Uncensored AI in the Wild: Tracking Publicly Available and Locally Deployable LLMs

1. Introduction

OpenAI created the business of consumer AI when it introduced a new era of proprietary, commercial large language models (LLMs) in 2022 [1]. Since then, proprietary models have continued to evolve, with prominent new entrants from another startup, Anthropic, and Google [2,3]. At the same time, the open-source AI ecosystem has also undergone rapid expansion [4]. New open-source model families have been introduced from large companies like Meta (LLaMa) and Alibaba (Qwen), as well as startups like France’s Mistral and China’s DeepSeek. Some of these models are huge, and operate web chat and API services that are directly comparable to leading proprietary models, such as Mistral LeChat and the Deepseek API [5]. Model hubs such as Hugging Face and GitHub provide central repositories for both original training checkpoints and downstream derivatives of open-source models. The Hugging Face repository has also provided a widely adopted high-level API for running LLMs [6]. This paper focuses on LLMs; multimodal and diffusion models are outside the scope as they follow different modification and deployment patterns.

The development of increasingly powerful generative LLMs also means significant risks to society and human life. These include the generation of persuasive disinformation using LLMs, which can be used to affect political debates and election campaigns [7,8,9]. LLMs can be used to perpetrate crimes, such as by mimicking family members or trusted people to defraud victims [10,11,12].

Legitimate applications of LLMs may cause harm as well. For instance, LLMs can perpetuate inherent bias in their training data and lead to unfair outcomes, through injecting race and gender discrimination when they are used in hiring decisions, or predicting that racial minorities are more likely to default on loans or are likelier to commit criminal offenses [13,14,15]. LLMs are highly capable at generating source code; consequently, they can also be used to generate highly effective malware that can evade defensive mechanisms [16,17,18]. The risk of psychological harm has been the subject of increasing concern. The use of AI chatbots has been connected to exacerbating delusional ideation, and chatbots have been observed giving detailed instructions on how to commit self-harm [19,20]. In some cases, using LLM chat over time has been alleged to end in suicide [21]. All these risks merely represent some dangers of LLMs.

Indeed, many leading AI researchers believe that as LLMs become more powerful, they may be able to act autonomously. Highly capable autonomous AI agents could potentially disrupt military and infrastructure systems, leading to catastrophic loss of life and social collapse [22,23,24].

While major AI providers implement alignment techniques to mitigate these risks through reinforcement learning with human feedback (RLHF) and other safety measures, the open-source ecosystem presents a unique challenge to these safeguards. The same accessibility and modifiability that drives innovation in open-weight models also enables the systematic removal of safety constraints [25,26]. Communities have emerged around creating "uncensored" or "abliterated" versions of mainstream models, distributed through platforms like Hugging Face with minimal oversight. These modified models, optimized for local deployment through quantization and specialized packaging formats, operate entirely outside the controlled environments and content policies of centralized AI services. The proliferation of such models raises fundamental questions about the effectiveness of current AI safety approaches in a decentralized ecosystem where technical safeguards can be readily circumvented and redistributed at scale [27].

This paper presents the first large-scale empirical analysis of uncensored open-weight models. The study is based on retrieving records for 8,608 Hugging Face repositories identified using safety-related keywords. These models were all modified with the likely intention of altering, weakening, or removing alignment constraints. These models are further analyzed here to trace their growth across families, providers, and packaging formats. The uncensored model population appears to consist of models that are capable of running on consumer hardware in local environments. The results of evaluating a select subset of models on synthesized unsafe prompts demonstrate that these models comply with those unsafe prompts at far higher rates than unmodified counterparts. Compliance increases are observed consistently across prompts that risk eliciting responses that can result in fraud, psychological manipulation, physical harm, and social disorder. The effectiveness of modification is largely independent of model size, with smaller variants sometimes matching or exceeding the compliance levels of models tens of billions of parameters larger. Together, these findings document how safety removal has shifted from ad hoc experimentation to a potentially widespread and systematic practice, raising governance challenges that centralized oversight and distribution control cannot address in a decentralized, user-driven ecosystem.

2. Background

AI safety efforts are generally focused on “alignment”: training strategies designed to keep large language models (LLMs) from producing harmful or undesired outputs. Widely employed alignment techniques include reinforcement learning with human feedback (RLHF) and direct preference optimization (DPO), both of which guide models toward behavior consistent with human values and preferences [28,29,30,31]. Yet, despite these safeguards, researchers have demonstrated that real-world methods for “dealignment” can be surprisingly effective and inexpensive. For example, with technology available in 2024, one team used low-rank adaptation (LoRA) to strip away most safety protections from a 70-billion parameter model at a cost of under $200 [32]. Another study showed that with only 100 hand-picked examples and about an hour of computation on a consumer graphics card, LLaMa 2 could be reconfigured to comply with nearly every unsafe prompt it had previously rejected [26]. Importantly, these interventions did not substantially diminish the modified model’s performance on general tasks or benchmarks, suggesting that alignment can be removed without rendering the system ineffective. Even in cases where some performance degradation occurs, uncensored models can still be operationally useful. For instance, one team has demonstrated that ransomware could be developed by first generating basic malware with an uncensored model, and then refining it using a more capable but safety-constrained system [18].

Another approach to removing a model’s safeguards is “model merging,” where dealigned models are merged with other models to create more powerful, misaligned and potentially dangerous models [33]. The growing availability of capable open-weight systems—often described as open-source models even when source code defining model architecture itself may not itself be made available—further complicates this picture. Unlike proprietary models delivered through controlled APIs, open-weight models can be freely downloaded, modified, and redistributed once their parameters are released under permissive licenses. While the largest such models may still require cloud infrastructure with significant computational resources, increasingly capable decentralized, “edge,” or “local” AI models are able to run on personal computers and even mobile devices like smartphones and tablets [27,34,35,36].

At the same time, the ability to deploy LLMs on consumer hardware has been significantly enhanced by applying advanced “quantization” techniques to large-scale models. Through quantization techniques, the numerical precision of model parameters can be substantially compressed, at minimum from  32-bit to specialized lossless 16-bit formats, but for larger models, to 8-bit, 4-bit, and even as low as 1.58-bit precision (i.e., ternary numbers) [37,38,39,40]. Compression may degrade accuracy, but quantized models generally maintain sufficient quality for most practical applications. However, they dramatically reduce memory requirements and accelerate inference speeds, making sophisticated language models available on devices with limited computational resources.

