Introduction: Seventy-Two Crates at Kuala Lumpur

At approximately 4:30 in the afternoon on June 5, 2026, officers of the Royal Malaysian Customs Department’s KLIA Enforcement Division opened a warehouse inside the Free Commercial Zone of Kuala Lumpur International Airport and found seventy-two server units that were not supposed to exist there. The shipping paperwork described the cargo, blandly and falsely, as “computer components.” The reality inside the crates was RM52.9 million — nearly US$13 million — worth of servers containing advanced artificial intelligence chips, flown into the free trade zone and staged for re-export to another country in Asia, a movement that would have required a permit under Malaysia’s Strategic Trade Act 2010 that no one had sought and no one intended to seek [1][2][3]. KLIA Customs director Zulkifli Muhammad told reporters that the syndicate behind the shipment had deliberately used Malaysia as a neutral transit point so that the hardware could continue to its final destination “without facing any restrictions,” and that the servers had been declared as ordinary computer parts precisely to slip beneath the attention of authorities [1][2]. One individual was detained. The investigation, at the time of this writing, remains open.

Consider, for a moment, what those seventy-two crates actually represent. They are not merely contraband electronics. Each server inside them is a fragment of frontier computational capability — the raw industrial input from which modern artificial intelligence is manufactured. Their paperwork said one thing; their physical trajectory said another; their ultimate beneficiary said a third thing that no document in the shipment disclosed at all. The crates had a declared destination, a real destination, a nominal purchaser, a hidden purchaser, and — had they reached an operational data center — they would soon have had users, workloads, and revenue streams entirely invisible to every customs officer, export regulator, and compliance auditor along their route. The KLIA seizure is celebrated as an enforcement success, and it is one. But it is the kind of success that indicts the entire system that produced it: the shipment was caught because a physical inspection happened to intersect a physical lie. Had the crates cleared the free trade zone — as countless identical crates presumably have — every subsequent layer of control would have gone dark.

Sixteen years before those crates were opened, the global telecommunications industry confronted, and substantially solved, a structurally identical problem. In the summer of 2010, an iPhone purchased from an AT&T store in New York carried invisible but rigid boundaries. Carried across the street to a Verizon store, it simply would not function, because AT&T’s GSM radio hardware was physically incompatible with Verizon’s CDMA network. Mailed as a gift to a relative in Malaysia, the device remained carrier-locked; if it sat on an active installment plan, AT&T required the balance paid in full before issuing the digital unlock code that would let it register on a foreign network. And beneath all of these commercial and technical restrictions sat a single, unglamorous hardware feature that made the entire system of accountability possible: the International Mobile Equipment Identity number — the IMEI — a unique, effectively unalterable identifier burned into every handset. Whatever happened to the phone — resale, theft, export, jailbreak — its true identity, its financial obligations, and its network eligibility remained permanently verifiable, and a stolen or delinquent device could be blacklisted from legitimate networks worldwide.

The advanced AI accelerator market of 2026 possesses none of this baseline accountability, even though the asset in question is orders of magnitude more strategically consequential than any consumer handset ever was. An advanced accelerator can be purchased in the United States, installed in a data center in Europe, and leased through a cloud API to a user in Asia within milliseconds of coming online. There are no structural incompatibilities to stop this computational fluidity, no carrier locks, no network registration, no blacklist. A chip’s shipping destination no longer establishes its true jurisdiction — if it ever did.

This paper proposes that the technology ecosystem must retire the fiction that a shipping address equals regulatory jurisdiction and adopt, in its place, a framework of Silicon Domicile. Borrowing simultaneously from corporate law — where “domicile” identifies the jurisdiction whose law genuinely governs an entity, regardless of where it transacts — and from the telecom verification model of the IMEI era, Silicon Domicile identifies the exact physical location and true legal identity that genuinely control an advanced accelerator. That verification persists regardless of where the device was purchased, warehoused, installed, leased, remotely accessed, or incorporated into a cloud service. The framework rests on a Six-Factor Silicon Domicile Test — manufacturing and foundry origin, legal owner, beneficial controller, physical installation site, cloud tenant or remote user, and intended and actual workload — enforced through a provenance chain of attesting industry participants and anchored, ultimately, in the silicon itself.

