not.

Which company should we read for you?

We track 17 companies here. Pro is the same weekly breakdown for any company you choose, delivered privately. Type a name and we'll scope it and send you a quote.

Get one Big Tech patent every Sunday

Plain English, intelligent commentary, no hype. Free.

Source. Full patent text and figures from the official USPTO publication PDF.

Editorial commentary on a publicly published patent application. Not legal advice.