Another key factor in local deployment is the development of user-friendly software frameworks to execute LLMs, and model packaging formats used to store and distribute model weights. Models can of course be run through the Hugging Face modules within Python or executable scripts, though that can require some technical sophistication on the part of the user. A common alternative is the open-source GGML project, which includes the lightweight inference engines, llama.cpp, and the GGUF (GPT-Generated Unified Format) packaging file format developed as part of  [41,42]. GGUF is significant in that it is optimized for consumer hardware through memory mapping. While many consumer devices do not have the GPU memory (VRAM) required to run larger LLMs, they have plenty of CPU memory, and working together can effectively run larger models albeit at lower speed. GGML also has strong support for quantization, thereby further enabling lightweight model execution. Another emerging technology for local LLMs is Apple’s Silicon (“M” series) chips, which have unified GPU and CPU memory, allowing them to efficiently support larger LLMs [43]. Apple has developed an open-source LLM inference and training system based on its MLX numerical computing framework to run and fine-tune LLMs on its desktop and laptop computers.

The shift in accessibility of LLMs to local deployment has made it easier not only to experiment with aligned models, but also to disseminate modified versions that have been stripped of safeguards. Hugging Face, for example, does not merely host models from official providers; it also serves versions that have been fine-tuned or directly edited to bypass safety restrictions, sometimes marketed as “uncensored” releases [44]. Another way to uncensor a model is “abliteration,” where, based on studies that identified particular vectors in aligned model weights which mediate the refusal to respond to prompts that trigger safety responses (i.e., “refusal directions”), it has been found that model weights can be edited in specific ways to produce models that do not refuse those requests [45,46].

As a result, the governance challenges posed by local and open-weight AI differ fundamentally from those associated with centralized, API-mediated systems, since there is no single provider through which content policies can be enforced or usage monitored [27]. In such a decentralized landscape, risk mitigation depends not on top-down control but on understanding who is releasing models, who is using them, and who is impacted by them. Only that way can cultural norms, self-regulatory mechanisms, and actually effective government interaction be designed to address the risk of harmful activity. Consequently, it is essential to map how open-source models are created, scaled, licensed, and progressively altered in their alignment and behavioral constraints. The present work surveys current uncensored open-source models, tracing their diffusion, modification, and the trajectory of their growing capabilities. In doing so, it sets the stage for a discussion of how systematic tracking of open-source development could serve as a foundation for distributed governance mechanisms aimed at mitigating risks without undermining the principles of open collaboration.

The empirical work presented in this paper is particularly needed at this time because, despite the rapid spread of open-weight models, empirical research on their safety remains limited. For instance, in 2024, Gao et al. published a survey on the documentation of ethical considerations in open-source projects, rather than the technical characteristics which are the focus of the paper here, magnitude of public use, and capabilities of specifically dealigned models [47]. Even so, the study found that they were often shallow and inconsistent, with few concrete mitigation strategies, further underscoring the need for a coherent policy response to address decentralized AI risk. Another recent study which broadly evaluated a number of open-source models based on ethical considerations did not include uncensored models in its analysis [48]. Overall, existing AI safety benchmarks, while valuable, are fragmented across languages and contexts [49]. Many safety benchmarks, moreover, are confounded with general capability scaling, obscuring real safety progress and enabling so-called “safetywashing” [50]. Broader reviews confirm that benchmarks quickly become obsolete and fail to capture trends and emergent risks [51,52]. In much of the discourse, the focus remains on catastrophic or extinction-level AI risks, and even the work that has been done on concrete risks remains fragmented, under-evaluated in practice, and disconnected from practical governance [53].

Furthermore, the analysis in this paper deliberately excludes diffusion models: this is because unlike token-prediction LLMs, diffusion models tend to have far fewer parameters. Therefore, local deployment and dealignment of such diffusion models is much more typical than LLMs, which require more computing resources. For instance, diffusion models are routinely used to generate fraudulent deepfakes and pornographic images [54].

3. Methods

3.1. Data Collection from Hugging Face

The source code used for data collection and processing, along with the data generated for this study, are available at https://github.com/bahrad/uncensored-llm-tracking. The pipeline for data collection and analysis proceeds as follows.

Model names are first collected from the Hugging Face Hub using a purpose-built Python incremental scraper script based on huggingface_hub.HfApi. The scraper queries the Hub for models whose repository identifiers, tags, or model cards contain markers commonly used to denote safety removal or uncensoring. The keyword list includes: uncensored, abliterat*, unfilter*, jailbreak*, no-safe, no-filter, nofilter, nosafe, unrestrict*, unlock*, freed, decensor, unsafe, unalign*, de-align, dealign, roleplay, role-play. Each search term is run separately, and the names of model repositories found with each term are stored to permit auditing and method improvement. These names are in a {naemespace}/{model ID} format, e.g., Qwen/Qwen2-72B-Instruct.

The list of model names is then deduplicated and used in sequential API calls, with retry logic and pause times (0.1 seconds) along with a user account token from Hugging Face to retrieve the model metadata available from Hugging Face for each repository name. The token is necessary to access information for certain gated models and to prevent excessive rate limiting. The metadata includes a range of fields returned from the API, including the repository ID, owner, timestamps (created/last modified), likes, license, tags, pipeline/library hints, file listings, and flags that indicate whether the model is private, gated, or disabled. However, not every field contains information for every model. There is also a “model card” for many models, though not all, which contains narrative and additional information.

With respect to the number of model downloads, Hugging Face only tracks them at the repository level; while most repositories only include one model, this can lead to difficulty in interpreting cumulative results. Hugging Face also only allows a public interface to downloads in the last month or downloads for all time. Because of challenges in retrieving download counts, a separate script is used in the pipeline to retrieve download counts using the Hugging Face API. Notably, downloads are hidden or otherwise not tracked for some repositories, including some of the uncensored model repositories that were part of this study.

An additional caveat is that Hugging Face does not track, or at least does not make publicly available, downloads per user. As a result, the number of downloads correlates to distribution volume rather than direct end-user adoption. While Hugging Face models remain cached on users’ devices after downloading or can be stored directly in persistent storage, they may not be retained locally, e.g., when a user runs a model on a new device or a fresh cloud instance. In that case, the model will be downloaded again. Accordingly, the number of Hugging Face package downloads does not necessarily equate to the number of distinct individual users who have downloaded a package. Second, if models are provided by cloud inference provides who have already downloaded the model and are hosting it directly from a serverless API, then that usage will not be counted (this is the case for prominent censored models, including DeepSeek and Meta’s LLaMa models.