The stakes of getting this architecture right — or of continuing to pretend it is unnecessary — are no longer confined to trade policy. Speaking at the opening of the first United Nations Global Dialogue on Artificial Intelligence Governance in Geneva on July 6, 2026, exactly one month after the KLIA raid, Secretary-General António Guterres warned the assembled delegations that private investment in AI infrastructure had approached half a trillion dollars in a single year while public capacity-building remained “a rounding error,” and framed the danger in terms that map directly onto the governance gap this paper addresses [39]:

“We cannot allow the digital divide to harden into an AI divide.” — António Guterres, Secretary-General of the United Nations [39]

An AI divide, a security gap, and a sovereignty gap — Guterres’s triad — are precisely what an ungoverned, untraceable global pool of accelerators produces: the powerful acquire compute without accountability, the excluded acquire it through smuggling syndicates, and no institution on Earth can say with confidence where the world’s most dangerous industrial capability actually resides. The pages that follow build the case for Silicon Domicile in six movements. Section 1 demonstrates why destination-based export controls have collapsed, both physically and digitally. Section 2 formalizes the separation of ownership, possession, operation, cloud access, and beneficial use, and constructs the Six-Factor Test upon that separation. Section 3 maps the provenance chain — NVIDIA, AMD, TSMC, Samsung, distributors, freight forwarders, neoclouds, and hyperscalers — whose participants must each attest to the factors they control. Section 4 confronts the jailbreak economy: the evasion, modification, and gray-market machinery that any enforcement architecture must survive. Section 5 specifies the technical enforcement layer and the international Silicon Domicile Registry. Section 6 takes the objections seriously — privacy, commercial secrecy, sovereignty, startup access, and the danger of building an excessively centralized surveillance system — and distills the framework into ten governing pillars. The conclusion returns to the question that the KLIA crates pose to every regulator on the planet: the strategic question is no longer “Where was the GPU shipped?” It is “Who ultimately commands its computation?”


Section 1: The Illusion of the Shipping Manifest

Traditional export controls operate on an assumption so deeply embedded that it is rarely stated aloud: that tracking an item to its physical delivery point secures its lifetime compliance. A license is evaluated, a destination is approved, a manifest is stamped, a crate clears customs — and the regulatory system’s engagement with that object effectively ends. For most controlled goods across most of the twentieth century, this assumption was tolerable, because the goods themselves were inert. A machine tool delivered to a factory in an allied country generally stayed in that factory; moving it was expensive, conspicuous, and slow. The advanced AI accelerator violates every premise of that model. It is small relative to its value, extraordinarily liquid, in ferocious global demand, and — most fatally for destination-based control — its computational output can cross any border on Earth without the hardware moving an inch. Once a shipment clears customs, the manifest becomes a historical artifact, utterly blind to the real-time operational reality of the hardware it once described.

To appreciate the scale of the asset class that this obsolete paradigm is asked to govern, consider the most recent corporate disclosures. NVIDIA’s results for the first quarter of fiscal year 2027, reported on May 20, 2026, showed record revenue of $81.6 billion — up 85 percent from a year earlier — of which a record $75.2 billion was Data Center revenue, up 92 percent year over year, driven by the ramp of Blackwell-generation systems [7]. Founder and CEO Jensen Huang described the buildout of AI factories as nothing less than [7]:

“the largest infrastructure expansion in human history” — Jensen Huang, founder and CEO, NVIDIA [7]

The prior fiscal year had already closed at $215.9 billion in total revenue, up 65 percent [9]. Upstream, Taiwan Semiconductor Manufacturing Company — the foundry that physically fabricates nearly every leading accelerator on the planet — reported first-quarter 2026 revenue of US$35.9 billion, up 40.6 percent year over year in dollar terms, with high-performance computing applications surging to 61 percent of total revenue and gross margin reaching an extraordinary 66.2 percent [10][11]. Bernstein Research’s senior semiconductor analyst captured the structural nature of this dominance [12]:

“TSMC’s 62.3% gross margin is a structural advantage, not a cyclical one.” — Stacy Rasgon, Senior Semiconductor Analyst, Bernstein Research [12]

Hundreds of billions of dollars of the most strategically sensitive hardware ever manufactured are now flowing annually through global distribution channels — and the primary compliance instrument applied to that flow remains, in essence, a piece of paper describing where a box was supposed to go.


