DETROIT, Jan 29, 2026, 08:11 EST
- Researchers mapped thousands of internet-exposed open-source AI systems running outside major platform controls
- Study found hundreds of instances where safety “guardrails” were removed, and some prompts enabled harmful use
- Most exposed systems ran a small set of popular model families, including Meta’s Llama and Google’s Gemma
Hackers and other criminals can easily commandeer computers operating open-source large language models (LLMs) outside the constraints of major AI platforms, creating fresh security risks, researchers said on Thursday.
The warning lands as more organisations and hobbyists run “open-weight” models — AI systems whose underlying parameters can be downloaded and hosted anywhere — rather than relying only on cloud platforms that can enforce use policies and monitor abuse.
That shift has left a widening layer of public, unmanaged AI compute exposed on the open internet, researchers at SentinelOne and Censys wrote, arguing it sits largely outside today’s governance and reporting channels.
In a 293-day scan of internet-reachable deployments running through Ollama — a tool that lets users run LLMs on their own machines — the researchers recorded 7.23 million observations across 175,108 unique hosts in 130 countries, with a persistent core of about 23,000 machines driving most activity.
Nearly half of the hosts advertised “tool-calling” features, the researchers said — meaning the model can be wired to execute functions such as calling APIs or running code, expanding what an exposed system might do if it is misused.
While thousands of open-source LLM variants exist, a significant share of the models on internet-accessible hosts were variants of Meta’s Llama and Google DeepMind’s Gemma, Reuters reported. SentinelOne and Censys also listed Alibaba’s Qwen2 family among the most common lineages.
The researchers said they could view “system prompts” — the instructions that shape how a model behaves — in roughly a quarter of the LLMs they observed. Of those, 7.5% could potentially enable harmful activity, and the teams identified hundreds of instances where guardrails were explicitly removed.
Geography clustered as well. Roughly 30% of the hosts were operating out of China and about 20% in the United States, Reuters said, with the researchers also pointing to heavy concentrations in infrastructure hubs such as Virginia in the U.S. and Beijing in China.
AI industry discussions about security controls are “ignoring this kind of surplus capacity that is clearly being utilized for all kinds of different stuff, some of it legitimate, some obviously criminal,” said Juan Andres Guerrero-Saade, executive director for intelligence and security research at SentinelOne. He compared the problem to an “iceberg” that is not being properly counted.
Rachel Adams, CEO and founder of the Global Center on AI Governance, said responsibility becomes shared once open models are released, including by the labs that publish them. “Labs are not responsible for every downstream misuse,” she wrote in an email, but they still have a duty to anticipate foreseeable harms and provide mitigation guidance.
Meta declined to answer questions about developers’ responsibilities for downstream abuse, but pointed to its Llama Protection tools and a responsible-use guide. Microsoft AI Red Team lead Ram Shankar Siva Kumar said in an email the company supports open-source models but is “clear-eyed” they can be misused without safeguards, citing pre-release evaluations and monitoring for emerging abuse patterns.
One big uncertainty: scanners can spot exposed hosts and risky configurations, but tying them to an operator can be messy, especially when systems sit on residential networks or small hosting providers. The SentinelOne-Censys report said attribution data was missing for a meaningful slice of hosts, and it stressed that open models also power legitimate research and deployment where closed platforms are not an option.