Executive Summary
The US government has escalated AI compute governance from paper-based export licensing to active hardware tracking and model-level access controls, transforming what began as chip export restrictions in 2022 into a layered regime that now reaches the AI software stack itself. The Bureau of Industry and Security's January 2026 rule, the proposed Chip Security Act, the June 2026 suspension of Anthropic's Mythos and Fable models, and the extension of controls to OpenAI's GPT-5.6 represent a four-year ascent up the technology stack. The core tension is geopolitical: tighter controls preserve a US compute lead, but enforcement gaps, cloud-access loopholes, and Southeast Asian transshipment networks are systematically eroding that lead in ways that paper compliance frameworks cannot close. Both economic and security dimensions of this picture require attention from any company whose roadmap touches frontier AI infrastructure.
Key Findings
- The Chip Security Act marks a conceptual break from licensing-based controls toward hardware-embedded tracking.
- Paper-based export controls are being systematically circumvented through shell companies, false certifications, and Southeast Asian transshipment, and US prosecutors have confirmed it.
- The US extended export controls from chips to AI models in June 2026, using existing Export Administration Regulations authority rather than new legislation, setting a precedent that lowers the cost of future model-level restrictions.
- Cloud-based access to restricted compute represents the most durable and least-governed circumvention vector currently active.
- International governance is fragmenting rather than converging, giving Chinese AI developers multiple jurisdictions from which to access compute not covered by US controls.
The Hardware Stack: What Controls Actually Target
US export controls are structured around performance thresholds measured in Total Processing Performance (TPP). The January 15, 2026 BIS final rule revised the review posture for chips with TPP below 21,000 and DRAM bandwidth under 6,500 GB/s, including Nvidia's H200 and AMD's MI325X, from a blanket presumption of denial to case-by-case review. Mayer Brown's regulatory analysis notes this requires exporters to submit mandatory supply, security, and testing certifications, identify very low confidence end users, and subject chips to US-based testing before shipment. The latter condition, as ECCN Finder's analysis documents, "closes a previous loophole" by preventing circumvention through third-country testing facilities.
The architecture of the controls is designed to be self-reinforcing at the supply chain layer: chips above the performance threshold remain under presumption of denial, reexport licenses remain restricted, and the January 2026 rule explicitly retains denial if any party to a transaction has a parent headquartered in a Country Group D:5 nation. Morgan Lewis documented that "a company based in China cannot evade the rules by routing an order through a subsidiary in a third country," addressing a major prior gap. The interplay between supply chain controls and enforcement creates cascading pressure on intermediary jurisdictions.
Trajectory, not just level: The enforcement intensity is accelerating faster than the rule changes themselves suggest. Congress approved a 23 percent budget increase for BIS in Fiscal Year 2026, with funds specifically earmarked for semiconductor enforcement. On February 12, 2026, Applied Materials was fined $252 million for illegal equipment exports to China, the second-largest penalty in BIS history. DOJ and BIS have explicitly extended investigative reach to include intermediaries, financial institutions, and data center operators, not just the original manufacturers.
The Enforcement Gap: Where Controls Break Down
Three documented evasion architectures are current as of mid-2026. First, transshipment through Southeast Asian intermediaries: the Super Micro case involved diverting Nvidia servers through Taiwan and Malaysia using dummy equipment to pass audits. East Asia Forum analysis notes that "jurisdictions like Taiwan, Singapore and Malaysia have historically lacked the enforcement infrastructure or political will to rigorously monitor re-exports." Second, false-end-user certification: the March 2026 prosecutions documented forged compliance declarations signed by US citizens. Third, and most structurally significant, cloud-based very low confidence access: Chinese entities can use AI compute hosted in data centers outside China via IaaS platforms without triggering hardware export controls, because no chip physically crosses a border.
The third vector is the governance gap with the largest long-term footprint. BIS has highlighted IaaS diversion indicators in guidance but has not mandated the compute-level KYC that the Governance AI Institute proposed in its analysis of frontier AI oversight. That proposal would require compute providers to implement customer verification thresholds tied to the volume of compute purchased, analogous to how banks identify and report unusual financial transactions. Morrison Foerster's February 2026 compliance analysis notes that BIS has "made its diligence expectations clear through a policy statement" on AI model training in specific countries, but that expectation is not yet a binding legal obligation for data center operators.
Coalition fracture point: The US controls are not coordinated with allied export regimes at the level necessary to close transshipment gaps. The MATCH Act, advancing through the House Foreign Affairs Committee, seeks to align AI hardware controls multilaterally, but as of the May 7, 2026 markup, had not been passed into law. Meanwhile, the EU's compute governance framework operates on a separate risk-classification logic, focused on model-level systemic risk rather than compute-hardware origin. These divergent national approaches create arbitrage windows that are being actively exploited.
