Every way to use AI — from the big closed providers to your own fully-local node — sits somewhere between maximum convenience and maximum privacy. Explore the interactive spectrum below — start where you are today, then follow it toward sovereignty (and scroll for the full rationale behind every score).
Why each number is what it is — so the scoring is defensible, not arbitrary. Starting at option 1 (where most people are today) and ending at fully sovereign. Jump to any option:
Big AI — the closed, commercial frontier providers: OpenAI/ChatGPT, Anthropic/Claude, Google/Gemini, Microsoft Copilot. Hosted on their own clouds; you hold an account directly with them.
Frontier model — a state-of-the-art proprietary model that only runs on its vendor's infrastructure and therefore cannot be hardware-attested by anyone else.
Morpheus API Gateway (“Gateway”) — the hosted, OpenAI-compatible access product at app.mor.org. Email + API key, Stripe/crypto billing, and a managed (centralized) consumer node. A separate product from running your own node.
C-Node (Consumer Node) — your own local instance of the Morpheus-Lumerin-Node proxy-router. Wallet-only identity, on-chain routing, no intermediary touching your prompts.
P-Node (Provider Node) — the operator side that actually serves inference on the network. A frontier model “on Morpheus” is always fronted by a provider node.
TEE — Trusted Execution Environment: a hardware enclave (Intel TDX CPU + NVIDIA GPU confidential computing) that cryptographically attests what is running, so privacy is provable rather than promised.
Fully local — running an open-weight model entirely on your own device; nothing touches the network. Onboarding helpers lowering this friction: nodeneo.ai (local node + chat), installopenclaw.xyz (easy non-crypto OpenClaw VM), morpheusskill.com.
Convenience (trade-off) — how easy, cheap, and low-friction it is to get going; higher = easier. The only dimension that runs opposite to privacy — it's the price you pay for everything else on the list.
Anonymous — is your real-world identity unlinked from your usage?
Permissionless — can you participate without anyone's approval, with no one able to gate, revoke, or ban you?
Private — can your prompt content be read or retained — and is that prevented by proof or only by policy?
Decentralized — is there no single point of control or failure across both routing and inference?
Open Source — are the model weights and serving stack open and auditable (reducing hidden bias, censorship, and lock-in)?
Scores round to clean tens. 100 is reserved for “best-in-class / provable,” 0 for “structurally absent.” Each step's Private increment maps to removing one concrete risk.
Cost tracks the model you touch, not the access path: $$$ for any frontier model (even through the gateway), $$ for TEE-attested open models (the confidential-compute premium), and $ for standard open-weight inference.
The most polished consumer experience on earth — email, a card, and you're chatting in a mature app with mobile, voice, and a huge integration catalog. Zero technical setup. This is the benchmark for “easy.”
Your real identity is on file — email, usually a legal name, a payment card, and increasingly age verification. Effectively zero separation between you and your usage.
Access is gated by an account that can be denied, suspended, region-locked, or banned, and a card on file ties participation to a verified identity. Not quite zero only because signup is broadly available.
By default your prompts may be retained and used to improve models. You can opt out of training and request deletion, but the effort is on you, safety/abuse retention windows still apply, and content is subject to the vendor's policies and to legal / government data requests. One trusted party, no proof.
A single company controls the account, the routing, and the model. Textbook single point of control and failure.
Closed weights, closed serving stack. You cannot inspect the model for bias, censorship, or silent changes, and you're locked to one vendor.
Nearly as easy as Big AI — sign up at app.mor.org, get an API key, pay with Stripe or crypto, and a ready chat UI is available. A hair below 100 only because the surrounding app ecosystem is younger than the incumbents'.
The gateway holds an account (email + API key), but you can register with a burner email and pay in crypto, and the upstream frontier vendor never sees you — only the Morpheus provider node. Partial separation.
Open signup and crypto payment lower the barrier, but the gateway is a centralized operator that can revoke your key, and the upstream frontier model remains gatekept by its vendor.
Two potential loggers sit in the path — the gateway account and the frontier vendor — and the frontier vendor retains content by default. Better than a fully-attributed direct account, but the weakest privacy on the Morpheus side.
A centralized gateway in front of a single-vendor frontier model. No decentralization in either routing custody or inference.
The model is closed frontier. (The gateway code itself is open, but the inference you're buying is not.)
Same frictionless gateway onboarding as step 2 — URL, key, pay, chat.
Same gateway account posture as step 2 — burner email + crypto possible, but the operator holds an account.
Same gateway posture: revocable key, open signup. The provider pool behind it is permissionless, but your access still runs through one operator.
The frontier-vendor retention risk is gone (open weights served by a Morpheus provider), but the gateway remains an unattested central hop that could log. Policy, not proof — and even a TEE provider behind the gateway can't close the gateway's own gap.
Inference is spread across a decentralized provider pool, but everything funnels through one centralized gateway / C-Node. Half-decentralized.
Open-weight model, auditable stack — far less hidden-bias, censorship, and lock-in risk. Not 100 because the build isn't cryptographically attested.
Real friction appears here — you run your own Morpheus-Lumerin-Node and step into Web3: acquire and stake MOR. Onboarding helpers (morpheusskill.com, installopenclaw.xyz, nodeneo.ai) are steadily lowering this, but it's still meaningfully harder than a hosted signup. Same setup effort regardless of which model you target.
Wallet-only identity, no email, no signup, no intermediary on you. The frontier vendor sees only the Morpheus provider node as the requestor — never you.
You run your own node; no one can deny, gate, or revoke your access to the network.
