ComputerWeekly

The silent substrate: how 175,000 AI endpoints are reshaping the internet


Over the past year, my research partner Silas Cutler and I have conducted a global census of publicly reachable AI systems. What we found challenges comfortable assumptions about where AI actually lives and who controls it. We recorded 7.2 million observations across 175,000 unique hosts in 130 countries. The numbers reveal something more significant than a security misconfiguration story. We’re witnessing the emergence of a new substrate layer on the internet, a global ecosystem of AI systems that answer questions, write code, and increasingly take actions on behalf of their users. It exists outside traditional governance frameworks, runs on commodity hardware, and no one is in charge.

What the data shows

Our research examined publicly exposed Ollama instances – a software tool for running large language models. We found that the typical deployment runs mid-sized models compressed to fit on consumer hardware (eight to fourteen billion parameters at four-bit quantisation). This configuration works on a high-end gaming card or recent Mac. Seventy-two percent of everything we observed operates at this compression, a constraint imposed by the hardware people already own. This constraint has contributed to a US-China duopoly with Meta’s Llama and Alibaba’s Qwen capturing the majority of the deployments.

How we measure these hosts matters. When we look at the full scanning surface, major cloud platforms (AWS, Google, Azure) and home networks appear roughly tied at ~35% each. But once we restrict our analysis to hosts with models actually running at scan time, the center of gravity shifts to always-on independent cloud providers (32.8%). Taken together, the data reinforces our expectations. This is a familiar open-source ecosystem. Home networks are where capabilities spread, but professional cloud infrastructure is where they run efficiently and long term. The installed base is broad and residential; the running base is narrower and more professional.

In addition to this, a third of observed hosts appear only once in our scans. The network’s real mass lies in the persistent nodes – 13% of hosts that account for 76% of all observations and remained online for an average of four to five months. These nodes are an emerging layer of infrastructure and nearly half of them are configured to take actions using tools to generate and execute code, call APIs, or reach into internal databases. Tens of thousands of machines, scattered across the planet, awaiting instructions to do something in the world.

The governance inversion

This new layer of infrastructure is everywhere and its decentralisation inverts traditional accountability structures. Nearly half are run from home connections. But the models are provided by just two companies. When Alibaba released Qwen3, it rocketed to fourth place within days. The result is a strange inversion: two companies in California and China make the decisions about what these models can do, but no one governs the 175,000 endpoints that run them. Meanwhile, modified versions with safety restrictions stripped out (called “abliterated” models) are freely available for download on HuggingFace, a popular repository for AI models. Regulatory visibility, regional segmentation, and leverage over the distributed endpoints themselves is non-existent.

The geographic distribution compounds this challenge. The online distribution of these models spans rival technology regulatory regimes with no single authority able to shape the whole. Tighten rules in one jurisdiction and activity shifts to another. Restrict one model family and operators pivot to ready-made alternatives.

In the United States, regulatory tools which were designed for centralised cloud providers with lawyers, abuse and security teams, and terms of service don’t map cleanly to fifty thousand individuals running AI models on gaming hardware across Brazil, India, and Ohio. Regulators cannot sanction a decentralised network of residential IP addresses or de-platform operators who are themselves the platform.

What this means for the internet

We’ve spent thirty years building an internet of documents – pages linked to pages, indexed by search engines, and mediated by browsers. The emerging substrate operates differently. Users engage AI systems directly for information and tasks, leveraging traditional web architecture when helpful and bypassing it when not. Even without the tools or APIs that provide rich context, the systems themselves can provide direct access to information they were trained on – whether that’s biscuit recipes or security vulnerabilities.

The crucial change for users, however, is not in the interface. When half of exposed endpoints can execute external actions, the stakes increasingly shift from “someone might read bad information” to “someone’s computer might do bad things.” Our research found 1,385 hosts explicitly configured for malware creation, exploit development, and offensive security operations. These models were paired with instructions requesting the simulation of criminal hackers, the generation of working exploits, and the creation of autonomous agents operating without ethical constraints. When we dug deeper we found some hosts running what appeared to be legitimate security research tools, but without clear context the dual-use nature of these tools makes them practically indistinguishable from the infrastructure supporting actual crime.

The strategic question

In the face of rapidly growing capabilities that fundamentally change the structure of the internet, the instinctive policy response may be to restrict open-source AI. For the security industry the obvious failed corollary is the attempts to regulate the transfer of strong encryption. That impulse misreads the landscape.

Although open-source AI development is global, the models people actually run are dominated by two families and are largely interchangeable. When the developers behind these models release a new version, it propagates across hundreds of thousands of endpoints within weeks. Whoever shapes what models are available, performant, and easy to deploy will shape what this new layer of the internet is in the years to come.

If the United States withdraws from the open-source ecosystem—through regulation, corporate retreat, or simply inattention– Qwen will become the default. Chinese labs already release capable open-source models at a pace that undercuts closed-source Western alternatives. They don’t need to lead on benchmarks, they just need to keep shipping. In our admittedly small sample size, we found that the global south is already leaning toward Chinese-made deployments. If this substrate is a new layer of the internet, it’s also a new arena of competition—not for dominance, but for what the infrastructure of the open ecosystem looks like and what norms govern it.

Traditional regulation cannot reach this new layer, what remains is upstream influence that shapes what models exist, what safety measures they carry, and what deployment standards emerge. We don’t have well-defined norms for any of these things. There is no consensus on what information models should provide, what actions they are allowed to take, or who decides. For security practitioners, this is not a problem to observe. It is a problem to solve. The substrate exists. It is growing. The question of who secures it — and how — is open. It is a time for broad thinking, for using every tool at our disposal, for making new partnerships, and for sprinting to understand what our role will be in protecting this infrastructure before someone else defines it for us.

If we needed any additional convincing that this is already happening, breakaway projects like OpenClaw—an open-source personal AI assistant that runs across WhatsApp, Telegram, Discord, and a dozen other channels—represent the rapidly emerging consumer face of this substrate. OpenClaw has grown from a niche project to a frontier lab acquisition in months, putting agentic AI capabilities in the hands of anyone with basic technical skills. Multiply that by every similar project, every custom deployment, every instance we never saw, and the 175,000 endpoints we measured become a floor, not a ceiling. The pace of development in this space is rapid. We must adapt to a new tempo and embrace new ways of leveraging this technology for defence before the landscape shifts again.

Our research is a small subset of a much larger picture, but it casts a long shadow. The shape it reveals is a network optimised for availability over safety, for capability over accountability, for speed of diffusion over deliberation about consequences. That network is now the actual infrastructure of AI adoption for much of the world.

Gabriel Bernadett-Shapiro is a Distinguished AI Research Scientist at SentinelLabs. The Silent Brothers research was conducted in collaboration with Silas Cutler at Censys.



Source link