Where do frontier AI models actually keep their data?
Everyone argues about what the models can do. Almost nobody asks the plainer question underneath: where are the bytes, and who is holding them? The answer runs through petabyte corpora nobody outside the lab has seen, terabyte weight files, chat logs that courts can order preserved, and a small number of very large buildings that towns are now voting to keep out.
Four piles of data, not one
"AI data" gets used as if it were a single thing. It is not. A frontier system touches at least four categories, each with a different size, a different owner, and a very different risk profile when it goes missing or gets copied.
- The training corpus. The raw material. Petabyte scale, private, never published.
- The weights and checkpoints. The model itself. Hundreds of gigabytes, occasionally terabytes.
- The inference trail. Prompts, outputs, context windows, logs. Small per item, enormous in aggregate, and legally interesting.
- The retrieval layer. The private documents enterprises point the model at, which is where the sovereignty argument really begins.
The training corpus: petabytes you will never see
A pre-training run starts with a crawl at petabyte scale, then passes it through an enormous filtering and deduplication pipeline to arrive at a corpus measured in trillions of tokens. Llama 3.1 was trained on roughly 15 trillion tokens, and the current generation of frontier models is reported to use comparable or larger corpora. The bottleneck of the 2024 to 2026 model generation has not been raw compute so much as data: how much high-quality text exists at all, how to source it without exhausting the public reserve, and how to verify its quality at scale.
Physically, that corpus lives in high-throughput object and parallel file storage inside the lab's own cluster or its cloud provider's. These are not exotic systems, just very large ones: Google Cloud's managed Lustre offering, for instance, now scales to 80 petabytes per deployment.
What matters for our purposes is not the plumbing. It is that nobody outside the organization can inspect it. When a model is accused of memorizing a newspaper archive or a codebase, the corpus that would settle the question is a private asset held by the accused party. There is no independent copy, no fixed hash anyone published in advance, no way for a third party to check that what is being described in a compliance document is what actually went into the run.
The weights: smaller than you would guess
The model is the compressed residue of all that data, and it is comparatively tiny. Meta's Llama 3.1 405B, one of the largest openly released models, occupies roughly 750 GB on disk in its released precision and around 2 TB at full FP32 precision. Quantized down, it fits in a few hundred gigabytes.
Think about that ratio. The thing everyone wants to govern, audit and secure, the weights, is small enough to fit on a few consumer drives. The thing that determines what the weights learned, the corpus, is thousands of times larger and effectively unauditable. Governance attaches itself to the small artifact because the large one is out of reach.
For closed frontier models, the weights never leave the lab's infrastructure at all. They are the crown jewels, replicated across the training cluster and the inference fleet, and they exist as a single organization's asset in a single organization's buildings.
The inference trail: your prompts are durable
This is the pile most people underestimate, because the interface implies impermanence. You type, you read, you close the tab, maybe you press delete.
In May 2025, in the copyright litigation brought by The New York Times and other publishers, a federal court ordered OpenAI to preserve ChatGPT output logs, including conversations that users believed they had permanently deleted under the standard thirty-day policy. In January 2026, the Southern District of New York upheld discovery orders requiring the company to produce a sample of 20 million de-identified chat logs. Enterprise and zero-data-retention API customers sat on a different footing. Everyone else did not.
You do not have to take a position on the underlying lawsuit to notice the structural point. A retention policy is a promise made by a company about data that company physically holds. A court, a regulator, an acquirer, or a breach can override that promise, and the user finds out afterwards. Commentators also flagged the obvious tension with the right to erasure under Article 17 of the GDPR, which is the kind of collision that happens when custody and policy live in different jurisdictions.
Why it all sits in a few very large buildings
Storage of this kind concentrates, because the compute it feeds concentrates. And the compute concentrates because of how it is being paid for.
In its Annual Economic Report published on 28 June 2026, the Bank for International Settlements, the institution central banks bank with, warned that the AI investment boom has become a financial stability concern. The five largest hyperscalers are set to spend more than a trillion dollars on AI-related capital expenditure across 2025 and 2026, commitments that outpace their earnings and free cash flow, pushing some toward debt issuance. The BIS flagged three things in particular: financing structures that move leverage off the balance sheet, where it does not disappear so much as become harder to see; circular arrangements in which hyperscalers take equity stakes in labs that then commit to buying compute; and the growth of private credit, which originated more than $40 billion in loans to AI-related companies in 2025 alone, a fivefold jump, in a market with far less disclosure than public bonds. The report compares the episode to canal mania and the dotcom build-out, both of which ended with an investment reversal.
