TL;DR: Security researchers reported in May 2026 that, of roughly 1 million exposed AI services scanned, AI infrastructure was more vulnerable, exposed, and misconfigured than any other software category they had investigated. A separate investigation found about 175,000 publicly accessible Ollama hosts across 130 countries, most with no authentication by default, and over 48% advertising tool-calling capabilities attackers can abuse. Threat actors are already monetizing this through an LLMjacking campaign. For North Carolina small businesses racing to deploy private AI, the lesson is blunt: a self-hosted model on the internet without authentication is an open door to data, compute theft, and lateral movement.
Key takeaway: The danger in 2026 is not using AI; it is standing up an AI server with out-of-the-box defaults, no authentication, and a public IP. Secure AI adoption is entirely achievable, but it has to be designed, not improvised.
Spinning up a private AI model or worried staff already have? Preferred Data Corporation runs an AI exposure assessment for North Carolina businesses. Call (336) 886-3282 or request an AI security review. Serving NC since 1987.
What did researchers actually find about exposed AI in 2026?
Answer capsule: Using certificate-transparency logs and internet scanning, researchers examined roughly 1 million exposed AI services and found AI infrastructure to be the most misconfigured software class they had measured, with self-hosted inference APIs exposed to the internet without authentication as the single most common and most exploited flaw.
The headline findings, corroborated across multiple reports:
- Roughly 1 million exposed AI services scanned, drawn from over 2 million hosts (Security Boulevard, The Hacker News).
- About 175,000 unique Ollama hosts publicly accessible across 130 countries (Cybernews, The Hacker News, January 2026).
- Ollama ships without authentication or access control by default, and its default port (11434) makes internet fingerprinting trivial.
- Over 48% of observed hosts advertise tool-calling via their API, capabilities that can be abused to reach files, networks, or other systems.
- Active monetization through an LLMjacking campaign that hijacks exposed inference endpoints to resell access.
This sits alongside the 2026 IBM X-Force Threat Index finding of a 44% surge in attacks beginning with exploitation of public-facing applications, and the exposure of over 300,000 ChatGPT credentials by infostealers: evidence that AI systems now carry the same risk profile as any other core business system.
Why are NC small businesses suddenly exposed to this?
Answer capsule: The rush to adopt private AI for cost and data-control reasons has small businesses self-hosting models like Ollama on spare servers or cloud VMs using default configurations, often without IT or security review, creating shadow AI infrastructure that is internet-reachable and unauthenticated.
What typically goes wrong at a Piedmont Triad manufacturer or Research Triangle professional-services firm:
- A developer or power user stands up a local LLM to keep proprietary data out of public chatbots, a sound goal, executed insecurely.
- The default install binds to all interfaces with no authentication.
- A firewall or cloud security-group rule is loosened "temporarily" for remote testing.
- Tool-calling or file access is enabled for usefulness, expanding blast radius.
- No one inventories it, so it never appears in patching, monitoring, or risk reviews.
The result is the same shadow-IT failure pattern we covered in shadow AI SaaS breach risk, now applied to infrastructure that can read your data and execute actions.
How bad is the exposure by the numbers?
| Metric | 2026 value |
|---|---|
| Exposed AI services scanned | ~1,000,000 |
| Hosts surveyed (certificate transparency) | ~2,000,000+ |
| Publicly accessible Ollama hosts | ~175,000 |
| Countries with exposed Ollama hosts | 130 |
| Exposed hosts advertising tool-calling | >48% |
| Most common exploited flaw | Inference API exposed, no auth |
| Surge in public-facing app exploitation (IBM X-Force 2026) | +44% |
| ChatGPT credentials exposed via infostealers (2025) | >300,000 |
Sources: The Hacker News, Cybernews, Security Boulevard, IBM X-Force 2026.
Want to know if you already have exposed AI? Preferred Data scans for shadow AI infrastructure. Call (336) 886-3282 or book an AI exposure assessment.
How can NC small businesses deploy AI securely?
Defense capsule: Inventory all AI infrastructure, never expose an inference API directly to the internet, enforce authentication and a reverse proxy, restrict tool-calling and file access, place AI behind network segmentation with monitoring, and govern it under a written AI policy.
1. Inventory shadow AI before securing it
You cannot protect what you do not know exists. The first step is discovery: scanning for default AI ports, reviewing cloud accounts for unmanaged VMs, and asking teams what models they run. This is the AI equivalent of asset management and the foundation of AI governance.
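The discovery step in practice, as an added example (not the article's or Ollama's code): an inventory pass that checks IP addresses from your own asset register for an inference API answering on the default Ollama port. It assumes port 11434 (as stated above), that `GET /api/tags` returning 200 with no credentials means the API is reachable unauthenticated, and placeholder private ranges in `OWN_RANGES`; the probe is injectable so the classification can be exercised offline. Hostnames should be resolved to addresses before they are passed in.

```python
"""Inventory pass for self-hosted inference endpoints in address space you own.

Added example, not the article's or Ollama's code. Assumptions: the default
Ollama port is 11434 (as the article states); GET /api/tags answering 200 with
no credentials means the API is reachable unauthenticated; OWN_RANGES lists the
networks you are authorised to check (placeholder private ranges here). The
probe is injectable so the classification logic can be exercised offline.
"""
import ipaddress
import socket
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

DEFAULT_PORT = 11434
# Placeholder: replace with the CIDRs from your own asset register.
OWN_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def in_own_ranges(host):
    """Refuse to touch anything outside the ranges you own; a typo in a host list
    should not turn an inventory job into probing someone else's network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in OWN_RANGES)


def http_probe(host, port=DEFAULT_PORT, timeout=3.0):
    """Live probe: HTTP status from the model-list endpoint, or None if nothing answers."""
    try:
        with urlopen(f"http://{host}:{port}/api/tags", timeout=timeout) as r:
            return r.status
    except HTTPError as e:
        return e.code
    except (URLError, socket.timeout, OSError):
        return None


def classify(status):
    """Map a probe result to an inventory state."""
    if status is None:
        return "unreachable"
    if status == 200:
        return "EXPOSED: inference API answers without authentication"
    if status in (401, 403):
        return "gated: authentication required (confirm the proxy is the one you deployed)"
    return f"listening: unexpected status {status}, review manually"


def inventory(hosts, probe=http_probe):
    """Return {host: state}; hosts outside OWN_RANGES are recorded as skipped, not probed."""
    result = {}
    for h in hosts:
        if not in_own_ranges(h):
            result[h] = "skipped: outside OWN_RANGES"
            continue
        result[h] = classify(probe(h))
    return result


def exposed_hosts(report):
    """The subset that needs action first."""
    return sorted(h for h, state in report.items() if state.startswith("EXPOSED"))


if __name__ == "__main__":
    # Offline demonstration with a constructed probe; swap in http_probe for a real run.
    fake = {"10.20.1.15": 200, "10.20.1.16": 401, "10.20.1.17": None}.get
    report = inventory(["10.20.1.15", "10.20.1.16", "10.20.1.17", "203.0.113.7"], probe=fake)
    for host, state in report.items():
        print(host, state)
```

Anything reported as EXPOSED goes straight into the tracked-asset list and the remediation queue; a "gated" result still deserves a look, since a 401 only proves that something in front of the port asks for credentials, not that it is the proxy you deployed.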
2. Never put an inference API directly on the internet
The single most exploited flaw is a self-hosted LLM API reachable from the public internet. Private AI should sit on an internal network or a private VPC, accessed through VPN or zero-trust access, never bound to a public IP with default settings.
3. Enforce authentication and a hardened reverse proxy
Because tools like Ollama have no native authentication, place a hardened reverse proxy in front that enforces strong authentication, rate limiting, and logging. Treat the model endpoint like any other sensitive internal API.
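What the front door has to decide, shown as an added example rather than code from the article or from Ollama: a minimal authenticating reverse proxy in Python's standard library that sits between clients and a loopback-only model API. It assumes Ollama listens on 127.0.0.1:11434, that the shared secret is supplied in the hypothetical environment variable `AI_PROXY_TOKEN`, that TLS is terminated by the VPN or ZTNA gateway in front of it, and that only the inference paths (not model pull, push, create or delete) should be reachable at all. In production the same three checks (constant-time token comparison, per-client rate limiting, a decision log) would normally live in nginx or Caddy plus an identity provider.

```python
"""Minimal authenticating reverse proxy in front of an Ollama-style inference API.

Added example, not Preferred Data's or Ollama's code. Assumes Ollama listens on
loopback only (127.0.0.1:11434), that the shared secret is set in the
hypothetical env var AI_PROXY_TOKEN before start, and that TLS is terminated by
the VPN/ZTNA gateway in front of this listener.
"""
import hmac
import logging
import os
import time
from collections import deque
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

UPSTREAM = "http://127.0.0.1:11434"      # model API, reachable on loopback only
PROXY_TOKEN_ENV = "AI_PROXY_TOKEN"       # hypothetical env var holding the shared secret
RATE_LIMIT = 30                          # requests per window per client address
RATE_WINDOW_S = 60
# Only inference paths are exposed; pull/push/create/delete stay internal.
ALLOWED_PATHS = ("/api/generate", "/api/chat", "/api/embeddings")

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
log = logging.getLogger("ai-proxy")


def check_token(auth_header, expected):
    """True only for 'Bearer <token>' matching expected, compared in constant time."""
    if not auth_header or not expected:
        return False
    scheme, _, presented = auth_header.partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


class RateLimiter:
    """Sliding-window request counter per client; over the limit means deny."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW_S):
        self.limit, self.window = limit, window
        self.hits = {}

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits.setdefault(client, deque())
        while q and now - q[0] > self.window:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def authorize(method, path, auth_header, client, limiter, expected_token, now=None):
    """Return (status, reason); 200 means forward upstream, anything else is rejected."""
    if path.split("?", 1)[0] not in ALLOWED_PATHS or method != "POST":
        return 404, "path not exposed"
    if not check_token(auth_header, expected_token):
        return 401, "missing or invalid bearer token"
    if not limiter.allow(client, now):
        return 429, "rate limit exceeded"
    return 200, "ok"


LIMITER = RateLimiter()


class ProxyHandler(BaseHTTPRequestHandler):
    def _gate(self):
        client = self.client_address[0]
        status, reason = authorize(self.command, self.path, self.headers.get("Authorization"),
                                   client, LIMITER, os.environ.get(PROXY_TOKEN_ENV))
        # Every decision is logged: this is the audit trail monitoring runs over.
        log.info("client=%s method=%s path=%s decision=%s reason=%s",
                 client, self.command, self.path, status, reason)
        if status != 200:
            self.send_error(status, reason)
            return False
        return True

    def do_GET(self):
        self._gate()  # no GET path is in ALLOWED_PATHS, so model listing is never exposed

    def do_POST(self):
        if not self._gate():
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        req = Request(UPSTREAM + self.path, data=body, method="POST",
                      headers={"Content-Type": "application/json"})
        try:
            with urlopen(req, timeout=120) as resp:
                code, data = resp.status, resp.read()
        except HTTPError as e:
            code, data = e.code, e.read()
        except URLError as e:
            log.error("upstream unreachable: %s", e)
            self.send_error(502, "upstream unreachable")
            return
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # request lines are already logged in _gate


if __name__ == "__main__":
    # Bind to the internal interface your VPN/ZTNA gateway forwards to.
    ThreadingHTTPServer(("0.0.0.0", 8443), ProxyHandler).serve_forever()
```

Two caveats for anyone adapting it: the handler buffers the whole upstream response, so clients should send `"stream": false`, and a shared bearer token is the floor, not the ceiling; per-user credentials from your identity provider are what "strong authentication" in the step above means.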
4. Constrain tool-calling and data access
With over 48% of exposed hosts advertising tool-calling, capability scoping is essential. Disable tool and file access unless required, run the service as a non-root user in an isolated container, and apply least privilege so a compromise cannot pivot into file shares or other systems.
5. Segment, monitor, and govern
Place AI workloads in a segmented network zone with 24/7 monitoring for anomalous queries, data egress, and resource abuse (the LLMjacking signature). Wrap it in a written AI policy covering approved tools, data classes allowed, and review cadence, the same discipline outlined in our AI governance guide.
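The monitoring half of this step, as an added example that is not the article's or any vendor's code: a detection pass over inference-proxy access logs that flags the patterns named above, namely authentication probing, LLMjacking-style compute abuse, management-endpoint access, and requests from outside the expected internal ranges. The log format, the sample lines, the internal ranges and the thresholds are all constructed for the example; map the field names to your own proxy's log format and run it over one time window (for instance the last hour) at a time.

```python
"""Detection pass over inference-proxy access logs.

Added example, not the article's or any vendor's code. The log format, sample
lines, INTERNAL_NETS and thresholds are constructed for this example. Call
detect() on one time window of lines at a time.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log format: one request per line, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) path=(?P<path>\S+) "
    r"status=(?P<status>\d{3}) model=(?P<model>\S+) eval_count=(?P<eval>\d+)$"
)

# Assumptions for this example: where legitimate users come from, and thresholds.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
MAX_401_PER_CLIENT = 5           # more failed auths than this in the window -> probing
MAX_TOKENS_PER_CLIENT = 50_000   # generated tokens per client per window -> compute abuse
MANAGEMENT_PATHS = ("/api/pull", "/api/push", "/api/delete", "/api/create")

# Constructed sample: one legitimate internal user, one external client failing
# auth repeatedly, one external client burning compute, one internal user
# touching a management endpoint.
SAMPLE_LOG = """\
2026-05-03T02:14:07Z client=10.20.1.15 path=/api/chat status=200 model=llama3 eval_count=312
2026-05-03T02:14:09Z client=203.0.113.7 path=/api/generate status=401 model=- eval_count=0
2026-05-03T02:14:10Z client=203.0.113.7 path=/api/generate status=401 model=- eval_count=0
2026-05-03T02:14:11Z client=203.0.113.7 path=/api/generate status=401 model=- eval_count=0
2026-05-03T02:14:12Z client=203.0.113.7 path=/api/generate status=401 model=- eval_count=0
2026-05-03T02:14:13Z client=203.0.113.7 path=/api/generate status=401 model=- eval_count=0
2026-05-03T02:14:14Z client=203.0.113.7 path=/api/generate status=401 model=- eval_count=0
2026-05-03T02:15:01Z client=198.51.100.23 path=/api/generate status=200 model=llama3 eval_count=30000
2026-05-03T02:16:40Z client=198.51.100.23 path=/api/generate status=200 model=llama3 eval_count=28000
2026-05-03T02:17:02Z client=10.20.1.15 path=/api/pull status=404 model=- eval_count=0
"""


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["eval"] = int(d["eval"])
        yield d


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def detect(lines):
    """Return a sorted list of (client, finding) tuples for one window of log lines."""
    failed = defaultdict(int)
    tokens = defaultdict(int)
    findings = set()
    for ev in parse(lines):
        c = ev["client"]
        if not is_internal(c):
            findings.add((c, "request from outside internal ranges"))
        if ev["status"] == 401:
            failed[c] += 1
        if ev["path"].startswith(MANAGEMENT_PATHS):
            findings.add((c, f"management endpoint touched: {ev['path']}"))
        if ev["status"] == 200:
            tokens[c] += ev["eval"]
    for c, n in failed.items():
        if n > MAX_401_PER_CLIENT:
            findings.add((c, f"{n} failed authentications (probing)"))
    for c, t in tokens.items():
        if t > MAX_TOKENS_PER_CLIENT:
            findings.add((c, f"{t} generated tokens in window (possible LLMjacking)"))
    return sorted(findings)


if __name__ == "__main__":
    for client, finding in detect(SAMPLE_LOG.splitlines()):
        print(f"{client:16} {finding}")
```

The token-count rule is the LLMjacking signature in its simplest form: resold access shows up as sustained generation volume from a client that should not be there, so the threshold should be set from a baseline of your own users' traffic, and any external-range hit is worth an alert on its own when the design says the endpoint is internal-only.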
Comparison: improvised vs. secured self-hosted AI
| Control | Improvised deployment | Secured deployment |
|---|---|---|
| Network exposure | Public IP, default port | Internal/VPC, VPN or ZTNA |
| Authentication | None (default) | Reverse proxy + strong auth |
| Tool-calling | Enabled, unscoped | Disabled or least privilege |
| Process isolation | Runs as root, host install | Non-root, isolated container |
| Inventory | Shadow, unknown | Tracked asset |
| Monitoring | None | 24/7 anomaly + egress alerts |
| Governance | None | Written AI policy + review |
What Preferred Data Corporation does for secure AI adoption
Preferred Data Corporation helps North Carolina small businesses capture AI value without the exposure. Our services include:
- AI exposure assessment: Discovery of shadow AI and internet-reachable inference endpoints
- Secure AI architecture: Private deployment behind VPN/zero-trust, hardened proxy, and segmentation; see AI transformation services
- AI governance: Written AI policy, approved-tool list, and data-handling rules
- Managed monitoring: 24/7 detection for LLMjacking, anomalous queries, and data egress
- Identity hardening: MFA and access control around AI systems and the credentials that reach them
Learn more about our AI transformation services and managed cybersecurity.
Key takeaway: Self-hosting AI to protect your data is the right instinct, but a default-config model on a public IP defeats the purpose. NC small businesses can get private AI safely with inventory, no public exposure, authentication, scoped capabilities, segmentation, and governance.
About Preferred Data Corporation
Preferred Data Corporation provides AI transformation, cybersecurity, managed IT, and network infrastructure for small and mid-sized businesses across the Piedmont Triad, Research Triangle, and broader North Carolina market. Headquartered in High Point, NC since 1987, with a 20+ year average client retention, BBB A+ rating, and on-site coverage within 200 miles, we are the trusted AI and security partner for NC manufacturers, construction firms, and professional services.
Adopt AI without opening a door:
- Call (336) 886-3282
- Visit preferreddata.com/contact
- Email [email protected]
- Address: 1208 Eastchester Drive, Suite 131, High Point, NC 27265
Frequently Asked Questions
What is the risk of self-hosting an AI model like Ollama?
By default, tools such as Ollama have no authentication and are easy to fingerprint on their default port. Researchers found about 175,000 exposed Ollama hosts across 130 countries in 2026. An exposed instance can leak proprietary data, be hijacked for compute (LLMjacking), or, if tool-calling is enabled, be used to reach other systems.
Is using AI itself dangerous for a small business?
No. The risk is insecure deployment, not AI use. The most exploited flaw is an inference API exposed to the internet with default settings. Private AI deployed behind a VPN or zero-trust access, with authentication and scoped capabilities, is both safe and valuable.
What is LLMjacking?
LLMjacking is the hijacking of exposed AI inference endpoints so attackers can use or resell the victim's AI compute, and potentially access the data and tools the model can reach. Researchers documented an active 2026 campaign monetizing exposed self-hosted models.
How do we find out if we already have shadow AI exposed?
An AI exposure assessment scans for default AI ports, reviews cloud accounts for unmanaged instances, and interviews teams about models in use. Most small businesses are surprised by what a developer or power user stood up without IT review, the same pattern as shadow AI SaaS.
Why is tool-calling a security concern?
Tool-calling lets a model take actions beyond text, such as running code or reading files. With over 48% of exposed hosts advertising it, an unauthenticated model with tool-calling can become a pivot point into file shares and other systems. Disable or tightly scope it.
Can we still keep proprietary data out of public AI tools?
Yes, that is exactly why secure self-hosting exists. The goal of keeping data off public chatbots is sound; it just must be executed with private networking, authentication, segmentation, and governance rather than a default install on a public IP.
Related Resources
- AI Transformation Services for NC Businesses
- Cybersecurity Services
- Network Infrastructure Services
- AI Governance and Risk Management
- Shadow AI SaaS Apps Breach Risk
- Manufacturing AI Solutions
- IT Services in Greensboro
- IT Services in Charlotte
- IT Services in Raleigh
References
- The Hacker News. (2026). We Scanned 1 Million Exposed AI Services. Here's How Bad the Security Actually Is. https://thehackernews.com/2026/05/we-scanned-1-million-exposed-ai.html
- Cybernews. (2026). Researchers find 175,000 exposed AI systems online. https://cybernews.com/security/hadow-ai-ollama-exposed-infrastructure/
- Security Boulevard. (2026). Exposed LLM Infrastructure: How Attackers Find and Exploit Misconfigured AI Deployments. https://securityboulevard.com/2026/04/exposed-llm-infrastructure-how-attackers-find-and-exploit-misconfigured-ai-deployments/
- The Hacker News. (2026). Researchers Find 175,000 Publicly Exposed Ollama AI Servers Across 130 Countries. https://thehackernews.com/2026/01/researchers-find-175000-publicly.html
- IBM. (2026). IBM 2026 X-Force Threat Index: AI-Driven Attacks are Escalating. https://newsroom.ibm.com/2026-02-25-ibm-2026-x-force-threat-index-ai-driven-attacks-are-escalating-as-basic-security-gaps-leave-enterprises-exposed