The landscape of open-source artificial intelligence is undergoing a significant transformation, marked by a notable shift in influence from Western laboratories to Chinese developers. As leading Western AI entities like OpenAI, Anthropic, and Google face increasing regulatory pressures, safety review overheads, and commercial imperatives pushing them towards API-gated releases, Chinese developers have actively filled the void. They are releasing powerful open-weight models explicitly designed for local deployment on commodity hardware, a pragmatic approach that is rapidly reshaping the global AI ecosystem.

A comprehensive security study conducted by SentinelOne and Censys underscores this paradigm shift. The research, which meticulously mapped 175,000 exposed AI hosts across 130 countries over a period of 293 days, revealed Alibaba’s Qwen2 model consistently ranking second only to Meta’s Llama in global deployment. More strikingly, Qwen2 appeared on 52% of systems running multiple AI models, solidifying its position as the de facto alternative to Llama. Gabriel Bernadett-Shapiro, distinguished AI research scientist at SentinelOne, commented on this trend, anticipating that Chinese-origin model families will play an increasingly central role in the open-source Large Language Model (LLM) ecosystem over the next 12-18 months, especially as Western frontier labs slow down or constrain their open-weight releases.

The divergence in release strategies between regions is stark. Chinese laboratories have demonstrated a clear willingness to publish large, high-quality model weights that are explicitly optimized for local deployment, quantisation, and compatibility with commodity hardware. This approach makes these models inherently easier to adopt, run, and integrate into edge and residential environments. For researchers and developers seeking to deploy powerful AI on their own systems without the burden of massive budgets or complex infrastructure, Chinese models like Qwen2 frequently emerge as the most viable, if not the only, option. This dominance is not accidental; Qwen2 exhibits "zero rank volatility," consistently holding its number two position across various measurement methods, including total observations, unique hosts, and host-days, indicating unwavering global adoption without regional fluctuations.

Further analysis of co-deployment patterns highlights this trend. On systems where operators run multiple AI models—a common practice for comparison or workload segmentation—the pairing of Llama and Qwen2 was observed on 40,694 hosts, accounting for 52% of all multi-family deployments. Geographically, this concentration is evident: Beijing alone represents 30% of exposed hosts in China, with Shanghai and Guangdong contributing an additional 21%. In the United States, Virginia, reflecting its dense AWS infrastructure, hosts 18% of these systems. Bernadett-Shapiro emphasizes that if release velocity, openness, and hardware portability continue to diverge, Chinese model lineages are poised to become the default for open deployments, driven by availability and pragmatism rather than ideological considerations.

This evolving landscape introduces a critical "governance inversion," a fundamental reversal of how AI risk and accountability are traditionally distributed. In platform-hosted services such as ChatGPT, a single entity maintains control over infrastructure, monitors usage, implements safety controls, and can address abuse. However, with open-weight models, this centralized control dissipates. Accountability becomes diffused across thousands of networks in 130 countries, while dependency concentrates upstream on a handful of model suppliers, increasingly Chinese ones. The 175,000 exposed hosts identified in the study operate entirely outside the conventional control systems governing commercial AI platforms, lacking centralized authentication, rate limiting, abuse detection, and crucially, a "kill switch" for misuse.

The security implications of this shift are profound. Once an open-weight model is released, it becomes trivial to remove inherent safety or security training, transforming these releases into "long-lived infrastructure artefacts." A persistent backbone of approximately 23,000 hosts, exhibiting an 87% average uptime, drives the majority of this activity, indicating professional operational systems rather than mere hobbyist experiments. Alarmingly, between 16% and 19% of this infrastructure could not be attributed to any identifiable owner, posing significant challenges for abuse reporting and remediation. Nearly half (48%) of these exposed hosts advertise "tool-calling capabilities," meaning they are not limited to generating text but can execute code, access APIs, and autonomously interact with external systems. Bernadett-Shapiro warns that on an unauthenticated server, an attacker needs only a prompt, not malware or credentials, to trigger actions. The highest-risk scenarios involve "exposed, tool-enabled RAG (Retrieval Augmented Generation) or automation endpoints being driven remotely as an execution layer." Such systems, especially when paired with "thinking" models optimized for multi-step reasoning (present on 26% of hosts), can plan and execute complex operations autonomously. The researchers identified at least 201 hosts running "uncensored" configurations that deliberately remove safety guardrails, indicating a potential for widespread misuse of AI systems capable of significant action without oversight.

For Western AI developers concerned about maintaining their influence over the trajectory of this technology, a different approach to model releases is imperative. Bernadett-Shapiro advises that while frontier labs cannot control deployment, they can significantly shape the risks associated with their releases. This includes "investing in post-release monitoring of ecosystem-level adoption and misuse patterns" rather than treating releases as isolated research outputs. The traditional governance model, which assumes centralized deployment with diffuse upstream supply, is diametrically opposed to the current reality. When a small number of model lineages dominate what is runnable on commodity hardware, upstream decisions are amplified globally, making it essential for governance strategies to acknowledge and adapt to this "inversion." Currently, most labs releasing open-weight models lack systematic ways to track their usage, deployment locations, or whether safety training remains intact after processes like quantisation and fine-tuning.

Looking ahead 12-18 months, Bernadett-Shapiro expects the exposed layer to "persist and professionalise" as tool use, agents, and multimodal inputs become default capabilities. While transient edge deployments will continue with hobbyist experimentation, the core backbone of this unmanaged AI compute substrate will grow more stable, capable, and increasingly handle sensitive data. Enforcement will remain uneven due to the decentralized nature of residential and small Virtual Private Server (VPS) deployments, which do not align with existing governance controls. This is not merely a misconfiguration issue but the early formation of a public, unmanaged AI compute substrate without a central control mechanism.

The geopolitical ramifications add a layer of urgency. When a majority of the world’s unmanaged AI compute becomes dependent on models released by a handful of non-Western labs, traditional assumptions about influence, coordination, and post-release response weaken significantly. For Western developers and policymakers, the implication is clear: even perfect governance of their own platforms will have limited impact on the real-world risk surface if the dominant capabilities reside elsewhere and propagate through open, decentralized infrastructure. The open-source AI ecosystem is globalizing, and its center of gravity is shifting eastward, not through a coordinated strategy, but through the practical economics of which entities are willing to publish what researchers and operators genuinely need to run AI locally. The 175,000 exposed hosts mapped in this study are merely the visible tip of this fundamental realignment, a trend that Western policymakers are only just beginning to recognize, let alone effectively address.