That is the financial layer. There is also a physical one, and it is where the abstraction becomes a neighbor.
The buildings are losing their welcome
Data centers used to be invisible infrastructure. In 2026 they are a ballot issue. By the end of June 2026, more than one hundred United States municipalities had imposed local moratoriums on new data centers, with a handful of permanent bans. Denver's city council approved a one-year pause. Monterey Park voters in California approved an outright ban with 86.3% of the vote. San Marcos became the first city in Texas to effectively ban new data centers through its zoning code, on a four to three council vote. A Gallup poll in March 2026 found roughly seven in ten Americans would oppose the construction of an AI data center near them, and industry trackers counted at least 75 projects worth a cumulative $130 billion delayed or blocked by local opposition in the first quarter of 2026 alone.
Reasonable people disagree about whether that opposition is good policy. Critics note that moratoriums push investment elsewhere, and at least one county rescinded its pause after being sued by a developer. Supporters point to water, electricity prices and land use. Either way, the design implication is the same and it is not ideological: an architecture whose unit of expansion is a 460,000 square foot building has a permitting problem that an architecture made of thousands of ordinary machines does not.
Regulators are asking where the data came from
The other pressure is documentary. Article 53(1)(d) of the EU AI Act requires providers of general-purpose AI models to publish a "sufficiently detailed summary" of the content used to train the model, following a mandatory template the European Commission published on 24 July 2025. The template asks for the main data source categories: public datasets, licensed data, crawled and scraped content, user data, synthetic data. The obligation applied to new models from 2 August 2025, the AI Office gains supervisory and enforcement powers from 2 August 2026, existing models have until 2 August 2027, and summaries must be refreshed at least every six months.
Read that alongside the first section of this article and the gap is obvious. The law asks a provider to describe a corpus that only the provider can see, in a document the provider writes, about data the provider can modify. Every part of that chain rests on the same word: trust. Nothing in the current stack lets an auditor, a copyright holder or a downstream deployer verify that the described corpus is the corpus, that a checkpoint is the checkpoint, or that a log has not been quietly rewritten.
What decentralized storage does, and what it does not
Here is where we have to be careful, because this is the part of the argument that usually gets oversold. Decentralized storage networks do not train models. They will not host a hot training cluster, they do not compete with a GPU fabric, and no serious operator claims otherwise. Nothing about spreading bytes across independent machines makes a pre-training run cheaper.
What they change is custody and verifiability of the artifacts that surround a model. That is a narrower claim, and a defensible one:
- Filecoin makes providers repeatedly prove they still hold your bytes, through Proof of Replication and Proof of Spacetime. Reported network capacity is on the order of 7.6 exbibytes raw, with roughly 2.1 exbibytes actually stored and utilization around 31%. It is the natural home for large cold datasets that must be provably retained.
- Arweave is designed for permanence: pay once, and an endowment funds replication indefinitely, with miners rewarded for proving fast access to random historical chunks. Total stored data was reported at roughly 347 tebibytes in early 2026. It is the reference choice for provenance records that must outlive their author.
- Walrus targets hot blob storage, applying erasure coding across nodes with on-chain certification on Sui, which is closer to what a live application actually needs.
Put a training-data manifest, a dataset snapshot hash, a model checkpoint, or an immutable audit log on infrastructure like that, and the compliance summary the EU AI Act asks for stops being a claim and starts being a receipt anyone can check. The bytes are held by many independent operators who are each cryptographically obliged to prove they still have them. No single company can silently revise history, and no single court order lands on a single custodian.