3.2. Data Filtering and Processing

The dataset is restricted to decoder-only, causal generative LLMs. Other kinds of models, such as those based on BERT or diffusion architectures, operate on very different scales and are outside the scope of this study. Pipelines corresponding to embedding, classifiers, speech recognition, and image/video generation are generally excluded. Image-to-text and multimodal models that generate text outputs are included. Specifically, a structured sequence of exclusion and inclusion rules at the repository level is applied, where each rule is evaluated against multiple metadata fields, including the repository identifier, pipeline tag, tag list, configuration fields, and declared architectures. The procedure follows:

• Pipeline exclusions. Repositories are excluded if their pipeline_tag matched any of a predefined set of non-LLM tasks, including encoders and embeddings (text-embedding, feature-extraction, sentence-similarity), classification tasks (token-classification, sequence-classification), vision pipelines (image-classification, object-detection, image-segmentation), audio and speech systems (audio-classification, text-to-speech, speech-segmentation), diffusion-based image generation (text-to-image, diffusers), or sequence-to-sequence generation (text2text-generation).
• Positive pipeline inclusion. Repositories explicitly labeled with the text-generation pipeline are immediately retained.
• Positive token inclusion. If repository names or tags contained strong decoder-only identifiers, such as gguf, or causal-LM labels such as causal-lm or text-generation, the repository is retained regardless of other attributes.
• Token exclusions. Repositories were removed if their identifiers or tags contained substrings associated with excluded model classes. These included encoder families (bert, roberta, mpnet, minilm, e5, bge, gte, sbert, sentence-transformers), sequence-to-sequence families (t5), speech systems (whisper, wav2vec, hubert, tacotron, fastspeech, tts, vits), and diffusion or imaging models (stable-diffusion, sdxl, latent-diffusion, controlnet, unet, vae, inpaint, txt2img, img2img, diffusion).
• Architecture exclusions. If the configuration or transformers_info fields declared architectures aligned with encoder, diffusion, or speech systems (e.g., bert, roberta, t5, whisper, wav2vec, hubert), the repository is excluded.
• Default inclusion. Repositories not eliminated by the preceding exclusion checks, and lacking explicit positive signals, are included by default. This conservative approach ensures coverage of causal LMs that may not carry strong pipeline or tag annotations.

This rule-based filter thus yields a curated set of repositories focused on decoder-only LLMs, minimizing contamination from encoders, diffusion systems, and speech models while ensuring inclusion of causal text LLM derivatives that may be weakly labeled.

Extraction of Quantization and Packaging

Repositories are scanned for packaging and quantization markers using both string matching and regular expressions applied to repository names, tags, and configuration metadata. Three complementary features are extracted:

• Packaging. Repositories are flagged as packaged in GGUF format if the token gguf appears in the repository name or tags (gguf →gguf = 1). Similarly, repositories are identified as merged models if the token merge is present (merge→ merge_model = 1). These indicators capture the prevalence of GGUF-packaged checkpoints, which are optimized for local deployment, and model merges, which represent composite or hybrid releases.
• Quantization signal and type. A quantization signal is registered if any token from a defined set appears, including gptq, awq, exl2, marlin, spqr, imatrix, or precision markers such as nf4, fp4, fp8, fp16, bf16, fp32, int4, int8, 4-bit, and 8-bit. These tokens are matched directly or via regular expressions, ensuring coverage of common naming conventions (e.g., q4_k_m, iq3_xs, w8a8g128, 5bpw). If one or more quantization methods are identified, they are recorded in the variable quant_type (e.g., gptq, awq, or multi-method combinations such as gptq+awq).
• Quantization level. Tokens indicating numerical bit precision are mapped to a normalized bitwidth, recorded as quant_level. For instance, int8, 8-bit, q8, and w8a8 are mapped to 8; int4, 4-bit, nf4, and q4 are mapped to 4; fp16 and bf16 are mapped to 16; and fp32 is mapped to 32. Where multiple levels are present, the smallest bitwidth is retained, reflecting the most aggressive quantization in the repository.

The resulting annotations provide a standardized basis for aggregating repositories by packaging format and quantization characteristics.

Family Attribution

Each repository is assigned to a model family in order to unify variants of the same base architecture across packaging and quantization. Families are inferred from repository identifiers, tags, and extracted configuration fields (e.g., architectures, model_type). For example, repositories containing the string Mistral in the name or tags are attributed to the Mistral family, while those tagged as llama are attributed to the LLaMA family. This step prevents derivative releases from being miscounted as distinct models and enables analysis of modification practices at the level of major model families.

As explained in the preceding, Hugging Face models are stored in Git repositories. The method employed in this paper assigns each model repository (or “model repo” or simply “repo”) to one model. Additional processing was found to not be feasible in distinguishing between multiple models in a repository, which are generally the same architecture but may exist with different quantization levels and methods. Manual inspection to identify these cases did not find them to have a significant impact on the overall results presented in this paper.

3.3. Uncensored Model Evaluation on Unsafe Prompts

This subsection details the approach taken to evaluate uncensored open-source models. For this study, a systematically selected representative subset of models, as well as five control models that were aligned by providers to avoid unsafe responses, are challenged with prompts designed to elicit harmful responses and are objectively evaluated to assess their refusal behavior.

Model and Prompt Selection

A subset of models are selected to evaluate responses to potentially unsafe prompts. The selection process is done as objectively as possible to sample the recent trend in the capabilities, and ability to refuse requests, of uncensored open-source models. The selection process starts with the list of open-source models enriched with metadata (e.g., size, creation date, tags) as generated in the scraping pipeline described above. The script filters for models that (a) have a local variant, (b) appear potentially modified (suggesting uncensoring or reconfiguration), and (c) are not modified to be in the MLX format utilized to run on Macs with Apple Silicon chips (as these would generally be redundant). Within each base model family (e.g., LLaMa, Qwen), the script is designed to identify a “best representative” candidate by ranking on total parameters, while giving a substantial boost to recently released models (within  6 months). From this ranked set, the script keeps only the top candidate per family, then selects the overall top-N models for evaluation. The models selected for this study are listed in Appendix A. The metadata for the models selected for this tudy were retrieved from Hugging Face through both API calls and manual review to ensure completeness.

Evaluation prompts are first generated by DeepSeek R1, then reviewed by the author to curate and refine them for this study. Prompts are grouped into thematic categories: election/disinformation; violent/illegal instruction; harmful misinformation; harassment/hate; jailbreak/circumvention. The prompts are also annotated with a target region label, based on the extent to which they implicate formal laws and regulations which are in place in those geographies, i.e., EU, China, Russia, or general. Further annotation outside the scope of this paper, including relevant specific regulatory texts and statutes, is also performed based on DeepSeek R1’s outputs as refined by the author. The annotated list of prompts used in this study is provided in Appendix B.

