Rethinking Data Security in the New Generation of Enterprise AI Devices

Analysis by: David Daoud

March 30, 2025

We spent some time looking at the latest generation of computing devices and how the embedding of AI could drastically reshape the risk profile of corporate IT departments. The new systems that are about to replace the PCs we’ve known for decades not only push performance and power efficiency to new levels, but also bring new data security concerns through their new capacity to process, retain, and infer from sensitive data, locally and continuously. Understanding this evolution must be a priority for corporate IT and security departments and for IT asset disposition (ITAD) providers, who will have to deal with the devices when it is time to decommission them.

In March 2025, we analyzed nine commercial devices introduced by OEMs, from ultraportables like the Lenovo ThinkPad X13 Gen 6 to GPU workstations such as the Dell Pro Max with GB300 and inference engines like the NVIDIA DGX Spark, and we concluded that today’s AI-powered hardware introduces new layers of data interaction that never existed in prior generations. One of the benefits of AI is that these systems don’t merely compute or store—they interpret. And that could be a source of data security risk. By “interpret,” I mean they learn, and they cache contextual intelligence in places that traditional sanitization protocols may overlook.

More Data Everywhere

At the core of these next-gen machines are neural processing units, or NPUs. These are capable of handling AI inference workloads in real time. In two systems we analyzed in March, the HP ZBook Fury G1i and Lenovo ThinkBook Flip AI PC, the NPU works alongside the CPU and GPU to offload tasks such as noise filtering, background detection, language translation, and personal assistant interactions. While these tasks are often transient, meaning the data is processed for a specific task and period, they still generate temporary data that is processed locally rather than in the cloud.

This is a significant shift from the enterprise hardware we’ve always known. In previous generations, which currently form the overwhelming majority of enterprise systems (after all, Windows 10 PCs still dominate), information passes through traditional data channels: files stored on SSDs or hard drives, browser caches, system logs, and email clients. These were well understood and easy to sanitize with tools that have been in use for decades, including manufacturer BIOS wipe protocols.

The systems that most of us are currently using, such as pre-AI laptops, have fixed-function chipsets that rarely interact with user identity beyond basic login and system registration. Even if data remained after the decommissioning phase, it was stored in discrete locations, largely confined to the OS volume or device BIOS.

But this new generation of systems, based on AI, may retain fragments of user interaction in AI inference buffers, cached transcriptions, or embedded analytics designed to “personalize” the experience. What security experts are concerned with is that these AI processes are not always visible in the OS layer, making sanitization a little harder to achieve as it becomes a moving target. Security analysts are working to build new tools to address questions such as: Which subsystem held the data? Was it offloaded to the NPU? Was it temporary or persistent? Did it interface with firmware? These are questions that engineers at Stanford or MIT would have tackled, but they are now front and center in corporate IT security.

Embedded AI and Persistent Identity

And then there are AI agents, which are going to magnify the challenge of securing enterprise identity frameworks. In systems like the HP EliteDesk 800 G9 or Dell Rugged 14, AI-based collaboration features may pull data from enterprise accounts to optimize meetings, suggest replies, or summarize documents. Even if these agents run locally, their logic often references cloud-authenticated identities, tokens, or encrypted profiles that are cached on the device—even if temporarily.

ITAD companies that have to decommission these computers will also experience a different set of technical problems. When these devices undergo a lease return, resale, or recycling process, ITADs will have to ensure that sanitization includes residual metadata about users, work patterns, or network behavior. While such data might not be classified as “Personally Identifiable Information” (PII) in the strictest sense, it could reveal behavioral profiles or corporate workflow details that could jeopardize the company. A forensic recovery by a savvy expert could create new security threats, so ITAD providers and internal IT teams will need to expand their definition of data exposure.

Storage Isn’t the Only Risk Anymore

But it’s not just about the hardware aspect of systems. The upcoming devices will be increasingly “intelligent endpoints” that will interact with cloud services, operate local models, and cache interim data to speed up AI responses. In workstations like the DGX Spark, the local inference of large language models means that query logs, context memory, and temporary embeddings may live in active memory or scratch storage far beyond the standard OS environment. In other words, data security is no longer just about the drive.