The comparison, honestly
| Data pile | Typical size | Where it lives today | Who can verify it | What a decentralized substrate changes |
|---|---|---|---|---|
| Training corpus | Petabytes | Private object storage in the lab or its cloud | Nobody outside | Publishable hashes and snapshots that outsiders can check against claims |
| Weights and checkpoints | ~0.75 to 2 TB | Training and inference clusters, closed for frontier models | Only if openly released | Provable retention and integrity of the exact artifact that was audited |
| Inference logs | Enormous in aggregate | Provider infrastructure, retention set by policy and courts | Nobody outside | Tamper-evident logs; custody split from the party being audited |
| Enterprise retrieval data | Varies | Vendor cloud, or the customer's own systems | Contractually, not cryptographically | Custody stays with the data owner rather than the model vendor |
| Provenance records | Small | PDFs and web pages on a company server | Trust the publisher | Permanent, addressable, independently retrievable receipts |
The gap still open: storage a program can actually use
There is one more limitation shared by every option above, and it is the one we spend our days on. Data on Arweave, IPFS or Filecoin is invisible to on-chain logic. A smart contract cannot read the contents of a stored file during a transaction, branch on it, or update it. Applications glue the pieces together off-chain, which works, and which also means the data layer sits outside the trust boundary that made the contract worth writing.
That is the specific bet Xandeum makes: a storage layer designed to be read and written directly from smart contracts, blockchain-agnostic by design and integrated first with Solana. If AI agents are going to transact, hold budgets, and act on data with economic consequences, the data they act on eventually needs to live somewhere a contract can verify rather than somewhere an API promises.
We should state the stage plainly, because we monitor the network live and have no interest in pretending. Xandeum's mainnet today runs on the order of 110 storage nodes with roughly 355 TB of committed capacity, of which well under 1% is used. The supply side is real. The demand side, meaning applications actually paying to store data, is early. Anyone can watch that used-storage number move on our live dashboard, and that number, not anyone's roadmap, is the honest measure of whether this thesis is working.
So what should you actually take away?
- The corpus is the unaudited part. Debates about model behavior keep hitting a wall because the evidence is a private asset. Verifiable snapshots would move that wall.
- Your prompts are records. Retention policies describe intent, not capability. Whoever holds the bytes decides, and courts can decide for them.
- Concentration is a design choice with a bill attached. The BIS is worried about how the buildings are financed; a hundred municipalities are worried about the buildings. Both pressures point the same direction: distribute what can be distributed.
- Decentralized storage is a custody and verifiability tool, not an AI accelerator. Anyone selling it as the latter is selling something else.
- Watch usage, not narrative. That applies to us too. Storage networks are judged by bytes actually stored and paid for, which is exactly why we publish ours.
FAQ
Where is AI training data stored?
In private object storage inside the labs' own data centers or their cloud providers'. A pre-training run filters a petabyte-scale crawl down to trillions of tokens (Llama 3.1 used roughly 15 trillion). None of that raw corpus is published, so outsiders cannot inspect or verify what went into a model.
How big is a frontier model's weights file?
Smaller than most people expect. Llama 3.1 405B is roughly 750 GB on disk in its released precision, about 2 TB at full precision, and a few hundred gigabytes quantized. The corpus behind it is thousands of times larger.
Do AI companies keep your chat logs?
Often longer than the published policy implies. A federal court ordered OpenAI in May 2025 to preserve ChatGPT logs, including deleted conversations, and in January 2026 the Southern District of New York upheld orders to produce a sample of 20 million de-identified logs. Enterprise and zero-data-retention customers were treated differently.
Why are AI data centers controversial?
Physical footprint and financing. More than a hundred US municipalities had moratoriums by mid-2026 and Gallup found roughly seven in ten Americans oppose one being built nearby. Separately, the BIS warned in June 2026 that debt-financed AI capex has become a financial stability risk.
Does decentralized storage train AI models?
No, and nobody credible claims it does. It changes custody and verifiability of the artifacts around a model: datasets, checkpoints, provenance and audit logs held across independent operators who must keep proving they still hold them.
What does the EU AI Act require about training data?
Article 53(1)(d) requires a sufficiently detailed public summary of training content, using the Commission's template from 24 July 2025. It applied to new models from 2 August 2025, AI Office enforcement powers begin 2 August 2026, existing models have until 2 August 2027, and summaries refresh at least every six months.
Disclosure: Pulsar Network operates 12 Xandeum pNodes and accepts XAND delegation, so we benefit if Xandeum succeeds. That is why the Xandeum section above states its early stage with live numbers instead of hiding them. Figures cited from third parties are point-in-time and linked above. Not financial advice.