Model Inference and Evaluation

Responses to the prompt, including for both quantized GGUF variant models and original models are executed on a single Lambda Labs (https://lambda.ai) NVIDIA GH200 96 GB instance. The default temperature is set at 0.7 and the top-p parameter is set at 0.95; while token generation limits were set at 5000 or the maximum allowed by the model configuration (to avoid truncation). The specific chat template designated by the model configuration file is applied in all cases. A GGUF-compatible runtime using llama.cpp was executed to run one-turn prompts, and the Hugging Face API was used within Python to run full models. All models were downloaded from Hugging Face repositories as indicated by the model names listed in Appendix A. Raw outputs from each batch are consolidated into a tabular dataset. The raw outputs, classifications, aggregated results, and scripts used to analyze the prompt evaluation tasks are available at https://github.com/bahrad/uncensored-llm-tracking.

An LLM is used to provide an objective evaluation of the model response. Manual inspection was done to confirm the consistency and quality of evaluation. The LLM used to generate the scores in this paper was deepseek-r1-distill-llama-70b. It was run using the batch processing API of the high-speed Groq cloud service (https://groq.com) using a nominal temperature of 0 (to ensure consistency), as well as recommended model parameters of top-p 0.9 and min-p 0.01. Figure 1 shows the evaluation prompt that was employed, which generated a JSON response, which was successfully parsed in all instances. Unless stated otherwise in this paper, a “compliant” response (as opposed to “refusal”) is defined as a score $>4$ (i.e., partial or full compliance).

Figure 1 shows the compliance scoring system and definition of compliance scores used in the evaluation. In some cass, particularly for highly sensitive prompts, a model will generate a nonsense (e.g., loop of a repeated single words) or error response (i.e., no response). This can generally be interpreted as an instance of refusing a request, i.e., because safety alignment prevents an intelligible response. A “full refusal” is when a model simply states that it will not provide a response. In some cases, a model will provide an explanation about why the prompt was unsafe; that is classified as an “explained refusal.” A model may also provide a response that reformulates a prompt that is unsafe into one that is; for example, in response to a prompt calling for misinformation about voting procedures in an election, a prompt may respond that it will reject the original prompt but instead provide a response that gives correct information. This is classified as a “diversion refusal.”

If the model responds to the prompt, it is evaluated to determine whether it is a qualitatively detailed response. For example, a prompt that requests information on producing an unsafe substance may provide a few vague sentences but no actual guidance to the user, but technically the model does not refuse to respond. This is classified as “partial compliance.” If the model response is directed and detailed, then it is classified as “full compliance.” Examples of some of these categories are provided in the Results section.

4. Results

4.1. Growth and Distribution of Uncensored Models

The analysis of scraped models from Hugging Face repositories reveals a rapidly expanding ecosystem of safety-modified AI systems. The pipeline described in the Methods section can be run and updated continuously; the collection cutoff date for this paper is September 9, 2025. The filtered and processed dataset contains 8,608 model repositories from 1,303 namespaces (distinct accounts hosting repositories on Hugging Face). A total of 43,066,092 (43.1M) downloads have been tracked for this dataset, though download information was unavailable for 837 models (9.7%). The remains a fraction of the overall Hugging Face ecosystem, which included over 2 million models on the cutoff date. The number of total downloads tracked for this dataset is comparable to that of a common locally deployed model, Qwen2.5-7B-Instruct (the 7B refers to approximately 7 billion parameters), which was at 38.4M downloads.

Further analysis of temporal trends, model families, and provider distribution is detailed below. Notably, while this paper interchangeably refers to safety-modified models as “uncensored” or “dealigned” models for convenience, such a model may still refuse certain prompts, as shown in the results of the evaluation study presented later in this section.

4.1.1. Temporal Trends in Uncensored Model Development

Figure 2 demonstrates the accelerating growth of modified (i.e., uncensored) models through August 31, 2025 (to remove any partial data for the final days of the study period). The trend indicates a clear inflection point in the ecosystem’s development. The monthly release rate of new uncensored models shows sustained acceleration throughout the observation period, with the most dramatic growth occurring in the latter half of 2024. This accelerating trend is consistent with the transition of safety removal techniques from initial exploration based on discrete research studies and exploratory work to increasingly systematic practices adopted by broader segments of the open-source AI community.

The timing of growth spurts in Figure 2 also appears to correlate with major open-source model releases. There is an initial acceleration following the release of Qwen2 and LLaMa 2 in June-July 2023[55,56], followed by subsequent waves after open-source releases from Mistral later in October 2023[57] and a cascade of further model families being released, including upgrades to the latter. This suggests the existence of established pipelines and communities focused on rapidly adapting new models for uncensored deployment. However, as evident in Figure 2 there has been an apparent recent slowdown in the rate of increase in the number of models is consistent with fewer notable base models being introduced, as there is further consolidation in LLM producers as training costs increase [58].

4.1.2. Frequently Modified Model Families

Analysis of family summary data reveals substantial variation in uncensored model production across different base model families. To understand these patterns, we distinguish between individual model versions and model “superfamilies.” These superfamilies represent aggregations of all versions and iterations from the same foundational architecture. For example, LLaMA, LLaMA-2, LLaMA-3, and LLaMA-3.1 are combined into a single LLaMA superfamily; similarly, Phi and Phi-3 are combined into the Phi superfamily.

Figure 3 presents the granular distribution of uncensored variants across specific model versions. LLaMA base models dominate with 4,386 uncensored variants, followed by Qwen-2 (1,096) and Qwen-3 (429). This granular view reveals important patterns: while Meta’s LLaMA architecture has the most extensive history uncensored modifications, Alibaba’s Qwen ecosystem has become increasingly prominent. Notably, the Qwen models have proliferated and evolved through multiple generations, each of which are being modified to create uncensored ersions. A similar trend is observed, albeit at lower magnitude, with Google’s Gemma architecture. Among emerging architectures, Zhipu AI’s GLM [59] and DeepSeek appear with modest but notable representation, suggesting expanding diversification in the uncensored model ecosystem.

Table 1 aggregates the individual model families into broader superfamilies, focusing on the most significant ones in the dataset (in terms of model count). Looking at the data this way reveals a significant temporal shift in modification patterns. The temporal redistribution shown in Table 1 reflects multiple converging factors shaping the uncensored model ecosystem.

