A disposable vape contains a 24 MHz CPU, 24 KB of storage, and 3 KB of RAM. An embedded engineer recently demonstrated that this is enough to run network protocols, serve web pages, maintain counters, and expose APIs. The security implications are not limited to vapes. They generalize to every microcontroller-bearing device that organizations treat as a non-computer—sensors, badges, peripherals, consumer gadgets, and any hardware with hidden or under-documented compute. This paper presents five artifacts for governing latent compute in AI-era environments: a governance principle (Scarcity-Forged Compute Awareness), a threat-modeling pattern (Hidden Compute Node), a case study demonstrating the failure chain from trivial device to covert infrastructure, a teaching example for AI-coding governance, and a formal control family (Latent Compute and Embedded Surfaces, LCES) with five invariants, five required controls, and five failure signatures. The governing insight is architectural: if it has a CPU, it is part of the execution substrate and must be governed as such.
Narnaiezzsshaa Truong (Sat,) studied this question.