Reading view

Responsibly building the AI future

Today, Microsoft published its 2026 Environmental Sustainability Report. This report covers our fiscal year 2025, and measures progress against our 2020 baseline. You can read the foreword below and explore the report in its entirety here. 

As we enter a new era for AI, Microsoft’s environmental sustainability work is entering a new phase—defined not only by ambition, but by how we deliver in a period of rapid technological change. In our pursuit of becoming a carbon negative, water positive, and zero waste company that protects ecosystems, the context has evolved, and so must our approach. 

The global shift toward AI is reshaping economies, accelerating innovation, and becoming foundational to how technology is built and used. It is also increasing demand for the energy, water, land, and materials required to support that growth. As a company at the forefront of this transition, Microsoft has a responsibility to help ensure that technology strengthens, rather than strains, the systems and communities on which it depends. This imperative is reshaping the context for our work. 

We are approaching this moment with clarity and conviction. We believe AI can deliver broad societal, economic, and environmental benefits, but innovation at this scale must be matched by responsibility at the same scale. For Microsoft, this means designing, building, and operating infrastructure that is more efficient, more resilient, and more grounded in the realities of the communities where we operate. 

We do not see these dynamics as a reason to step back. We see them as a mandate to lead differently. That requires greater operational rigor, stronger integration across our sustainability priorities, and a sharper focus on durable outcomes for the local communities where we work and the global value chains that make our work possible. It also requires being transparent about where progress is advancing, where it is more difficult, and where new approaches are needed. 

The path forward will not be defined by simple tradeoffs or single solutions. It will depend on how effectively we align innovation with stewardship. The systems we build to support the future must also support the long-term health of the planet and the communities we serve. Our experience makes clear that this is possible, but only with even greater discipline, partnership, and a willingness to learn and adapt as conditions evolve. 

YouTube Video

What this moment requires 

Our aim is to build technology that gives more than it uses. Lasting progress depends on how we build it and whether that growth strengthens the places where it takes root.  

This thinking is reflected in our Community First AI Infrastructure approach, which is helping shape a more integrated model for community partnership, responsible operations, and environmental performance as we grow. In this way, sustainability is not separate from growth; it is part of how responsible growth is defined. 

While AI infrastructure is driving demand for energy, water, land, and materials, sustainability solutions are not scaling fast enough to meet demand. This tension is real, and it is also productive. 

It is forcing sharper questions: Where do we need to move faster, invest differently, or rethink our approach? Which assumptions still hold, which ones need to evolve? Five years into this work, we have more operational data, more direct experience, and a clearer view of what measurable planetary progress actually requires. That perspective helps keep us focused on outcomes rather than attached to any single pathway. 

We want to be clear about what this means—and what it does not. It means being more precise about what sustainability requires for Microsoft, and more willing to refine our strategies as conditions change, data improves, and tradeoffs become clearer. It does not mean we are lowering our ambition. 

Progress amid growth 

Our results reflect both progress and pressure. As we scale the physical infrastructure required to power the AI economy, our emissions are shaped by the impact of that growth and the actions we are taking to manage it. 

The visual that follows illustrates this dynamic by comparing our reported emissions with a modeled view of where emissions may have been in the absence of four specific interventions: carbon free electricity, sustainable fuels, XBOX console efficiency, and Surface device decarbonization. While these examples represent only a portion of our emissions reduction efforts, they highlight an important lesson from our work to date: that well-designed, targeted interventions can deliver measurable progress even as demand for infrastructure continues to rise.

Reported emissions from FY20 through FY25 compared against an illustrative counterfactual scenario of estimated emissions had select, discrete carbon reduction initiatives not been undertaken in carbon-free electricity, sustainable fuels, Xbox console efficiency, and Surface device decarbonization.

In FY25, we matched 100% of our annual global electricity consumption with renewable energy[2]. Microsoft will continue to push for an expansive focus on adding all forms of carbon-free electricity (CFE) [3] to the grids where we operate, complementing and building on our portfolio of renewable energy resources. We recognize that the world’s rising electricity needs require a balanced, all-of-the-above decarbonization strategy to meet global economic growth and environmental goals, and we will continue to support this approach moving forward.

Our total emissions (Scopes 1, 2, and 3) increased 25% year over year, driven primarily by the expansion of our datacenter infrastructure and pausing our use of non-additional, unbundled renewable energy certificates as we prioritize investments that bring net new power to grids. While this decision increases our reported emissions in the near term, it enables us to increase the development of new CFE rather than relying on certificates alone. We believe this change will create more long-term sustainability benefits. Growth-related emissions pressure was expected. The more important signal is where that pressure is concentrated. 

Scope 3 remains the largest share of our footprint overall, but one of the clearest changes this year was the growing contribution of Scope 2, which represents 13% of our total emissions—up from nearly 2% last year. This development highlights how important the energy systems across our supply chain are in shaping environmental outcomes. 

This year’s results also made clear that progress now depends on adapting how we work. 

Water is one of the clearest examples. In FY25, we replenished for the first time more water globally than we withdrew—more than 14 million cubic meters—marking a major milestone on our journey to become water positive. Reaching this point reflects years of work to improve water efficiency, expand replenishment efforts, and scale partnerships around the world. 

We are proud of this achievement but also know that replenishing global volumes is not enough. The next phase of our work is increasingly local. As we move forward, we are placing greater focus on helping restore more water to the watersheds where we operate than we withdraw while strengthening long-term water resilience. We prioritize projects in water-stressed regions that are locally relevant and designed in partnership with communities, delivering benefits not only for water availability, but also for ecosystems, economies, and people. Through this approach, we aim to ensure our growth supports and helps sustain the communities and environments where we operate. 

Transparency remains central to how we work and how we report. Microsoft has eliminated nearly all single-use plastics in our primary product packaging, reducing the share that remained to just 0.07% at the end of calendar year 2025.[4] But we are not rounding down. We are staying accountable to the work required to eliminate them entirely. 

Across our cloud operations, we achieved 92% reuse and recycling of decommissioned servers and components for the second consecutive year, diverted 90.5% of construction and demolition waste from landfills and incinerators, and expanded our Circular Centers to seven facilities globally. These results also reflect a broader shift toward solutions that have co-benefits—reducing both emissions and resource demand over time. 

Throughout this journey, we have learned that progress in one area often depends on progress in another. Clean energy investments are essential to decarbonization. Water use is linked not only to our operations, but also to the energy systems that power them. And extending hardware life through circular approaches can reduce both emissions and material demand across the value chain. 

That is why our priorities extend beyond tracking progress against individual commitments on water, carbon, waste, and ecosystems as though they move independently. Our experience has made clear that progress does not happen pillar by pillar. Some of the most consequential work ahead will be measured in whether we address system challenges and help build the conditions for long-term progress: more resilient grids, stronger markets for lower-carbon materials, more effective water stewardship, and infrastructure designed and operated with local realities and community priorities in mind. 

For that reason, this year’s report takes a more integrated approach—placing progress against our commitments in the broader context of how those commitments are operationalized across our infrastructure and products. 

What’s next 

We are proud of what we have accomplished, and we remain humbled by the scale of the challenge ahead. Responsibly building the AI future requires clear accountability for what AI demands, candor about real constraints and tradeoffs, and sustained focus on outcomes that are durable and broadly shared. The chapters that follow show how we translate that intent into execution across our physical infrastructure, products, and value chain—where our sustainability commitments become operational reality.

Read the full report: https://aka.ms/SustainabilityReport2026 

[1] The solid line represents Microsoft’s reported greenhouse gas emissions (Scopes 1, 2, and 3) for FY20–FY25, prepared in accordance with GHG Protocol and management’s criteria, and uses a market-based emissions approach. The dotted line represents an illustrative counterfactual scenario of estimated emissions had select, discrete carbon reduction initiatives not been undertaken. These initiatives include energy efficiency improvements for XBOX consoles, renewable energy purchases, sustainable aviation fuel (SAF) and sustainable marine fuel (SMF) certificates, and supply chain decarbonization of Surface devices. The difference
between the two lines is an estimate of emissions avoided through these specific initiatives relative to a scenario without those initiatives occurring. This estimate is directional in nature, does not represent the full scope of Microsoft’s decarbonization efforts, and is not part of our reported greenhouse gas inventory. It should not be interpreted as a comprehensive measure of total emissions reductions or as additive to other carbon reduction or removal claims.

[2] Microsoft defines renewable energy as electricity that comes from sources that are replenished at a rate greater than or equal to their rate of depletion, such as geothermal, wind, solar, hydro, and biomass. To date, Microsoft’s renewable energy target includes two primary categories: renewable energy from contracted projects and grid mix. The first is renewable energy delivered under PPAs or similar long-term contracting mechanisms, generally for new projects where our financial involvement in the project’s development is critical for its success. This category represents more than 90% of the renewable energy applied to achieve our 2025 target. The second category is “grid mix” – renewable energy supported via our standard utility relationships and rates, inclusive of policy programs such as renewable portfolio standards and state and utility decarbonization goals. Our 2025 100% renewable target does not include purchases from short-term, so-called “spot market” renewable energy credits (RECs) sourced from operational clean energy projects.

[3] Microsoft defines carbon-free electricity (CFE) technologies as technologies with zero direct emissions and biogenic technologies with lifecycle emissions equivalent to renewables. CFE technologies include wind; solar; geothermal; sustainable biomass; hydropower; nuclear; fossil fuels with complete carbon capture, utilization, and sequestration; and storage charged with CFE generation.

[4] By weight, as designed, portfolio average. More details can be found in our Environmental Data Fact Sheet.

The post Responsibly building the AI future appeared first on Microsoft On the Issues.

  •  

Making humanitarian protection visible in cyberspace: The promise of the Digital Emblem

In armed conflict, a simple symbol can save lives. The Red Cross, Red Crescent, and Red Crystal emblems signal that those providing medical care and humanitarian assistance must be protected. 

In cyberspace, there is not yet a widely adopted equivalent, even as hospitals, humanitarian organizations, and relief operations increasingly rely on digital systems to deliver care, coordinate assistance, protect sensitive data, and reach people in crisis. 

Today, the digital systems that support hospitals and humanitarian operations—including communications tools, logistics platforms, patient care systems, cloud services, and the data center infrastructure which underpins them—can be difficult to distinguish from surrounding digital infrastructure. In conflict, that raises the risk of misidentification, spillover, and cascading disruption from cyber operations. As cybersecurity operations become more automated and machine-driven, clear, trustworthy, machine-readable signals become even more important.

That is why Microsoft supports the International Committee of the Red Cross as it launches the next phase of the Digital Emblem initiative today in Geneva. The Digital Emblem is intended to provide a machine-readable way to help identify digital assets that support protected medical and humanitarian functions, so they can be recognized, verified, and avoided in conflict settings.

From principles to operational practice

The Digital Emblem does not create new legal protections, and it does not replace cybersecurity. Instead, it helps to make existing protections under international humanitarian law more actionable in cyberspace. 

For many years, governments, humanitarian actors, civil society, technical experts, and industry have worked to clarify how international law applies in cyberspace. These efforts have reinforced a core principle that civilians, medical services, and humanitarian operations must be respected and protected in armed conflict. But translating that principle into operational reality remains difficult when protected digital assets are not easily identifiable. 

The Digital Emblem can help bridge that gap. If implemented responsibly, a clearer, more consistent, and technically usable signal can support recognition, verification, and respect for protected medical and humanitarian functions in cyberspace. 

This next phase marks an important transition for the Digital Emblem: from concept development toward operationalization, testing, standards, and implementation. 

Over the past several years, the ICRC has worked with states, the Red Cross and Red Crescent Movement, technical experts, standards bodies, academia, and industry to explore whether the protective function of the physical emblems can be translated meaningfully into cyberspace. That work has helped move the Digital Emblem from an important idea to a project with growing legal, technical, and operational foundations. 

The work now is to test how the Digital Emblem can be deployed, discovered, authenticated, and verified in real-world conditions. It also means advancing standards work through bodies such as the Internet Engineering Task Force and the International Telecommunication Union, developing guidance for those who operate protected digital infrastructure, and engaging the actors who will need to recognize and respect the Digital Emblem in practice.

Building on Microsoft’s work to protect civilians in cyberspace

Across our cybersecurity work, we have consistently argued that protecting civilians and critical services in cyberspace requires more than statements of principle. It requires practical standards, technical implementation, trusted partnerships, and cooperation among governments, humanitarian actors, civil society, standards bodies, and industry. 

From our early calls for stronger norms of responsible state behavior in cyberspace, to the launch of the Cybersecurity Tech Accord, Microsoft has advocated for the application of international law and the protection of civilians online. 

Every day, Microsoft works alongside governments and partners to detect, disrupt, and defend against cyberattacks that target critical infrastructure, healthcare, and humanitarian operations. Together, we have seen the importance of real-time visibility, trusted signals, and coordinated defense across public and private actors. This work has underscored a central reality: as civilian and humanitarian services become more digitally dependent, cybersecurity is increasingly connected to humanitarian resilience. 

Microsoft will continue supporting the ICRC with a focus on how our technologies enable this model at scale. That includes exploring how technology can support both sides: enabling humanitarian and medical organizations to signal protected systems and helping defenders recognize and verify those signals in real-world operations.

The role of industry

The ICRC’s leadership is essential to the credibility and neutrality of this effort. But for the Digital Emblem to succeed, it must also work across the broader technology ecosystem, which includes the cloud services and data centers, telecommunications networks, cybersecurity tools, identity systems, and other digital infrastructure on which humanitarian and medical organizations increasingly rely.

Industry, therefore, has an important role to play in helping ensure the Digital Emblem is technically sound, interoperable, and aligned with how defenders operate in practice. That includes supporting standards development, helping test implementation models, and ensuring that any approach reflects both sides of the model: enabling eligible humanitarian and medical organizations to express the signal for relevant assets and helping defenders recognize and verify that signal in operational workflows. 

In today’s fragmented and low-trust geopolitical environment, shared technical standards can reduce ambiguity even where political agreement is difficult. That is why standards-based implementation can help make the Digital Emblem consistent, verifiable, and usable across networks, platforms, and borders.

From launch to implementation 

The launch in Geneva marks an important milestone, but the Digital Emblem’s promise will depend on what happens next. 

The work ahead should focus on clear and concrete outcomes: continued technical testing, progress in standards development bodies, practical implementation guidance, and broader engagement from states, humanitarian actors, technology companies, telecommunications providers, cybersecurity professionals, and operational defenders. 

The call to action is straightforward. Governments should support the Digital Emblem as a mechanism for making protected humanitarian and medical functions more identifiable in cyberspace and promote respect for it in policy and practice. Humanitarian and medical organizations should help test and shape implementation so it reflects operational reality. Standards bodies should continue building the technical foundations for trusted adoption. And technology companies should help translate the Digital Emblem into the tools, systems, and workflows defenders already use. 

Physical emblems made humanitarian protection visible on the battlefield. The Digital Emblem can help make protected humanitarian and medical functions visible, verifiable, and actionable in cyberspace. Turning that promise into practice will require sustained cooperation so that those who care for the wounded, the sick, and civilians can be more easily recognized, respected, and protected in the digital age. 