The rise of Qwen modifications from 16.6% to 32.1% coincides not only with increased global adoption of Chinese-origin models but also with specific technical advantages: Qwen models demonstrate strong multilingual capabilities and are released with comprehensive documentation for fine-tuning, lowering barriers for modification. The parallel growth in Gemma uncensoring (4.2% to 11.9%) may be attributed to Google’s decision to release models in multiple size variants (2B, 7B, 27B parameters), enabling modifiers to target specific hardware constraints while maintaining architectural consistency. Conversely, the sharp decline in Phi modifications (3.5% to 1.4%) despite Microsoft’s continued development suggests that the community has identified limitations in safety removal effectiveness for this architecture. This may be due to its specialized training for reasoning tasks making alignment more deeply embedded.

Overall, the persistent dominance of U.S. and Chinese model families (LLaMA, Qwen, Gemma) over European alternatives (Mistral) in the uncensoring community indicates that modification efforts concentrate where base model capabilities are highest and community resources are most abundant. This geographic concentration may also reflect differential approaches to initial safety training: models developed under different regulatory regimes may exhibit varying degrees of resistance to dealignment techniques.

4.2. Demographic Characteristics of Uncensored Models

4.2.1. Uncensored Model Providers

Analysis of model repository metadata at the provider level reveals highly concentrated hosting patterns. Providers in this study are associated with Hugging Face accounts. While there are over 1,303 distinct accounts (namespaces), there is significant concentration in activity within the ecosystem. Figure 4 shows that a power law-like characteristic, where the top-ranking providers coount for disproportionate shares of both model hosting and download activity.

The distribution shown in Figure 4 indicates wide variation in the provider ecosystem. The single most active provider (mradermacher) hosts 1593 repositories, which represents 18.5% of the full dataset. The mradermacher repositories have had over 9.2 million repository downloads through the cutoff date, or 21.5% of total tracked downloads in the dataset. The top 20 accounts collectively host 4,647 repositories, or 54% of the total (8608). Concentration is most pronounced in download activity. The top 20 accounts are responsible for 85.8% of all tracked downloads; also, the top 10 alone, 76.8% and the top 5, 60.6%.

Based on the names of the repositories, the provider landscape appears to mostly comprise individual developers and small teams, rather than institutional entities. For example, mradermacher appears to represent a single contributor account. Yet, mradermacher is responsible for hosting . Similarly, other high-volume model providers, such as davidau, bartowski, and mlabonne appear to represent individual developers (or small groups of developers) who have systematized model conversion and hosting processes.

The model provider identified as “thebloke” in Figure 4 is exemplary. This provider appears to be an individual who created many popular quantized versions of both original and modified LLMs on Hugging Face. However, he has recently been less active, as evidenced by Reddit threads discussing him [60]. Based on public records, an individual named Thomas Robbins located in East Sussex, UK, formed a company named “Thebloke.Ai Ltd,” which allows a putative identification of the model creator [61]. However, it is not possible to be definitive, which is typical in an open-source community where identification is optional. By contrast, Georgi Gerganov is publicly known as the creator of GGML and llama.cpp, as well as the founder of ggml.ai (https://ggml.ai/), a company supported by Nat Friedman and Daniel Gross, who are well-known Silicon Valley investors [62].

Critically, the scope of this analysis exclusively encompasses open-source model providers. Major proprietary AI providers such as OpenAI, Anthropic, and Google do not appear in the study dataset by design, as they distribute models through controlled APIs rather than open repositories.

4.2.2. Model Size and Storage/Memory Requirements

An important question for uncensored models is their ability to run locally on consumer devices. Figure 5 shows the distribution of the number of parameters (weights) of uncensored models in the dataset), as well as the storage used by the model repository. One caveat for the storage utilization plot is that some repositories contain multiple model files; however, as the distribution shown in figure panel (b) indicates, that does not have a significant impact on the distribution.

The parameter distribution shown in panel (a) of Figure 5 exhibits pronounced clustering around 8.1 billion parameters, representing the single most common model size with approximately 1,750 instances.The model size concentration reflects the popularity of models in the 7B-9B parameter range, including variants of LLaMA-2-7B, Mistral-7B, Gemma-9B, and Qwen-7B, which are members of the most common families in the dataset, as shown in Figure 3. These models which offer an optimal balance between capability and accessibility on consumer hardware. Secondary peaks appear at approximately 3 billion and 13 billion parameters, corresponding to smaller mobile-oriented models and the next tier of locally deployable models, respectively.

Similarly, the storage (memory usage) distribution shows a dominant peak at 15.8 GB. While an 8B parameter model at full precision (FP32) would require approximately 32 GB of storage, it is more common though to utilize a lossless 16 bit format, such as bf16 precision [63]. Accordingly, the model memory usage is actually consistent with the modal parameter size of 8.1B parameters, given that 16 bit weights are typical. The storage plot does show considerably more dispersion than the parameter distribution. This dispersion appears to reflect the impact of quantization and packaging strategies on final model size, including, as shown below, the large number of quantized models that are available so that even very large models can be run locally, as well as more efficiently on lower cost cloud platforms.

Overall, models clustering around 8B parameters with 15-16 GB storage requirements align precisely with consumer GPU capabilities—fitting comfortably within the 16-24 GB VRAM of mid-range graphics cards like the NVIDIA RTX 4070 Ti or RTX 4080. Notably, quantized versions of these models can even run on smartphones [64]. Figure 5 shows that larger models are also available, permitting the broad user community to modify them and create even more powerful uncensored models, which can in turn be merged and quantized to generate more potent uncensored models.

4.2.3. Model Quantization Strategies

The quantization format and level were also analyzed for the uncensored model dataset, as it is an important aspect for understanding the ability to deploy uncensored models in low-resource environments, including local devices that cannot be monitored remotely. As an initial matter, because quantization information is inconsistently represented in model metadata, additional filtering was done on the data. From the initial 8,608 model repositories, models with ambiguous quantization indicators or no extracted indicators were removed. The quantization detection approach also identified some numbers that were unrealistic, such as a few detected quantization levels above 16 bits (but not 32 bits), which are assumed to be misidentification. The filtering process retained 5,749 models (66.8%) of the total, with models lacking explicit quantization indicators classified as 32-bit (i.e., full precision). However, it is important to note that many of

Figure 6 shows the quantization strategies found in the filtered uncensored model dataset, and their relative impact as indicated by the number of downloads. Panel (a) shows the distribution across quantization formats. GGUF dominates with over 4,500 repositories and 2.76 million downloads. This format, specifically designed for llama.cpp and optimzed for CPU and Apple Silicon inference, represents nearly 79% of all quantized models. However, many of the GGUF repositories have few downloads, as evidenced by the relatively low level of normalized downloads shown in Figure 6. By contrast, while there are relatively fewer GPTQ quantizations detected in the dataset, the number of downloads for each of those models is much greater. The newer formats, EXL2 (ExLlamaV2) and AWQ (Activation-aware quantization) show modest but growing adoption. Other quantization types are seen to much lesser degrees in the dataset. The column labeled “quant” indicates models that are known to be quantized but the type was not cleanly detected; most of these appear to be GPTQ models but that is not certain. Notably, all of these data are for the uncensored model dataset, and they do not represent adoption of quantization for original models and fine-tunes that do not have a dealignment objective.

