# Why Self-Managed AI Models Are Blind Spots and What to Do About It

By [Roni Yaari](https://www.paloaltonetworks.com/blog/author/roni-yaari/?ts=markdown "Posts by Roni Yaari") | Aug 18, 2025 | 8 minutes | [AI Security](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security/?ts=markdown), [AI Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security-posture-management/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown)

Security folks tend to get suspicious of applications that move data beyond the environments they manage, which makes running AI models on self-managed infrastructure look like the safer choice. But is it really better than using LLM APIs and applications that force you to send data into the wild? The answer depends (shocker).
Specifically, it depends on which models you're running and how effectively you can monitor them.

## What Is a Self-Managed AI Model?

When we talk about self-managed models, we're referring to AI models (including LLMs) that you deploy and run on your own infrastructure. Rather than sending data to external APIs or using managed AI services, you take responsibility for the entire inference stack. GPU farms are required to run the larger models, but smaller and more efficient models can run even on a [developer's own workstation](https://www.llama.com/docs/llama-everywhere/running-meta-llama-on-windows/).

**Why self-managed?** Organizations might use self-managed models developed in-house (either from scratch or based on existing open-source components). But even if you're running a commercial or prebuilt open-source model, you might choose to self-host so as not to compromise data privacy, because running models on your own infrastructure keeps sensitive information under your direct control. Self-managed models increase control over data security and lower compliance risk (e.g., around GDPR data residency requirements), making them particularly valuable for highly regulated industries such as finance, healthcare and government. They also bring performance benefits, including lower latency and potentially lower cost.

Consider a basic LLM-powered application that analyzes company data to answer user requests, for example to extract insights from meeting transcripts. If the company uses a model as a service (e.g., the OpenAI API), the application contains logic that pulls the relevant data and sends it to the provider's LLM to work its magic, as shown in figure 1.

![Using AI model over API](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/08/word-image-343383-1.png)

Figure 1: Using AI model over API

If there's nothing sensitive in these transcripts, that might be fine.
But if some sensitive data has snuck in, sending it to a third party could be a problem, even if that third party is fully trusted. In a self-managed deployment, everything resides within the customer's cloud or on-premises environment.

![Using a self-managed AI model](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/08/word-image-343383-2.png)

Figure 2: Using a self-managed AI model

**Self-managed doesn't equal open source.** Many self-managed setups are built on open-source (or open-weight) models, since this often fits the broader goal of keeping control over costs, data and deployments. Models are available through online repositories such as Hugging Face and GitHub. Mixtral (by Mistral) and Llama (by Meta) are popular open-weight choices in the LLM sphere, but proprietary models, such as those offered for self-deployment through Google's [Model Garden](https://cloud.google.com/vertex-ai/generative-ai/docs/model-garden/self-deployed-models), can also be deployed on infrastructure you manage. We've summarized the different model creation and deployment options in the table below.
| **Who built the model?** | **Where is the model running?** | **Who is managing the infrastructure?** | **Category** |
|---|---|---|---|
| Your company | In your environment (e.g., private cloud on AWS) | You | Self-managed |
| Another company (e.g., foundation models such as Claude or Gemini, open-source models such as Llama) | In your environment | You | Self-managed |
| Another company (as above) | In your environment | Cloud provider (e.g., Amazon Bedrock, Google Vertex) | Managed |
| Another company (as above) | In the model provider's environment | Model provider (e.g., Anthropic API, OpenAI API) | SaaS |

## What Are the Security Implications of Self-Managed AI?

As mentioned above, hosting AI models in your own environment might seem less risky than sending data to third parties. But it's more nuanced than that. Models running on managed services and SaaS tools can be monitored through centralized tooling such as AWS IAM or the admin features of the SaaS product in question, so IT and security get some built-in visibility into which models are running and who can access them. That isn't the case with a self-managed model, which any developer can install and run on a virtual machine. The relative opaqueness of self-managed infrastructure, which often leads to problems such as [shadow data](https://www.paloaltonetworks.com/blog/cloud-security/shadow-data-risk-mitigation/), creates similar challenges when it comes to AI models.
We often encounter three main types.

### Shadow AI

[AI governance](https://www.paloaltonetworks.co.uk/resources/whitepapers/ai-governance) starts with knowing where and how AI is being used, and self-managed models are inherently harder to discover than either API-based services or models running on managed services. When teams deploy models on virtual machines or in container environments, those deployments often stay under the radar of traditional security monitoring tools. In highly distributed environments, and with smaller and more efficient models, there are plenty of nooks and crannies where a developer can deploy a model that goes undetected.

Untracked AI deployments make it impossible to maintain an accurate picture of your AI attack surface. For example, a model used to analyze sentiment in customer support tickets might be handling [personally identifiable information (PII)](https://www.paloaltonetworks.com/cyberpedia/pii), which requires stricter oversight and a different set of controls. Not knowing that the model exists is a recipe for trouble. Security teams need to understand which models are processing sensitive data, which have access to internal systems, and how data flows between AI components and the rest of the infrastructure. Self-managed models make all of this harder.

### Supply Chain Risks

The most immediate threat posed by self-managed models is a malicious model masquerading as a legitimate one. Public repositories host millions of models from many contributors, and not all of them are benign. Some contain embedded malware that executes when the file is loaded: pickle-based formats such as classic PyTorch checkpoints are deserialized by executing an opcode stream, and a crafted file can import and call arbitrary Python during that step. Others are designed to exfiltrate data during inference. A compromised model could contain backdoors triggered by specific input patterns, or it might subtly modify outputs so that they leak information through steganographic techniques or unusual response patterns.
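The two problems above, finding model artifacts that nobody registered and telling a trojaned checkpoint from a benign one before anything loads it, can both be attacked with a content-based sweep of a host. The script below is an added example; it is not code from the original post or from Palo Alto Networks, and the sample files it builds, the `exp/` directory layout, the `SAFE_GLOBALS` allowlist and the ALLOW/REVIEW/BLOCK labels are constructed assumptions for the demo. It identifies each artifact by its leading bytes rather than its extension, and for pickle-based files it walks the opcode stream with the standard library's `pickletools` (which never executes anything) to list the globals the file would import. Truncated or malformed streams fail closed.

```python
import json, os, pathlib, pickle, pickletools, struct, subprocess, tempfile, zipfile
from collections import OrderedDict
MODEL_EXTENSIONS = {".pt", ".pth", ".bin", ".ckpt", ".pkl", ".safetensors", ".gguf", ".onnx"}
# Illustrative allowlist (a demo assumption): globals a plain PyTorch state_dict legitimately imports.
SAFE_GLOBALS = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2", "torch.FloatStorage"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def sniff_format(path):
    """Classify an artifact by its leading bytes; the file extension is untrusted."""
    with open(path, "rb") as f:
        head = f.read(8)
        if head[:4] == b"GGUF":
            return "gguf"
        if head[:4] == b"PK\x03\x04":  # torch.save() archive; its data.pkl is a pickle
            with zipfile.ZipFile(path) as z:
                return "torch-zip" if any(m.endswith("data.pkl") for m in z.namelist()) else "zip"
        # safetensors: u64 LE header length, then a JSON dict. Tested before the pickle check
        # because a header length such as 0x0280 also starts with the bytes 0x80 0x02.
        n = struct.unpack("<Q", head)[0] if len(head) == 8 else 0
        if 0 < n < 1 << 30 and f.read(1) == b"{":
            try:
                if isinstance(json.loads(b"{" + f.read(n - 1)), dict):
                    return "safetensors"
            except ValueError:
                pass
    if len(head) >= 2 and head[0] == 0x80 and 2 <= head[1] <= 5:  # pickle PROTO opcode, protocol 2-5
        return "pickle"
    return "unknown"

def pickle_globals(data):
    """Statically list the module.name references a pickle would import (pickletools executes nothing)."""
    refs, strings, memo, last = [], [], [], None
    for op, arg, _ in pickletools.genops(data):
        if op.name in ("MEMOIZE", "BINPUT", "LONG_BINPUT"):
            memo.append(last)            # memoizes whatever the previous opcode pushed (for BINGET reuse)
            continue
        if op.name in ("BINGET", "LONG_BINGET"):
            arg = memo[arg] if arg < len(memo) else None
        last = arg if op.name in STRING_OPS or op.name in ("BINGET", "LONG_BINGET") else None
        if isinstance(last, str):
            strings.append(last)
        elif op.name == "GLOBAL":        # protocol <= 3: "module name" in a single argument
            refs.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":  # protocol >= 4: module and name were pushed as strings
            refs.append(".".join(strings[-2:]))
    return refs

def triage(path):
    """(format, decision, reasons) for one artifact. Any parse failure fails closed."""
    fmt = "?"
    try:
        fmt = sniff_format(path)
        if fmt not in ("pickle", "torch-zip"):  # data-only formats run no code on load
            return fmt, "ALLOW" if fmt in ("safetensors", "gguf") else "REVIEW", []
        if fmt == "torch-zip":                   # the pickle lives inside the archive
            with zipfile.ZipFile(path) as z:
                data = z.read(next(m for m in z.namelist() if m.endswith("data.pkl")))
        else:
            data = pathlib.Path(path).read_bytes()
        unexpected = sorted(set(pickle_globals(data)) - SAFE_GLOBALS)
    except Exception as exc:                     # truncated or malformed: block, don't guess
        return fmt, "BLOCK", [f"unparseable artifact: {exc}"]
    return fmt, "BLOCK" if unexpected else "ALLOW", unexpected

def inventory(root):
    """Shadow-AI sweep: every model-shaped file under root, triaged by content."""
    rows = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            fmt, decision, why = triage(path)
            if fmt == "unknown" and os.path.splitext(fn)[1].lower() not in MODEL_EXTENSIONS:
                continue                         # ordinary file; keep anything model-shaped
            rows.append({"path": os.path.relpath(path, root).replace(os.sep, "/"),
                         "format": fmt, "decision": decision, "reason": why})
    return sorted(rows, key=lambda r: r["path"])

class _Trojan:  # constructed payload: unpickling it would spawn a process (never loaded here)
    def __reduce__(self):
        return subprocess.Popen, (["echo", "pwned"],)

def build_sample_tree():
    """Constructed sample artifacts (no real weights) so the sweep runs offline."""
    root = tempfile.mkdtemp(prefix="model-sweep-")
    os.makedirs(os.path.join(root, "exp", "nb"))
    hdr = json.dumps({"w": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
    samples = {
        "exp/clean.safetensors": struct.pack("<Q", len(hdr)) + hdr + b"\0" * 8,
        "exp/quant.gguf": b"GGUF" + struct.pack("<I", 3),
        "exp/state.pth": pickle.dumps(OrderedDict(w=[0.1, 0.2])),  # benign state_dict
        "exp/nb/weights.safetensors": pickle.dumps(_Trojan()),     # trojan behind a safe-looking name
        "exp/broken.pt": b"\x80\x04\x95",                          # truncated: FRAME opcode, no length
    }
    for rel, blob in samples.items():
        pathlib.Path(root, *rel.split("/")).write_bytes(blob)
    return root

if __name__ == "__main__":
    print(*inventory(build_sample_tree()), sep="\n")
```

Run it and the trojan hiding behind `weights.safetensors` is reported as a pickle that would import `subprocess.Popen`, the truncated checkpoint is blocked as unparseable, and the genuine safetensors and GGUF files are allowed without their weights ever being read (note that "allowed" here means loading runs no code; the weights themselves can still carry a backdoor). In practice, prefer safetensors or GGUF for anything you distribute internally, load legacy PyTorch checkpoints with `torch.load(..., weights_only=True)`, and treat the allowlist as something to tune per framework: a real checkpoint references more storage classes than the three listed here, which is exactly why dedicated model scanners maintain that list for you.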
Unlike traditional software, where source code can be reviewed with standard static analysis tools, AI models are typically binary artifacts such as PyTorch or ONNX files. These can still be scanned and analyzed, but doing so requires specialized tools, since conventional [SAST](https://www.paloaltonetworks.com/cyberpedia/what-is-sast-static-application-security-testing) tools aren't built to understand neural network structures or weight-based behavior. And when you run models on your own servers, you skip the built-in validation steps that cloud providers have added to their platforms (although those are not bulletproof either).

### Use of Unsanctioned Models

Even legitimate models can create security and compliance headaches if they haven't been vetted for organizational use. Developers often experiment with new models to solve specific problems or improve performance, and these experiments can quickly move into production without proper security review. The rapid pace of AI development compounds this. As we've written elsewhere, [new models appear weekly](https://www.paloaltonetworks.com/blog/2025/01/deepseek-rise-shows-ai-security-remains-moving-target/), and the temptation to take them for a spin is high and easy to act on.

For example, an organization might deploy a language model trained on scraped web data to assist with market research. Unlike managed services, which typically include built-in safety measures, self-managed models rely entirely on your implementation of those controls. If they aren't in place, the model might reproduce other companies' intellectual property in its responses; that output can then find its way into public-facing materials and create liability for the organization.

## How Cortex Cloud Can Help

[Cortex Cloud AI-SPM](https://www.paloaltonetworks.com/cortex/cloud/ai-security-posture-management) provides end-to-end visibility and risk analysis for AI-powered applications.
For self-managed models, Cortex Cloud offers several tools to establish governance and reduce risk, including:

* **Model discovery**: Cortex Cloud continuously scans managed and unmanaged infrastructure to detect AI model deployments, including open-source models, providing a comprehensive, up-to-date inventory of AI models and LLMs running in your cloud environment.
* **Infrastructure relationship mapping**: Cortex Cloud traces data flows between discovered models and cloud resources by analyzing network traffic patterns, IAM permission grants and storage access logs. For example, if an application running a fine-tuned language model is granted "read" access to an S3 bucket containing customer data, the platform maps this relationship and flags potentially excessive permissions.
* **Identifying and removing models that are no longer active**: Reduce risk and cloud cost by eliminating unused models that expand the attack surface, introduce compliance gaps and consume unnecessary resources. Their removal helps security teams quickly reduce exposure and improve operational efficiency.
* **Model intelligence**: Cortex Cloud pulls metadata from Hugging Face and similar repositories, including the number of downloads, platform upvotes, license, author and component tags. This data helps security teams evaluate the risk level of a community-maintained model at a glance (although it doesn't replace the need for more thorough vetting and verification).

To learn more, [schedule a demo with a Cortex Cloud expert](https://www.paloaltonetworks.com/cortex/cloud/trial).