ACIAPR AI News

Artificial intelligence news curated with context, verified through reliable sources, and more...


Nearly 1 Million AI Services Were Found Exposed Online

Nearly 1 Million AI Services Were Exposed: the problem is no longer just the model, but the infrastructure

What Intruder uncovered was not a single breach or a one-off intrusion. It was something more unsettling: a snapshot of how much AI infrastructure is being pushed onto the public internet without even the most basic defenses. Published by The Hacker News, the investigation used certificate transparency logs and related public signals to identify just over 2 million hosts and around 1 million exposed services tied to AI systems.

That number matters because it shifts the conversation. The question is no longer only whether a model is powerful, useful, or dangerous. The risk now also sits in the layer around it: chatbots, admin panels, APIs, automation flows, and orchestration tools deployed as if they were sitting behind a private network, when in reality they were reachable from anywhere on the internet.

According to the report, one recurring pattern stood out: authentication was not enabled by default in many of these projects. In practice, that means a lot of teams deployed services that were ready to use, but not ready to be publicly exposed. In security, that distinction is everything. A bot without login protection, an admin panel without access control, or an open API can turn infrastructure into a revolving door for anyone who finds it.

Some of the most troubling examples were concrete. The researchers found chatbots exposing full conversation histories, including OpenUI-based instances. They also found deployments with sensitive conversations, including NSFW bots, plus plaintext API keys, a failure that can quickly become a much larger compromise.

The report also mentions unauthenticated instances of Flowise and n8n, which is especially worrying because those platforms do more than connect models: they connect internal systems, credentials, and business workflows. In one case, a Flowise instance exposed the full logic of an enterprise chatbot; in another, the setup included potentially dangerous functions such as file writes and server-side code execution.

That is where the real danger begins. When a bot is connected to external services, databases, or internal tools, the issue is no longer "just a conversation." An attacker could modify workflows, redirect traffic, exfiltrate data, or poison responses. And if permissions and credential boundaries are sloppy, access to the bot can become access to everything it touches.

The investigation says it found more than 90 exposed instances across government, marketing, and finance. This is not a quirky lab problem or an isolated startup mistake; it is a cross-industry security issue. At the same time, Intruder found more than 5,200 publicly connected Ollama servers, and in a basic probe, 31% responded without asking for authentication.

The takeaway is blunt: AI adoption is moving faster than security hygiene. That gap is where incidents happen. Today, the major risk is not only that a model might fail. It is also that someone leaves it open, with visible keys, weak access control, and connections to systems that should never have been exposed in the first place.

The lesson is clear. If a company deploys AI, it has to treat it like critical infrastructure: strong authentication, exposure review, monitoring, permission segmentation, and continuous audits. Because at this stage, the most common failure may not be in the model itself, but in how easily it can be left naked on the internet.

Source: The Hacker News