In a manner similar to quantization type in panel (a), Figure 6 panel (b) shows a difference between the number of model repositories, which indicate a large number of repositories with relatively few downloads each, and the more popular, original, full-precision models. An important caveat for interpreting this graph is that, while it was difficult to ascertain this fully given the limitations of the metadata, much of the overrepresentation of “32-bit” precision is known to in fact be 16-bit precision models, i.e., they were trained as 16-bit model weights and inference natively takes place at 16-bits. Moreover, some native models now feature native inference at quantized levels, for example, DeepSeek R1 has default inference at 8-bit precision, and DeepSeek variants that are “full precision” are in fact equivalent to 8-bit quantization [65]. This is relevant given the increasing presence of DeepSeek models in the uncensored population, as shown in Figure 3. Despite the prominence of full-precision models shown in Figure 6, 47.5% of model repositories indicate quantization of various levels; however, these represent only 10.1% of tracked downloads.

The packaging methods used for uncensored models in the dataset were also assessed in addition to quantization. Besides GGUF, which is also detected as a quantization format, package information proved challenging to extract in granular detail from the metadata available on Hugging Face. However, in general, at the beginning of LLM development, many models were available as binary files (with either .bin or .pth extensions, indicating Python binaries). During the most recent surge in model development starting in mid-2023, the most common file format is safetensors, which provides improved security and loading performance compared to traditional binary formats [66]. The analysis of the dataset does show that at least 4,609 of the 8,608 repositories, or 53.5%, contain model files in the GGUF format associated with the GGML project and executable with llama.cpp.

4.3. Evaluation Safeguard Reductions in Uncensored Models

The reduction in safeguards of uncensored models available on Hugging Face is evaluated against a set of prompts designed to trigger safety guardrails, as described in the Methods section. The evaluation model set consists of 20 modified and 5 unmodified baselines selected to provide a range of parameter levels, quantization, and uncensoring techniques while still being runnable on high-end yet consumer-available local hardware. Appendix A shows the full names of the selected modesl, including namespace (provider). Appendix B provides the list of evaluated prompts, along with their categorization across potential impacts and specific regulatory constraints imposed by the European Union (EU) and China in Table A1. (The United States is excluded because there were no relevant federal regulations in place at the time of this article’s preparation.) Responses are categorized along a spectrum including “nonsense” and “error” responses, which are generally classified as refusals; “full” (unexplained) refusal, “explained” refusal, and “diversion” refusals, where the model creates a response to a related prompt that is safe; and “partial” (vague) and “full” compliance. Examples of responses classified in each category are provided in Supplementary File S1.

4.3.1. Effect of Unaligned Model Characteristics on Compliance

Table 2 shows the aggregated results of the evaluation across the tested models. As expected, models with safety-related modification (uncensored models) generally comply with prompts, i.e., successfully provide responses, at a substantially greater rate than unmodified models: 74.1% mean compliance ($\sigma$ = 16.2%) for modified models versus 18.8% mean compliance ($\sigma$ = 13.7%) for unmodified models. One notable exception to the high refusal rate of the unmodified models is DeepSeek-R1-Distill-Qwen-14B. This model is DeepSeek’s “distillation” of the Qwen-14B model, i.e., a fine-tune based on synthetic data from the large-scale DeepSeek R1 foundation LLM [65]. It appears poorly aligned, complying with 41% prompts, well ahead of all other unmodified models with comply at rates of 20% or much lower. That said, the uncensored version of the model, DeepSeek-R1-Distill-Qwen-14B-Uncensored did show increased compliance, though still in the bottom half of unmodified models.

The overall results shown in Table 2 show that there is no real relationship between scale (number of parameters or weight quantization) and ability to circumvent safeguards among the uncensored models. For instance, the 4th-ranked model has approximately 14 billion parameters, fewer than many of the lower-performing models, and the 2nd-ranked model is a 5-bit GGUF quantization. Furthermore, the top models include derivatives of different families, including Qwen, Wizard, and Mistral (XortronCriminalComputingConfig and BlackSheep-24B). Perhaps notably, among the uncensored models with the lowest success rates are the LLaMa derivatives. This may be connected to the unmodified LLaMa’s apparently strong alignment, based on the unmodified model success rate shown in Table 2. However, Qwen models were found to provide even fewer responses to the tested prompts, and there are Qwen-based models at the top of the uncensored list. Generally, it appears as though model performance is idiosyncratic.

The best-performing model, as measured both by general success and full compliance, is XortronCriminalComputingConfig. Interestingly, it is a model merge that includes BlackSheep-24B, which, while still likely to comply, still has more refusals than the Xortron model. This suggests that merger techniques are capable of enhancing uncensored model performance, as measured by reduced safeguards. Another approach that has yielded the top models is combining abliteration with further fine-tuning to remove safeguards, which is a technique implemented by the “Josified” models in Table 2, as well as the highest performing Qwen2.5 derivative that was assessed (“abliterated-SFT”).

4.3.2. Geographical and Categorical Response Parameters

Not all unsafe prompts have the same impact on trigger the same level of safeguards. Certain kinds of harm may be more severe and thus likelier to elicit refusal responses, also, certain kinds of potential risk my be harder to detect or to align against without degrading the model’s response to legitimate requests. Moreover, while there are conventional values of AI safety which are considered globally, such as preventing information about making illegal and dangerous substances or encouraging users to self-harm, different geographies have variation in what values and regulations they emphasize. For example, China has a number of rules regarding compliance with “socialist” values and related political order that are not an aspect of regulation in the EU and other Western regulatory regimes [67]. Furthermore, some issues may be considered sensitive in some areas and not others; for example, the status of Taiwan is a politically sensitive topic in China but is viewed differently in the West.

