Because Western AI labs won’t—or can’t—anymore. As OpenAI, Anthropic, and Google face mounting pressure to restrict their most powerful models, Chinese developers have filled the open-source void with AI explicitly built for what operators need: powerful models that run on commodity hardware.
A new security study reveals just how thoroughly Chinese AI has captured this space. Research published by SentinelOne and Censys, mapping 175,000 exposed AI hosts across 130 countries over 293 days, shows Alibaba’s Qwen2 consistently ranking second only to Meta’s Llama in global deployment. More tellingly, the Chinese model appears on 52% of systems running multiple AI models—suggesting it’s become the de facto alternative to Llama.
“Over the next 12–18 months, we expect Chinese-origin model families to play an increasingly central role in the open-source LLM ecosystem, particularly as Western frontier labs slow or constrain open-weight releases,” Gabriel Bernadett-Shapiro, distinguished AI research scientist at SentinelOne, told TechForge Media’s AI News.
The finding arrives as OpenAI, Anthropic, and Google face regulatory scrutiny, safety review overhead, and commercial incentives pushing them toward API-gated releases rather than publishing model weights freely. The contrast with Chinese developers couldn’t be sharper.
Chinese labs have demonstrated what Bernadett-Shapiro calls “a willingness to publish large, high-quality weights that are explicitly optimised for local deployment, quantisation, and commodity hardware.”
“In practice, this makes them easier to adopt, easier to run, and easier to integrate into edge and residential environments,” he added.
Put simply: if you’re a researcher or developer wanting to run powerful AI on your own computer without a massive budget, Chinese models like Qwen2 are often your best—or only—option.
Pragmatics, not ideology
The research shows this dominance isn’t accidental. Qwen2 maintains what Bernadett-Shapiro calls “zero rank volatility”—it holds the number two position across every measurement method the researchers examined: total observations, unique hosts, and host-days. There’s no fluctuation, no regional variation, just consistent global adoption.
The co-deployment pattern is equally revealing. When operators run multiple AI models on the same system—a common practice for comparison or workload segmentation—the pairing of Llama and Qwen2 appears on 40,694 hosts, representing 52% of all multi-family deployments.
Geographic concentration reinforces the picture. In China, Beijing alone accounts for 30% of exposed hosts, with Shanghai and Guangdong adding another 21% combined. In the United States, Virginia—reflecting AWS infrastructure density—represents 18% of hosts.
“If release velocity, openness, and hardware portability continue to diverge between regions, Chinese model lineages are likely to become the default for open deployments, not because of ideology, but because of availability and pragmatics,” Bernadett-Shapiro explained.
The governance problem
This shift creates what Bernadett-Shapiro characterises as a “governance inversion”—a fundamental reversal of how AI risk and accountability are distributed.
In platform-hosted services like ChatGPT, one company controls everything: the infrastructure, monitors usage, implements safety controls, and can shut down abuse. With open-weight models, the control evaporates. Accountability diffuses across thousands of networks in 130 countries, while dependency concentrates upstream in a handful of model suppliers—increasingly Chinese ones.
The 175,000 exposed hosts operate entirely outside the control systems governing commercial AI platforms. There’s no centralised authentication, no rate limiting, no abuse detection, and critically, no kill switch if misuse is detected.
“Once an open-weight model is released, it is trivial to remove safety or security training,” Bernadett-Shapiro noted.”Frontier labs need to treat open-weight releases as long-lived infrastructure artefacts.”
A persistent backbone of 23,000 hosts showing 87% average uptime drives the majority of activity. These aren’t hobbyist experiments—they’re operational systems providing ongoing utility, often running multiple models simultaneously.
Perhaps most concerning: between 16% and 19% of the infrastructure couldn’t be attributed to any identifiable owner.”Even if we are able to prove that a model was leveraged in an attack, there are not well-established abuse reporting routes,” Bernadett-Shapiro said.
Security without guardrails
Nearly half (48%) of exposed hosts advertise “tool-calling capabilities”—meaning they’re not just generating text. They can execute code, access APIs, and interact with external systems autonomously.
“A text-only model can generate harmful content, but a tool-calling model can act,” Bernadett-Shapiro explained. “On an unauthenticated server, an attacker doesn’t need malware or credentials; they just need a prompt.”
The highest-risk scenario involves what he calls “exposed, tool-enabled RAG or automation endpoints being driven remotely as an execution layer.” An attacker could simply ask the model to summarise internal documents, extract API keys from code repositories, or call downstream services the model is configured to access.
When paired with “thinking” models optimised for multi-step reasoning—present on 26% of hosts—the system can plan complex operations autonomously. The researchers identified at least 201 hosts running “uncensored” configurations that explicitly remove safety guardrails, though Bernadett-Shapiro notes this represents a lower bound.
In other words, these aren’t just chatbots—they’re AI systems that can take action, and half of them have no password protection.
What frontier labs should do
For Western AI developers concerned about maintaining influence over the technology’s trajectory, Bernadett-Shapiro recommends a different approach to model releases.
“Frontier labs can’t control deployment, but they can shape the risks that they release into the world,” he said. That includes “investing in post-release monitoring of ecosystem-level adoption and misuse patterns” rather than treating releases as one-off research outputs.
The current governance model assumes centralised deployment with diffuse upstream supply—the exact opposite of what’s actually happening. “When a small number of lineages dominate what’s runnable on commodity hardware, upstream decisions get amplified everywhere,” he explained. “Governance strategies must acknowledge that inversion.”
But acknowledgement requires visibility. Currently, most labs releasing open-weight models have no systematic way to track how they’re being used, where they’re deployed, or whether safety training remains intact after quantisation and fine-tuning.
The 12-18 month outlook
Bernadett-Shapiro expects the exposed layer to “persist and professionalise” as tool use, agents, and multimodal inputs become default capabilities rather than exceptions. The transient edge will keep churning as hobbyists experiment, but the backbone will grow more stable, more capable, and handle more sensitive data.
Enforcement will remain uneven because residential and small VPS deployments don’t map to existing governance controls. “This isn’t a misconfiguration problem,” he emphasised. “We are observing the early formation of a public, unmanaged AI compute substrate. There is no central switch to flip.”
The geopolitical dimension adds urgency. “When most of the world’s unmanaged AI compute depends on models released by a handful of non-Western labs, traditional assumptions about influence, coordination, and post-release response become weaker,” Bernadett-Shapiro said.
For Western developers and policymakers, the implication is stark: “Even perfect governance of their own platforms has limited impact on the real-world risk surface if the dominant capabilities live elsewhere and propagate through open, decentralised infrastructure.”
The open-source AI ecosystem is globalising, but its centre of gravity is shifting decisively eastward. Not through any coordinated strategy, but through the practical economics of who’s willing to publish what researchers and operators actually need to run AI locally.
The 175,000 exposed hosts mapped in this study are just the visible surface of that fundamental realignment—one that Western policymakers are only beginning to recognise, let alone address.
See also: Huawei details open-source AI development roadmap at Huawei Connect 2025
Want to learn more about AI and big data from industry leaders? Check out AI & Big Data Expo taking place in Amsterdam, California, and London. The comprehensive event is part of TechEx and is co-located with other leading technology events including the Cyber Security & Cloud Expo. Click here for more information.
AI News is powered by TechForge Media. Explore other upcoming enterprise technology events and webinars here.
