Security Isn’t an Upsell: Microsoft, Windows 10, and the Compliance Theater of Forced Backups
When Safety Becomes a Subscription
When Microsoft announced that Windows 10 would reach end of support in October 2025, few were shocked. Operating systems age; companies move on. What was surprising, however, was the company’s plan for “Extended Security Updates” (ESU).
Security patches, Microsoft said, would continue, but only under one condition. Users would need to turn on Windows Backup, a feature tied directly to Microsoft accounts and OneDrive. On the surface, this was framed as a way to protect users. In practice, it meant consumers were being funneled into cloud storage where the free 5GB would evaporate almost instantly, leaving most with a choice: pay for more storage or lose access to updates.
This arrangement transformed something fundamental — security — into a kind of upsell. What should be an obligation was recast as an add-on.
Pressure quickly followed. Euroconsumers, a European consumer advocacy group, pushed back, and Microsoft was forced to yield. As The Verge reported, Microsoft agreed to provide a “no-cost” path to security updates in the European Economic Area without requiring Backup, Rewards, or other hidden lock-in (Warren 2025). Yet the change was not universal. Outside Europe, the same calculus remains: pay $30, burn Microsoft Rewards points, or back up into OneDrive whether you want to or not.
This raises an uncomfortable question: what does it mean when safety is contingent not on principle but on geography?
Compliance Theater in Plain Sight
This case fits perfectly into what I have come to call Compliance Theater: governance practices that look protective but ultimately serve corporate strategy. Microsoft framed Backup as a security feature, yet the mechanism was designed not for user safety but for generating storage revenue.
Security updates are not a luxury. They are table stakes, the digital equivalent of clean drinking water or safe roads. By treating them as leverage, Microsoft shifted the logic of duty into the logic of product. The disruption came only when external regulators forced the issue.
It makes me wonder: how many other “safety features” are really staged performances, designed more to create revenue funnels than to create resilience?
Governance by Geography
The asymmetry here is telling. In Europe, security is treated as a right. In the United States and much of the world, it is treated as a product. This duality reveals the deeper layer of governance: architectures of power that do not live in code alone but in law, culture, and regulation.
The same system behaves differently depending on the governance constraints wrapped around it. That insight mirrors my work on AI personas and governance frameworks. The Governance Paradox keeps appearing: we rely on companies to enforce safeguards for the very tools that generate their profits. Without external pressure, safety collapses into strategy.
What if the real variable in technological safety is not the design of the system but the design of its surrounding governance?
Security Updates as Trust Infrastructure
In my independent AI lab, I have been running experiments on trust as infrastructure. Whether through AI personas like Solomon or governance frameworks like the AI OSI Stack, the same pattern recurs: if the foundation is fragile, the entire structure collapses.
Microsoft’s handling of ESU offers a live demonstration. By tying security to Backup, Microsoft signaled that safety itself could be monetized. That signal corrodes trust. And when the baseline corrodes, everything above it (innovation, governance, adoption) becomes brittle.
The AI parallel is unavoidable. If updates, safeguards, or safety features become “premium extras,” governance morphs into a subscription service. That creates dependency, not resilience. It asks users to pay for protection rather than assume protection is a duty.
What would it mean if our future AI systems followed the same path, where safeguards are toggled on only if you upgrade your plan?
Why This Matters Beyond Windows 10
This case may seem narrow, but it carries implications far beyond a single operating system.
For consumers: It demonstrates how easily safety can be leveraged into an upsell.
For regulators: Europe’s pushback shows that advocacy can bend even the most powerful firms. The question is whether other regions will match that standard.
For AI governance: The Windows 10 example is a metaphor in real time. When companies frame safeguards as extras rather than obligations, governance itself becomes distorted.
Ultimately, governance is never only a technical issue. It is always a cultural one. Unless we learn to spot Compliance Theater (performance dressed as protection), we risk paying for the illusion of safety rather than demanding the real thing.
Closing Reflections
This episode leaves me with a set of provocations. What would it look like if we treated security not as a market feature but as infrastructure? How might we demand that safeguards remain obligations across geographies, not contingent perks? And what lessons can AI governance draw from the way operating system updates are priced, packaged, and politicized?
If trust is indeed infrastructure, then every decision that converts obligation into upsell weakens the foundation. The real challenge before us is not only to build new systems but to defend the principle that safety is never optional.
Key Concepts and Working Terms
Compliance Theater: Governance practices that perform safety without delivering accountability.
Governance Paradox: The irony of allowing companies to govern the very tools from which they profit.
Trust as Infrastructure: The principle that safeguards are not extras; they are the foundation on which everything else rests.
Governance by Geography: When protections differ by market rather than principle, revealing that safety depends on regulation, not duty.
Security as Baseline, Not Perk: The recognition that updates and safeguards are obligations, not upsells.
Works Cited
Warren, Tom. “Microsoft forced to make Windows 10 extended security updates truly free in Europe.” The Verge, 25 Sept. 2025.