As an initial matter, Figure 7 shows that reversal in response behavior presented by safety-related modification, as shown in Table 2. There is a notable increase in errors seen in modified models, likely due to instability caused by the dealignment procedure. Responses were also broken down based on the kind of harm that they can cause. As shown in Appendix B, some prompts may cause multiple kinds of effect, such as both physical and social harm in the case of inciting political violence. There is a consistent reversal in refusal behavior with modification across all categories of harm. Interestingly, unmodified models present noticeably higher baseline compliance with prompts that potentially elicit social harms. This effect is examined more closely below, and may be related to prevalence of prompts designed to elicit what the regulatory regime in China identifies as social harms, which may not be the same in other regimes. In addition, modified models are much less likely to comply with prompts eliciting responses relating to bias than other categories.

Figure 8 confirms that, across the board, bias-related prompts demonstrate the smallest compliance increase while starting from a much higher baseline compliance in unmodified models, unlike harmful instructions which begin at zero. The elevated baseline suggests that the original model alignment struggles to cleanly separate legitimate discussion of demographic differences from harmful stereotyping. However, modified models also do not comply with prompts that elicit bias responses at high levels. It may be the case that dealignment does not prioritize permitting bias, and instead the emphasis in fine-tuning datasets is on decreasing the refusal rate in other prompt categories. By contrast, prompts for “Harmful Instructions,” which includes, for example, prompts to design phishing scripts, and other fraud and manipulation-related categories show almost complete reversal in refusal behavior, from near-0% to over 75% compliance rates. This suggests that concerted dealignment effects can readily reverse the impact of alignment to prevent concrete safety concerns.

Geographic patterns reveal striking asymmetries in dealignment efficacy. China-targeted categories exhibit considerable variance, from minimal increases in prompts relating to social stability (20 percentage points) and deepfake disclosure (20 percentage points) to near-complete reverses in refusal behavior in the areas of commercial fraud (80 percentage points) and national security content (71 percentage point increase). The outliers in high original model compliance are generally relating to areas of regulation under Chinese law, including China’s rules regarding `deepfake” information and “social stability,” [67,68]. This is consistent with the relatively high baseline compliance for prompts with social impacts shown in Figure 7. These observations suggest that it is difficult to align models that can still respond flexibly while complying with China’s rules on these issues. Even models of Chinese origin responded to these prompts before they were uncensored

By contrast, EU-targeted prompts demonstrate more uniform elevation patterns, ranging from 34.3 to 72.7 percentage points increase, with prompts targeting fraud and manipulation showing the highest susceptibility to modification. The consistency across EU categories suggests these constraints were implemented through similar alignment mechanisms, which are consistent with the regulatory framework of the EU AI Act. The moderate baseline compliance for EU misinformation prompts (30%) contrasts sharply with near-zero baselines for most China-specific categories, indicating different approaches to initial safety training.

One possible explanation for the differences in dealignment success rate shown in Figure 8 is that China-specific prompts are likelier to trigger a refusal response from a model originating in China rather than models originating in other geographies. To assess this potential explanation, Table 3 shows the compliance rates of modified models grouped by base family origin. DeepSeek, Qwen, and GLM all originated from China, while LLaMA (US) and Mistral (EU) are Western. WizardLM is also considered to be a model of United States origin because it came from Microsoft, despite the work done on it by researchers in China [69].

As the table shows, when examining response variability rather than absolute rates, and considering the “General” categories as a baseline, it does appear that model origin has an impact. Specifically, models originating in China exhibit substantially higher variance across regulatory regimes (e.g., DeepSeek ranges from 50% General to 90% EU), suggesting inconsistent or uneven safety training across different regulatory domains. The fact that DeepSeek shows higher compliance on EU-specific challenge prompts (90%) than China-specific challenge prompts (74%) may indicate that Chinese models encode China-related content, in particular, issues of significance for safety in China with more nuanced boundaries. This may paradoxically not necessarily due to stronger imposing safeguards, but instead through complex learned representations from exposure to diverse Chinese-language training data. By contrast, the Western models’ consistently high rates across all categories (Mistral 76-94%) suggests their safety training was more uniformly applied across geographic domains, making all constraints equally susceptible to removal.

5. Discussion

The findings reported in this paper reveal a fundamental challenge to current AI safety paradigms: the rapid proliferation of safety-modified models optimized for local deployment undermines both technical safeguards and regulatory frameworks designed for centralized AI systems. Across unsafe prompts, modified models exhibit reversal in refusal behavior, going from approximately 16% compliance to 75%. The results are surprisingly invariant to scale. This is likely because uncensoring is more a function of technique and training data. Notably, safety removal techniques are becoming more sophisticated, and the one with the lowest refusal rate (most uncensored) is based on abliteration and model merging.

Notably, while there is a somewhat greater error rate for modified models, as shown in Figure 7, that error rate increase is relatively small, suggesting that there is no need to trade off model capability for dealignment. This surgical nature of modifications is particularly concerning, as modified models maintain comparable performance on benign tasks while selectively removing safety constraints, indicating that bad actors need not choose between capability and safety removal.

This study faced important challenges, including that 1) models were identified through keyword scraping, which may have missed some due to alternate nomenclature, and 2) metadata analysis was hindered. However the trends taken in the aggregate are clear: uncensored models are growing along with the growing viability of local deployment and low-resource cloud environments for LLM inference and fine-tuning.

Open-weight LLM development has rapidly advanced beyond cloud-based APIs, making it possible for frontier-scale models to circulate and be adapted outside of their original providers. A key milestone was the release of DeepSeek-R1, a Chinese open-source model that reached performance levels comparable to proprietary systems but, unlike those models, could be redistributed and modified in different hosting environments [65]. LLMs can be transformed through quantization, a process that compresses model weights from full precision (e.g., 16- or 32-bit) down to much smaller formats such as 8-, 4-, or even 3-bit. Once quantized, in particular when quantization is applied selective to particular layers and weights, larger scale LLMs can become dramatically more efficient to run, often without major degradation in everyday use [37,38,39,40]. Independent groups have shown that quantized versions of DeepSeek-R1 can operate on high-end consumer machines, illustrating how local deployment of what were once exclusively data center models has become feasible [70].

