IT administrators scrambling to lock down AI features across their ecosystems are discovering a fragmented landscape of controls. As AI assistants, code generators, and smart compose tools embed themselves deeper into everyday productivity suites and operating systems, organizations face a pressing governance challenge. Microsoft 365, Windows, Edge, Google Workspace, Chrome, and Apple devices each ship with increasingly powerful on-device and cloud AI — and each offers its own set of toggles, policies, and management surfaces to suppress those features. The problem isn’t a lack of controls; it’s that they’re scattered across portals, PowerShell commands, configuration profiles, and registry keys.

The result is a patchwork. A single misconfigured policy can leave an AI feature enabled despite an organization-wide mandate. This map catalogs the current state of built-in AI suppression across the major enterprise platforms as of June 2026, drawing on real-world admin experiences and official documentation.

Microsoft 365: The Cloud-AI Frontier

Microsoft 365 offers the most complex matrix of AI controls, simply because of the sheer number of integrated services. Copilot, the umbrella brand for Microsoft’s generative AI, appears in Word, Excel, PowerPoint, Outlook, Teams, and the Microsoft 365 admin center itself. Suppression begins in the Microsoft 365 admin portal under Settings > Org settings > Microsoft 365 Copilot. Here admins can toggle tenant-wide access to Copilot features, but granularity varies. For example, you can disable Copilot in Word while leaving it on in Teams — if you venture into User-level app permission policies and app setup policies in the Teams admin center.

A common frustration is that disabling Copilot at the license level (by removing the Copilot service plan from a user’s license) is the most blunt instrument. It works, but it also revokes any value-added AI capabilities that might be approved for subsets of users. More surgical controls come through Cloud Policy service for Microsoft 365, which applies configuration policies to specific security groups. Using the policy ID copilot_disable_all or the newer DisableAIChatInOffice policy (for Word, Excel, PowerPoint), admins can target rings of users without touching license assignments. These policies take effect within minutes across desktop, web, and mobile.

Beyond Copilot, other AI nooks exist. Microsoft Editor uses AI for grammar and style suggestions; its cloud-powered features can be turned off via the AllowAI policy in the Office cloud policy service. Viva Insights leverages Cortana-derived AI for productivity nudges; it has its own admin toggles under Settings > Viva Insights. Each of these sits in a different console, forcing IT to maintain a checklist.

Windows: On-Device AI and Recall

Windows 11, and particularly the 24H2 update, introduced a slate of on-device AI features that raise eyebrows in regulated environments. Recall, a timeline-like feature that snaps screenshots and uses on-device AI models to make content searchable, ships turned on by default but not configured. Admins can disable Recall through Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows Recall. The policy “Turn off Windows Recall” toggles the feature completely. Via Intune, the same control exists as a settings catalog profile under Experience/AllowRecall.

But that’s not the only AI running locally. Live Captions now uses on-device speech recognition to generate real-time captions from any audio. While primarily an accessibility feature, its AI processing can be curbed by disabling the “Allow live captions” policy under Windows Components. Even Windows Copilot, the side-pane assistant baked into the taskbar, requires a separate policy kill. In Group Policy, navigate to User Configuration > Administrative Templates > Windows Components > Windows Copilot and enable “Turn off Windows Copilot.” Intune maps this to WindowsCopilot/TurnOffWindowsCopilot.

For organizations fully committed to stripping AI from Windows endpoints, a combined approach is necessary: block Recall, disable Windows Copilot, turn off live caption speech recognition, and restrict access to the Microsoft Store to prevent users from installing third-party AI apps. All of this can be packaged into a single Intune configuration profile, but admins must meticulously layer the settings because Microsoft provides no master “disable AI” switch.

Edge Browser: Copilot, Collections, and More

Edge ships with its own Copilot integration in the sidebar, AI-powered Collections, and Shopping features that use on-device and cloud inference. The browser can be managed through Group Policy, Intune for Windows, or platform-specific configuration profiles for macOS. The most critical policies are:

  • HubsSidebarEnabled — controls the entire sidebar, which houses Copilot, Shopping, and other tools. Setting this to disabled removes the sidebar icon and its functionality.
  • CopilotPageContext — specifically disables Copilot’s ability to read page context, a privacy-preserving measure.
  • SmartScreenEnabled — a legacy policy that now also governs some AI-driven phishing and malware detection. Turning it off might suppress related AI protections.
  • EdgeCollectionsEnabled — Collections uses local AI to suggest related content; disabling Collections kills that inference.