 

 

The post Making humanitarian protection visible in cyberspace: The promise of the Digital Emblem appeared first on Microsoft On the Issues.

  •  

New cohort of AI Economy Institute Fellows to examine frontier AI firms and the transformation of work

The AI Economy Institute (AIEI) is launching its third cohort of researchers, advancing our mission to understand the adoption of artificial intelligence across economies, industries, and communities. 

We launched the AI Economy Institute because AI’s economic impact is not predetermined. Though AI is being rapidly adopted, the evidence base for understanding its impact on work, jobs, education, productivity, and opportunity is still too thin. By increasing the scholarship around the AI economy and producing it in a timely and accessible way, we can help ensure that as AI transforms our world, we’re equipping people with the knowledge and tools they need to make decisions and succeed with AI.

Our 2026 AI Economy Institute Cohort

The AI Economy Institute convenes outside experts and researchers to share their perspectives and advance the body of knowledge on topics related to AI, work, and education. Our third global research call centered on understanding how frontier firms are reshaping work and the broader economic landscape.  

Representing a diverse group of institutions worldwide, our cohort brings together subject matter experts and researchers to explore how AI is reshaping the workforce, organizations, and the broader economy. The cohort consists of the following individuals, representing the following institutions:    

  • Brian Jabarian, Carnegie Mellon University 
  • Caspar David Peter, Erasmus University, Rotterdam, Netherlands 
  • Christoph Siemroth, University of Essex, England 
  • Daniel Yue, Georgia Institute of Technology 
  • Edoardo Maria Acabbi, University of Mannheim, Germany 
  • Frank Nagle, Massachusetts Institute of Technology (Advising Fellow and Cohort 2) 
  • Friederike Mengel, University of Essex, England; Erasmus University Rotterdam, Germany 
  • Gianmarco Ottaviano, Bocconi University, Italy 
  • Ilan Strauss, AI Disclosures Project 
  • Johannes Wachs, Corvinus University, Budapest, Hungary 
  • Luca Henkel, Erasmus University, Rotterdam, Netherlands 
  • Luca Mazzone, University of Montreal, Canada 
  • Laura Nurski, Centre for European Policy Studies (CEPS), Belgium (Cohort 2) 
  • Meeyoung (Mia) Cha, Korea Advanced Institute of Science and Technology (KAIST), South Korea 
  • Mustafa Afacan, Mohamed bin Zayed University of Artificial Intelligence (MBZUAI), United Arab Emirates; Sabancı University, Turkey (World Bank Affiliated Senior Fellow) 
  • Nataliya Wright, Columbia University 
  • Nuriye Melisa Bilgin, Koç University, Turkey 
  • Pëllumb Reshidi, Florida State University 
  • Pierre-Alexandre Balland, Centre for European Policy Studies (CEPS), Belgium (Advising Fellow and Cohort 2) 
  • Salman Khan, Mohamed bin Zayed University of Artificial Intelligence (MBZUAI), United Arab Emirates (World Bank Affiliated Senior Fellow) 
  • Serena Booth, Brown University 
  • Wesley Rosslyn-Smith, University of Pretoria, South Africa (Advising Fellow) 
  • Yingfei Wang, Foster School of Business, University of Washington 

Cohort members will analyze frontier firms to examine both upstream, firm-level transformations and downstream, economy-wide impacts. Researchers will also explore how AI changes job design, skill demands, productivity, and regional economic development.  

AIEI’s first two cohorts explored how AI is reshaping the talent pipeline, from higher education and skills to K-12, community colleges, and early-career pathways, so that we could understand and inform the early changes to the labor market. What we learned from that point of inquiry shifted the focus; this year’s cohort moves further into the economy itself, focusing on frontier firms and how leading organizations are adopting AI, redesigning work, and creating the conditions for productivity, diffusion, and human agency at scale.

Interpreting the frontier: What this means for policy and strategy 

Since its launch, the AI Economy Institute has fielded more than 800 responses to our calls for research proposals. The gap between what AI systems can do and what organizations can actually deploy will shape the pace of adoption. Gains in productivity may come alongside organizational shifts as firms adapt their workflows, teams, and decision-making processes.

At the same time, the expansion of automation raises a parallel question of whether systems are enhancing human learning or displacing it. Underlying all of this is a broader uncertainty about the extent to which AI will diffuse widely across economies or concentrate in a narrow set of firms and regions. 

Cohort 3 moves beyond identifying these tensions and toward generating the empirical evidence needed to navigate them, providing policymakers, firms, and institutions with a clearer basis for decision-making in a rapidly evolving AI economy. 

The post New cohort of AI Economy Institute Fellows to examine frontier AI firms and the transformation of work appeared first on Microsoft On the Issues.

  •  

Context on our country-by-country tax footprint

Today we’re publishing our first “Public Country-by-Country Report” for our fiscal year 2025, disclosing our taxes in the period from July 1, 2024, to June 30, 2025. It covers the countries and regions included under European Union rules and shows, for each one, our revenue, profit, number of employees, and income tax accrued and paid during the year.  
 
We have provided this kind of information directly to tax authorities for several years under the Organization for Economic Cooperation and Development (OECD) framework. It is now published to support transparency commitments, and we believe it is important to proactively address any questions these disclosures may raise, recognizing that numbers on a spreadsheet rarely tell the full story.
 
Microsoft pays the taxes we owe in every country where we operateWe know there are strong views about whether companies are paying enough, and we believe providing this context leads to a more informed conversation.

Understanding country-by-country reporting

Country-by-country reporting is not widely understood outside tax and accounting circles. Some figures may look surprising at first, but a number that appears low or high in one country does not, on its own, tell the full story. Tax law differs from country to country, and there are two important things to keep in mind when reading the report.  

First, the numbers are prepared using rules that differ from United States or country-specific financial accounting and tax rules, so they may not match other Microsoft information people have seen. For example, this report combines all Microsoft legal entities in a country and follows the reporting rules required by EU regulations. By contrast, local statutory accounts usually cover just one legal entity, follow local accounting rules, and may use a different fiscal year from Microsoft’s.  

Second, accrued tax is what you owe for the year. Tax paid is the amount actually paid during the year. The two can differ because the timing of owing tax and paying tax doesn’t match exactly. 

France is a good example of why a single line can look unusual without context. In FY25, cash tax paid in France reflects a one-time refund of tax overpaid in an earlier year. That makes this year an outlier. In this specific case, accrued tax may be a better reflection of the taxes borne for the fiscal year. Microsoft paid $374 million in tax in France over the prior three years. 

Variations like these are a normal part of how large companies, both domestic and multinational, are taxed across borders, and they reflect an evolving tax landscape as well as a business that continues to change. We comply with every local rule that applies to us, and as those rules change, our reporting will change with them. Microsoft is committed to a tax structure that reflects where our people work, where we invest, and where functions, assets, and risks occur, and this has been a guiding principle. 

How our investments support local economies

We understand that this discussion is not only about what the law requires or what a single tax line shows in a given year. For many people, it is also about a broader question of contribution: how companies support the countries where they do business. That contribution includes the taxes we pay, the capital we invest, the local jobs and infrastructure we support, and the economic activity created through customers and partners. In the S&P, Microsoft ranks second globally in corporate income taxes paid in the last year, with a total of $28.7 billion. In fiscal year 2025, we paid $6.3 billion in income tax in the EU. Importantly, this does not include payroll, VAT, property, and other taxes paid in addition. 

Taken together, our tax payments, capital investments, and partner ecosystem reflect a long-term commitment to the countries where we operate. We opened our first European office in the UK in 1982, followed by France and Germany in 1983, and then expanded into Denmark, Ireland (our largest hub in the region), Italy, Norway, Spain, and Sweden in 1985. Microsoft is now present in all 27 EU Member States and across the broader region. We have worked in these and many other communities for decades, and thousands of our employees call them home.  

From research and development to digital infrastructure and partnerships with local organizations, we are investing in ways that support these economies beyond our direct commercial activity. At our core, we are building tools that help large enterprises, small and medium-sized businesses, institutions, and individuals become more productive and competitive, which strengthens their business and benefits the people they serve. We only do well when our customers do well. In practice, that means helping customers design and manufacture cars better, helping patients get their next appointment sooner, or making it simpler for someone to find that dream job. 

Our investments in digital infrastructure are not only supporting the local digital economy, they are also contributing meaningfully through both taxation and capital expenditure. Across markets, we continue to invest at scale in datacenters and supporting infrastructure, creating value that extends well beyond the technology sector. In the three years to June 30, 2025, our total capital expenditure amounted to $176 billion, and we spent $89.2 billion on research and  development in the markets where we operate. 

Our customers require local industry- and country-specific expertise, and this is where our partner ecosystem plays an important role. Many of these partners are local businesses themselves. A 2024 IDC study on partner profitability showed that for every $1 of Microsoft revenue, partners that provide services generate $8.45, and partners that develop software generate $10.93. While this varies by country and partner segment, it offers another useful lens on how Microsoft’s business contributes to local economic activity. 

Investments in digital infrastructure are not only investments in technology ecosystems, but in national and local economies as well. They support jobs, strengthen supply chains, create opportunities for companies across many sectors, and help build the foundation for growth and economic competitiveness beyond the digital economy. 

That is the broader context for this report. Tax is one important measure of contribution, but it is not the only one. Our investments, partnerships, infrastructure, and long-term presence in countries around the world also reflect a commitment to helping strengthen the economies and communities where we operate, today and for the future.

 

The post Context on our country-by-country tax footprint appeared first on Microsoft On the Issues.

  •  

Protecting privacy as a fundamental right while supporting transatlantic data flows

At Microsoft, we are committed to our customers’ fundamental right to privacy. In a world defined by rapid technological change and geopolitical volatility, this commitment has remained constant. It’s rooted in decades of experience building trusted technologies that our customers rely on every day to manage their data. Many of these organizations depend on the ability to move data across the Atlantic, from the EU to the U.S., in a way that protects their privacy. That’s why we support the European Commission in its defense of the EU-U.S. Data Privacy Framework. And that’s why we have formally intervened in the Latombe v. Commission case before the Court of Justice of the European Union. This case puts at stake two principles that are important for Microsoft – the protection of our customers’ privacy and their ability to do business on both sides of the Atlantic.

To intervene in a case before the Court of Justice, a company must apply for permission. In this case, the Court granted our application, finding that Microsoft has a direct and existing interest in its result. Put simply, the outcome of this case will determine whether Microsoft and its enterprise customers may continue to use the EU-U.S. Data Privacy Framework to transfer data to participating U.S. companies, including vital customers and suppliers. This critical legal bridge promotes stability, beneficial trans-Atlantic ties, economic growth, and prosperity, while upholding strong privacy safeguards. The Latombe case seeks to dismantle it. As an intervener, we can now file legal briefs in support of the European Commission, participate in oral hearings, and share our perspective on the importance of upholding a framework that directly benefits the European economy.

Supporting the European Commission’s adequacy decision on the EU-U.S. Data Privacy Framework before the Court of Justice of the European Union

Companies across the globe rely on data flows to manage their people, produce their goods and services, and distribute products to their customers. We understand that data flows trigger questions about differences in legal traditions. They should. And for that reason, the European Commission and the U.S. administration worked diligently, in the decade since the Safe Harbour ruling, to harmonize EU and U.S. law. As a result of that hard work, and as required under the European General Data Protection Regulation (GDPR), the U.S. has now created an independent review court for any complaints regarding U.S. surveillance and implemented other required measures to provide an “adequate” level of data protection that is essentially equivalent to that in the EU.

This equivalence is a key point. The law entitles our customers to privacy on both sides of the Atlantic. This is the principle on which the Data Privacy Framework rests. And our intervention in the Latombe case is just one part of a long history in which we have stood up for that principle in Europe, as well as in the U.S. As far back as 2014, Microsoft challenged the FBI’s secret attempt to use its national security authorities to obtain information about an account that belonged to one of our enterprise customers. After we filed the case, the FBI withdrew its request. In 2016, we sued the U.S. government to challenge its practice of seeking indefinite secrecy orders—i.e., orders that prevented Microsoft from ever notifying its enterprise customers when the government sought their data. As a result of that case, the U.S. Department of Justice changed its policy to place strict limits on the duration of secrecy orders. In the decade since that first constitutional challenge, we’ve launched a series of successful court challenges to ensure that secrecy orders, of any duration, are the exception, not the rule. As a result of our litigation, numerous secrecy orders have been vacated or modified to allow notification to our customers.

We don’t confine our advocacy to courts. We are a steadfast proponent of strong privacy regulation on both sides of the Atlantic. That’s why we are specifically pushing Congress to update the U.S. Electronic Communications Privacy Act to place stricter limits on the use of secrecy orders and ensuring they are subject to meaningful judicial review. This legislative reform is gaining momentum in Congress and will greatly enhance our continued ability to protect our customers’ data.

Stable and trusted data transfers are not an end in themselves. They are a means to enable innovation, economic opportunity, and public services—while upholding the fundamental rights that are at the core of EU and U.S. law. Our intervention in the Latombe case reflects that principled balance and follows a long line of legal actions we have taken to protect our customers.

Looking ahead

At Microsoft, we have long recognized that trust is not a given—it is earned through sustained action, thoughtful design, and a willingness to engage openly with governments, customers, and individuals. Microsoft has consistently advocated for strong, clear, and globally interoperable privacy frameworks, recognizing that trust in technology depends on the strength of the rules that govern it.

Our customers in Europe can rely on us to continuously improve and update our privacy practices as technology and legal standards evolve. In 2018, we were the first major technology company to extend GDPR subject matter rights to all our customers around the world. And recent positive assessments of our privacy compliance by the European Data Protection Supervisor and the Hessian DPA in Germany underscore our continuous commitment to our customers’ fundamental right to privacy.

In support of this work, we’ve updated the Microsoft Privacy Statement to use clearer structure, simplified language, and more precise explanations of our data practices—making it easier to understand what data we collect and how it’s used, without changing our underlying privacy protections or commitments.

The future of technology will be shaped not only by what we build, but by the principles that guide us. By grounding innovation in respect for people and organizations, and strong legal protections, we can help ensure that technology continues to be a force for good.

The post Protecting privacy as a fundamental right while supporting transatlantic data flows appeared first on Microsoft On the Issues.

  •  

Scaling cybercrime disruption through innovation and AI

Microsoft is taking a new approach to fighting cybercrime, targeting the cyberattack supply chain, not just individual services. In a case unsealed today, we are simultaneously targeting two widely used cybercrime tools, Amadey and StealC, after AI-assisted analysis revealed they rely on the same infrastructure.

This action goes after the cybercrime “assembly line,” where coordinated tools drive ransomware, financial fraud, and disruptions to public services. Amadey and StealC are often used alongside each other: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information. Together, they form a critical link in the chain. In the first two weeks of May alone, Amadey and StealC were linked to more than 140,000 infected computers globally, highlighting how widely they are used.

Working with Europol and industry partners, we targeted both tools at once. The goal: break the chain. Since the start of the operation, Microsoft has identified more than 18,000 victim computers, severed criminal control of those devices, and is working with telecommunications providers to help protect affected customers globally.