1.1 The Breakdown of Static Tracking

The physical failure modes of destination-based control are no longer hypothetical; they are documented in indictments, seizures, and quantitative estimates spanning 2023 through 2026.

The gray-market pipeline. Advanced accelerators are highly liquid assets, and transshipment networks reroute them through secondary and tertiary countries with industrial efficiency, invalidating initial customs declarations the moment the crates leave the first port. The Center for a New American Security, working with the Institute for AI Policy and Strategy, estimated that on the order of 140,000 export-controlled AI chips were smuggled into China in 2024 alone, with uncertainty bounds ranging from tens of thousands to nearly a million units depending on model assumptions [18]. Epoch AI’s April 2026 analysis compiled cumulative allegations of diverted or missing chips totaling almost 300,000 H100-equivalents by the end of 2025 — roughly a quarter of the compute China is estimated to have legally imported or domestically produced — and modeled total smuggled volume through 2025 at between 290,000 and 1.6 million H100-equivalents [19]. Erich Grunewald of IAPS, among the most careful empirical researchers on this question, offered a sobering summary of what these flows mean in strategic terms [20]:

smuggled chips represent “between a tenth and a half of China’s AI model-training capacity.” — Erich Grunewald, Institute for AI Policy and Strategy [20]


The supply-chain blind spot. Distribution networks rely overwhelmingly on distributor-led reporting. Once chips enter global channels — passing from chipmaker to server integrator to authorized distributor to regional reseller — manufacturers lose granular visibility into downstream handoffs, and each intermediary has commercial incentives to know as little as legally possible about the next. Grunewald’s 2026 analysis of distribution practices concluded that while most companies perform enough due diligence to comply with the letter of the law, the aggregate system is not remotely sufficient to prevent most smuggling, because no single participant is responsible for the chain as a whole [21].


The inadequacy of paper audits. Compliance verification rests heavily on point-of-sale paperwork — end-user certificates, purchase orders, corporate registrations — which is easily forged, modified, or laundered through cooperative intermediaries. The prosecutions of 2025 and 2026 read like a catalogue of paper’s failures. Over roughly a year, the United States announced six separate prosecutions for smuggling AI chips to China, collectively involving approximately $3 billion worth of NVIDIA products [21]. The largest, unsealed in March 2026, charged individuals including a co-founder of Super Micro Computer with orchestrating a scheme that moved approximately $2.5 billion in US-assembled AI servers to Chinese buyers between 2024 and 2025: shell companies in Southeast Asia placed legitimate-appearing orders, servers were shipped to Taiwan, forwarded onward, repackaged with identifying markings removed, and diverted to the mainland [22]. Surveillance evidence in the case included photographs of dummy servers being relabeled — with a hair dryer — the day before a scheduled inspection by a US agent [21]. In Singapore, the Aperia Group investigation that began in February 2025 culminated in July 2026 with authorities seizing a S$55 million (US$42 million) Good Class Bungalow and filing money-laundering charges, alleging that executives had falsely represented to Dell, Super Micro, and Asus that their own companies would be the end-users of roughly $390 million in servers that were in fact shipped onward through Malaysia [23]. The arithmetic that first drew American investigators’ attention is perhaps the single most damning statistic in the entire literature of destination-based control: Singapore at one point accounted for approximately 28 percent of NVIDIA’s billed revenue, while only about 1 percent of the company’s product was actually delivered there [24]. The invoice address and the physical destination had become almost completely decoupled — at planetary scale, in plain sight, inside one of the world’s most rigorously administered trading hubs.


1.2 The Digital Detachment: Cloud-Native Evasion

Even if every crate on Earth were tracked perfectly, destination-based control would still fail, because the modern accelerator’s most valuable output — computation itself — has been detached from the hardware’s location. This is the deeper and less widely appreciated half of the manifest’s obsolescence.