This has deep implications for compliance with frameworks like GDPR, HIPAA, ISO/IEC 27001, and even newer proposals like the NIST AI Risk Management Framework. Companies and their ITAD providers will have to figure out how to track what data passes through which components, and what responsibility they bear for ensuring that information is fully expunged at end of life in accordance with current regulations.

Firmware and Security Evolution

In this environment of expanding data security risk, it is not all bad news. Most of the devices we reviewed—such as the HP ZBook Fury and ThinkPad X13 Gen 6—offer full support for TPM 2.0, secure boot, BIOS rollback protection, and firmware-resident security agents (e.g., HP Sure Start, Lenovo ThinkShield). These tools help prevent tampering, malware persistence, and BIOS-level compromise.

We also see the expanding universe of remote wipe and zero-touch provisioning for secure retirement that some devices offer. If these features are properly implemented, they could lower the security risk during decommissioning. However, they will require more work for IT departments and corporate IT security teams to properly enroll and configure devices during their lifecycle; otherwise, these tools offer little protection when it matters most.

What Enterprises and ITAD Providers Must Now Prepare For

We have been helping clients deploy Information Security Management Systems (ISMS), which require companies to analyze and deploy a comprehensive data security framework. Those companies will also be required to integrate new data security schemes for the new AI devices as they enter broad circulation. The areas they will need to pay attention to include performing full-system data mapping to identify where data might be temporarily or persistently stored, including NPUs, cache layers, AI logs, and embedded telemetry. They will have to adopt tools or processes that can reset or wipe embedded AI agents, firmware settings, and profile data. Additionally, they must have clear firmware and telemetry controls that allow them to disable or clear system telemetry features that track user behavior or cloud interaction histories. And finally, they must ensure they have audit trails for compliance that provide evidence that devices were sanitized not only at the storage layer, but also at the inference and identity-handling layer.

ITAD firms will also have to invest in tools that address the security risk downstream, ensuring that the AI agent is wiped, the NPU cache is cleared, the Copilot feature is disabled before resale, and so on.

How we review

Methodology Statement

The ratings and analysis presented in this review are derived from a combination of independent analyst assessments and AI-assisted data processing. Our approach incorporates both expert evaluation and AI-driven analysis to ensure a comprehensive and data-informed perspective on the product reviewed on this page and other products on this platform.

AI is primarily used to sift through technical details reported by the vendor and third-party specialists, extracting and organizing key specifications, performance metrics, and sustainability claims. This assists in identifying patterns, contradictions, or areas requiring further scrutiny. AI also helps process complex technical statistics that are difficult to interpret manually, such as energy efficiency benchmarks, thermal dissipation data, lifecycle carbon impact, and component failure rates. Additionally, AI analysis simplifies comparisons between different hardware architectures and their implications for repairability, recyclability, and performance longevity.

While AI enhances efficiency in reviewing technical information, final judgments are made by analysts, who interpret and contextualize the findings. The ratings assigned to various categories reflect a balanced consideration of available data, industry standards, and sustainability concerns, but they should not be viewed as absolute.

The interpretation of the ratings and assessments provided should not be considered final or definitive. Readers are encouraged to use this analysis as a supplementary tool to refine their own evaluations.

The authors are not responsible for decisions made based on this information or for any outcomes resulting from its use. This review is intended as an additional service to help industry professionals assess IT hardware more effectively, incorporating sustainability and lifecycle considerations into their decision-making process.

  • Sustainability
  • Repairability & Serviceability
  • Performance & Enterprise Integration
  • Cost-effectiveness & TCO
  • Lifecycle Management & Longevity
  • Power Consumption
  • Data Security

Contact Us

Compliance Standards’ analysts who review these products can be reached via: inquiries@compliance-standards.com. They can also be engaged by scheduling a free consultation at: https://compliancestandards.com/consultation/