When multiple parts of an operation are disrupted together, attacks are harder to launch, scale, and recover from. The result: fewer disrupted services, fewer opportunities for cybercriminals to profit, and more friction when they try to rebuild.

It’s no longer enough to go after threats one by one. We need to interrupt how the attacks are put together. 

What’s different about this action   

Microsoft has long used civil legal action to disrupt cybercriminal infrastructure and pioneered the innovative use of existing laws, including the Racketeer Influenced and Corrupt Organizations Act (RICO), a US law designed to target organized crime.

What’s new is how we’re combining AI analysis with an expanded use of that law.

Amadey and StealC were developed by separate cybercriminals, but they relied on the same infrastructure. To understand how they worked, investigators used AI, including Copilot, to quickly analyze the malware, asking questions in plain English instead of manually combing through complex code. That helped surface key details, uncover hidden data, and test findings in a fraction of the time, turning what would have taken hours or days into minutes and enabling the team to spot connections faster.

Those insights allowed the legal team to treat both malware families as part of a single conspiracy. Instead of going after each tool separately, as we have done in the past, we used RICO to charge multiple complicit enablers involved across the operation. In total, Microsoft’s Digital Crimes Unit disrupted over 200 command-and-control servers—the systems criminals use to control infected devices, steal data, and keep attacks running.

By targeting tools together, we can disrupt the cybercrime chain more efficiently and more effectively, in a way that better reflects how these networks actually operate today.

Cybercrime now runs like an assembly line 

Cybercrime is no longer a series of isolated attacks—it’s a coordinated system.

Specialized tools handle each step: one gains access, another steals credentials, and others sell or exploit that access for fraud, ransomware, espionage, or other nefarious purposes. Different actors may be involved at each stage, but together they turn access into profit, quickly and at scale.

How cybercrime tools are built to be modular

That structure also creates a point of vulnerability. The people behind these cybercriminal tools may never interact directly, but their tools are designed to work together. If those connections can be identified, multiple stages of an attack can be disrupted at once.

How these attacks play out in the real world 

Most people will never hear the names Amadey or StealC, but they feel the effects. A hospital locked out of critical systems. A city unable to deliver essential services. A small business losing access to accounts overnight. A retiree who lost their life savings.

These attacks don’t happen all at once. They unfold step by step: attackers get in, passwords are stolen, access is reused or sold, and sometimes repurposed for more targeted operations. For example, Microsoft has observed Russian-affiliated actor Secret Blizzard leveraging Amadey infections to deploy custom malware against targets in Ukraine.

By targeting multiple points in that chain at once, we reduce the chance that a single compromise turns into widespread harm. Put simply: fewer attacks succeed and fewer people feel the impact when they do.

No one organization can do this alone 

Actions like this underscore a fundamental reality: we’re successful when we collaborate. No single organization, whether government or industry, has full visibility into how cyber threats operate across borders and sectors. What makes this effort effective is the combination of perspectives and data.

Microsoft had been tracking Amadey due to its impact on customers, working with cybersecurity partners ESET, BitSight, Lumen, and Mitsui Bussan Secure Directions (MBSD) to better understand how it operated. At the same time, Europol’s European Cybercrime Centre (EC3), together with European law enforcement partners including Germany’s Federal Criminal Police Office and the Dutch and Danish National Police, was investigating StealC as part of Operation Endgame, alongside IBM X-Force and Proofpoint.

Bringing those efforts together expanded our collective datasets and made it possible to identify the connections between the two tools and act on them quickly. That shared understanding enabled a coordinated response that went further than any single organization could achieve alone.

 

This shows why partnerships matter. Industry shares technical insight, government brings visibility, and we need trusted ways to exchange that information. Only by working from the same picture can we stay ahead of attackers, disrupting not just individual tools but also the systems that make cybercrime possible.

Creating sustained pressure on cybercrime  

This work doesn’t end with a single action. Cybercriminals adapt quickly, which is why we continue tracking how these operations evolve and working with partners to disrupt them.

Microsoft’s court-authorized disruption in this case is paired with ongoing efforts to track how cybercriminals rebuild, identify new infrastructure, and work with partners to disrupt the services they rely on to operate. It also includes incorporating the findings from this disruption into initiatives like Microsoft’s Statutory Automated Disruption program, which helps accelerate the removal of malicious domains and infrastructure.

The goal is not just to stop one operation but to slow the system itself—making attacks harder to launch, scale, and recover from. By combining AI-driven insight, legal action, and strong partnerships, we can continue to raise the cost of cybercrime and reduce its impact.

For more than a decade, Microsoft’s Digital Crimes Unit (DCU) has worked to disrupt cybercrime and nation-state threats, filing around 40 cases since 2008 and partnering with law enforcement to take down criminal networks. Learn more about the team’s efforts here.

 

The post Scaling cybercrime disruption through innovation and AI appeared first on Microsoft On the Issues.

  •  

AI, jobs, and the next generation

In 1838, the invention of the camera sparked predictions that photography would make artists obsolete. When the noted French painter Paul Delaroche first saw an early photograph on a metal plate, he declared that “From today, painting is dead!” As he reasoned, why would anyone pay an artist to slowly and laboriously paint a scene when a camera could do the job more accurately, more quickly, and at a lower cost? 

This question has echoed through technological shifts and has resurfaced with intensity in recent weeks, as university students graduated on campuses across the United States. Today’s topic obviously is not photography but the societal impact of artificial intelligence. And as graduates booed the mention of AI during commencement addresses, they have provided a powerful reminder of several important truths. To start, people will insist on having a say in deciding when and how AI is used. 

The student message to tech leaders  

The reactions of this year’s graduates are a powerful wake-up call for the tech sector. Hopefully, leaders across our industry will listen and seek to learn from this reaction. For the past half century, the youngest generation of people and workers has led the way in adopting new digital technologies. A new Microsoft study shows this trend is true with AI. Counties with large college towns and outsized populations between the ages of 18 and 24 have the highest rates of AI adoption in the United States. When people who use a new technology complain about it, we had better take notice. 

It’s perhaps no surprise that college campuses are among the best places to learn about these emerging views firsthand. Over Memorial Day weekend at Princeton University, I found no shortage of discussion and even examples of student action. Graduating seniors have long donned “beer jackets” for celebrations, each class selecting its own unique design. This past year, however, a brief controversy emerged until class officers, responding to a student petition, rejected a popular design because it had been created with the help of AI. In its place, graduates wore jackets labeled both “100 percent cotton” and “100 percent human.” 

The rejection of artificial fibers and artificial intelligence illustrates how human tastes shape market economics even as efficiency and productivity advance. Machines don’t buy products. People do.  

Students and graduates recognize AI’s benefits. But they want to keep AI in its proper place. They rightly believe in the indispensable role of human agency. They want the future to be determined by humans deciding the role of machines, not by machines deciding the role of humans. And they want these decisions to reflect input from a broad community, especially the next generation of the workforce, rather than just a narrow group of elites. 

Today’s graduates are sending another powerful message as well: the American Dream has always stood for even more than a better job and greater economic opportunity, although that has been at its core. The American Dream has been founded on the dignity of work and the critical role it plays in giving life purpose. Great countries are built on great economies and great jobs. To those in the tech sector who seemingly want to pursue a future where computers replace jobs and AI becomes more capable than people, the next generation of people has offered a compelling response: “not so fast.” 

The ambitions of people 

The good news is that human ambition is irrepressible. It has been almost 300 years since the start of the first industrial revolution, and technology has changed many times over. But there is more human creativity at work in the world today than ever before. 

A trip to an art museum shows this is true even for the impact of the camera on painting. The invention of the camera initially led to a decline in portrait painting. But even that made a comeback. More remarkable was the way accurate photos spurred new forms of artistic expression. By the 1870s, photography’s “artificial eye” led a new generation of artists to portray emotion rather than detail. Impressionist artists captured the effects of light, color, and atmosphere in ways that a camera shutter could not. New artistic movements followed – Post-Impressionism, Fauvism, Cubism, and Surrealism – and continue today, expanding what it means to be an artist. As it turns out, few things are as resilient as human creativity. 

In 1986, I insisted on having a computer on my desk before I accepted a job at a leading law firm in Washington, D.C. For most of the past 40 years, I’ve been part of the tech sector – first as an outside lawyer, then a Microsoft attorney, and since 2001, in the company’s leadership ranks. I’ve long been an informal “liberal arts representative” among a group of extraordinary computer scientists and engineers.  

As I’ve followed technologists across our industry, I’ve often marveled at their vision, intellectual dexterity, and engineering prowess. But I’ve also seen many insightful individuals across the industry repeat two mistakes. First, they frequently overestimate the arrival of new technology, especially the pace of its impact. And even more importantly, they underestimate the capabilities of people. 

Human capability is neither fixed nor finite. Each discovery creates a stronger foundation that enables people to stand taller and reach higher. People have been proving this for millennia. There came a day when people discovered that a horse could run faster than a human. People learned how to ride horses.  

Real causes for concern 

None of this is meant to dismiss the anxiety of today’s graduates. They’re right to raise concerns and ask hard questions, including about AI and its impact on their future. They face multiple headwinds as they enter the job market. This includes AI automation of tasks in current entry-level positions and, especially in the tech sector, corporate pressure to reduce headcount to help pay for AI’s enormous capital expenditures. It also involves other factors, including geopolitical uncertainty, trade tensions, and correction from over-hiring in the early years of the decade. Like a perfect storm, the wind is blowing from multiple directions. 

Today’s graduates have been through a lot. They spent much of their high school years living through a pandemic while studying and socializing at home through a screen. They are digital natives, with all the good and bad that social media, ubiquitous mobile devices, and other technologies have created. Now AI is coming, and they worry that jobs will start to disappear.  

So, what should the next generation – and all the rest of us – do about AI? 

AI in context 

First, we should put AI in context. No one has a crystal ball for the future, but we all can learn from the past. AI is the latest in a list of technologies that will reshape the economy and society. It has become the next “General Purpose Technology,” a term economists apply to technologies that, like electricity, are applied across the economy. Some of these technologies, including ironworking, machine tools, and digital computing, have profoundly reshaped not just job categories but economic power among nations. AI likely will be one of the most important general purpose technologies of the next quarter century. And like previous general purpose technologies, AI will displace some jobs, even as it creates others and changes many of the ways we currently work. 

But it takes time for technology to diffuse across an economy and around the world. There are some who look at the power of AI and predict its massive diffusion in just a few years. It’s always possible that this time will be different, but the world has never previously seen technology diffusion at that pace. The reason is not grounded in technology. It’s people. As Professors Arvind Narayanan and Sayash Kapoor have written, “diffusion is limited by the speed of human, organizational, and institutional change.”  

Put in historical context, broad AI transformation over the next quarter century would itself be remarkable. That pace of change appears to be reflected in Microsoft’s own recent data. Our most recent AI Diffusion Report estimates that 17.8 percent of the world’s working age population currently uses generative AI. The rate in the United States is higher than the global average, but still only at 31.3 percent. And as Professor Narayanan has shown, the impact of new technology across a high percentage of work typically lags well behind this type of initial usage rate.  

As the legendary UCLA basketball coach John Wooden, who led his teams to 10 national championships, advised his players two generations ago, we should “be quick, but don’t hurry.” In other words, we should act quickly and decisively and with preparation and purpose. But we need not – and should not – rush in a way that creates mistakes or panic.  

The key is to think things through. One good way to start is to consider some of the insights that have emerged already. For each of us as individuals. For companies and organizations. And for society.  

The implications for individuals 

In the three-and-a-half years since the release of ChatGPT, one initial insight is profound yet unsurprising. AI often is at its best when we use it to strengthen existing human capabilities and endeavors. In short, people can use AI to make themselves better.  

I see this every day in the work of Microsoft’s AI for Good Lab, which works with non-profits and governments around the world. Firefighters in California are using AI to help spot wildfires more quickly. Legal professionals in Africa are using it to help provide advice to women who don’t have access to a lawyer. Teams in Ukraine are using AI to help identify and remove landmines that threaten civilians. And conservationists around the world are using it to help farmers develop more productive and sustainable agricultural practices. 

There is a clear pattern in these examples. People are acting with ambition. They are using AI not to replace their subject matter expertise but to give it more impact. They are taking their knowledge, passion, and sense of purpose and using AI to help solve problems they care about.  

My colleagues Ryan Roslansky and Aneesh Raman have been focusing on these issues in recent years, based on their longstanding work at LinkedIn. They recently published an important book on the topic, Open to Work: How to Get Ahead in the Age of AI. In my view, it’s the first book that combines a view on where AI is going with practical advice for individuals.  

The more I’ve thought about it, two of their themes are particularly important. The first is for each of us in the workforce today to think about our job not as a title but a bundle of tasks. Their advice is to write down a list of your tasks and put them into three buckets: the bucket of tasks that AI can do; the bucket of tasks that you can do with AI; and the bucket of tasks that humans must do by themselves.  

If almost everything is in the first bucket, then one should think about pursuing a different type of job. But for most people, most tasks fall into the second bucket. In other words, if I can get AI to do the tasks in the first bucket, then I can focus my attention on the second and third buckets and consider how to use AI as a tool to help become more productive and impactful.  

There’s a second insight in the book that is even more important. In an Age of AI, there are perhaps even more opportunities to distinguish ourselves based on the soft skills that are uniquely human. Ryan and Aneesh point to five, all of which start with the letter C – curiosity, creativity, compassion, communications, and courage. Even when AI automates multiple tasks, people must continue to oversee its work. This creates the need for additional human observation and insight. In short, human judgment remains essential. 

All this speaks to one of the questions I hear repeatedly from students and their parents. What should people study to prepare for the future? Call me old fashioned, but I believe people should continue to pursue their passions. Develop expertise in an important field that fascinates you. Keep working hard to master it. At the same time, develop AI fluency so you can use AI to help apply your expertise better than has ever been possible before. This doesn’t mean the future will be easy. It seldom is. But it’s a recipe that will continue to prepare you for success. 

The impact on companies and organizations 

These insights apply as much to organizations as to individuals. After all, employers must thrive for employees to thrive. And successful businesses, like successful individuals, rely on distinctive and often deep expertise – about products, business processes, operating rhythms, and a deep understanding of customers. AI should not replace this foundation; it should strengthen and extend it. 

This can build on where AI technology is going. Organizations can now move beyond chat-based assistants to a network with AI agents that can help employees reason, make decisions, and run workflows across their data and systems.  

Organizations can implement their own AI systems that harness the power of multiple AI models and access their own unique enterprise knowledge. They can strengthen the effectiveness of these systems through AI tools that provide evaluations (“evals”) of a system’s performance and constantly make incremental improvements to it. Like climbing up a hill, each organization can manage an AI system that moves towards better outcomes and higher performance over time. Instead of solely consuming a frontier AI model, organizations can build their own “hill climbing machine” and participate more fully on their own terms in the AI ecosystem. 

By taking this approach, organizations can use AI to accelerate learning rather than replace it. Leaders can use AI to add capabilities inside their organizations, ensuring that their human expertise and judgment remain key competitive differentiators.  