Frictionless remote access. A cluster securely bolted into a highly compliant data center in Virginia can be leased to an adversarial entity through encrypted API endpoints within seconds of a payment clearing. The physical chip never moves; nothing crosses a border that any customs regime has ever been designed to inspect. The scholarly literature has begun to grapple seriously with this reality: Heim and colleagues, in their 2024 analysis of compute providers as regulatory intermediaries, argue that cloud providers now occupy the same structural position with respect to AI that banks occupy with respect to money — they are the chokepoint through which usage actually flows, and any governance regime that ignores them governs only the minority of compute that is owner-operated [35].


Virtual cross-border transit. Cloud infrastructure allows physical silicon to remain static while its computational power instantly crosses geopolitical borders, bypassing traditional customs checkpoints entirely. A training run can begin in one jurisdiction in the evening and, through checkpoint transfer and workload migration, continue in another by morning — with the model weights, the true object of strategic value, residing simultaneously everywhere and nowhere.


Decentralized compute slicing. Multi-tenant virtualization breaks single accelerators into fractional instances leased to distributed, effectively anonymous users across the globe simultaneously. A single physical GPU may, in one billing cycle, serve a university laboratory in one country, a startup in a second, and — absent know-your-customer discipline — a sanctioned entity’s front company in a third. The manifest that accompanied that GPU across the ocean two years earlier has precisely nothing to say about any of this.


1.3 The Mechanics of Jurisdictional Drift

Between the physical gray market and the cloud lies a third evasion stratum: the deliberate legal engineering of ambiguity, which this paper terms jurisdictional drift.

Nested shell companies. Compute is routinely sold to an entity in Country A, which leases it to a corporate vehicle in Country B, which routes the access credentials to an end-user in Country C. Each individual link can be papered to appear compliant; the chain as a whole is designed to be incomprehensible. The United States government has, to its credit, begun attacking exactly this structure. On September 29, 2025, the Commerce Department’s Bureau of Industry and Security published its “Affiliates Rule,” extending Entity List, Military End-User List, and related restrictions to any foreign entity owned 50 percent or more, directly or indirectly, individually or in aggregate, by one or more listed parties — explicitly modeled on the Treasury Department’s long-standing 50 Percent Rule for sanctions [13]. Gibson Dunn’s export-controls practice described the rule as one of the furthest-reaching changes to BIS regulations in years, a fundamental shift from name-based listing to ownership-based restriction, adopted precisely because the old “legally distinct” standard had created a whack-a-mole problem in which listed parties simply spawned new affiliates faster than BIS could enumerate them [14]. Research cited by the Peterson Institute found that 149 separate Huawei entities had accumulated on the Entity List through successive rounds of anti-circumvention additions [15]. The doctrinal significance of the Affiliates Rule for this paper’s argument cannot be overstated: the United States government has formally conceded that headquarters and ultimate parentage — not the name on the invoice — determine who is really buying. That is the beneficial-controller logic of Silicon Domicile, three-quarters adopted.

And yet the rule’s subsequent history demonstrates with equal force why entity-level regulation alone cannot carry the weight. Barely six weeks after its publication, in November 2025, the White House suspended the Affiliates Rule for a full year as part of a broader trade arrangement with Beijing, with Treasury Secretary Scott Bessent explaining that the suspension was exchanged for China’s suspension of rare-earth export controls [16]. Analysts immediately observed the perverse consequence: because the suspension carried a published expiration date, majority-Chinese-owned firms were effectively invited to stockpile formerly restricted goods against a known deadline — as they had before every prior control, including the estimated $16 billion in H20 chips that ByteDance, Alibaba, and Tencent accumulated in the first quarter of 2025 ahead of anticipated restrictions [16]. By early 2026, the approved performance tier of NVIDIA chips exportable to China had risen from the H20 to the more powerful H200, trade negotiators had declared chip controls off the table, and congressional hawks were responding with legislation — the AI OVERWATCH Act advanced through the House Foreign Affairs Committee in January 2026 — to wrest export-licensing authority toward Congress [17]. A control regime that inverts with each electoral or diplomatic cycle is not a control regime; it is weather. Hardware-anchored verification, by contrast, is architecture — it persists across administrations because it is embedded in the installed base itself.