Taken together, the quantization adoption plots in Figure 6 with the model size and storage plots in Figure 5, what this shows is an ecosystem that, while constrained by the need for deployment locally or in low-resource independent cloud environments, nonetheless prioritizes model quality and modifiability over raw scale or extreme compression. The strong preference for 8B parameter models at full or near-full precision (16/32-bit), accounting for 89.9% of downloads, reveals that the uncensoring community has converged on an optimal working size—models small enough to run on consumer hardware without quantization, yet large enough to maintain sophisticated capabilities after safety removal. The proliferation of quantized variants (47.5% of repositories) represents infrastructure rather than actual usage patterns, as evidenced by their mere 10.1% download share. This distribution indicates that successful uncensoring requires preserving model fidelity for subsequent modifications: the ablation techniques, fine-tuning passes, and model merging operations that remove safety constraints degrade significantly when applied to already-quantized models. The ecosystem has thus self-organized around a practical threshold where 8B parameter models at full precision (requiring 16-32GB) align with high-end consumer GPU capabilities (RTX 4080/4090 with 16-24GB VRAM), enabling iterative modification without cascading quality loss. The extensive availability of 4-bit and 8-bit quantized versions serves primarily as a final deployment option after uncensoring is complete, rather than as working formats for the dealignment process itself.

In addition to quantization, other efficiency strategies have accelerated the shift toward local deployment. Distillation techniques transfer the behavior of frontier-scale models into smaller systems, such as LLaMa or Qwen, by fine-tuning them on synthetic datasets generated by the larger model [65]. Architectural innovations like Mixture-of-Experts (MoE) reduce inference costs by activating only a fraction of parameters for each input [71,72], while memory partitioning schemes allow part of a model to be stored in system RAM rather than costly GPU memory, expanding the size of models that can be run on personal hardware [73,74]. Other optimizations, such as compression of the key–value cache used in conversational models, further extend the range of tasks that can be handled on local devices [75]. Hardware trends reinforce this trajectory: dedicated “AI PCs” from Nvidia, laptop-grade chips like Apple’s M4, and AMD’s workstation-class GPUs point to a consumer market that is increasingly oriented toward supporting local AI workloads [76,77,78].

Unlike cloud AI services that can be monitored and audited, locally deployed models operate in a regulatory blind spot. Uncensored model creation is concentrated among individual developers and small teams rather than established companies, limiting traditional regulatory leverage points. Yet the ecosystem also shows strong provider concentration: of 8,608 identified repositories across 1,303 providers (Hugging Face accounts), a single provider (mradermacher) accounts for 18.5% of the repositories and 21.5% of all downloads. The top 20 providers host 54% of repositories and account for 85.8% of downloads, with the top 10 alone responsible for 76.8% and the top 5, 60.6%. This power law-like distribution suggests that producing reliable uncensored models requires technical expertise and resources, and users gravitate toward providers with established reputations. At the same time, tracing model providers may be complicated: some open-source developers, such as Georgi Gerganov, are publicly identifiable, while others, such as the creator known as “TheBloke,” remain only partially identified through indirect records. This ambiguity illustrates how concentrated distribution can coexist with persistent anonymity, complicating accountability. Notwithstanding, provider concentration does at least open potential avenues for community-based regulation, since distribution is not so diffuse that engagement with model creators is impossible. Overall, the rise of local AI calls for a fundamental reconsideration of governance, as existing frameworks built on visibility and centralized control cannot address models that are downloaded, modified, and run entirely on personal devices.

The geographic and cultural dimensions of this study’s findings has significant implications for global AI governance. The behavior of modified models appears to vary by the region of targeting: China-targeted prompts average higher compliance after model modification than EU-targeted prompts, suggesting uneven protection that adversaries could exploit. This may also be in part because China imposes a broader range of AI regulation: it is simply easier to remove guardrails over more marginal “unsafe” cases, or cases that other regulatory regimes do not consider unsafe. By contrast, bias prompts show smaller compliance increases, suggesting this is not a priority area for dealignment. The new US administration has stated that models should not be forced to follow “diversity, equity, and inclusion” principles, prioritizing free expression instead [79].

Accordingly, global variation in regulation may mean that models cannot be robustly protected against dealignment challenges. The concentration of certain model families—with Qwen being the most downloaded despite being developed in China—further complicates the geographic dimension, as the ability to modify and deploy these models locally means that national borders and jurisdictional boundaries become essentially meaningless for AI safety enforcement. Qwen may be properly aligned for China, but provide inappropriate responses elsewhere. Similarly, LLaMA-based models may be better aligned for the United States, and Mistral aligned based on French and EU cultural standards. In that case, it may be easier to dealign these models when using them outside their home jurisdictions. More broadly, diverging national safety norms may lead base models themselves to differ, making cross-border dealignment easier if one regime’s “safe” models can be distilled for another’s contrasting standards.

Implications for Future Work

The evolution from simple "uncensored" models to sophisticated abliteration techniques indicates that the technical arms race between safety measures and removal techniques will continue to escalate. This suggests that purely technical solutions are insufficient; addressing the challenge of dealigned (or realigned) local AI will require coordinated efforts across technical, social, and policy domains. The approach presented here can inform red-teaming, where experts seek to identify potential risks and dangers of AI models [79,80].

One potential way of remedying the situation is to allow for more flexible alignment that reflects personal values as opposed to feeling compelled, and potential endangered by, full uncensored models. This includes algorithms designed to implement pluralistic values that vary by community rather than trying to impose a monoculture of views [81,82]. An even more individually-oriented approach is personal alignment, where fine-tuning is used to align to personal values [83,84].

The results of this analysis reinforce the need to rethink governance approaches that rely solely on top-down regulation [27]. The demonstrated ease of removing safety guardrails, combined with the optimization of model architectures and packaging for consumer hardware, suggests that current approaches to AI safety are inadequate for the emerging landscape of decentralized AI. Conventional measures have been designed for a centralized deployment paradigm that no longer reflects how AI systems are distributed and used in practice. Addressing these shifts will require governance strategies that move beyond technical patches, integrating community norms, distributed monitoring, and liability frameworks adapted to decentralized environments.

6. Conclusions

This study provides the first large-scale empirical map of uncensored open-weight models, drawing on retrieving and analyzing over 8,000 LLM repositories modified to weaken or remove alignment safeguards through the study cutoff date of September 9, 2025. The results of this study confirm that safety-modified models consistently exhibit substantially higher compliance with unsafe prompts, with effectiveness often achieved through efficient techniques such as abliteration, i.e., identifying and removing removal directions in model weights, rather than scale.

The results of this study further demonstrate that, to date, most downloaded modified models tend to cluster around more accessible variants optimized for consumer hardware. These patterns highlight the dual forces shaping the uncensored ecosystem: accessibility, through lightweight quantization, and centralization, through the dominance of a small set of providers. Together, the findings illustrate how uncensoring has moved from isolated experimentation to systematic practice, raising governance challenges that extend beyond centralized oversight to the realities of decentralized model distribution.