This points to an age-old necessity. Business leaders and individual entrepreneurs must harness the latest technology while protecting their expertise and intellectual property, including through patents, copyrights, and trade secrets. AI adds a new dimension here. The benefits of AI for a business will be short-lived if it transfers and trains someone else’s AI model using a firm’s unique knowledge and expertise. This helps explain why each company needs to develop its own internal AI capabilities and control its own data.  

This is emerging as a critical issue not only for organizations but for today’s graduates, our economies, and even nations. The best way to promote broad economic and job growth is to ensure that every economic sector can harness the power of AI without surrendering its unique expertise. Sovereignty must be preserved not only for countries but for companies. And privacy must be protected not only for individuals but for organizations.  

A broader public conversation 

For individuals and organizations alike, the key is to harness AI’s benefits while preserving timeless human values and economic needs. Given the magnitude of the AI transformation, we’ll need innovative and collaborative efforts that bring the public and private sectors together to help prepare people for success in the Age of AI. This should start with a sobering recognition. The technological, economic, and societal transformations of the past three decades have left too many people behind. We’ll need to try different approaches, built on more shared responsibilities, if we’re going to do better as we move forward.  

Even in a time of fractured public discourse, it will be critical to find more ways to bring more people together to develop common solutions. This requires a big tent with a breadth of perspectives. We need to make room not only for technology companies, employers, and governments, but for non-profits, students, the world’s religions, labor leaders, and workers themselves. As Liz Shuler, the President of the AFL-CIO, said recently, “Who knows best how workplaces function and how work gets done than people who work for a living?” 

Our role at Microsoft 

As a company, we’re committed to playing an active part and constructive role in addressing these issues. We bring not only new technologies and ways of working, but perspective born of experience. For more than 50 years, Microsoft has helped workers and organizations adapt to technological changes, whether in offices, labs, classrooms, or factories. Our mission has been to build products to empower people and organizations to achieve more. And then help them put those tools to work.  

Our experience gives us determination and even a dose of optimism. We remember when people worried that word processing would lead to the end of jobs for people who typed for a living. But what came next – knowledge work and entirely new industries to support the computer age – transformed what “work” was. When spreadsheets automated calculations, people didn’t do less math. They built more sophisticated financial models. When emails made communication instant, people didn’t write less. They communicated more frequently and with more people. When technology increases supply, human ambition often generates more demand. As humans, we don’t plateau. We expand. 

This isn’t just philosophical. It’s our business model. Workers have been Microsoft’s lifeblood from the start. If the world’s people don’t have jobs, then neither do we. And if we’re not doing our part to help people use technology to pursue better jobs, then we’re not doing the job we were born to do. 

Heeding the next generation’s call 

This context shapes our reaction to recent commencement ceremonies. Graduating students who grimace or even boo at references to AI are telling us what we need to hear, that it’s time once again to raise the bar. That has been a frequent refrain from students for decades. The key is always to channel uncertainty into purposeful steps that build a better future. Across the tech sector and in business, non-profits, and government, we can do precisely that. 

I would add a second message for today’s graduates: you’re in a unique position to have a positive impact. You’ve lived through significant challenges. While it may feel unfair that the job market is so uncertain, you were made for this moment. Technology is second nature to your generation. Constant change has taught you how to adapt quickly. As AI reshapes how we work, you don’t need to unlearn decades of habits the way some of us do. You are better equipped to move forward.   

Technology will change, but you can stand firmly and speak loudly for values that are timeless. Agency. Ambition. Dignity. All fulfilled through work and technology that gives us purpose.  

Do everything you can to help advance these values.  

The post AI, jobs, and the next generation appeared first on Microsoft On the Issues.

  •  

Strengthening biosecurity in the era of AI

Artificial intelligence is accelerating discovery across the life sciences. From drug development to materials science, AI is helping researchers move faster and solve problems once thought intractable. This convergence of AI and biology holds extraordinary promise for human health, economic growth, and scientific leadership.

At the same time, advances in AI technologies are introducing new risks, like re-engineered toxins and pathogens. As these tools become more capable and widely accessible, they can lower barriers not only to scientific discovery, but also to accidental harm and deliberate misuse. For example, recent research has shown that specialized AI tools for protein design can be used to re-engineer toxins in ways that may preserve harmful function while evading some existing synthesis safeguards. That work revealed vulnerabilities in screening systems designed for an earlier technological era—and also showed that those systems can be strengthened through coordinated action across industry, government, and the scientific community. 

Rising biosecurity concerns are not a reason to slow innovation, but they are a reason to strengthen our defenses. History shows that powerful general-purpose technologies become more accessible—as with advances in networking and computing—effective governance depends on developing technical and policy safeguards early, before misuse outpaces controls and oversight. The convergence of AI and biology presents a similar challenge: we must preserve the openness that fuels discovery while modernizing protections for a new era of capability.   

This blog examines how advances across the AI-biology ecosystem are reshaping both opportunity and riskIt explains why nucleic acid synthesis screening has emerged as a critical control point, and how governmentindustry, and the scientific community can work together to strengthen biosecurity without slowing innovation. 

AI and biotechnology at the frontier  

To better understand the trajectory of AI capabilities in the biosciences—and the associated policy and risk landscape—it is useful to distinguish among four related types of advances. Each matter on its own, but effective policy will need to account for how these advances increasingly interact and reinforce one another.    

  1. Generalist models.  Advances in general-purpose AI models, such as ChatGPT, Gemini, Claude, and others, are expanding the range and sophistication of what these systems can understand, reason through, plan, and generate across domains. As they become more powerful, they raise baseline capabilities and lower barriers to sophisticated technical work. 
  2. Specialized biological design tools.  Computer scientists and biologists continue to develop specialist AI code bases aimed at performing computation in support of increasingly sophisticated biological tasks.  These tools, typically open-sourced and shared widely, include programs that compute protein structure from amino acid sequences and design proteins with specific structures and properties .   
  3. Laboratory automation. Advances in computer vision, robotics, and experimental workflows are bringing new efficiencies to laboratory work. Over time, these systems may allow researchers to generate, test, and refine biological designs at greater scale and speed.   
  4. Agentic systems.  Agentic programming environments and runtimes (including increasingly powerful AI-based engineering tools, e.g., Claude code) are making it easier to combine generalist AI models, specialist libraries, and laboratory workflows into coordinated pipelines.  This may allow less experienced actors to move more readily from computational design to real-world synthesis, including through nucleic acid synthesis services or automated laboratory systems.   

While each category can be analyzed separately, the most consequential developments arise from how these capabilities increasingly interact. Improvements in generalist models can make specialized biological tools easier to use; those tools make it easier to engineer biology; automated laboratories provide non-experts with access to sophisticated laboratory workflows; and agentic programming tools can connect these elements into integrated design, analysis, and synthesis workflows. Together, these advances are forming a converging “capability stack”—one that can accelerate innovation but lead to a more complex policy and risk landscape.

Why nucleic acid synthesis screening matters

These developments make clear that effective governance must focus not only on frontier models but also  expand to consider multiple practical control points.

One of the most effective near‑term defenses against biological misuse is nucleic acid synthesis screening. Synthetic DNA providers sit at a critical checkpoint in the biotechnology ecosystem. They are often the place where theoretical biological designs are translated into physical reality. Screening DNA orders and verifying customers helps ensure that powerful tools are used for legitimate purposes and not diverted toward harm.

Today, however, most DNA synthesis screening remains voluntary and unevenly applied. Standards vary across providers, and there is no universal requirement that all orders be screened to the same level. As AI‑enabled design tools grow more powerful, these gaps become more consequential.

Strengthening nucleic acid synthesis screening is a pragmatic and targeted response. It does not regulate ideas or restrict legitimate research. Instead, it focuses on responsible access to sensitive capabilities, reinforcing a line of defense that already exists but must now be modernized. The necessity and viability of such modernization was demonstrated by the Paraphrase Project, led by Microsoft. By stress-testing existing screening systems against AI-designed biological sequences, the project showed both where safeguards could fail and how they could be improved. The effort followed a familiar model from cybersecurity: responsible disclosure, red teaming, and rapid deployment of fixes. It highlights how biosecurity tools, like software, must evolve continuously to keep pace with changing threats.

Bipartisan momentum and durable government action

The importance of biosecurity in the age of AI has been recognized across administrations and parties. On May 5, 2025, the Trump Administration released an Executive Order on Improving the Safety and Security of Biological Research, emphasizing the importance of nucleic acid synthesis screening and calling for broader biosecurity oversight. That action built on work that began in 2024, when the White House Office of Science and Technology Policy set out a federal framework emphasizing comprehensive screening, customer verification, and the development of technical standards in partnership with industry.    

Leaders in Congress are now building on this foundation. Earlier this year, Senators Cotton and Klobuchar introduced the Biosecurity Modernization and Innovation Act, known as S. 3741. The bill reflects a bipartisan commitment to strengthening U.S. biosecurity while sustaining scientific leadership and innovation. It would establish mandatory screening requirements (extending beyond current requirements for screening for federally funded research), conformity assessments, and enforcement mechanisms, while also advancing practical implementation through technical assistance and a biotechnology governance sandbox to promote exploratory efforts. The bill also directs OSTP to conduct a 90-day assessment of biosecurity authorities and develop a plan to consolidate oversight to improve efficiency and effectiveness.

Taken together, these efforts reflect a durable consensus: safeguarding biotechnology in the AI era is a national security priority.

Responsible innovation in practice

Supporting innovation while reducing risk will require a balanced approach grounded in continuous monitoring of emerging capabilities, investment in technical safeguards, and thoughtful policy development.

Nucleic acid synthesis screening is not a comprehensive solution, but it is an essential one. Strengthening it now—through bipartisan legislation, thoughtful regulation, and continued public‑private collaboration—would represent the type of balanced, durable action that this moment requires.

The Biosecurity Modernization and Innovation Act would help advance that goal by pairing stronger screening requirements with practical implementation tools and oversight mechanisms. Microsoft strongly supports efforts like this that build on our longstanding work with researchers, synthesis providers, and other partners to strengthen safeguards while sustaining innovation.

The United States has an opportunity to continue to lead by pairing innovation with responsible stewardship. If we get this balance right, we can reap the rewards of AI-enabled biotechnology while guarding against its risks—for this generation and the next.

 

Additional resources:

 

 

The post Strengthening biosecurity in the era of AI appeared first on Microsoft On the Issues.

  •  

United States AI adoption shows steady growth, but distribution remains uneven

More than 30 percent of the US working-age population is using AI, an increase of three percentage points from the end of 2025. But what does that number mean, and what lessons should we take from it? Today Microsoft released a new report that offers an in-depth look at AI adoption across the United States, allowing for the first time a state- and county-level review. This data and the trends it shows are important.

On a national basis, the US leads the world in AI innovation but ranks just 21st in global AI adoption. Part of the reason for this gap is a clear and uneven pattern of AI adoption across the country. We are also seeing a significant divide between urban and rural counties in AI usage. Usage averages 32.9 percent in metropolitan counties, compared with 16.2 percent in rural areas. In other words, metropolitan usage is about double what we see across rural America.

Digital graphic on a dark blue background illustrating the urban‑rural divide. Large text highlights a 16.7 percentage point gap. Three horizontal sections compare areas: metro counties at 32.9%, micropolitan counties at 21.7%, and rural counties at 16.2%, each shown with gradient bars and county counts.The study also shows that another powerful driver of AI diffusion is the presence of colleges and universities. Counties with higher shares of residents aged 18 to 24 have significantly higher AI usage rates—28.6 percent compared with 20.3 percent in other counties. And while college students are some of the most vocal about the risks of AI, they are also helping lead adoption. In counties with college towns like Williamsburg, Virginia, and Story, Iowa, we see usage rates that rival the highest in the world.

 

Read the Microsoft US AI Diffusion Report.

The post United States AI adoption shows steady growth, but distribution remains uneven appeared first on Microsoft On the Issues.

  •  

Strengthening our approach to tackling non-consensual intimate imagery

When intimate images are shared without consent—whether real or AI-generated—the harm is immediate, deeply personal, and often long-lasting. It can affect someone’s sense of safety, dignity, and control, both online and offline. Protecting people from harms like non-consensual intimate imagery (NCII) has long been a priority for Microsoft. And as technology advances, our response continues to evolve to tackle very real challenges like the proliferation of highly realistic synthetic imagery. With the US Take It Down Act coming into force this month, establishing new federal protections against the spread of NCII, it’s important to share how we’re evolving our approach: making it easier to report harm, taking new steps to detect known NCII, and enabling more effective enforcement across our services.

Expanding protections across Microsoft services

Our goal is to make it simpler for individuals, or their representatives, to report violative content to Microsoft. We have strengthened our global reporting processes for NCII with more intuitive form, with clear options to describe harm, including both real and AIgenerated images. These changes are designed to ease the burden for people in a distressing moment and enable faster, more effective action by our teams. Microsoft’s NCII policy is applied consistently across real and synthetic content, recognizing that the harm to individuals is the same, regardless of how an image was created. To report content on Microsoft services, hit Report A Concern or in the product where you encounter the content.  

We also want to proactively detect and prevent the spread of known NCII by working with StopNCII.org, a reporting platform that enables individuals to create a digital “fingerprint,” or hash, of their images. Two years ago, we provided StopNCII.org with a new version of PhotoDNA that enables victims to create a hash without an image ever leaving their device. This can then be used by StopNCII.org partners to detect and remove matching NCII content across platforms, allowing industry to work together to prevent re-sharing and protect individuals’ privacyWe have been piloting the use of these hashes in Bing since September 2024. 

We have now expanded our use of validated StopNCII.org hashes across Microsoft consumer services, including Teams Free, OneDrive, and Xbox. We will implement these changes carefully to advance effectiveness and accuracy—accelerating removals, automating where appropriate, maintaining human review for reported cases, and providing clear, accessible paths for users to appeal decisions.

Enhancing our collective response to this harm

No single company can address NCII alone. It requires coordination across industry, governments, and civil society. Microsoft will continue working with partners to improve shared tools and approaches that help prevent this content from spreading. We will also continue to advocate for clear, effective policies that protect victims, support innovation, and strengthen accountability across the ecosystem.

We will also continue to advocate for policies that support efforts to advance laws that prevent and deter image-based abuse. Microsoft advocated in support of the US Take It Down Act and welcomes the European Union’s work to strengthen protections against “nudification” apps, alongside global efforts to criminalize this misuse of technology. We are closely tracking Ofcom’s recent announcement that new measures will be required under the UK Online Safety Act to address illegal NCII harms. We believe our proactive work in this area will help us maintain trust with survivors, users, and regulators, among others.

Speed, clarity, and trust matter for people affected by intimate image abuse. When someone reaches out for help, we will strive to respond quickly, respectfully, and effectively. Our goal, though, is to invest in technologies and partnerships that reduce the likelihood of harm. We have joined forces with Childnet, a UK NGO that aims to safeguard children online, and created educational materials to prevent the misuse of AI to create intimate imagery among teens. These materials have now been released in the UK, as well as localized with partners in Singapore, South Korea, and Japan.

I am proud to learn from our digital safety team, which is carefully charting our path, and from the many industry and community leaders contributing to this work. This is an evolving challenge. We are committed to the journey, grounded by the voices of experts and survivors.