Algorithmic arbitrage. Automated load balancers migrate active AI workloads between international data centers to optimize energy costs and latency, unmooring the software from any single legal jurisdiction as a routine operational matter, with no human decision and no compliance review attached to any individual migration.


White-label cloud providers. Tier-1 providers sell massive blocks of capacity to unverified third-party resellers, creating an opaque layer that shields illicit end-users from primary corporate oversight. The CNAS smuggling analysis identified precisely this structure — real cloud providers established as front companies in third countries, purchasing large volumes directly from server builders and re-exporting a portion — as one of the two principal smuggling pathways, alongside conventional shell-company re-export [18].


The conclusion of this section can be stated plainly. Point-of-sale compliance offers nothing more than a false sense of security: it monitors the initial commercial transaction instead of the continuous computational execution. The scholarly foundation for the alternative already exists. In the landmark 2024 multi-institution study Computing Power and the Governance of Artificial Intelligence — whose nineteen authors span OpenAI, the Centre for the Governance of AI, Cambridge, Oxford, Georgetown, Harvard, and include Turing Award laureate Yoshua Bengio of the Université de Montréal, Professor Gillian K. Hadfield, and Cambridge economist Professor Diane Coyle — the authors establish that compute is uniquely governable among AI inputs precisely because it is detectable (frontier training requires tens of thousands of chips that cannot be acquired or used inconspicuously), excludable (chips are physical goods that can be granted or withheld), and quantifiable (chips, features, and usage can be measured), all reinforced by a supply chain of extreme concentration [4]. Every one of those properties is squandered by a regime that stops looking at the chip the moment it clears customs. Silicon Domicile is, at bottom, a proposal to stop squandering them.


Section 2: The Separation of Powers — Ownership, Possession, Operation, Cloud Access, and Beneficial Use

Corporate law learned centuries ago that “who owns this?” is rarely a single question. A ship may be registered in Monrovia, mortgaged to a bank in London, chartered to an operator in Athens, crewed by a manning agency in Manila, and beneficially owned by a family trust in Geneva. The law responded not by pretending these roles collapse into one, but by developing distinct doctrines — legal title, beneficial ownership, operational control, flag-state jurisdiction — each with its own duties and its own accountable party. The advanced accelerator has undergone exactly this decomposition in less than a decade, while the regulatory apparatus continues to behave as though the entity on the export license embodies all roles at once.


2.1 The Five-Way Split

Consider a single, entirely realistic Blackwell-class cluster in 2026, and trace its roles:

  • Ownership rests with a special-purpose financing vehicle — perhaps a GPU-backed lending structure, a sovereign wealth fund’s infrastructure arm, or a leasing subsidiary of the chipmaker’s own captive finance operation. This entity holds legal title and appears on the purchase documentation. It may never see the hardware.
  • Possession belongs to a colocation data center operator in a third country, which houses, powers, and cools the racks under a hosting agreement. It controls the building, not the workloads.
  • Operation belongs to a “neocloud” — a GPU-specialized cloud company — that installed its own hypervisors, orchestration stack, and networking on the leased hardware and sells capacity by the hour. It controls the software plane.
  • Cloud access belongs to whoever holds valid API credentials this afternoon: a model developer, a research consortium, a reseller’s customer’s customer. This population can change by the minute.
  • Beneficial use — the question of whose strategic purposes the computation ultimately serves — may belong to none of the above: to the entity that commissioned the training run through two intermediaries, that will own the resulting model weights, and that appears in no contract visible to the owner, the possessor, or the operator.

Five roles, five parties, five jurisdictions — one chip. Under destination-based export control, exactly one of these parties (usually the first, occasionally the second) was ever evaluated, and the evaluation happened once, before the other four relationships even existed. This is the analytical core of the manifest’s failure, and it dictates the shape of the remedy: a governance framework must interrogate each role separately, continuously, and verifiably. That framework is the Six-Factor Silicon Domicile Test.


