
A new report from Intruder reveals that over one million self-hosted AI services are exposed to the public internet — many without any authentication whatsoever. If your organisation has developers spinning up Ollama instances, LangChain agents, or n8n AI workflows, there is a very real chance that your most sensitive data is sitting behind an open door.

The rise of self-hosted AI has been remarkable. Teams want control over their models, their data, and their costs. But the rush to deploy has outpaced the discipline to secure, creating a sprawling shadow AI infrastructure that security teams often don’t even know exists.

TL;DR

  • Over 1 million self-hosted AI services are publicly exposed, with 31% of Ollama instances requiring zero authentication
  • Shadow AI infrastructure — LLM servers, agent platforms, and automation workflows deployed without security oversight — is the fastest-growing attack surface in 2026
  • Exposed services leak API keys, business logic, user conversations, and connected credentials in plaintext
  • Insecure defaults in popular AI tooling (Ollama, Flowise, n8n) mean “it works” often equals “it’s wide open”
  • Teams need to treat self-hosted AI like any other production service: authentication, network segmentation, secrets management, and continuous scanning

The Scale of the Problem

Intruder’s research team scanned over two million hosts and identified more than one million exposed AI services. The findings are sobering:

  • 31% of 5,200+ Ollama API servers responded to unauthenticated requests — no API key, no token, nothing standing between the internet and the model
  • 90+ exposed agent management platforms were found across government, marketing, and financial services sectors
  • 518 instances wrapping frontier models from Anthropic, OpenAI, Google, and DeepSeek were discovered running without access controls

These aren’t theoretical vulnerabilities. Researchers documented exposed systems handling enterprise chatbot conversations, health-related data, cloud infrastructure credentials, and business-critical workflows — all accessible to anyone with a browser.

Why This Keeps Happening

The root cause is a collision between developer enthusiasm and tooling defaults. Most popular AI infrastructure projects ship with insecure defaults: no authentication out of the box (Ollama has none at all, so whatever sits in front of it is the only access control), container images that listen on 0.0.0.0, and port mappings that publish that listener on every interface of the host rather than only on loopback.

Consider the typical workflow: a developer pulls the Ollama Docker image, runs it with docker run -p 11434:11434, and immediately has a working LLM API. That -p flag, with no address in front of the port, publishes 11434 on every interface the host has, not just localhost. Brilliant for prototyping on a laptop. Catastrophic when the same command is run on a cloud VM with a public IP and a permissive security group, which happens far more often than anyone wants to admit.
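The port-mapping mistake is easy to catch before a container ever reaches a public VM. The script below is an added example, not code from the Intruder report or the Ollama project: it parses the short-form port syntax shared by docker run -p and Compose ports: entries, flags every entry that binds the host port on all interfaces, and rewrites it to loopback (the assumed remedy, -p 127.0.0.1:11434:11434, so only a reverse proxy on the same host can reach Ollama). The sample entries are constructed.

```python
"""Audit container port publications for AI services.

Added example, not the Intruder report's or the Ollama project's code. Parses the
short-form port syntax used by both `docker run -p` and Compose `ports:` entries
(CONTAINER, HOST:CONTAINER, IP:HOST:CONTAINER, optional /proto, port ranges) and
reports which entries bind the host port on every interface. The official Ollama
image listens on 0.0.0.0 inside the container, so the host-side publication is
what decides whether the model API is reachable from the internet.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Publication:
    bind_ip: str          # host interface the port is bound to
    host_port: str        # port or range on the host ("" means Docker picks one)
    container_port: str   # port or range inside the container
    proto: str            # tcp or udp

    @property
    def is_public(self) -> bool:
        """True when the host address is a wildcard (0.0.0.0 or ::), i.e. every interface."""
        try:
            return ipaddress.ip_address(self.bind_ip).is_unspecified
        except ValueError:
            return False  # not a literal IP; treated as one specific address


def parse_publication(spec: str) -> Publication:
    """Parse one `-p` / `ports:` entry. A missing address means Docker binds all interfaces."""
    spec, _, proto = spec.strip().partition("/")
    proto = proto or "tcp"
    if spec.startswith("["):
        # IPv6 bind addresses are bracketed: [::1]:11434:11434
        end = spec.index("]")
        bind_ip, rest = spec[1:end], spec[end + 1:].lstrip(":").split(":")
    else:
        parts = spec.split(":")
        if len(parts) == 3:
            bind_ip, rest = parts[0], parts[1:]
        else:
            bind_ip, rest = "0.0.0.0", parts  # no address given: default daemon binding
    if len(rest) == 1:
        host_port, container_port = "", rest[0]   # ephemeral host port, still on all interfaces
    elif len(rest) == 2:
        host_port, container_port = rest
    else:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    return Publication(bind_ip, host_port, container_port, proto)


def audit_publications(specs):
    """Return the entries that publish a port on every host interface."""
    return [s for s in specs if parse_publication(s).is_public]


def loopback_only(spec):
    """Rewrite a wildcard publication so only processes on the host (e.g. a reverse proxy)
    can reach it; entries that are already private are returned unchanged."""
    pub = parse_publication(spec)
    if not pub.is_public:
        return spec.strip()
    host_port = pub.host_port or pub.container_port   # pin an ephemeral host port
    proto = "" if pub.proto == "tcp" else f"/{pub.proto}"
    return f"127.0.0.1:{host_port}:{pub.container_port}{proto}"


# Constructed `ports:` entries, mirroring the `docker run -p 11434:11434` habit in the text.
SAMPLE_PORTS = [
    "11434:11434",              # Ollama, published on every interface
    "127.0.0.1:11434:11434",    # Ollama, loopback only
    "5678",                     # n8n, ephemeral host port, every interface
    "[::1]:3000:3000",          # Flowise, IPv6 loopback only
    "[::]:3000:3000/tcp",       # Flowise, IPv6 wildcard
]

if __name__ == "__main__":
    for spec in audit_publications(SAMPLE_PORTS):
        print(f"PUBLIC  {spec:<24} -> {loopback_only(spec)}")
```

Run it in CI against every compose file in the repository and fail the build on any PUBLIC line; a port that genuinely has to face a network should be published through the authenticated proxy, never by mapping the model API itself.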

The problem compounds with agent orchestration platforms. Tools like Flowise and n8n are designed to chain AI capabilities together, meaning a single exposed instance can reveal:

  • Complete chatbot business logic and conversation histories
  • Connected credentials for databases, APIs, and cloud services
  • File write capabilities and code interpretation functions that enable remote code execution
  • API keys for paid model providers stored in plaintext

Shadow AI Is the New Shadow IT

If you worked in enterprise IT during the 2010s, this pattern will feel painfully familiar. Shadow IT — departments spinning up their own SaaS tools, cloud instances, and integrations without IT oversight — created a governance nightmare that took years to unwind.

Shadow AI is the same pattern, accelerated. The barrier to deploying an AI service is lower than ever. A single developer with a corporate credit card can have a GPU instance running an open-source model in under ten minutes. Multiply that across every team experimenting with AI — product, marketing, data science, customer support — and you have an attack surface that your security team has zero visibility into.

The difference this time? The stakes are higher. These services aren’t just processing data; they’re often generating outputs that feed into business decisions, customer interactions, and automated workflows. A compromised AI service isn’t just a data breach — it’s a trust breach.

A Practical Hardening Checklist

Whether you’re a CTO, a platform engineer, or a developer who just deployed “a quick Ollama instance,” here’s what needs to happen:

1. Discovery First

You can’t secure what you can’t see. Run external scans against your IP ranges looking for the default AI service ports (11434 for Ollama, 3000 for Flowise, 5678 for n8n), but don’t stop at port numbers: services get remapped, so fingerprint the HTTP responses as well, and pull the inventory of every cloud account and container host your teams can deploy to, not just the address space you already know about. Use tools like Shodan, Censys, or your existing attack surface management platform. The goal is a complete inventory of every AI service your organisation is running, with a note of whether each one answered an anonymous request.
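A port sweep tells you something is listening; classifying what answered is the part worth automating. The following is an added example, not Intruder’s scanner. The Ollama markers (the text “Ollama is running” on /, a JSON models list on /api/tags) are the project’s documented behaviour; the Flowise and n8n markers (product name in the HTML title) are assumptions to confirm against a lab instance. The captured responses are constructed.

```python
"""Fingerprint self-hosted AI services from their HTTP responses.

Added example, not Intruder's scanner. Markers: Ollama answers "Ollama is running"
on `/` and serves a JSON `models` list on `/api/tags` (documented behaviour); for
Flowise and n8n the product name in the HTML <title> is an assumption to confirm
against a lab instance. classify() is pure so the logic can be tested on captured
responses; probe() does the network calls for a live sweep.
"""
import json
import re
import urllib.error
import urllib.request

DEFAULT_PORTS = {11434: "ollama", 3000: "flowise", 5678: "n8n"}   # defaults only; services get remapped
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)


def classify(path, status, body):
    """Return (service, exposure). exposure is 'open' when data came back with no credential,
    'auth-required' when the listener rejected us, 'ui-reachable' when a product UI answered."""
    text = body.strip()
    if status in (401, 403):
        return ("unknown", "auth-required")   # something is listening and gating access
    if status != 200:
        return ("unknown", "unknown")
    if path == "/api/tags":
        try:
            data = json.loads(text)
        except ValueError:
            return ("unknown", "unknown")
        if isinstance(data, dict) and isinstance(data.get("models"), list):
            return ("ollama", "open")          # full model inventory served to an anonymous caller
        return ("unknown", "unknown")
    if text == "Ollama is running":
        return ("ollama", "open")
    m = TITLE_RE.search(text)
    if m:
        title = m.group(1).lower()
        for name in ("flowise", "n8n"):
            if name in title:
                return (name, "ui-reachable")  # whether login is enforced must be checked separately
    return ("unknown", "unknown")


def fetch(host, port, path, timeout=3.0):
    """GET http://host:port/path; returns (status, body), or (None, '') if unreachable."""
    req = urllib.request.Request(f"http://{host}:{port}{path}",
                                 headers={"User-Agent": "ai-exposure-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def probe(host, port, timeout=3.0):
    """Probe one host:port with the two paths that separate the products; returns a finding tuple."""
    exposure = "unknown"
    for path in ("/api/tags", "/"):
        status, body = fetch(host, port, path, timeout)
        if status is None:
            return (host, port, "unreachable", "unknown")
        service, exp = classify(path, status, body)
        if exp != "unknown":
            exposure = exp
        if service != "unknown":
            return (host, port, service, exposure)
    return (host, port, "unknown", exposure)


def audit_captures(records):
    """Apply classify() to pre-captured (host, port, path, status, body) records."""
    return [(h, p) + classify(path, status, body) for h, p, path, status, body in records]


def open_findings(records):
    """Only the services that handed over data to an anonymous request."""
    return [f"{h}:{p} {svc}" for h, p, svc, exp in audit_captures(records) if exp == "open"]


# Constructed captures (TEST-NET addresses), not responses from real hosts.
SAMPLE_CAPTURES = [
    ("198.51.100.10", 11434, "/api/tags", 200, '{"models":[{"name":"llama3:8b"},{"name":"mistral:7b"}]}'),
    ("198.51.100.11", 11434, "/api/tags", 401, "unauthorized"),
    ("198.51.100.12", 3000, "/", 200, "<html><head><title>Flowise</title></head><body></body></html>"),
    ("198.51.100.13", 5678, "/", 200, "<!DOCTYPE html><html><head><title>n8n</title></head></html>"),
    ("198.51.100.14", 11434, "/", 200, "Ollama is running"),
    ("198.51.100.15", 8080, "/", 200, "<html><title>Welcome to nginx!</title></html>"),
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:           # live sweep: python audit.py HOST [HOST ...]
        for host in sys.argv[1:]:
            for port in DEFAULT_PORTS:
                print(*probe(host, port))
    else:
        print("\n".join(open_findings(SAMPLE_CAPTURES)))
```

Only sweep address space you own or are authorised to test. An “open” Ollama finding means the host returned its full model list to an anonymous request; a “ui-reachable” finding only tells you an agent platform’s front end answered, and whether its login is actually enforced still has to be confirmed by hand.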

2. Authentication Is Non-Negotiable

Every AI service must sit behind authentication. Ollama has no authentication of its own, so for Ollama that means binding it to loopback and putting a reverse proxy (Nginx, Caddy, or Traefik) in front with API key validation or OAuth; if the model port is still published alongside the proxy, the proxy is decoration. For agent platforms, enable the built-in authentication that many ship with but leave disabled by default. No exceptions for “internal” services: if it has a network interface, it needs auth.
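To show concretely what the proxy has to do, here is a minimal authenticating proxy for Ollama. It is an added example, not Ollama’s code and not a substitute for a hardened Nginx, Caddy or Traefik deployment: it checks a bearer key with a constant-time comparison before anything reaches the model API. Assumptions: Ollama listens on 127.0.0.1:11434, keys arrive in an environment variable named OLLAMA_PROXY_KEYS (a hypothetical name, to be populated from your secrets manager), and TLS is terminated in front of this process.

```python
"""Minimal authenticating reverse proxy for an Ollama instance bound to loopback.

Added example, not Ollama's own code or a replacement for Nginx/Caddy/Traefik; it
shows the one control the text asks for: a bearer key checked before anything
reaches the model API. Assumptions: Ollama listens on 127.0.0.1:11434, keys come
from the OLLAMA_PROXY_KEYS environment variable (a hypothetical name), and TLS is
terminated in front of this process.
"""
import hmac
import os
import sys
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

UPSTREAM = "http://127.0.0.1:11434"      # Ollama must NOT also be published on 0.0.0.0


def load_keys(raw):
    """Parse a comma-separated key list (as handed over by a secrets manager) into a set."""
    return {k.strip() for k in raw.split(",") if k.strip()}


def authorize(auth_header, valid_keys):
    """Accept 'Bearer <key>' only when <key> equals a configured key.

    hmac.compare_digest keeps the comparison time independent of where the first
    mismatching byte is, so a wrong key cannot be narrowed down via timing.
    """
    if not auth_header or not valid_keys:
        return False
    scheme, _, presented = auth_header.strip().partition(" ")
    presented = presented.strip()
    if scheme.lower() != "bearer" or not presented:
        return False
    matched = False
    for key in valid_keys:      # check every key so the work does not depend on which one matches
        if hmac.compare_digest(presented.encode(), key.encode()):
            matched = True
    return matched


class OllamaProxy(BaseHTTPRequestHandler):
    keys = frozenset()

    def _forward(self):
        if not authorize(self.headers.get("Authorization"), self.keys):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="ollama"')
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = urllib.request.Request(UPSTREAM + self.path, data=body, method=self.command)
        if self.headers.get("Content-Type"):
            req.add_header("Content-Type", self.headers["Content-Type"])
        try:
            with urllib.request.urlopen(req, timeout=300) as resp:
                self._relay(resp.status, resp)
        except urllib.error.HTTPError as err:
            self._relay(err.code, err)          # pass Ollama's own error status through
        except urllib.error.URLError:
            self.send_response(502)
            self.end_headers()

    def _relay(self, status, resp):
        """Stream the upstream response back; Ollama answers with newline-delimited JSON chunks."""
        self.send_response(status)
        self.send_header("Content-Type", resp.headers.get("Content-Type", "application/json"))
        self.end_headers()
        while True:
            chunk = resp.read(8192)
            if not chunk:
                break
            self.wfile.write(chunk)
            self.wfile.flush()

    do_GET = do_POST = do_DELETE = _forward


def serve(listen_host, listen_port, keys):
    """Build the server; the caller decides the listening interface."""
    OllamaProxy.keys = frozenset(keys)
    return ThreadingHTTPServer((listen_host, listen_port), OllamaProxy)


if __name__ == "__main__":
    keys = load_keys(os.environ.get("OLLAMA_PROXY_KEYS", ""))
    if not keys:
        sys.exit("refusing to start without at least one key in OLLAMA_PROXY_KEYS")
    serve("0.0.0.0", 8080, keys).serve_forever()
```

The two design points carry over to whichever proxy you actually deploy: the upstream must be reachable only from the proxy host, and the process refuses to start with an empty key list rather than silently running open.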

3. Network Segmentation

AI services should never be directly internet-facing. Place them behind a VPN or within a private subnet. Use security groups and firewall rules to restrict access to only the services and users that genuinely need it. A zero-trust approach — verify every request, regardless of network location — is the gold standard here.

4. Secrets Management

Stop hard-coding API keys in Docker Compose files, configuration YAML, and .env files that end up in repositories and container images. Use a proper secrets manager (HashiCorp Vault, AWS Secrets Manager, or even Bitwarden for smaller teams) and inject secrets at runtime, so a leaked config file or a copied compose stack carries no credentials. Remember that agent platforms persist the database, API, and cloud credentials you hand them in their own storage, so that storage and its encryption key need the same protection. Rotate credentials regularly and audit who has access to what.

5. Continuous Monitoring

Deploy AI services with the same observability you’d expect from any production system. Log access at the proxy, including the client address, path, status code, and response size, set up alerts for unusual query volumes, bursts of rejected requests, or out-of-hours access, and integrate with your SIEM. If someone is pulling your chatbot’s conversation history or running up your paid-provider bill at 3am, you want to know about it.
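What those alerts look like in practice, as an added example that is not part of the Intruder report: the detection below runs over nginx-style combined access logs from a proxy in front of Ollama and raises three kinds of alert, requests during quiet hours, per-client volume above a sliding-window threshold, and a burst of 401/403 responses that looks like API-key guessing. The log lines are constructed in sample_log() and the thresholds are assumptions to tune against your own baseline.

```python
"""Detection logic over proxy access logs in front of a self-hosted AI service.

Added example, not from the Intruder report; the log lines are constructed in
sample_log() and follow the nginx "combined" format. Three detections: requests
during quiet hours, request volume per client above a sliding-window threshold,
and a burst of rejected (401/403) requests that looks like API-key guessing.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect(lines, volume_threshold=50, window=timedelta(minutes=5),
           quiet_hours=range(0, 6), auth_fail_threshold=10):
    """Return (kind, client_ip, detail) alerts, at most one per kind per client."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    alerts, flagged = [], set()
    recent = defaultdict(deque)     # ip -> timestamps inside the current window
    rejected = defaultdict(deque)   # ip -> timestamps of 401/403 inside the window

    def raise_once(kind, ip, detail):
        if (kind, ip) not in flagged:
            flagged.add((kind, ip))
            alerts.append((kind, ip, detail))

    for e in events:
        ip, ts = e["ip"], e["ts"]
        if ts.hour in quiet_hours:
            raise_once("out-of-hours", ip, f"{e['method']} {e['path']} at {ts:%H:%M %z}")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:       # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > volume_threshold:
            raise_once("high-volume", ip, f"{len(q)} requests within {window}")
        if e["status"] in (401, 403):
            r = rejected[ip]
            r.append(ts)
            while ts - r[0] > window:
                r.popleft()
            if len(r) >= auth_fail_threshold:
                raise_once("auth-failures", ip, f"{len(r)} rejected requests within {window}")
    return alerts


def sample_log():
    """Constructed traffic for a proxy in front of Ollama; not captured from a real system."""
    fmt = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] "{method} {path} HTTP/1.1" {status} 2048 "-" "{ua}"'
    lines = []
    day = datetime(2026, 3, 12, 14, 0, 0)       # 14:00 UTC: an internal app doing its job
    for i in range(3):
        lines.append(fmt.format(ip="203.0.113.5", ts=day + timedelta(minutes=i),
                                method="POST", path="/api/chat", status=200, ua="internal-app/1.0"))
    night = datetime(2026, 3, 13, 3, 14, 0)     # 03:14 UTC: scripted bulk use of the model API
    for i in range(60):
        lines.append(fmt.format(ip="198.51.100.7", ts=night + timedelta(seconds=2 * i),
                                method="POST" if i % 2 else "GET",
                                path="/api/generate" if i % 2 else "/api/tags",
                                status=200, ua="python-requests/2.31"))
    guess = datetime(2026, 3, 12, 14, 30, 0)    # 14:30 UTC: a dozen rejected bearer keys in a row
    for i in range(12):
        lines.append(fmt.format(ip="192.0.2.9", ts=guess + timedelta(seconds=i),
                                method="POST", path="/api/chat", status=401, ua="curl/8.5"))
    return lines


if __name__ == "__main__":
    for kind, ip, detail in detect(sample_log()):
        print(f"{kind:<14} {ip:<15} {detail}")
```

The same three rules translate directly into SIEM queries; what matters is that the proxy logs the status code and client address for every request, including the rejected ones, because a burst of 401s is the earliest signal that someone has found the service and is working on the key.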

What This Means for Your AI Strategy

The organisations getting AI right in 2026 aren’t the ones moving fastest — they’re the ones building on solid foundations. A well-architected AI deployment with proper access controls, monitoring, and governance will outperform a dozen unsecured experiments every time.

This is where having experienced infrastructure and security partners matters. At REPTILEHAUS, we help teams design AI deployments that are both powerful and production-grade — from secure model hosting and API gateway design to full DevSecOps pipelines that catch misconfigurations before they reach the internet. If your team is deploying AI services and you’re not confident in the security posture, get in touch — better to audit now than apologise later.

The shadow AI problem isn’t going away. But with the right practices, it’s entirely manageable. Treat your AI infrastructure with the same rigour you’d apply to any other production system, and you’ll be ahead of the vast majority of organisations still running open Ollama instances on public IPs.

📷 Photo by Albert Stoynov (@albertstoynov) on Unsplash