The post Strengthening our approach to tackling non-consensual intimate imagery appeared first on Microsoft On the Issues.

  •  

Disrupting Fox Tempest: A cybercrime service that turned “verified” software into a pathway for ransomware 

Every day, we decide what software to trust in seconds guided by simple labels such as “verified,” “secure,” and “safe to install.” The problem is that those signs can be manipulated.

Today, Microsoft unsealed a legal case in the US District Court for the Southern District of New York targeting a cybercrime service known as Fox Tempest, which, since May 2025, has enabled cybercriminals to disguise malware as legitimate software. The malware-signing-as-a-service (MSaaS) worked by fraudulently accessing and abusing code signing tools, such as Microsoft’s Artifact Signing, a system designed to verify that software is legitimate and hasn’t been tampered with. Cybercriminals used the service to deliver malware and enable ransomware and other attacks, infecting thousands of machines and compromising networks worldwide.

For the first time, Microsoft is taking public action against a powerful, but often unseen, enabler within the cybercrime ecosystem, targeting how cybercriminals prepare and employ techniques to optimize their rate of success. To disrupt the service, we seized Fox Tempest’s website signspace[.]cloud, took offline hundreds of the virtual machines running the operation, and blocked access to a site hosting the underlying code. This action builds upon persistent internal efforts to revoke fraudulently obtained code‑signing certificates and enhance our defenses and employ new security features to detect and thwart such malicious activity. It’s already having an impact: cybercriminals are complaining about challenges accessing the current service.

Our impact extends beyond one actor. The lawsuit targets Fox Tempest’s infrastructure and also names Vanilla Tempest as a co-conspirator, a prominent ransomware group that used the service to deploy malware like Oyster, Lumma Stealer, and Vidar, and ransomware, including  Rhysida, in multiple recent cyberattacks. Vanilla Tempest has targeted schools, hospitals, and other critical organizations worldwide, while Rhysida, a highly evolved ransomware variant that both encrypts files and steals data, often used for double extortion, has been used by various actors in numerous high-profile attacks globally, including to steal and leak internal documents from the British Library and to disrupt operations at Seattle-Tacoma International Airport. Microsoft’s investigation further linked Fox Tempest to various additional ransomware affiliates and families, including INC, Qilin, Akira, and  others.

More broadly, this case points to how cybercrime is changing.  What once required a single group to carry out an attack from start to finish is now broken into a modular ecosystem where services are bought and sold and work interchangeably with one another. Some services are inexpensive and widely used. Others, like Fox Tempest, are highly specialized and expensive because they remove friction or bypass obstacles that make attacks fail, making them both more reliable and harder to detect. As seen with Fox Tempest, when these services are combined with AI-powered tactics, attacks can scale more easily, reaching more people and becoming more convincing.

This kind of abuse isn’t new, but it is evolving

Illicit code-signing certificates have been  sold and trafficked for more than a decade. That includes its use by nation-state actors to target critical infrastructure organizations in Europe. What’s changed is how this activity is marketed, packaged, and sold as a service, along with the scale at which it is now used across ransomware campaigns. Instead of buying certificates one-by-one, criminals upload their malware to a service that signs it for them.

What also makes this model notable is the level of investment. Unlike lower-cost services like RedVDS, a cybercriminal infrastructure provider that costs as little as $24 per  month, which Microsoft disrupted earlier this year, Fox Tempest shows that more sophisticated actors are willing to pay thousands of dollars for advanced capabilities that make attacks easier to carry out, harder to detect, and more likely to succeed.

How Fox Tempest sold “legitimacy” at scale

Fox Tempest’s business model was straightforward: sell fraudulent code-signing capability, let others package malware, and enable attacks downstream. The model has generated millions in proceeds, demonstrating significant financial profit.

Behind the scenes, the operators built access at scale. Using fabricated identities and impersonating legitimate organizations, they created hundreds of fraudulent Microsoft accounts to obtain real code-signing credentials in volume. Customers who paid for Fox Tempest’s services could then upload malicious files via an online portal for them to  be signed using Fox Tempest-controlled certificates. Cybercriminals paid thousands of dollars for the service, reflecting how valuable this capability was.

Fox Tempest’s pricing model form and Telegram channel where you could purchase the service. The more you pay, the quicker you get access to the service.

Once signed, their malware appeared legitimate. Attackers then distributed the signed malware through tactics such as search manipulation and malicious ads, where users are more likely to trust what they encounter.  AI then helped generate and refine these campaigns  to reach a broader audience.

How code-signed malware appears in search results.
Fake Microsoft Teams download page and delivery mechanism for disguised code-signed malware

That changed the odds. Malicious software that should have been blocked or flagged by antivirus and other safeguards was more likely to be opened, allowed to run, or pass security checks—essentially allowing malware to hide in plain sight. Instead of forcing their way in, attackers could slip through the front door by masquerading as a welcomed guest.

An overview of malware‑signing‑as‑a‑service.

As Microsoft disabled fraudulent accounts, revoked fraudulently obtained certificates and introduced enhanced protections, the Fox Tempest operators continually adapted. In February 2026, they ultimately shifted to networks of third-party-hosted virtual machines to maintain and scale operations. That kind of rapid change is part of the model: these services evolve quickly in response to pressure and friction. In fact, Microsoft has observed further adaptations in response to our layered disruption efforts, with Fox Tempest attempting to shift operations and customers to another code-signing service.

Fox Tempest’s response to the disruptive efforts—translated from Russian by a third-party partner

In addition to seizing the core infrastructure behind the operation and degrading its ability to function at scale, we have taken further steps to prevent similar abuse, removing fraudulent accounts, strengthening verification, and limiting how this type of access can be reused. More technical details on the operation and the steps we’re taking to prevent similar abuse are available in this Microsoft Threat Intelligence blog.

Cutting off a critical enabler of cybercrime

This action wasn’t about stopping one actor. It sought to strategically neutralize a vital service that many attackers, particularly ransomware groups, rely on. When legitimate code signing services are weaponized, everything downstream gets easier: malware looks legitimate, security warnings are less likely to trigger, and attacks are more likely to succeed. Degrading that capability adds friction and forces a reset. The success rates of attacks decrease, and attackers have to rebuild, find new ways in, and accept more risk with each attempt—driving up both the cost and the time required to operate.

Importantly, disruption actions don’t happen in isolation and are never one-and- done. Collaboration is critical, as different organizations and sectors have visibility into different parts of the cybercrime ecosystem. In this case, we are working closely with cybersecurity company Resecurity, whose insights help us better understand how Fox Tempest operates. We are also collaborating closely with Europol’s European Cybercrime Centre (EC3) and the Federal Bureau of Investigation (FBI). As we’ve seen in previous efforts, we expect actors to try to rebuild. Collectively, we will continue to take action and keep the pressure on. That also means strengthening the code signing ecosystem through intelligence sharing and partnering with other code signing services, so it’s harder for malicious actors to regain that ground in the first place.

When attackers can make malicious software look legitimate, it undermines how people and systems decide what’s safe. Disrupting that capability is key to raising the cost of cybercrime. As threats evolve, the Microsoft Digital Crimes Unit will continue working with partners across industry and law enforcement to persistently identify and cut off the services that enable them.

For more than a decade, the Microsoft Digital Crimes Unit (DCU) has persistently disrupted cybercrime and nation-state threats targeting people, organizations, and critical infrastructure. Explore major disruptions—and the ongoing cases and operations behind them here: Disrupting cyberthreats since 2008 | Microsoft

The post Disrupting Fox Tempest: A cybercrime service that turned “verified” software into a pathway for ransomware  appeared first on Microsoft On the Issues.

  •  

The state of global AI diffusion in 2026

Today we published our latest Global AI Diffusion Report. The global adoption of artificial intelligence continued to rise in the first quarter of 2026. During the quarter, AI usage increased by 1.5 percentage points from 16.3% to 17.8% of the world’s working age population. Intensity of use among economies with the highest rates of AI diffusion also increased, with 26 economies now exceeding 30% of the working age population using AI.

At the top of Microsoft’s National AI Leaderboard, the UAE continued to lead global AI diffusion at 70.1%. The United States finally started to move up the national rankings, albeit only from 24th to 21st based on a 31.3% usage rate by the working age population.

Notable developments in the quarter included accelerating AI adoption in Asia driven in part by improving AI capabilities in Asian languages. South Korea, Thailand, and Japan saw the greatest movement. More broadly, the quarter brought continued widening of the AI gap between the Global North and South, with usage now at 27.5% in the North and 15.4% in the South. These trends are discussed below, including a deeper dive on the positive impact of enhanced multilingual AI capabilities in Japan.

To track all these trends, we continue to measure AI diffusion as the share of people worldwide between ages 15 and 64 who have used a generative AI product during the reported period. This measure is derived from aggregated and anonymized Microsoft telemetry and adjusted to reflect differences in OS and device-market share, internet penetration, and country population. Additional details on the methodology are available in our AI Diffusion technical paper.[1]

A list showing AI diffusion by economy

No single metric is perfect, and this one is no exception. Through the Microsoft AI Economy Institute, we continue to refine how we measure AI diffusion globally, including how adoption varies across countries in ways that best advance priorities such as scientific discovery and productivity gains. For this report, we rely on the strongest cross-country measure available today, and we expect to complement it over time with additional indicators as they emerge and mature.

Sectorally, the quarter saw strengthened AI coding capabilities leading to a dramatic increase in production of software code. This was reflected in production by Anthropic’s Claude Code, the OpenAI’s Codex, and Microsoft’s GitHub Copilot. Git pushes – through which software developers put coding changes online – increased 78% year over year globally. Interestingly, the quarter brought added evidence that, at least for now, AI coding capabilities may be increasing demand for the employment of software developers.

As discussed in more detail in the report, when developer productivity increases, the cost of building software declines. If demand for software is elastic, organizations can respond by building more software across a wider range of use cases. It is still too early to know the full labor-market impact of AI-assisted coding, but the available data shows that in 2025, total U.S. software developer employment reached approximately 2.2 million, rising 8.5% year over year and marking a record high for the profession. Early data for the first quarter of 2026 shows that software developer employment in March 2026 was about 4% higher than in March 2025.

Download the latest Global AI Diffusion report. and explore the data here.

 

[1] A. Misra, J. Wang, S. McCullers, K. White, and J., L. Ferres, “Measuring AI Diffusion: A Population Normalized Metric for Tracking Global AI Usage,” Nov. 04, 2025, arXiv: arXiv:2511.02781. doi: 10.48550/arXiv.2511.02781. 

 

The post The state of global AI diffusion in 2026 appeared first on Microsoft On the Issues.

  •  

Advancing AI evaluation with the Center for AI Standards (US) and Innovation and the AI Security Institute (UK)

Today, Microsoft is announcing new agreements with the Center for AI Standards and Innovation (CAISI) in the US and the AI Security Institute (AISI) in the UK to advance the science of AI testing and evaluation, including through collaborative work to test Microsoft’s frontier models, assess safeguards, and help mitigate national security and large-scale public safety risks. These agreements matter because ongoing, rigorous testing is essential to building trust and confidence in advanced AI systems. Well-constructed tests help us understand whether our systems are working as intended and delivering the benefits they are designed to provide. Testing also helps us stay ahead of risks, such as AI-driven cyberattacks and other criminal misuses of AI systems, that can emerge once advanced AI systems are deployed in the world. 

While Microsoft regularly undertakes many types of AI testing on its own, testing for national security and large-scale public safety risks necessarily must be a collaborative endeavor with governments. This type of testing depends on deep technical, scientific, and national security expertise that is uniquely held by institutions like CAISI in the US and AISI in the UK and the government agencies they work with. By combining that government expertise with Microsoft’s experience building and deploying AI systems at global scale, together we are better positioned to anticipate and manage national security and public safety risks in ways that build public trust and confidence in advanced AI systems.  

Improving AI evaluation science through cooperative research and operational experience 

Advancing the science of AI evaluation requires more than isolated research or one-off testing. It depends on sustained collaboration between industry, government, and research institutions. Through our new and expanded partnerships with the US and UK governments—alongside national security–focused evaluations of model capabilities—Microsoft is bringing technical expertise and operational experience to strengthen AI evaluation methods and practical testing foundations.  

  • In the US, with CAISI, Microsoft and NIST will collaborate on improving methodologies for adversarial assessments—testing AI systems in ways that probe unexpected behaviors, misuse pathways, and failure modes, much like stress-testing whether airbags, seatbelts, and braking systems work effectively and reliably in safety-critical driving scenarios. This work involves co-developing more systematic and reproducible approaches to evaluation, including shared frameworks, datasets, and workflows for assessing safety, security, and robustness risks in advanced AI systems. It also builds on our AI Red Team’s novel research and tools to detect compromised models at scale. 
  • In the UK, with AISI, Microsoft will collaborate on research related to frontier safety and security, including methods for evaluating high-risk capabilities and the effectiveness of the safeguards used to address them. The partnership will also include societal resilience research examining how conversational AI systems interact with users in sensitive contexts.  

These collaborations are designed to improve measurement science, evaluation methodologies, practical testing workflows, and real-world mitigation impact. They reflect a shared commitment to rigorous, practical approaches that can make safeguards stronger and evaluations more reliable. 

Looking ahead 

No organization can address these challenges alone. Our partnerships with CAISI and AISI are a key part of a wider effort to build the institutions, research base, and shared methodologies needed for effective AI testing. This effort also includes: 

  • Pursuing research and evaluation in collaboration with other AI institutes globally while helping advance shared priorities and methodologies for testing through the International Network for AI Measurement, Evaluation and Science. 
  • Helping deliver industry best practices through the Frontier Model Forum (FMF), an initiative dedicated to advancing the science and practice of frontier AI safety and security. Through the FMF, we are working with other leading AI developers to support independent research, develop shared evaluation methodologies, and promote transparency around risk mitigation strategies.  
  • Contributing to MLCommons, a multistakeholder non-profit that develops and operationalizes testing tools such as AILuminate, a family of safety and security benchmarks. In February, we announced efforts underway with institutions in India, Japan, Korea, and Singapore to expand AILuminate to support multilingual, multicultural, and multimodal evaluation, helping to make sure that AI systems work well in the languages and cultural contexts in which people around the world use them. 

As AI capabilities advance, so too must the rigor of the testing and safeguards that underpin them. We will apply what we learn from these partnerships directly into how we design, test, and deploy AI systems, ensuring that progress in evaluation science translates into safer, more secure products for our customers. As these partnerships progress, we will share what we learn and look for opportunities to apply insights and best practices to AI testing more broadly.   

The post Advancing AI evaluation with the Center for AI Standards (US) and Innovation and the AI Security Institute (UK) appeared first on Microsoft On the Issues.

  •  

Strengthening cyber capacity in Kenya: A new toolkit with lessons for the region

When a major cyber incident hits, the first decisions aren’t technical—they’re human. Who takes the lead? How quickly can information be shared? When should governments step in, and how do you protect public trust while keeping essential services running? 

These questions are at the heart of Microsoft’s Advancing Regional Cybersecurity (ARC) initiative, launched in 2025 to help governments strengthen cyber preparedness through practical, public-private collaboration. Today, we’re sharing the first tangible output of that work: the ARC Kenya Exercise Report & Toolkit, developed through a tabletop exercise held in Nairobi in December 2025.  