These policies are documented in the Edge enterprise policy list, but the sheer number can overwhelm. A practical approach is to deploy a baseline that includes the most restrictive settings and then carve out exceptions for groups that require AI tools. The policy AIGenContentSettings is a newer addition that attempts to unify some GenAI controls under a single umbrella, but its scope is still limited to specific Edge features.

Google Workspace and Chrome: Gemini Everywhere

Google’s AI, branded Gemini, appears across Gmail, Docs, Sheets, Slides, Meet, and the Chrome browser. Unlike Microsoft’s tenant-wide Copilot toggle, Google’s admin console buries Gemini controls under Apps > Google Workspace > Settings for [app] > Smart features and personalization. For example, to turn off AI writing assistance in Docs, admins must visit the Docs settings page and disable “Smart Compose” and “Smart Reply” individually. Similarly, Gmail’s AI nudges and summary cards require separate toggles.

A more powerful option is to manage Default policies at the organizational unit level. The Gen AI features policy (found under Apps > Google Workspace > Settings for all apps) can disable generative AI across all services, but note that this also turns off benign features like automatic meeting transcription in Meet. For Chrome, the browser’s AI features—like tab grouping suggestions and theme generation—can be controlled via Chrome Browser Cloud Management policies. The policy TabOrganizerEnabled disables AI tab grouping, while CreateThemesSettings kills AI-generated browser themes.

One consistent criticism from administrators is that Google frequently adds new Gemini features as opt-out instead of opt-in, forcing IT to revisit policies after each update. The Chrome Enterprise release notes are essential reading for any team locking down AI, as a seemingly minor version bump can introduce a new Gemini-powered tool that slides through existing policies.

Apple Devices: Controlled by MDM

Apple’s approach to AI is more restrained, but macOS, iOS, and iPadOS now include on-device AI models for things like Photos object and scene recognition, Live Text, Visual Look Up, and Siri suggestions. Suppression relies entirely on the MDM framework. For supervised devices, the Restrictions payload contains the keys allowLiveText (boolean), allowVisualLookUp (boolean), and allowSiri (boolean). Disabling Siri is nuclear — it removes not just AI suggestions but the entire voice assistant.

For third-party AI app blocking, Apple’s App Store Restrictions payload can block or limit app installations. On macOS, the System Policy payload can restrict AI executables through Identities or executable path rules. However, built-in AI that doesn’t phone home — like on-device photo analysis — is harder to audit because there’s no network traffic to inspect. Many security-conscious shops simply disable the entire Photos app via MDM restrictions (allowPhotos key) and block the Camera app on managed devices, though this is draconian.

iOS 20, expected later this year, is rumored to introduce more generative AI features system-wide, following the industry trend. For now, Apple admins rely on the declarative device management (DDM) protocol to push restrictions quickly, but the pain point remains: every OS update demands a policy review cycle.

Bringing It Together: A Unified Governance Strategy

The scattered controls demand a shift in how IT thinks about AI governance. No single console manages all platforms, so organizations are turning to policy-as-code frameworks and unified endpoint management (UEM) platforms like Intune, Jamf, and Workspace ONE to centralize configuration. Checklists and drift detection tools become indispensable.

Best practices emerging from June 2026 include:

  • Create a golden config per platform that disables AI universally, then base exceptions on group membership.
  • Automate policy drift monitoring using tools like Microsoft’s Policy Insights, Google’s security health page, and Apple’s MDM compliance reports.
  • Layer on network controls — proxy rules that block known AI endpoints (e.g., *.copilot.microsoft.com, *.ai.google.com, *.apple.com/siri) can catch features that slip past device policies.
  • Adopt a zero-trust posture that assumes AI features will occasionally enable themselves and relies on audit logs rather than absolute prevention.

The scattered control landscape isn’t a failure of the vendors as much as it is a reflection of AI’s rapid proliferation inside software that wasn’t built with centralized kill switches. The 2026 governance map shows that suppression is possible, but it requires a Swiss Army knife of admin tools: cloud policy services, group policies, mobile device management, and browser cloud management. Until vendors converge on unified AI management portals, IT teams will keep their spreadsheets close and their PowerShell warm.