The Model-Level Extension: A New Governance Frontier
The June 12, 2026 action against Anthropic was the first time the US government directly controlled access to specific AI models rather than the hardware that runs them. ComplianceHub's analysis traces the legal path: the EAR's existing treatment of software and technology, its end-use and end-user orientation from 2022, and the deemed-export rule were already applicable. The government "pointed an existing tool at a new target." The Verge reported that the resulting negotiation impasse created a power vacuum in the global AI market, prompting several countries to explore non-American AI alternatives, a second-order effect that weighs against overly broad or prolonged model restrictions.
This spills directly into economic risk for US AI companies. Axios reported in late June 2026 that the pro-AI movement is fracturing over whether national security concerns outweigh the need to keep US companies ahead of Chinese rivals. Box CEO Aaron Levie noted that competitive pressure from inter-lab model leapfrogging has driven AI's rapid progress, and that a government-imposed speed limit on US labs while Chinese rivals operate freely represents an asymmetric constraint. The US restrictions on Anthropic were lifted July 1, 2026, after Anthropic committed, according to Commerce Secretary Lutnick, to proactively identifying and mitigating security risks, in exchange for restored access.
The UN Independent International Scientific Panel on AI, whose preliminary report was released July 1, 2026, warned that "AI capabilities are outpacing both scientific understanding and governments' ability to adapt," and that "governance remains fragmented, with many countries lacking the capacity to assess or shape advanced AI systems." Co-chair Yoshua Bengio stated that current tools cannot guarantee safe behavior as capabilities increase.
Key Assumptions
| Assumption | Supporting Evidence | Falsifying Evidence | Impact if Wrong |
|---|---|---|---|
| Hardware compute remains the binding constraint on frontier AI development in China | AEI's Fedasiuk testimony that China "cannot escape or innovate its way out of the AI hardware bottleneck"; DOJ chip smuggling indictments confirm demand pressure | DeepSeek's model-architecture efficiency gains suggest algorithmic substitution may partially offset compute disadvantages; Reuters smuggling reports suggest China is already accessing Blackwells | If algorithmic efficiency closes the gap, export controls become less decisive and the strategic rationale for their costs weakens |
| Existing EAR authority is sufficient for model-level controls without new legislation | BIS acted on Anthropic in days using existing tools; ComplianceHub documents no new statutory authority was needed | Congressional debate over AI OVERWATCH Act suggests legislators are uncertain whether executive authority is sufficient or durable | If courts limit executive model-restriction authority, enforcement of future model controls would require slower legislative action |
| Southeast Asian transshipment is the dominant physical evasion vector | Two March 2026 federal prosecutions document Malaysia and Taiwan routing; East Asia Forum analysis confirms enforcement gaps in these jurisdictions | Cloud-based very low confidence access via IaaS is already described as an easier circumvention path; future cases may involve component rather than finished-hardware smuggling | If cloud access becomes the primary vector, hardware-focused controls provide diminishing returns and the governance gap widens faster |
| Bilateral US-China trade negotiations will not override export control enforcement | Congressional bipartisan pressure for controls; East Asia Forum notes Commerce "cannot afford to appear passive"; AEI quotes Craig Singleton warning against transactional controls | East Asia Forum also notes the White House has approved higher-tier chips to China while downplaying controls in trade talks; December 2025 H200 approval followed Trump-Xi communication | If trade negotiations produce sustained waivers, the strategic compute lead erodes faster than the public enforcement record suggests |
Counterarguments
-
Export controls may be strategically counterproductive if they accelerate non-American AI alternatives without slowing China. The Verge reported that the Anthropic suspension prompted multiple countries to explore non-US AI stacks. Kevin Bankston of the Center for Democracy and Technology called government access restrictions "one of the most important changes in the AI landscape in the past four years." If sustained model restrictions drive allied nations to build or adopt Chinese or domestically-produced AI, the US loses the network effects that sustain its competitive position without meaningfully constraining Chinese capability. The evidence for this pathway is early but observable.
-
The Chip Security Act's embedded-tracking approach may be unenforceable at scale and subject to competitive distortion. The Bloomsbury Institute notes that the Act is "moderate-to-high confidence to face industry resistance due to the cost and complexity of embedding location verification into chips." Advanced Micro Devices has disclosed over $2 million in lobbying specifically referencing the Act. If embedded tracking raises the cost of US chips relative to less-controlled alternatives from lower-volume fabricators, buyers with flexibility may shift sourcing in ways that reduce US market share without improving tracking coverage.
-
Cloud compute governance remains a genuine policy gap that current frameworks do not address, and there is no consensus on whether binding KYC obligations for compute providers are legally or technically feasible. The Governance AI Institute's proposal requires dynamic thresholds, government-capacity building, international alignment, and industry co-design, none of which is in place. The InfoQ cloud governance analysis notes that "static approval queues create bottlenecks that developers inevitably circumvent through shadow IT," a pattern directly applicable to enterprise researchers seeking compute access. If the IaaS gap is not closed, the entire hardware-control architecture becomes partially circumventable without physically moving a single chip.
