Don’t call them friends. And watch out for agents rifling through your emails. Meredith Whittaker, president of the Signal Foundation, was blunt in a recent Bloomberg interview: AI chatbots “are not your friends,” “are not conscious beings,” and “are not sentient interlocutors.” A cold splash for anyone already treating them as digital confidants – and an even sharper warning about Microsoft’s Copilot agents, which Whittaker describes as a genuine backdoor.
The over-trust feast
Whittaker’s point isn’t just philosophical. There is a concrete security and design problem: when a conversational system is perceived as a trusted companion, users drop their guard. They share more data, delegate sensitive decisions, and forget that on the other side is not a consciousness but a large language model pre-trained on vast text corpora, with all the associated risks of hallucination, manipulation, and relevance drift. The illusion of an emotional bond becomes a channel for data leakage.
The interview feeds into a heated debate about how cloud providers are embedding LLMs into enterprise workflows. Copilot agents are the poster child: tools that read, summarize, and act on documents, calendars, chats, and code repositories, often with broad permissions and little end-user awareness. For Whittaker, that’s equivalent to installing a privileged access pathway that bypasses standard security controls, turning an assistant into an informational backdoor.
The on-premise flip side
This is where the perspective of those evaluating alternative deployment architectures comes in. Organizations handling sensitive data – government agencies, regulated firms, law practices, critical infrastructure – can’t afford to hand over the keys to an LLM hosted in the public cloud with no visibility on where prompts end up, how they’re used for training, or who can inspect interactions.
An on-premise approach, where the model runs on company-owned hardware inside the corporate perimeter, sharply reduces the attack surface. Inference happens locally, data never leaves the IT team’s control, and privacy policies can be enforced granularly. This is precisely the scenario Whittaker’s critique evokes by contrast: an ecosystem where AI doesn’t become a third-party infiltrator but a tool trained, governed, and confined according to the organization’s rules.
What “they’re not your friends” really means for deployment
The temptation to humanize models doesn’t vanish with on-premise hosting. It can become subtler because the system is “ours.” The danger is that internal teams start trusting answers as if they came from a knowledgeable colleague, forgetting that even an LLM running on a local cluster remains a statistical engine. Whittaker’s distinction between simulated sentience and actual capability must be taken as an operational mantra: in interface design, prompt formulation, and user training, any halo of personality must be stripped away.
For those choosing to self-host LLMs, this awareness translates into specific technical decisions. Audit trails on input/output flows, security filters that don’t delegate to the cloud, containerization with strict isolation policies, quantized model versions that shrink footprint without sacrificing performance – all contribute to keeping AI as a deterministic tool, not an autonomous entity.
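As an added illustration (not code from the article or from any product it mentions), the sketch below combines two of the controls listed above: a redaction filter that runs entirely locally and a hash-chained audit trail over prompt/response pairs. The `local_model` function is a hypothetical stand-in for the self-hosted inference call, and the redaction patterns and sample input are constructed.

```python
import hashlib, hmac, json, re

# Constructed patterns for a local (no cloud call) redaction filter; extend per data policy.
REDACTIONS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "[CARD]"),
]

def redact(text):
    """Mask sensitive tokens locally before anything is stored."""
    for pattern, label in REDACTIONS:
        text = pattern.sub(label, text)
    return text

def _digest(entry):
    # Hash every field except the stored hash itself, in a stable key order.
    body = {k: entry[k] for k in ("seq", "user", "prompt", "response", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only log in which each record commits to the previous one."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, user, prompt, response):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "user": user,
                 "prompt": redact(prompt), "response": redact(response), "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first broken record, or None if the chain is intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(e["hash"], _digest(e)):
                return i
            prev = e["hash"]
        return None

def local_model(prompt):
    # Hypothetical stand-in for the self-hosted inference call.
    return "Summary for " + prompt
```

The chain only shows edits made after the fact if the latest hash is also kept somewhere the log writer cannot modify, such as a separate host or write-once storage.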
The digital sovereignty agenda
Whittaker’s words, from the pulpit of one of the world’s most respected end-to-end encryption architectures, resonate loudly as big platforms push to colonize workflows with agents that move autonomously. The “backdoor” charge isn’t insider speak; it’s a wake-up call about the direction so-called intelligent assistants are heading.
For the AI-RADAR reader, the message is unequivocal. Every time an LLM-as-a-service is evaluated, the productivity gain must be weighed against the risk of opening an ungoverned channel to your data. On-premise infrastructure isn’t a magic wand, but it provides the control needed to prevent the digital friend from becoming a systemic leak. And remembering that AI isn’t our friend is the first, crucial step to using it without being used by it.