AI is increasingly happening on endpoints, or via them in the case of frontier model inference and other heavy workloads. As such, governing AI requires new rules and protections, starting with device-refresh programs that are proactive, continuous and informed by data, rather than being tied to traditional calendar-based cycles.
As enterprises operationalize AI at scale, a new type of end point has entered device fleets — the AI PC. Equipped with neural processing units, these devices are powerful enough to run smaller AI workloads locally, rather than depending on data center or public cloud resources. According to Gartner, these AI-ready endpoints will account for 55% of all new PC sales by the end of 2026.
By reducing the need for external processing, AI PCs allow enterprises to move sensitive AI workflows on-device for greater control and autonomy. They’re usually kitted out with the latest hardware-level security features, too. On the other hand, they also redefine the risk perimeter, potentially creating a governance gap if those endpoints are left unmanaged.
What regulators say
Regulation of AI might still be in its infancy, but all organizations should pay close attention to some leading indicators. The EU AI Act is a good starting point as the world’s first comprehensive legal framework for AI governance. Despite not being legally binding beyond the EU, it does set a standard for multinational operations, making it a common baseline that will no doubt inform future regulations — much as GDPR did with data privacy.
An overarching theme of the regulation is its emphasis on proof of controls around identity and access, data protection, transparency, and traceability. The act will become fully applicable across the EU on Aug. 2, 2026, and it’s set for further expansion a year later with regards to the use of high-risk AI systems embedded in regulated products such as medical devices and financial systems.
While the act doesn’t explicitly mention AI PCs or device refresh, it covers the concept with its stringent requirements for continuous monitoring of AI workflows and the devices they happen on. It also gives companies a hard deadline to make any necessary modifications to ensure compliance. If employees run AI tools on-device, or feed sensitive data through them, controls must exist where data is used, effectively making technologies such as confidential computing a requirement.
From policy to proof at the device layer
From a security and compliance standpoint, older devices and the limited range of operating systems and apps they support simply won’t suffice anymore, even if their performance is “good enough.” After all, governance is increasingly judged by enforceable and observable endpoint controls, and that inevitably starts with retiring or repurposing devices that don’t meet those requirements.
Especially in the era of AI PCs, governance depends on device trust. If you can’t trust the device itself, you can’t be sure your AI workloads are secure. Because of this, refreshing device fleets has a few nonnegotiables. For example, hardware root-of-trust capabilities such as trusted platform module (TPM), secure boot, Microsoft Pluton and Intel vPro provide an immutable, secure anchor in the silicon layer to ensure device integrity. Windows 11 is a good example of a “hard stop” requirement, since it requires TPM 2.0, whereas earlier versions of Windows don’t.
Just as important is governing the entire device estate from a single control plane that shows, in real time, what AI tools are being used, under what identities and with what data protections. Audit-ready logging ensures the necessary hardware- and software-layer protections are in place, since security systems don’t provide visibility on their own. Again, having a proactive, data-informed refresh model is vital here, because many governance prerequisites can’t be retrofitted. You can’t “policy” your way out of missing hardware trust.
AI governance also has to span endpoint-to-inference infrastructure. Even with AI PCs, more complex AI workflows still require power that only large GPU clusters (typically hosted in the cloud) can provide. However, endpoints, whether they’re AI PCs or conventional desktop devices, are still the access layer, so they need consistent automation and visibility. This makes composable, disaggregated approaches and unified management and monitoring essential when AI workloads are spread across clouds and endpoint tiers.
Ultimately, AI PCs reduce exposure by keeping sensitive workflows on-device, but that advantage only holds up if those endpoints remain governable. That’s why leaders should no longer consider device refresh a calendar-aligned exercise and instead a continuous, data-driven approach where devices are upgraded, replaced or repurposed according to real business needs.