Indicators To Watch
| Indicator | Current State | Warning Threshold | Time Horizon |
|---|---|---|---|
| Chip Security Act legislative progress | Approved by House Foreign Affairs Committee March 26, 2026; awaiting full House vote | Floor vote scheduled, Senate companion bill introduced | 3-6 months |
| MATCH Act allied coordination progress | Advanced in committee May 2026; no allied government signatories yet | Formal multilateral agreement signed with Japan, Netherlands, South Korea | 6-12 months |
| IaaS-based compute diversion enforcement actions | BIS guidance issued; no binding rule for compute providers | DOJ or BIS enforcement action naming cloud provider as intermediary | 6-12 months |
| Model-level restriction scope expansion | Anthropic restrictions lifted July 1; GPT-5.6 under client-by-client review | Additional labs or model versions subjected to per-client government approval | 1-3 months |
| China domestic chip production (HBM and logic) | Compute-constrained; HBM and advanced packaging gaps acknowledged by AEI | Chinese commercial models achieving frontier performance without documented smuggled hardware | 12-24 months |
| EU AI Act compute threshold enforcement | Full enforcement for high-risk systems effective August 2026 | First enforcement action against a non-EU company's compute-intensive model under the FLOP threshold rule | 3-9 months |
Decision Relevance
Scenario A (~55%): Incremental tightening, persistent evasion, hardware controls hold but cloud gap widens. US chip controls remain in place and enforcement intensifies at the hardware layer through higher BIS penalties and allied coordination pressure on Singapore, Malaysia, and Taiwan. The Chip Security Act passes in some form. However, the IaaS loophole remains ungoverned, and Chinese entities maintain partial compute access through cloud infrastructure. Model-level restrictions are applied selectively. If your organization operates data centers or cloud infrastructure with international customers, begin now to document compute customer identity and end-use; BIS's published red flags signal where enforcement attention will move next. If you are an AI developer with international deployment plans, treat any model above frontier performance thresholds as potentially subject to case-by-case government review before public release; build that timeline buffer into product roadmaps.
Scenario B (~30%): Legislative escalation, embedded tracking becomes mandatory, allied coordination tightens. The Chip Security Act passes with the full tracking mandate, MATCH Act produces binding allied coordination, and Congress gains review authority over export licenses via the AI OVERWATCH Act. If you are a semiconductor manufacturer or distributor, the embedded-tracking requirement will materially increase per-unit compliance costs; assess capital exposure and begin engaging on implementation standards before final rulemaking. If you advise on technology supply chain policy, the Wassenaar Arrangement model proposed by academic governance researchers represents the multilateral precedent most moderate-to-high confidence to be cited in legislative design.
Scenario C (~15%): Trade-driven decompression, enforcement softens, compute access broadens. The White House, prioritizing trade talks with Beijing, approves expanded H200 and potentially Blackwell exports under tariff revenue logic, Congress fails to override executive flexibility, and model-level restrictions are not renewed after the Anthropic precedent. If you are evaluating market entry for AI products in China or with Chinese partners, this scenario reopens commercial pathways that are currently restricted, but the pace of Congressional backlash documented by East Asia Forum suggests any decompression is moderate-to-high confidence to trigger rapid legislative countermeasures, making multi-year planning on this basis high-risk.
Analytical Limitations
- The full scope of IaaS-based compute access by restricted-country entities is not publicly documented; if it is materially larger than current enforcement cases suggest, hardware export controls provide less strategic value than current US policy assumes.
- Classified benchmarking processes under the Trump administration's AI executive order are not publicly disclosed, meaning the thresholds at which models trigger government review are unknown to the companies being regulated; if those thresholds shift frequently, compliance planning becomes structurally difficult.
- Evidence on China's actual training compute for recent models relies partly on published research and leaked intelligence; if DeepSeek and similar labs have developed algorithmic efficiencies that reduce compute requirements faster than the AEI timeline projects, the strategic importance of the hardware bottleneck decreases.
- The UN Independent International Scientific Panel's July 1, 2026 preliminary report notes that "existing safety tools often depend on limited testing data disclosed by companies," meaning the evidentiary base for both safety and enforcement decisions remains largely self-reported by the regulated entities.
- Potential anchoring bias toward hardware as the primary control vector; the analysis may underweight the speed at which model-level and software-level restrictions become the dominant governance mechanism, given that the June 2026 actions moved faster than the four-year hardware control buildup.
Sources & Evidence Base
- Ungraded
- UngradedIntroduction to Compute Governance - by Sarah
blog.bluedot.org
- DCompute Governance Literature Review
lesswrong.com
- DAnthropic Tightens Controls Over Model Access - Let's Data Science
letsdatascience.com
- UngradedComputing Power and the Governance of AI | GovAI
governance.ai