Developed with Kenya’s National Computer and Cybercrime Coordination Committee (NC4) and RiskSight, the toolkit is a practical planning resource designed to help government and cross-sector leaders prepare for cyber crises before they occur. It is grounded in real conversations among leaders from government, regulators, critical infrastructure operators, law enforcement, academia, and the private sector working through what a serious cyber incident would demand of them, together. 

Stress‑testing decisions before a crisis hits

The ambition of the “Silicon Savannah” makes Kenya a compelling setting for this work. Its digital economy is expanding rapidly—from mobilefirst financial services to cloudenabled public infrastructure—positioning the country as a regional technology leader. But rapid digital growth also brings increased exposure to more sophisticated cyber threats. As systems become more interconnected, a serious cyber incident can quickly disrupt essential services, undermine public trust, and threaten economic stability. 

Kenya’s approach recognizes this reality and reflects a critical principle: cybersecurity is not separate from innovation; it is one of the conditions that allows digital transformation to scale safely. The ARC initiative embodies this philosophy and helps decision makers confront the practical realities of coordination, escalation, and response in this complex environment. 

This is exactly what the ARC Kenya tabletop exercise was designed to do. The objective was not to test tools but to stresstest decision making under pressure. Participants were challenged with complex scenarios—including AIenabled breaches, ransomware attacks, and infrastructurelevel disruptions. The focus was not on technical fixes but on leadership clarity, crossagency coordination, and realtime decision making in highpressure environments. 

The outcome was both a roadmap for the unknown and a clear recognition of the need for shared expectations before a crisis begins—particularly around leadership and authority, trusted information sharing channels, and agreed response frameworks. These gaps, identified by participants themselves, now form the backbone of the ARC Kenya Toolkit. 

What the ARC Kenya toolkit delivers

The toolkit translates the lessons of the exercise into concrete actions that leaders can take now—before the next incident occurs. It also serves as a practical and specific 12month roadmap for strengthening Kenya’s cyber preparedness, moving from lessons identified to durable, institutional capability. Specifically, the toolkit provides recommendations to: 

  • Clarify national leadership during major cyber incidents, enabling government, regulators, law enforcement, and critical infrastructure operators to coordinate more quickly, with fewer gaps and overlaps. 
  • Establish practical, standardsaligned incident response models for the entire country, including priority playbooks that teams can train on and execute consistently. 
  • Strengthen operational readiness across sectors, with better coordination between security operations centers (SOCs), clearer escalation thresholds, and more reliable incident reporting pathways. 
  • Deepen trusted information sharing and publicprivate collaboration through common handling rules, safer “goodfaith” reporting mechanisms, and regular joint exercises to build muscle memory before a crisis.

Taken together, these elements enable leaders not only to respond more effectively to cyber incidents, but to institutionalize preparedness, coordination, and resilience across the national cyber ecosystem. For African countries more broadly, the model also offers a practical pathway to strengthen regional cyber cooperation—by aligning expectations around escalation, information sharing, and public‑private coordination before a crossborder incident occurs. By translating highlevel principles into practical, repeatable approaches to crisis readiness, the toolkit underscores the value of trusted international partnerships and alignment with global norms for responsible state behavior in cyberspace. 

Why Kenya’s approach matters beyond its borders

Many countries across the Global South are grappling with similar challenges: fragmented ownership of critical infrastructure, uneven cyber capacity across sectors, and the need to coordinate rapidly under pressure. While firmly grounded in Kenya’s national context, the lessons from ARC Kenya are therefore intentionally designed to resonate far beyond its borders and to be highly transferable. 

Importantly, this work does not end in Kenya. We are already building on these lessons through ARC engagements in other regions, including a new workstream in Mexico, applying the same approach to strengthen preparedness, coordination, and resilience across different national contexts. 

By design, the ARC initiative is not simply a record of a single exercise. It is a foundation others can build on—at a national or regional level—offering leaders a practical starting point to turn shared responsibility into sustained capability. 

Explore the ARC Kenya Toolkit & Tabletop Exercise

 

For more than a decade, the Microsoft Digital Crimes Unit (DCU) has persistently disrupted cybercrime and nation-state threats targeting people, organizations, and critical infrastructure. Explore major disruptions—and the ongoing cases and operations behind them here: Disrupting cyberthreats since 2008 | Microsoft

The post Strengthening cyber capacity in Kenya: A new toolkit with lessons for the region appeared first on Microsoft On the Issues.

  •  

From capability to responsibility: Securing our global digital ecosystem with next‑generation AI

Cybersecurity is at a turning point. Advanced AI models are dramatically accelerating vulnerability discovery and creating conditions ripe for exploitation, underscored by the announcement of Claude Mythos Preview. This marks a shift, and whether this technology will favor defenders or attackers will depend on the choices we make now. 

With the right safeguards, these capabilities can help trusted defenders identify and fix vulnerabilities across critical systems in hospitals, power grids, water, and telecommunications. Released irresponsibly or not properly secured, however, those same capabilities could be abused by malicious actors, threatening the foundations of our digital ecosystem. 

Much of the discussion has rightly focused on risks. As advanced AI models speed up the discovery of vulnerabilities, the way we fix them must speed up too. That means stronger pre-deployment risk assessments and close collaboration between governments, frontier AI developers, software providers, and the broader ecosystem to ensure these tools reduce, rather than increase, cyber risk. This is particularly important as AI systems themselves have become high‑value targets, requiring stronger protection of models, systems, data, and underlying infrastructure. 

This is ultimately an international challenge. Neither software supply chains nor threat actors stop at borders. Neither can our response. Meeting this moment will require shared approaches across countries, sectors, and systems—rooted in trust, shared standards, resilience, and responsible use. 

This moment is also an opportunity. Security has been and remains the top priority at Microsoft. Over the last two years, through our  Secure Future Initiative, we have strengthened our security foundations for this age of AI, in part by using AI to accelerate vulnerability discovery and remediation. We have also invested in fundamental AI for security research, including the development of open-source industry benchmarks that can be used to evaluate whether models are ready for real-world security work. We are accelerating that work through deeper public-private collaboration and in partnership with AI, including Anthropic’s Project Glasswing and OpenAI’s Trusted Access for Cyber program. 

Securing our digital ecosystem with nextgeneration AI is within reach but is not automatic.  

Building secure foundations for the era of frontier AI  

Ensuring advanced AI technologies are used to strengthen cybersecurity requires deliberate and urgent action. We are sharing the following recommendations as practical steps governments, industry, and the broader ecosystem can take to ensure these tools, often referred to as “frontier AI”, reinforce the security foundations on which digital societies depend. And we hope to continue to partner with model providers, industry and government so we can work together to improve security outcomes for all. 

1. Reinforce core cybersecurity practices  

Advanced AI can strengthen cybersecurity only when strong, consistent cyber hygiene is already in place. As frontier AI accelerates vulnerability discovery and response, core practices such as rapid patching, access control, and system resilience become more critical, not less. 

Security gains in the frontier AI era depend on close coordination between technology providers advancing new capabilities and the organizations responsible for operating, updating, and securing real‑world systems. Without this interdependence, advanced AI cannot deliver durable improvements in security. No organization can solve these cybersecurity problems alone. 

That is why sustained investment in what we know works remains essential: secure‑by‑design product lifecycles, Zero Trust architectures, multi‑factor authentication, least‑privileged access, and ongoing security training. Broad adoption and harmonization of established cybersecurity frameworks to ensure consistent resilience across AIenabled systems. Trusted cloud environments that enable these practices at scale, supporting secure data handling, continuous patching, and the secure deployment of AI‑enabled tools for defenders.  

  2. Release advanced capabilities responsibly  

As frontier AI systems gain reasoning, coding, and agentic capabilities, some of the most serious security risks arise before deployment, including realistic misuse involving multi‑step reasoning, tool use, and reconnaissance. Technical safety benchmarks remain important, but they are insufficient without rigorous, real‑world testing.  

As a result, governments are increasingly establishing pre‑deployment evaluations that combine technical testing with threat modeling. These assessments are most effective when frontier developers work closely with organizations that track national‑security risks. Investing in secure evaluation environments and modern testing methods can help governments keep pace as capabilities advance.  

Responsible release practices, including phased and controlled access, are a critical extension of this approach. Our work with Anthropic in Project Glasswing offers one practical model, enabling trusted defenders to evaluate advanced capabilities in constrained settings prior to broader release. Similarly, OpenAI and Microsoft work closely through Trusted Access for Cyber program, and we already support OpenAI’s use of scoped, early deployments for safety and security testing.  

Responsibility does not end at release. Organizations that deploy frontier models are often best positioned to detect emerging misuse and should monitor, mitigate, and share threat information. Microsoft is working with peers through the Frontier Model Forum to advance best practices for evaluating and managing cyber risk and enable information sharing. Governments should encourage continued industry collaboration to restrict access for identified threat actors and counter adversarial or malicious use of advanced AI. 

  3. Modernize vulnerability management  

AI is changing both the speed of vulnerability discovery and what constitutes meaningful security risk. Faster discovery only improves security if triage, validation, and remediation can keep up. 

As AI accelerates discovery, vulnerability management must shift from tracking raw volume to reducing real‑world risk. That means prioritizing vulnerabilities that are genuinely exploitable, assigning clear responsibility for triage and remediation, and using phased, risk‑based disclosure when private coordination improves safety. Above all, systems must be designed around validation and realistic remediation capacity, not the assumption that more findings automatically lead to better security. 

Developers of frontier AI models should embed vulnerability coordination and disclosure directly into responsible‑release frameworks. And work with governments and industry to ensure findings are routed to the right owners, acted on early, and supported by clear coordination pathways. 

  4. Fix faster: Strengthen and accelerate response and remediation 

As AI accelerates vulnerability discovery, remediation must keep pace. Initiatives such as DARPA’s AI Cyber Challenge show how AI can help both find and fix flaws in open‑source software. Hardening defenses requires investment not just in detection tools but in the people, processes, and infrastructure responsible for fixing vulnerabilities, especially in critical sectors. 

Much of the software underpinning critical infrastructure relies on open‑source components maintained by small teams or volunteers with limited security capacity. A surge in AI‑enabled discovery risks overwhelming existing triage and disclosure processes. Efforts such as the GitHub Secure Open Source Fundalongside investments by Microsoft and others through the Linux Foundation, Alpha‑Omega, and OpenSSF, are helping maintainers adapt in ways that are practical and aligned with existing workflows.  

Governments should treat remediation capacity as a core resilience priority, including sustained investment in and support for maintainers, surge capacity during large discovery events, and modernized disclosure pathways—recognizing that effective remediation still largely depends on human judgment, coordination, and time.  

  5. Advance AI security internationally 

AI security is essential to deploy AI at scale. Because AI systems, supply chains, and the risks they introduce operate across borders, national approaches alone will not be sufficient. 

Governments and industry should work together to build interoperable international foundations for AI security, including risk evaluation, coordinated vulnerability disclosure, and information sharing. Priorities should include strengthening the defensive use of AI, preventing misuse through shared norms and safeguards, and securing AI systems- and the AI technology stack.  

Global participation is critical. Countries and organizations with limited cybersecurity resources or legacy infrastructure are often the most exposed. International cooperation should prioritize capacitybuilding, ensuring that the security benefits of AI are realized broadly and equitably. 

AI security is not just a safeguard; it is an enabler for innovation and growth. By acting collectively and moving quickly, governments and industry can strengthen global digital resilience and unlock the trusted adoption of AI across economies, critical infrastructure, and public services.

Meeting the moment: Use frontier AI capabilities to build trust and confidence  

Meeting this moment is ultimately about trust: not in any single technology or provider, but in our collective ability to introduce advanced AI responsibly.  

Used deliberately and built on strong security foundations, these capabilities can strengthen cybersecurity and reinforce confidence in the systems society depends on. The choice is not between innovation and security but whether we enable them to reinforce one another. 

That outcome is within reach. With governments, industry, and infrastructure operators aligned, advanced AI can be deployed in ways that match real‑world defensive capacity and support trusted, lawful action. Done right and working together, frontier AI can help protect the digital infrastructure that underpins modern life and build lasting confidence in its resilience. 

 

For more than a decade, the Microsoft Digital Crimes Unit (DCU) has persistently disrupted cybercrime and nation-state threats targeting people, organizations, and critical infrastructure. Explore major disruptions—and the ongoing cases and operations behind them here: Disrupting cyberthreats since 2008 | Microsoft

The post From capability to responsibility: Securing our global digital ecosystem with next‑generation AI appeared first on Microsoft On the Issues.

  •  

One year on: Progress on our European digital commitments 

Europe is moving fast to capture the benefits of artificial intelligence, recognizing its potential to raise productivity, strengthen competitiveness, and help modernize public services. At the same time, organizations across Europe are focused on digital sovereignty and resilience: retaining control over their data and critical operations in a period of geopolitical volatility.

These priorities go together. That is why one year ago, we announced a set of European digital commitments to respond to these expectations. They focused on five areas:

  1. Help build a broad AI and cloud ecosystem across Europe
  2. Uphold Europe’s digital resilience even when there is geopolitical volatility
  3. Continue to protect the privacy of European data
  4. Help protect and defend Europe’s cybersecurity
  5. Help strengthen Europe’s economic competitiveness, including for open source

Together, they reflect a simple principle: Europe should be able to use global technology at scale, under European rules, with confidence that it will remain available, secure, and under customer control.

One year on, we take stock of how we’ve put those commitments into practice.

1. Building a broad AI and cloud ecosystem across Europe

A year ago, we detailed plans to increase our European datacenter capacity by 40%, expand cloud operations across 16 European countries, and reach more than 200 datacenters on the continent by 2027. Since then, we have announced new multi-billion euro investments in Portugal, Norway, and the UK, adding to the increased investments announced in Denmark, Germany, France, Italy, Sweden, Spain, Poland, and Switzerland. We also launched new cloud regions in Austria, Denmark, and Belgium. Together, this growing capacity is helping European organizations access cloud and AI capabilities closer to home while supporting sustainable growth through investments such as matching 100% of our annual global electricity consumption with renewable energy.

We emphasize now, as we did when first announcing our digital commitments, that European laws apply to our business practices in Europe, just as local laws govern local practices elsewhere in the world. We remain committed not only to building digital infrastructure for Europe, but also to respecting the role that laws across Europe play in regulating our products and services.

2. Upholding Europe’s digital resilience in a volatile geopolitical environment

For many customers, digital sovereignty is now about more than where data is stored. Institutions and businesses across Europe also want to know whether they can rely on critical digital services when geopolitical pressures rise, and whether they can adopt advanced AI capabilities without losing control.

We have made our Digital Resilience Commitment legally binding in contracts with European national governments and the European Commission, including a commitment to promptly and vigorously contest in court any order by any government to suspend or cease cloud operations in Europe.

We also committed to continuity measures, including expanded partnerships with European cloud partners that can support our customers’ operational continuity in extreme scenarios. Reinforcing this approach, we launched a European resiliency partnership with Delos Cloud to safeguard business continuity in Europe in times of crisis. This work also supports closer cooperation among Europe’s sovereign cloud providers, including crisis response coordination and continuity options designed to help customers maintain operations even in the event of geopolitical disruptions.