2.2 The Six-Factor Silicon Domicile Test

Silicon Domicile is established, for any advanced accelerator or coherent cluster of accelerators, by the continuous verification of six factors. The reader familiar with an earlier formulation of this framework as four pillars — Verifiable Home, Beneficial Owner, Operator, and Workload — will recognize all four within the expanded test; the six-factor formulation separates legal from beneficial ownership (because the shell-company cases of Section 1 turn precisely on their divergence) and adds manufacturing origin (because provenance, as Section 3 will show, is where verification must begin). The 2010 telecom analogy remains apt for each factor, and is noted in brief.


Factor 1 — Manufacturing and Foundry Origin. Where, and by whom, was the die fabricated, packaged, and tested? This is the factor the telecom world encoded in the IMEI’s type-allocation prefix, which identified the manufacturer and model before any digit identified the individual unit. For accelerators, origin is the root of the provenance chain: a cryptographic identity fused at the foundry (Section 5) is trustworthy only to the extent the foundry itself is known and audited. Origin also carries direct legal consequence — United States foreign direct product rules already extend American jurisdiction to foreign-made chips produced with American tools, meaning that fabrication origin, not sale location, frequently determines which nation’s law attaches to the silicon for life.


Factor 2 — Legal Owner. Which natural or juridical person holds title? This is the name on the invoice, the financing statement, the insurance policy — the telecom equivalent of the account holder who signed the two-year contract. Legal ownership is the easiest factor to document and the easiest to launder, which is precisely why it cannot stand alone.


Factor 3 — Beneficial Controller. Which ultimate natural person, corporate parent, or sovereign entity financed the hardware, directs its deployment, and reaps its economic rewards, looking through every shell corporation, nominee, nested reseller, and front company in between? Subleasing an AT&T handset to a stranger never absolved the primary account holder of liability; the same principle must hold for a billion-dollar cluster. The BIS Affiliates Rule’s 50-percent ownership test [13][14] and the OFAC rule it copies supply the doctrinal machinery; Silicon Domicile makes the inquiry continuous rather than transactional. It is worth underscoring how rapidly official practice has converged on this factor: guidance now emphasizes the headquarters and ultimate parentage of foreign entities, treating “significant ties” to restricted parents — shared board members, for example — as red flags demanding due diligence even below the 50-percent threshold [15]. The direction of doctrinal travel is unmistakable, even where enforcement has oscillated.


Factor 4 — Physical Installation Site. Where, on the surface of the Earth, is the device racked and running — building, floor, and geopolitical jurisdiction? This is the Verifiable Home: the analogue of the physical network compatibility that bound a 2010 handset to GSM or CDMA infrastructure. Unlike a shipping manifest, which records where hardware was once sent, installation-site verification asks where it is now, continuously, using the hardware-rooted attestation and latency-based geolocation techniques detailed in Section 5.


Factor 5 — Cloud Tenant or Remote User. Who is computing on the device at this moment? Possession without usage visibility is a hollow control — the Virginia cluster leased to an adversary via API never violates any location rule. This factor imports the know-your-customer discipline of finance into the compute layer: cloud providers, as Heim and colleagues argue, are the natural intermediaries through which usage-level accountability flows [35], and the tenant ledger is the compute world’s call-detail record.


Factor 6 — Intended and Actual Workload. What was the computation declared to be, and what is it in fact? The telecom parallel is the unlock status — the handset that actively verified the legitimacy of each network request before granting service. For accelerators, the factor pairs a declared workload class (training above or below a compute threshold, inference, scientific simulation) with technical verification that the declaration matches reality: cluster-scale telemetry, on-chip metering of total operations, and — as the research frontier matures — privacy-preserving proof-of-training-transcript protocols of the kind proposed by Shavit, which would allow a chip owner to prove what was trained without revealing the model itself [34].