No intermediary touches you, and attribution to a person is broken — traffic is your C-Node → Morpheus provider node → frontier vendor, so the vendor only ever sees the provider node. The residual is the frontier vendor's default content retention, but it can't be tied back to you. On par with the open-source operator case (self-identification in the prompt aside).
The inference still lands at a single frontier vendor — a real single point of failure — but a Morpheus provider fronts it over permissionless, on-chain routing, and any provider can choose to offer it. That decentralized routing earns real credit and puts it ahead of the centralized gateway-to-frontier path; the model endpoint just caps it at half.
Closed frontier model. Open client, closed brain.
Identical setup effort to step 4 — your own node plus the Web3 / MOR steps.
Wallet-only, no intermediary.
Your own node; no gatekeeper.
Only the provider operator could log, and they have no default-retention business, no corporate legal target, and they're one transient operator among many. It's trust, not proof — which is the only reason it isn't higher.
Fully peer-to-peer — on-chain routing to a decentralized pool of open-source providers, no central hop.
Open weights, auditable. Not 100 because the supply chain isn't cryptographically attested.
Same node + Web3 / MOR setup; you additionally choose a TEE-tagged provider/model — a minor extra step.
Wallet-only, no intermediary.
Your own node; no gatekeeper.
Privacy becomes physics, not policy. The backend runs in a hardware enclave (Intel TDX CPU + NVIDIA GPU confidential computing) and is re-attested on every prompt; the operator cannot read or retain content. * Network metadata (IP, timing, volume) remains observable; content, prompts, model, and wallet are encrypted inside the TEE.
Fully P2P routing to a decentralized pool of attested providers.
Open weights plus a cryptographically verifiable, cosign-signed, RTMR3-measured build. Fully auditable end to end.
The hardest and most expensive path — you supply the hardware, the model, and the expertise. Tools like nodeneo.ai (local node + chat) and installopenclaw.xyz (easy, non-crypto OpenClaw VM) are pushing this up, but it's still a builder's path bounded by your own budget and machine.
No account, no wallet, nothing leaves your device.
No one can stop you — there's no gatekeeper to ask.
Nothing leaves your machine — not even network metadata. The cleanest privacy on the chart, with no asterisk.
This dimension goes away. Running solo on one machine isn't “decentralized,” it's isolated — there's no network or marketplace to distribute across. It earns its privacy a different way: by never going online.
You run open weights you choose and inspect yourself.
The seven steps trace one axis — how you access inference that someone else runs. There’s a second pattern the chart only hints at: running an open model yourself, on hardware you rent or own. Here’s where the rest of the market lands — and why none of it needs a new dot.
AWS Bedrock, Azure OpenAI, Google Vertex, Together, Fireworks, Groq, and Replicate all mean “someone else runs the model, you call a REST API.” A closed model this way (Claude-on-Bedrock, Azure OpenAI) is structurally step 1–2; an open model this way is step 3. The one real difference: enterprise no-training contracts and region pinning lift the default Private score a notch — but it’s still policy, not proof, with account-KYC and a single operator. So they’re a footnote on the left rungs, not new categories.
Rent a GPU, bring an open-weight model, and run it yourself. Now you are the operator — no third-party inference API is logging your prompts — but the infrastructure host has hypervisor-level access and nothing is attested, so it’s trust, not proof (unless the box itself is a TEE). Scored on the same six dimensions:
| Self-host option | Conv | Anon | Perm | Private | Decentral | Open Src |
|---|---|---|---|---|---|---|
| S1 · Rent GPU, centralized cloud AWS · Lambda · RunPod |
||||||
| S2 · Rent GPU, decentralized market Akash · io.net (crypto-paid) |
||||||
| S3 · Rent confidential (TEE) compute Phala · Super Protocol · Secret-direct |
S3 is shown for the decentralized-confidential flavor. On a hyperscaler confidential VM (Azure / GCP), Private stays ~100 but Anonymous / Permissionless / Decentralized fall toward S1 levels — you keep provable privacy, lose the sovereignty. (Same network-metadata caveat as step 6.)
Private caps near 60 without a TEE. Self-hosting removes the API-layer logger, but the cloud host still has memory / disk access and is a legal target — only S3’s enclave makes it provable.
Open Source sits at ~90 across the board. Self-hosting implies open weights — closed models won’t hand you the weights to run.
The host choice swings everything else. A KYC hyperscaler tanks Anonymous / Permissionless / Decentralized; a crypto-paid decentralized market lifts them.
Why Morpheus exists. S3 proves that provable privacy is achievable DIY — but at brutal friction (Convenience ~20: confidential-VM provisioning, attestation wiring, GPU CC). Step 6 delivers the same guarantee with attested, permissionless, decentralized providers on tap — and self-operated attested providers are exactly Phase 4 on the roadmap.
The community keeps lowering the Web3 friction on steps 4–6:
Anonymity is not privacy. Being unidentifiable (Anonymous) is different from your content being unreadable (Private). Steps 4 and 5 are maximally anonymous yet only reach maximal privacy through proof (step 6) or isolation (step 7).
Frontier on Morpheus is always fronted by a provider node. Traffic is User → (Gateway →) provider node → frontier vendor, so the vendor sees the provider, not the person. Self-identifying in the prompt is the user's own responsibility.
Why open-source caps at 90 without TEE. Open weights are auditable, but only an attested build (step 6) or your own machine (step 7) makes the running stack fully verifiable rather than merely inspectable.
Decentralized measures the network, not the box. That's why fully-local is N/A, not 0 — it opts out of the network entirely rather than failing at it.