We also expanded our strategic partnership with Capgemini to offer fully integrated, managed sovereign cloud services. In addition, we are deepening our collaboration with Accenture to help organizations design and implement sovereign cloud and AI solutions, supporting customers in highly regulated sectors as they balance innovation with control, compliance, and resilience.

To further strengthen governance and operational oversight in Europe, Microsoft’s European activities are now overseen by a board of directors composed exclusively of European nationals, reinforcing regional accountability and our commitments to cybersecurity, resilience, and compliance under European law.

3. Protecting the privacy of European data

Privacy, transparency, and customer control remain central to Europe’s expectations for cloud and AI. That’s why over the past year we have built a portfolio of sovereign cloud options, spanning public cloud, private cloud, and national partner solutions, so that customers can choose the level of control and oversight that best fits their legal, operational, and risk requirements. This portfolio spans infrastructure, productivity, and AI workloads across cloud, hybrid, or fully local deployments.

We have continued to implement our Defending Your Data Initiative, including our commitment to challenge government data requests for EU public‑sector or commercial customers where we have a lawful basis to do so.

We also completed the EU Data Boundary, enabling European customer data to be stored and processed within the EU. We have since expanded these commitments to cover AI-powered productivity services, so that the processing of customer data for tools like Copilot can also take place within Europe.

In order to further reinforce transparency and oversight, we announced Data Guardian, which ensures that all remote access by Microsoft engineers to systems that store and process customer data in Europe is approved and monitored by personnel residing in Europe and logged in a tamper-evident ledger.

Over the past year, we have strengthened our sovereign solutions through new contractual assurances, closer partnerships with European providers, and expanded customer support.

The Microsoft Sovereign Cloud has been enhanced to help customers meet Europe’s growing expectations for control, resilience, and compliance without slowing down innovation. Recent updates add new governance and operational controls, expand productivity options for regulated environments, and strengthen encryption, while making it easier to use advanced AI capabilities that are fully customer-controlled. This includes solutions where AI models can run on customer-owned infrastructure with limited connectivity or even in fully disconnected environments. Earlier this week, we added new capabilities to our private cloud offering allowing organizations to run much larger workloads locally.

Sovereign Landing Zone provides a cloud architecture that embeds governance, compliance, and sovereign controls, helping European organizations deploy cloud environments that align with European regulatory requirements, with less complexity.

External validation of this approach continues to grow. Microsoft was named a leader in Forrester’s latest assessment of sovereign cloud platforms, recognizing the strength of our public cloud, private cloud, and partner-operated approach.

To help customers put this into practice, we opened our first three European Sovereignty and Resilience Studios in Munich, Brussels, and Amsterdam, where governments and enterprises work side by side with Microsoft’s engineers, policy experts, and security teams to capture the full promise of cloud and AI. Additional studios are planned to open in Microsoft’s nine other Innovation Hubs across Europe.

4. Helping protect and defend Europe’s cybersecurity

Cyber threats don’t stop at national borders, and Europe’s security depends on strong public‑private cooperation. During the last year, we have rolled out our European Security Program (ESP), an offering available at no cost to governments across the UK, EU, EFTA, and EU accession countries. It expands threat intelligence sharing and prioritizes new partnerships and investments to help protect critical infrastructure, disrupt cybercrime, and strengthen Europe’s collective ability to respond to attacks.

This program is live across 27 countries across Europe, providing support at no cost within a clear scope through structured briefings, early warnings, and tailored information sharing relevant to each country’s environment.

We have provided cybersecurity support to NATO, Ukraine, and other European governments, including threat intelligence, election protection, and disrupting attacks targeting European governments, companies, and citizens.

Since the start of Russia’s full-scale invasion of Ukraine in 2022, when we helped move critical data and services to secure datacenters across Europe and defend against sustained cyberattacks and eventual kinetic attacks, Microsoft has continued to support the country without interruption, providing more than $600 million in free technology, security, and financial assistance.

We have also expanded collaboration by embedding investigators with Europol’s European Cybercrime Centre (EC3). Together, we are translating technical threat intelligence into coordinated operational action, linking visibility into cybercriminal infrastructure with law enforcement’s ability to investigate, coordinate, and disrupt. This model underpinned recent cybercrime takedowns, including Tycoon 2FA, Lumma Stealer, and RedVDS. And, through our partnership with CyberPeace Institute, more than 300 European nonprofits are receiving cybersecurity support.

All of this work was reinforced in July with the appointment of Freddy Dezeure as Deputy Chief Information Security Officer, a European national based in Europe, who is coordinating Microsoft’s compliance with European cybersecurity regulations. Our European executive cybersecurity presence and oversight  are closely aligned with Microsoft’s broader cybersecurity governance, combining European guidelines with globally consistent security practices.

5. Strengthening Europe’s economic competitiveness, including for open source

We continue to support open ecosystems, including open source, to keep our AI and cloud platforms accessible and interoperable, and to give customers deployment options that fit their needs. There are almost 25 million European software developers active on GitHub, making more than 155 million contributions to public projects in the last year alone. Through Microsoft Foundry, customers can choose from more than 11,000 AI models, both open source and commercial, and run them in sovereign public or private clouds from cloud to the edge. This enables customers to deploy the same Microsoft Foundry model catalog within sovereignty‑aligned infrastructure.

But it is also vital that we support AI solutions that are more multilingual and attuned to cultural context. As part of our commitment to advance European commerce and culture, we launched LINGUA in September 2025 to support projects that collect high‑quality speech and text datasets for Europe’s underrepresented languages. Following an open call, we selected 12 projects spanning 16 languages and dialects across 10 countries, bringing together universities, nonprofits, a government language center, and a public broadcaster to create and digitize open datasets, preserve heritage languages, and develop new evaluation resources for multilingual AI.

We have new AI for Culture projects to digitally preserve iconic European sites and artifacts, including a digital replica of Notre Dame with the French Institut du Patrimoine and Iconem, and we are working with leading institutions to digitize historic cinematic model opera sets and enable access to metadata associated with millions of artifacts. We are also working with the Vatican Library on digitization and AI analysis of historic documents. All of this builds on preservation efforts underway since 2019 for landmarks such as St. Peter’s Basilica in Rome, Mont Saint Michel in France, and Ancient Olympia in Greece.

Relatedly, Céline Geissmann was chosen to lead our Microsoft Open Innovation Center in Strasbourg to work at the intersection of AI, languages, culture, open data, and innovation.

Staying accountable as Europe’s digital landscape evolves

These commitments are our North Star for how we engage in Europe, grounded in European law and values, shaped by European priorities, and designed to progress over time.

As Europe’s digital and geopolitical context continues to evolve, we will keep engaging with policymakers, regulators, customers, and partners to test whether what we are delivering matches what Europe needs. Where it does not, we will adapt.

Trust cannot be claimed. It needs to be earned through our actions, day by day. We are committed to earning that trust by listening, acting, and delivering for Europe.

The post One year on: Progress on our European digital commitments  appeared first on Microsoft On the Issues.

  •  

Putting AI to work with the building trades

We are living through a moment that will be defined not only by advanced technology and AI, but by the real-world infrastructure that makes it possible. And that infrastructure will be built the way critical infrastructure has always been built—by electricians, ironworkers, pipefitters, operating engineers, laborers, and the many other skilled professionals who turn plans into places and progress.

In a world that can feel increasingly virtual, there are millions of skilled trade professionals who remind us of a simple truth: what happens next still depends on uniquely human skills and what we can create, build, wire, weld, install, and maintain.

At Microsoft, we are honored to partner with North America’s Building Trades Unions (NABTU) to invest in the people who build with us. Today we are announcing an expanded partnership to support a strong, skilled workforce pipeline and help workers across North America build the skills needed to succeed in an AI-powered economy.

We believe that the North American skilled trades workforce is one of the most talented workforce systems. This week, thousands of these talented workers from across North America gather in Washington, DC for their annual Legislative Conference, an annual convening that reflects both the enduring strength of the trades and the country’s need for what they do.

As part of our Community-First approach to AI infrastructure we committed to investing in the places where we build, in the people who build with us, and in the long-term capacity of local economies. AI is a tool we will use, and I believe it will help in ways we plan and manage work, but it will not replace the experience, judgment, and craft that define the trades. Instead, it can amplify those human skills: helping people work more safely, learning more quickly, and delivering higher-quality outcomes on increasingly complex job sites.

Bringing AI literacy to millions of trades professionals

Our collaboration with NABTU is built on a simple but powerful idea: the people building the future should also be equipped to thrive in it.

Over the past year, we have worked together to bring AI literacy directly into the apprenticeship and training infrastructure that NABTU operates across all 50 states and Canada. More than 1,500 instructors in hands-on training centers nationwide have already participated. That early momentum confirmed that when you meet workers where they are, with content designed for how they actually work, the true benefit of AI can be felt.

Today, we are expanding that effort significantly. Beginning now, no-cost AI literacy courses tailored specifically for the skilled trades are available on LinkedIn Learning, open to instructors, apprentices, and journey-level workers across North America. One course is designed for faculty and staff in apprenticeship training environments. The other is built for apprentices and journey-level professionals who are on job sites every day. Upon completion, participants earn an industry-recognized AI literacy credential—a tangible marker of readiness that travels with them throughout their careers.

We are also extending our partnership to TradesFutures, NABTU’s affiliated nonprofit that recruits, prepares, and connects people to union construction apprenticeship programs across 34 states. Through TradesFutures, we will expand awareness of careers in data center construction alongside AI literacy and link opportunity with infrastructure being built today with the skills that will define tomorrow. The training will be available to all TradesFutures Apprenticeship Readiness Programs, which operate in community-based workforce development settings, high schools, correctional facilities, and labor organizations.

Building on a foundation of partnership with labor unions

There is a question at the center of every conversation about AI and work: who gets to participate?

For too long, the answer has defaulted to those already inside the technology sector or sitting behind desks. But the reality of the AI economy is far broader than any single industry.

At Microsoft, we believe that AI literacy should be as foundational as safety training on a job site. It is not about turning electricians into software engineers. It is about ensuring that an apprentice learning to install electrical systems in a data center also understands the technology those systems support and can use AI tools to work more safely, more efficiently, and with greater confidence.

That philosophy aligns directly with how we think about jobs and skills at Microsoft Elevate—not as a one-time event but as an ongoing investment in human potential that increases the opportunity for all.

This work with NABTU is part of a broader pattern of partnership between Microsoft and the labor community. In December 2023, Microsoft and the AFL-CIO announced a first-of-its-kind partnership between a technology company and a national labor organization focused on AI. That agreement established a framework for sharing AI insights with labor leaders, incorporating worker perspectives into technology development, and shaping public policy that supports frontline workers.

Since then, through our Microsoft Elevate initiative, we have continued to deepen our engagement with workforce organizations, educators, and community institutions. From partnerships with the American Federation of Teachers on the National Academy for AI Instruction to the National Education Association and National Association of Workforce Boards, our work with community colleges across the country, the thread that connects all of this work is a commitment to meeting people where they are—and making sure they have the skills and credentials to move forward.

The road ahead

Technology only fulfills its promise when it lifts people up, and the opportunity here is enormous. For this sector, for every industry that depends on it, for organizations of every size, and for individual workers and entrepreneurs. But it will only be realized if AI is designed and deployed around the realities of the work. In the trades, that means tools that are practical, trusted, and tailored so that AI can help more people stay in the field doing what they love, while opening doors to new kinds of growth.

Think about what that can mean for a contractor who’s running a small shop after a full day on the job: AI that helps draft and send invoices faster, reconcile receipts, and keep paperwork from piling up late at night. Or AI that can sift through public records—permits, zoning updates, capital plans, and procurement notices—to spot building trends in a community and flag where demand is headed next. Or tools that help identify bid opportunities and assemble first-draft scopes and materials lists based on prior jobs. On the job site itself, we believe AI can support safer work, such as summarizing daily plans, translating instructions, and surfacing the right checklist or standard, so people can focus on the work that requires human judgment.

There remain big questions about the impact of AI, and while we do not yet have all the answers, we do know that the future will not be built by technology alone. It will be built by the people who show up every day with skill and purpose to construct the world we all want to live in. If we continue to work together, AI can help expand opportunities: stronger businesses, safer job sites, better projects, and more people able to earn a great living in the communities they call home.

 

The post Putting AI to work with the building trades appeared first on Microsoft On the Issues.

  •  

Building AI infrastructure the Community-First way in Canada

For more than 40 years, Microsoft has supported and scaled Canadian innovation. Now, with more than 5,300 employees and 11 offices across Canada, Microsoft Canada’s technology ecosystem is a trusted partner and key driver of economic opportunity across the country, with $60 billion contributed to Canada’s GDP each year through our cloud customers and partner network and more than 426,000 jobs supported—over 2% of Canada’s workforce.  

As we look ahead, we are proud to be building the critical infrastructure Canada needs to power its digital future. 

In December 2025, Microsoft announced the largest investment in our history in Canada, a $19 billion commitment between 2023 and 2027 to expand cloud and AI infrastructure, strengthen digital sovereignty, advance cybersecurity, and support skills and jobs for Canadians. 

Today, as we move from investment to implementation, we want to share how we are putting those commitments into practice through a Community-First approach to AI infrastructure, one that is globally consistent in principle and delivered in ways that reflect Canada’s communities, institutions, and priorities. 

Community First, Built for Canada 

AI infrastructure brings enormous opportunity. But we know Canadians also have real questions about affordability, energy and water use, jobs, and the impact large-scale infrastructure has on local communities. 

Those questions matter. Technological progress only works when communities see themselves in the benefits.  

At Microsoft, we believe communities should share in the benefits of AI infrastructure, and they should not bear the costs. That belief is reflected in five CommunityFirst principles that guide how we build and operate datacentres around the world—and how we partner locally in Canada: 

Together, these principles shape how we build and operate our datacentres across Ontario and Québec and how we partner with governments, utilities, educators, community organizations, labour groups, and local nonprofits.

Below, we outline what each principle means in practice and the concrete steps we are taking to put these commitments into action here in Canada.

Paying our way on electricity

As Canada expands AI and cloud capacity, electricity systems are under pressure. Microsoft is committed to ensuring that our datacentres do not increase electricity prices for Canadians. In practical terms, this means that our infrastructure growth must be matched by responsible planning, full cost recovery, and investments that support long-term system reliability.

While electricity systems are provincially governed and solutions vary by region, our commitment is consistent across the country: AI infrastructure growth must support grid resilience and affordability for communities.

To deliver on this principle, Microsoft will:

  • Work closely with provinces, utilities, system operators, and regulators to plan new supply in advance
  • Design and operate highly energy-efficient datacentres
  • Support public policies that advance affordable, reliable, and sustainable power
  • Pay the full cost of the electricity we use, including the cost of new generation, transmission, and grid upgrades

Our commitment in action

In Ontario and Québec, we are working closely with provincial governments, utilities, system operators, and regulators to align datacentre growth with planned investments in generation and transmission.