#FactorCore Question2010 Telecom AnaloguePrimary Attesting Parties
1Manufacturing & foundry originWhere and by whom was the silicon made?IMEI type-allocation prefixFoundry, chip designer, OSAT
2Legal ownerWho holds title?Named account holderPurchaser, financier, insurer
3Beneficial controllerWho ultimately finances, directs, and profits?Credit-anchored contract liabilityRegulators, banks, corporate registries
4Physical installation siteWhere is it racked right now?GSM/CDMA physical network bindingData center operator, on-chip attestation
5Cloud tenant / remote userWho is computing on it this hour?Active SIM / carrier accountCloud provider, hypervisor logs, KYC
6Intended & actual workloadWhat is it computing, versus what was declared?Carrier lock / unlock statusOperator telemetry, on-chip metering, audits

Table 1. The Six-Factor Silicon Domicile Test, its governing questions, telecom analogues, and attesting parties.


2.3 Domicile as a Composite Judgment

No single factor establishes Silicon Domicile, and — critically — no single factor’s cleanliness excuses failure on another. A cluster with impeccable installation-site attestation but an opaque beneficial controller is not “mostly compliant”; it is a laundering vehicle with good geolocation. Conversely, the test is designed to localize failure: when the Aperia-style scheme misrepresents the end-user, Factors 2 and 3 flag while Factor 1 remains clean, telling investigators precisely which link of the chain was corrupted and which parties owed the breached attestation [23]. The composite structure also future-proofs the framework. If, in some later era, workload verification matures to the point that regulators genuinely trust what chips report about their own computations, the relative weight of location may recede — a possibility the flexHEG research program explicitly anticipates, aiming for locally verified compliance that reduces the need for centralized registries and geolocation altogether [32]. Until that maturity arrives, all six factors must bear weight together.


Section 3: The Provenance Chain — From Foundry to Hyperscaler

A verification framework is only as strong as the parties who perform the verifying. Silicon Domicile therefore cannot be a regulation imposed on an industry from outside; it must be a chain of attestations generated by the industry, at each of the handoffs where knowledge naturally resides. This section maps that chain — the sequence of commercial actors through whose hands every advanced accelerator passes — and assigns to each the factors of the Six-Factor Test that it alone is positioned to attest. The guiding principle is borrowed from food-safety and pharmaceutical serialization law: every party that touches the product certifies the link it controls, so that provenance accumulates rather than evaporates as the product moves downstream.


3.1 The Designers: NVIDIA and AMD

The chain begins with the chip designers, whose commercial position in 2026 borders on the monopolistic. NVIDIA’s $75.2 billion single-quarter Data Center revenue [7] makes it not merely the dominant vendor but, in effect, the census bureau of world compute: no other entity knows more about where advanced accelerators are ordered, configured, and supported. The designers’ provenance duties fall on Factors 1, 2, and — through firmware — 4 and 6. They assign and escrow each device’s cryptographic identity at birth; they record the first legal purchaser; and, because they author the firmware, driver, and microcode stack on which every downstream mechanism of Section 5 depends, they are the parties who can make attestation a condition of full functionality. The designers also illustrate the incentive problem the chain must solve. NVIDIA’s own disclosures show what compliance costs it: the company recorded a $4.5 billion charge in early fiscal 2026 associated with H20 inventory stranded by China restrictions, and reported zero Data Center Hopper shipments to China in the most recent quarter against $4.6 billion a year earlier [8]. A designer asked to police its own customers is being asked to shrink its own market — which is precisely why attestation duties must be uniform, statutory, and industry-wide rather than voluntary and unilateral, and why NVIDIA’s CEO has lobbied so publicly against restriction regimes he characterizes as ceding markets to competitors [27]. Tufts University’s Chris Miller — author of Chip War and the leading academic historian of this industry — framed the countervailing security logic in a December 2025 interview, warning that expanded chip flows to China carry a direct capability transfer [36]:

“it risks giving a shot in the arm to China’s AI ecosystem” — Chris Miller, Professor, Fletcher School, Tufts University [36]

The designers sit exactly at the fulcrum of this tension, which is why the chain cannot begin anywhere else.


