Chrome Downloaded a 4 GB AI Model Onto Your Computer Without Asking

5 May 2026 · JD Fortress AI

Google Chrome silently installed a 4 GB on-device AI model on millions of computers. The technology is impressive; the consent model is not. This is what Capability Sovereignty means in practice.

We noticed it on a client machine during a routine on-premises AI assessment. A file called weights.bin, sitting deep in a Chrome user data folder where nobody had asked it to be. Roughly 4 gigabytes of model weights, downloaded in the background, powering a feature most users had never consciously opted into.

It is called Gemini Nano. It lives in a directory called OptGuideOnDeviceModel. And it has been quietly installed on hundreds of millions of Chrome installations, possibly billions, without any meaningful consent dialog.

The technology behind it is genuinely impressive. An on-device language model that powers features like “Help me write,” smarter tab suggestions, page summarisation, and scam detection — all running locally, with no data leaving the machine. The engineering work Google has done to make a capable model fit inside a browser and run efficiently on consumer hardware deserves credit.

None of that changes the fact that Google decided your hard drive is its storage unit.

Chrome downloads the model automatically for devices that meet minimum hardware requirements. There is no prompt, no settings page toggle, no “would you like to enable on-device AI?” The model arrives silently. If you delete the folder, Chrome often re-downloads it. The only way to stop it is to visit chrome://flags, disable the entries for the Optimization Guide on-Device Model and the Prompt API, restart the browser, and manually delete the folder.

That is not consent. That is an opt-out buried behind a developer flags page that most users will never find.

For enterprise IT teams, this creates a compliance headache. A 4 gigabyte file that appeared on managed devices without approval. Data processing that runs locally is one thing — the GDPR implications of silent software behaviour on corporate machines are another. System administrators who pride themselves on knowing what runs on their endpoints will find a piece of vendor software they did not authorise, consuming disk space and bandwidth.

The scale makes everything worse

The technical details are striking, but the scale is what turns this from an annoying quirk into a systemic issue. Chrome has approximately 1 billion active users. Even if only half of them meet the hardware requirements for Gemini Nano, that is 500 million installations of a 4 gigabyte model.

Five hundred million times 4 gigabytes equals 2,000 terabytes of data pushed across the internet. Two petabytes. Each download happens once, but at that scale, the energy consumption and carbon emissions from data transfer are significant. We are not going to argue about exact figures — estimates vary wildly depending on how you model network infrastructure efficiency — but the order of magnitude is thousands of tonnes of CO₂ equivalent. For a feature users were never explicitly told existed.

And the model is not even a serious one. Gemini Nano is a small, constrained model designed for lightweight tasks. It is impressive engineering, certainly, but it is not the kind of model that justifies a silent multi-petabyte data push. If Google had wanted to be transparent, a notification bar, a settings toggle, or even a one-time consent dialog would have been trivial to implement.

What this tells you about cloud AI vendors

This is a window into how cloud-first AI companies think about on-device intelligence. The model runs locally, which is good for latency and privacy — but the deployment model is still cloud-adjacent. Google controls the model, controls the update cycle, controls when it appears on your machine, and controls the flags that turn it off. You do not.

That is the opposite of what on-device AI should look like.

The entire reason open-weight models matter — and the gap between cloud and local models has closed to the point where it is no longer a compromise — is because they shift control to the person who runs them. You download the model when you decide to, on hardware you own, and run it how you want. You can swap it, replace it, inspect it, or delete it. The model is a tool you control, not a feature a vendor decides you need.

This is exactly what Capability Sovereignty is about. Not just Data Sovereignty — who controls your information — but Capability Sovereignty: who controls your intelligence. When Google downloads a model to your machine without asking, it is asserting that the capability belongs to them, and you are merely the endpoint where it runs.

The right way to do on-device AI

On-premises AI, done properly, looks nothing like what Chrome is doing — and UK enterprises are quietly moving in this direction for exactly this reason. The model is deployed with full transparency. The organisation that runs it knows exactly what weights are on the hardware, why they are there, and who can change them. The deployment is auditable, contained, and replaceable — and the same architectural principles that protect against model backdoors apply here: control the environment, not just the model.

We build deployments where the model runs inside a controlled environment with no ability to download anything from the internet. If a new model needs to be installed, it goes through a review process, arrives via a controlled channel, and is tested before it touches production. The people who use the system know what model is serving their queries. They can ask for it to be swapped out. Nobody else is deciding for them.

This is not a theoretical ideal. It is the architecture we deploy for clients who need to meet regulatory requirements — SRA Principle 6, GDPR, NHS DSPT, FCA TechCom — and who understand that security is not a feature you toggle, it is a property you build into the system.

What you can do

If you use Chrome and want to remove the model, visit chrome://flags and search for “optimisation guide machine learning model.” Disable it, restart Chrome, and manually delete the OptGuideOnDeviceModel folder from your Chrome user data directory. On Windows, that is %LOCALAPPDATA%\Google\Chrome\User Data\OptGuideOnDeviceModel. On macOS, it lives inside ~/Library/Application Support/Google/Chrome/.

The model will not return if you keep the flag disabled. The feature loss is real — you will lose the “Help me write” suggestions and some of the smarter tab features — but those are features you never explicitly signed up for in the first place.

For organisations, the conversation is broader. If your IT team does not have full visibility over what models run on your endpoints, you have a governance problem. Cloud-first AI vendors will continue to push features onto managed devices with minimal notification, because their business model depends on keeping users inside their ecosystem. The only real fix is architectural: running AI workloads on systems you control, with models you have chosen, in environments you can audit.

That is not a radical idea. It is just what responsible AI deployment looks like.
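For the endpoint-visibility point above, an added example (not from the original article, and not Google's or JD Fortress AI's code): a Python inventory of the OptGuideOnDeviceModel folder under the Windows and macOS user data paths given earlier, reporting size and SHA-256 per file. The `approved_hashes` allow-list and all function names are assumptions made for illustration.

```python
import hashlib
import os
from pathlib import Path

MODEL_DIR = "OptGuideOnDeviceModel"  # folder name given in the article

def default_user_data_dirs():
    """Chrome user data locations the article names (macOS, Windows)."""
    dirs = [Path.home() / "Library/Application Support/Google/Chrome"]
    if os.environ.get("LOCALAPPDATA"):
        dirs.append(Path(os.environ["LOCALAPPDATA"]) / "Google/Chrome/User Data")
    return dirs

def sha256_file(path, chunk=1 << 20):
    """Stream the hash so a multi-gigabyte weights file never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit(user_data_dirs, approved_hashes=frozenset()):
    """One record per file found under each OptGuideOnDeviceModel folder.
    approved_hashes is a hypothetical allow-list of reviewed SHA-256 digests."""
    findings = []
    for root in user_data_dirs:
        model_dir = Path(root) / MODEL_DIR
        if not model_dir.is_dir():
            continue  # model not present under this user data root
        for p in sorted(model_dir.rglob("*")):
            if p.is_file() and not p.is_symlink():
                digest = sha256_file(p)
                findings.append({"path": str(p), "bytes": p.stat().st_size,
                                 "sha256": digest,
                                 "approved": digest in approved_hashes})
    return findings

def total_bytes(findings):
    return sum(f["bytes"] for f in findings)

if __name__ == "__main__":
    results = audit(default_user_data_dirs())
    for f in results:
        print(f"{f['bytes']:>14,}  {f['sha256'][:16]}  approved={f['approved']}  {f['path']}")
    print(f"total: {total_bytes(results) / 2**30:.2f} GiB in {len(results)} file(s)")
```

Run per user account on a managed device; files reported with `approved=False` are ones that did not arrive through a reviewed channel.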


JD Fortress AI builds secure, on-premises AI infrastructure for UK businesses in regulated sectors. If you are looking at deploying AI and want full visibility over what models run on your hardware — and why — get in touch for a confidential, no-pitch conversation.