We pay the full cost of the electricity we use. We also continue to design and operate next-generation datacentres that are significantly more energy efficient, reducing the amount of energy required for each unit of computing while scaling to meet growing demand.

To date, we have also paid for substations and fully dedicated the substations and land to provincial utilities. By paying our full share and planning ahead, we aim to support Canada’s economic growth without overstressing the electric grid or shifting costs onto households or small businesses.

Managing water responsibly 

Canada’s cooler climate is a real advantage when it comes to water stewardship. In Ontario and Québec, our datacentres are designed with a reduction-first approach, relying primarily on outside air and using water for cooling less than 5% of the year. When water is used, it is cycled efficiently through the system multiple times and managed in compliance with local regulations. This results in relatively low projected water withdrawals that reflect both local conditions and responsible designs. 

Microsoft’s approach to water in Canada prioritizes: 

  • Minimizing potable water use through efficient design and advanced, industry-leading cooling technologies that maximize free air cooling, limiting the use of water 
  • Transparency and early engagement with provincial and local authorities on water decisions 

Where communities identify opportunities to strengthen local water systems, we believe infrastructure investment should contribute to broader watershed health, not compete with it. 

Our commitment in action 

To bring this principle to life, Microsoft is taking locally grounded steps to strengthen water systems in the Canadian communities where we operate. 

In Ontario and Québec, we will partner on regionspecific water projects that improve infrastructure resilience, restore watersheds, and support long-term stewardship. These projects, developed with local governments, conservation partners, and research institutions, include: 

  • Rainwater harvesting: We design our facilities to make use of what is already available. We’ve implemented rainwater harvesting that further offsets freshwater demand. Our onsite systems are projected to capture approximately 1.5 million litres of rainwater per year for use in datacentre operations. 
  • LEED Gold certification is incorporated into Canadian datacentre designs. All Canadian datacentres will be monitored throughout the construction lifecycle and will undergo the certification process as they near completion.  
  • Wetland and watershed restoration initiatives that improve water quality and reduce flood risk, including supporting Ducks Unlimited Canada to plant hundreds of trees and shrubs in the Lorette River Watershed. 
  • Projects that strengthen monitoring, conservation, and long-term ecosystem health, including a donation toward the preservation of 325 acres of wetland in the Niagara Escarpment. 

Together, these efforts reflect a reduction first approach: minimizing reliance on potable water in our datacentres while investing in the resilience of shared water systems communities depend on every day. 

Creating jobs and economic opportunity 

In Canada, Microsoft’s datacentre construction is delivered through unionized skilled trades labour, supporting high quality jobs, strong safety standards, and apprenticeship pathways. Beyond construction, our focus is on building durable pathways into longterm careers connected to AI infrastructure and the digital economy. Through partnerships with educators, workforce organizations, and labour groups, Microsoft is working to ensure that Canadians can access the jobs created by this investment. 

Our commitment in action

We are advancing this principle through several concrete steps: 

  • Increasing transparency: We will publish clearer information on the jobs created and local suppliers engaged at our Canadian datacentre sites. This will include aggregated national figures, with local detail available where appropriate, providing communities, governments, and stakeholders with a clearer picture of how AI infrastructure investment supports local economies. Microsoft’s datacentre builds in Canada employ approximately 2,000 individuals across sites during construction. Additionally, more than 400 Canadian businesses are involved during the construction phase. Once built and operational, Microsoft’s Canadian datacentres will employ approximately 250 FTEs, and approximately 400 contractors to maintain and operate its sites.  
  • Deepening labour partnerships: We will continue to work with Canadian trade unions and workforce organizations, leveraging existing North American relationships and Canadian labour expertise to support safe, skilled, and inclusive job creation. 

Contributing to local communities 

Datacentres are longterm investments. They contribute directly to municipal tax bases, helping fund essential public serviceswithout asking for special tax treatment. 

The arrival of a corporate citizen like Microsoft is a real benefit to our community in L’Ancienne-Lorette, particularly through significant contribution to municipal tax revenues. It also points to a positive impact on community engagement, with discussions already underway.” 

-  Gaétan Pageau, Mayor, City of L’Ancienne-Lorette

Strong communities are essential to sustainable growth. That is why Microsoft invests not only in infrastructure, but also in the social and economic foundations that support it.   

Our commitment in action 

Across Ontario and Québec, we are continuing to expand partnerships that support: 

  • Workforce training and economic inclusion, including digital skilling for underrepresented groups through NPower Canada 
  • Donations to support environmental conservation, restoration, and climate resilience projects with Ducks Unlimited Canada 
  • Digital access and community led innovation, including support for local community projects through the Microsoft community funds 

These investments help ensure that AI infrastructure contributes to the vitality of the communities where it is built.

Investing in skills and what comes next 

Infrastructure alone is not enough. The real opportunity comes when its benefits are widely shared. It is the foundation upon which others build: startups launching new ideas, researchers advancing discovery, educators preparing the next generation, and governments and communities solving real challenges. 

To fully realize the promise of AI, Canadians must have access to the skills, tools, and opportunities to participate in, and shape the AI economy. That means ensuring AI doesn’t remain concentrated in a few places or organizations, but instead diffuses across our economy and communities, empowering people in every sector to innovate, build, and lead. 

Our commitment in action 

Microsoft is announcing several new Canada specific actions to expand access to AI and digital skills: 

  • Launching national AI skilling initiatives: Through Microsoft Elevate, we are launching a new National AI Skilling Grant with Digital Moment to expand AI Education Training, delivering free, bilingual AI workshops and classroom ready resources to 20,000 educators and students across the country. 
  • Advancing Indigenous AI fluency: Microsoft Elevate is partnering with Ampere and the Pinnguaq Foundation to further support Indigenous AI Fluency and Workforce Readiness Hubs – a national network of 13 makerspaces supporting AI learning, data privacy, and workforce readiness for youth and communities, including integration supporting teachers and students in Nunavut’s K–12 and post-secondary education system. 
  • Empowering the nonprofit sector: In Canada, we are launching Microsoft Elevate for Changemakers and AI for Nonprofits credential through a community-led approach in partnership with Canadian Centre for Nonprofit Digital Resilience (CCNDR) and Digital Moment. CCNDR anchors the work in nonprofit trust, sector insight, and national reach, while Digital Moment will lead with high quality training and delivery in both official languages. Together, this new credential will equip 5,000 nonprofit professionals and leaders across Canada with practical, responsible AI skills they can apply immediately in their work. 

Building the future, together 

AI infrastructure is most powerful when it is built with trust, transparency, and partnership. That is why our approach starts and ends with communities. We are committed to building AI infrastructure in Canada in a way that earns trust, supports local priorities, and strengthens long term prosperity. As this work continues, we will keep listening, learning, and engagingbecause building the future of AI means building it with communities, not just in them. 

 

 

The post Building AI infrastructure the Community-First way in Canada appeared first on Microsoft On the Issues.

  •  

Working constructively with the UK CMA to support customer choice and cloud competition

Today we are sharing news about important changes we are making in our cloud services offerings in the United Kingdom. These changes address issues the Competition and Markets Authority (CMA) has raised and  reviewed as part of its Cloud Market Investigation Report, announced in July 2025.

In conjunction with the CMA’s extensive review, today’s changes will apply to UK customers using Microsoft Azure. The changes address the CMA’s commitment to ensuring that UK customers can continue to move, deploy, and operate their workloads in the clouds of their choice with confidence, flexibility, and ever-reduced friction. The changes are focused on data egress, switching, and interoperability, and are described in a more detailed fact sheet accompanying this statement. We will implement all these changes promptly. We will also proactively share information about these changes with other regulators around the world.

We recognize that the CMA will continue to review and assess additional issues relating to our products and services, including in the business software market. We are committed to working quickly and constructively to address these issues, including by providing all the information the CMA needs to move forward with its reviews.

The cloud and AI markets continue to change at an unprecedented pace. The cloud market itself remains intensely competitive, with large investments by Amazon, Google, Oracle, and new neo-cloud entrants and, ironically, with Google, a complainant in this review, growing faster in the last quarter of 2025 than Amazon or Microsoft.

Especially in times of such dynamic change, a thorough regulatory review requires rapid access to real-world market data and customer input. This is the only way regulators can act in a targeted and agile manner that brings faster changes to the market while fostering continued innovation and investment. This type of work always requires dialogue on both sides. We appreciate the opportunity we have had for direct and constructive conversations with the CMA and its staff and look forward to an ongoing dialogue in relation to relevant cloud issues in the future.

Microsoft has long been committed to addressing the competition and antitrust issues raised by regulators and enforcement agencies through constructive engagement, transparency, and a willingness to address concerns promptly and in practical ways. We believe this has served our shareholders and customers well, avoiding protracted litigation, legal defeats, and large fines.

 

The post Working constructively with the UK CMA to support customer choice and cloud competition appeared first on Microsoft On the Issues.

  •  

Empowering the nonprofit sector to meet tomorrow’s challenges 

As we welcome more than 1,500 nonprofit leaders from around the world to Microsoft’s Global Nonprofit Leaders Summit, we are reminded of the extraordinary work nonprofit organizations do every day to strengthen communities and expand opportunity. Today’s gathering comes at a pivotal moment, as nonprofits confront a new set of questions: How can AI help them serve their communities more effectively? And how do they build the skills and capacity to lead this change from within?

Major technological transitions rarely unfold evenly. As AI diffuses across economies and sectors, it creates new opportunities, but it also introduces significant disruption for workers, families, and communities. Nonprofits are uniquely positioned to drive meaningful change in today’s world. They are the organizations people turn to first to support people as they develop new skills, find new pathways to employment, and stay connected to the systems that sustain them.

To help them maximize their impact with greater scale and efficiency, today we are announcing Microsoft Elevate for Changemakers, a new initiative that provides nonprofit leaders with essential AI credentials, access to a strong peer community, and role-based capacity-building resources. This program is designed to empower those at the forefront of social challenges to confidently lead AI adoption in ways that reflect their missions and the communities they serve.

This new program is part of our broader Microsoft Elevate commitment to ensure people can thrive in the AI economy and reflects Microsoft’s 50-year legacy of supporting nonprofits. As an organization, we are proud to partner with nearly one million nonprofits and education systems globally, and in the next year alone we will deliver more than $5 billion in discounts, donations, and grants to help nonprofit organizations address community needs.

Backed by Microsoft’s pledge to ensure everyone has opportunity in the AI era, Microsoft Elevate for Changemakers helps ensure that those working closest to community challenges remain at the leading edge of AI-powered solutions.

The new Microsoft Elevate for Changemakers program includes: 

  • AI for Nonprofits credential: The AI for Nonprofits credential is a professional certificate, developed with LinkedIn and NetHope, that gives participants a clear, structured learning path built around the real work happening across the nonprofit sector. Earners receive a LinkedIn professional certificate, providing formal recognition of their growing expertise and their commitment to responsible AI use in their organizations.
  • Live and on-demand AI training to build capacity: Practical skills training built around real nonprofit work, not generic AI content repackaged for the sector. From Copilot fundamentals to change management to responsible AI governance, every module is designed to simplify workflows for nonprofits and help them do more with ease.
  • A Changemaker Fellowship, a global program for nonprofit professionals at organizations with actionable AI projects ready to advance their missions. This fellowship provides the essential resources, investment, and expert guidance needed to turn AI ambition into lasting impact. Fellows will join a worldwide cohort, create and implement responsible AI adoption plans, develop critical technical and change management skills, and connect with a trusted network of nonprofit AI leaders—all with support from Microsoft and launch partners, including EY and Caribou. The Changemaker Fellowship is now open to nonprofits of all backgrounds.

Those ready to make a difference with AI can register their interest today at Aka.ms/MicrosoftElevateforChangemakers.

Transforming possibilities by empowering nonprofits

At its best, AI should expand human agency rather than replace it. The real opportunity is to give people more capacity to solve problems, build new ideas, and strengthen the communities around them.

Across the nonprofit sector, this is already taking shape in practical ways:

  • Enriching staff time. Much of a typical nonprofit employee week does not directly contribute to the mission work. In fact, research finds that nearly half of nonprofit organizations still use manual data entry and spreadsheets for compliance documentation, meeting summaries, case notes, and other operations. AI reduces that burden in ways that are already real and measurable, giving people more of their week back for the work they came to do. ARCare, a healthcare provider in underserved communities across Arkansas, Kentucky, and Mississippi, is already seeing the benefits of its use of AI technology. With AI handling administrative tasks, staff spend less time on data collection and more time on patient care, and they estimate they have eliminated 6–8 hours a day of manual tasks.
  • Delivering more impactful programs. AI gives nonprofits the ability to scale what works without losing what makes it work. Opportunity International is using AI to scale impact through a local language chatbot to provide farmers with instant agricultural guidance, overcoming literacy barriers and dramatically expanding reach. By making critical knowledge accessible, AI frees frontline teams to focus on relationships, mentoring, and the long-term change that traditional programs alone can’t achieve.
  • Engaging supporters and funders more effectively. Raising funds, obtaining grants, and building donor relationships are often the most important strategic priorities—and challenges—for nonprofits that are facing growing demand for services at a time of economic uncertainty. AI doesn’t replace donor relationships. It gives the people managing those relationships more time and capacity to focus on what builds them. Head Start Homes found that as AI increased their organizational bandwidth, they could scale programs and attract new funding.
  • Transforming operations. AI gives nonprofits the ability to innovate and optimize how they work, bringing greater security, sharper data, and more informed decision-making to every part of the organization. The result is less time spent managing complexity and more capacity directed toward results. The social housing organization, de Alliantie, is a good example. Using AI has allowed de Alliantie to boost efficiency while keeping a human-centered approach to housing support at the center of everything they do. With more than 3,000 calls coming in each week for housing support, using an AI chatbot allowed call center staff to help more people, because the goal was never efficiency for its own sake. It was to make sure the human benefit always comes first.

These real stories of AI empowering mission-driven organizations are made possible by dedicated individuals within nonprofits who are stepping forward to lead transformative change, often without formal recognition or an official mandate. It is their willingness to embrace new technology, learn new skills, and champion responsible AI adoption that is propelling the sector forward.

The work ahead

The millions of global changemakers, volunteers, and leaders across the nonprofit sector are redefining what is possible, ensuring that AI serves as a tool to amplify human capacity and purpose, rather than replace it. Their commitment and leadership are the driving force behind a future where nonprofits harness AI to deliver greater impact, deepen relationships, and strengthen communities.

The path forward will be shaped by the strength and leadership of the nonprofit sector. Every day, these organizations demonstrate what it means to stay close to communities, respond in moments of change, and help people navigate uncertainty with trust and consistency.

That is what makes this moment different. As AI becomes more widely adopted, the organizations best positioned to ensure its benefits are broadly shared are the ones already doing this work.

At Microsoft, we are building on a tradition of support for this sector that began five decades ago with our founder and continues today. Ours is a long-term commitment. Not just as a technology partner, but as part of a broader effort to help ensure the benefits of AI reach the communities nonprofits serve. We will continue investing in the capacity, tools, and partnerships that support this work and look forward to building what comes next together.

The post Empowering the nonprofit sector to meet tomorrow’s challenges  appeared first on Microsoft On the Issues.

  •  
❌