A sprawling, largely invisible layer of artificial intelligence infrastructure has taken shape outside the guardrails of major technology platforms, according to new research that reveals the security implications of open source AI deployments.

A joint study by SentinelLABS and Censys mapped publicly accessible deployments of AI models running on Ollama, an open source framework that enables users to run large language models on their own hardware. Over a 293-day period, researchers identified more than 175,000 hosts across 130 countries, collectively forming what they describe as an unmanaged, global AI compute layer.

To be clear, this isn’t an indictment of open source itself. SentinelOne and Censys found that only a small share of visible open source AI deployments, roughly 7.5 percent, exhibited configurations that could facilitate harmful activity such as fraud and data theft.

But still, the risks here are significant. Unlike commercial AI platforms, which apply rate limits and abuse detection, self-hosted systems usually lack centralized oversight. Researchers warn that attackers could exploit exposed hosts for spam or phishing at no cost, shifting compute costs onto unwitting operators.

Hosted on Small Servers

While Ollama is intended to operate locally by default, a simple configuration change can expose an instance to the public internet. At scale, thousands of individual developer decisions to make systems reachable have aggregated into a large public-facing network. The researchers logged more than 7 million observations, with a relatively small core of systems accounting for the majority of activity.
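A self-check for the configuration change described above, added here as an example and not code from the study or from Ollama. It reads the OLLAMA_HOST setting the way Ollama's documented defaults imply (127.0.0.1:11434, an optional http:// or https:// prefix, an optional port; these defaults are assumed, so verify them against your version) and labels who could reach the API, so an operator can tell whether an instance belongs to the exposed population the researchers counted.

```python
"""Self-audit of where an Ollama instance listens (added example, not code from
the study or from Ollama). Assumes OLLAMA_HOST defaults to 127.0.0.1:11434, an
http:// or https:// prefix is optional and a missing port means 11434."""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_HOST, DEFAULT_PORT = "127.0.0.1", 11434

ADVICE = {  # exposure labels and advice are this example's own
    "loopback": "only this machine can reach the API (the default)",
    "private": "every host on the local segment can reach it; add a host firewall",
    "all-interfaces": "listens on every interface; rebind to 127.0.0.1 or front it with an authenticating proxy or VPN",
    "public": "listens on a public address; rebind to 127.0.0.1 or front it with an authenticating proxy or VPN",
    "hostname": "bound to a name; resolve it and re-run the check on the address",
}

def parse_ollama_host(value):
    """Return (host, port) for an OLLAMA_HOST value, applying the defaults above."""
    value = (value or "").strip()
    if not value:
        return DEFAULT_HOST, DEFAULT_PORT
    if "://" not in value:  # urlsplit only recognises a netloc after a scheme marker
        value = "//" + value
    parts = urlsplit(value)
    return parts.hostname or DEFAULT_HOST, parts.port or DEFAULT_PORT

def classify_exposure(host):
    """Label who can reach a socket bound to `host`."""
    if host.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # must be resolved before judging
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or :: means every interface, public ones included
        return "all-interfaces"
    if ip.is_private or ip.is_link_local:  # note: ipaddress also files TEST-NET ranges here
        return "private"
    return "public"

def audit(value):
    """Verdict for one OLLAMA_HOST value: host, port, exposure label and advice."""
    host, port = parse_ollama_host(value)
    exposure = classify_exposure(host)
    return {"host": host, "port": port, "exposure": exposure, "advice": ADVICE[exposure]}
```

To check a running shell's own setting, call `audit(os.environ.get("OLLAMA_HOST"))`; an unset variable yields the loopback verdict, `0.0.0.0` or `::` the all-interfaces one.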

Only about 13 percent of hosts appeared consistently across scans, yet those systems generated roughly three-quarters of observed activity. These always-on deployments resemble cloud services, even when they’re hosted on residential or small virtual private servers. Researchers say this persistent backbone concentrates most of the operational value, but also most of the security risk.

Anonymous Systems

The infrastructure spans a mix of environments. Consumer internet connections account for the largest share of hosts by count, but cloud platforms and independent virtual private server providers make up a comparable portion. Nearly one-fifth of observed systems could not be reliably attributed to an identifiable operator.

Even though the infrastructure is decentralized, model usage is remarkably uniform. The same few model families dominate exposed deployments, with Meta’s Llama lineage leading, followed by Alibaba’s Qwen and Google DeepMind’s Gemma. Researchers also found strong convergence around specific compression formats designed to make models run efficiently on low-cost commodity hardware.

Advanced AI Models

Roughly half of exposed systems advertised tool-calling features that allow models to execute code, interact with APIs, or access external systems. More than a fifth supported image understanding, and some ran reasoning models optimized for multi-step planning, which suggests these systems are being positioned to drive AI agents. In hundreds of cases, researchers identified system prompts that explicitly disabled safety controls.

More severe risks emerge when tool-enabled models are exposed without authentication. In such configurations, a prompt can act as an intrusion tool, potentially allowing an attacker to extract sensitive information or trigger unintended actions in connected systems. The study also highlights the danger of identity laundering, where malicious activity routed through residential IP addresses appears to originate from legitimate users.

A Governance Challenge

The findings present a very real governance challenge. Open-weight AI models are released by a small number of organizations but are rapidly replicated and deployed across thousands of networks beyond the reach of traditional controls. Responsibility for safe operation falls to individual users and small operators, with obvious security implications.

Researchers argue that this governance challenge requires new approaches. As AI systems move closer to the edge and gain the ability to translate instructions into actions, they come to resemble other forms of critical infrastructure. Treating them with the appropriate authentication and exposure controls appears to be the next crucial step as open source AI expands far beyond any guardrails.
