Windows Copilot is coming. Are you ready?

At the end of May, Microsoft had its DEVELOP conference, which it uses to showcase new products for the hundreds of thousands of programmers who write applications and utilities for Microsoft’s immensely popular software packages (like Office) and ubiquitous Windows operating system. Satya Nadella, Microsoft’s CEO, took to the stage for the opening keynote, touting the powers of the newest revisions of its offerings – employing ‘generative’ AI tools. Nadella finished off with a “One more thing…” flourish reminiscent of Steve Jobs, revealing the pinnacle of Microsoft’s efforts to bring AI chatbots to every one of its customers: Windows Copilot.

Satya Nadella revealed a complete integration of Bing Chat into Microsoft’s Windows 11 operating system. No longer confined to a browser window, Windows Copilot is an always-on, always-available and richly connected AI chatbot interface to the computer. And it would be a free upgrade for every Windows 11 user — coming in November.

Ninety days have passed since that announcement, and we have about ninety more until Windows Copilot automatically installs itself on around half a billion PCs worldwide. What seemed an exciting new frontier back in May should be giving every PC user a moment’s pause: Who exactly will be in control of our computers, once Windows Copilot comes on board?

Microsoft will be carefully ringfencing the range of activities which Windows Copilot can engage in: simple things like taking a screenshot, or switching from “Light” to “Dark” modes on the display – nothing that could cause too much trouble. But all of this relies on a ringfence that we’ve now learned is so very easy to evade. Is it possible to submit a prompt to Windows Copilot which will cause it to silently begin deleting files, flooding the network with spurious traffic, or simply bcc’ing all emails to a competitor?

These are the kinds of risks that make security experts break out in a cold sweat – not because they worry about a Skynet-style attack from systems suddenly grown into sentience, but because the ‘attack surface’ presented to anyone who can ‘inject’ the right bit of text into Windows Copilot means these systems will become exponentially harder to secure. It’s likely that any organisation trying to maintain decent security will simply turn Windows Copilot off on all of its computers. And that will work – until an employee works from their home machine. Then, all bets are off.

Since Windows Copilot is going to land pretty much everywhere before the end of the year, now would be a very good time for half a billion people to learn how to have a safe conversation with an AI chatbot – and how to work securely around them. Skype and Google Docs are leading indicators of a transformation which will bring an idiosyncratic intelligence to all of our digital tools. We need to move cautiously, carefully, thoughtfully – and immediately.