3.2 The Foundries: TSMC and Samsung

One step upstream sit the foundries, and here concentration becomes nearly absolute. Stanford University’s Institute for Human-Centered AI, in its 2026 AI Index Report, documents that the United States now hosts more than 5,400 data centers — over ten times any other country — while a single Taiwanese company, TSMC, fabricates nearly every leading AI chip, rendering the entire global AI hardware supply chain dependent on one foundry [5][6]. TSMC’s 61-percent HPC revenue share and its three new 3-nanometer fabs announced with Q1 2026 results [10][11] mean that, for the foreseeable future, essentially every device subject to Silicon Domicile will pass through one of perhaps four fabrication ecosystems (TSMC, Samsung, Intel Foundry, and — for indigenous Chinese parts — SMIC). This is a governance gift of historic proportions. The foundry is where Factor 1 is created and where the hardware root of trust of Section 5 must be physically instantiated: unique keys derived from manufacturing variation, fused device identities, and the tamper-evident packaging within which every later attestation is anchored. Miller’s scholarship supplies the reassuring precedent: the machines that make the machines are effectively unsmugglable — he has assessed the likelihood of acquiring advanced lithography tools through third countries as close to zero, given that mere dozens are produced annually, each requiring multiple aircraft to transport and permanent on-site vendor staff to operate [37]. Governance rooted at the foundry therefore inherits the single most defensible chokepoint in the entire technology stack.


3.3 The Integrators and Distributors

Between the designer and the end customer stretches the layer where, on the evidence of Section 1, provenance currently goes to die: server integrators (Supermicro, Dell, Foxconn, Wistron, Quanta), authorized distributors, and regional resellers. It was integrator-built servers — not loose chips — that filled the crates at KLIA [1], moved through the Aperia Group’s misrepresentations [23], and constituted the $2.5 billion Super Micro diversion [22]. The reason is structural: integration is where individually serialized chips disappear into assembled systems, where a tracked component becomes an untracked box. Silicon Domicile’s response is serialization continuity — the integrator attests, for every system shipped, the mapping between chassis serial numbers and the device identities of every accelerator inside, so that a crate declared as “computer components” can be interrogated, cryptographically, about exactly which governed dies it contains. Distributors and resellers, for their part, attest Factor 2 transfers: every change of legal owner, reported to the registry of Section 5 within a defined window, exactly as automobile title law has required of dealers for a century. The affirmative due-diligence obligation that the Affiliates Rule already imposes — treat a counterparty as restricted when ownership cannot be verified [14] — becomes, in this architecture, a queryable technical act rather than a manual research project.


3.4 The Freight Forwarders and Logistics Layer

The freight forwarder occupies a peculiar position: it is the only chain participant whose entire function is custody of the hardware in motion, and yet it is the participant about which compliance regimes traditionally ask the least. The 2025–2026 prosecutions repeatedly feature this layer — shipping and freight-forwarding companies in Malaysia and Singapore appear in the August indictment of two Chinese nationals for illegally routing tens of millions of dollars in chips [2], and the Super Micro scheme’s Taiwan-to-Southeast-Asia-to-China itinerary was executed entirely through commercial logistics [22]. Under Silicon Domicile, the forwarder’s attestation is deliberately narrow and mechanical: custody intervals. Which sealed, serialized systems were received, where, when, and to whom relinquished. The forwarder is not asked to evaluate end-users — it lacks the competence — but its custody records close the gap in which crates are today relabeled, split, and re-manifested, and tamper-evident enclosure telemetry (Section 5) turns any in-transit intrusion into a recorded event rather than a hair-dryer anecdote in a later indictment [21].


3.5 The New Clouds

The most consequential new actors in the chain are the GPU-specialized cloud providers — CoreWeave, Lambda, Crusoe, Nebius, and dozens of smaller “new clouds” — together with the national and sovereign AI clouds now proliferating worldwide. NVIDIA’s own segment commentary confirms their weight: roughly half of Data Center revenue now flows to customers other than the traditional hyperscalers, a diversified population of AI clouds, enterprises, and sovereign buyers [8]. Neoclouds embody the five-way split of Section 2.1 in a single business model — they frequently operate hardware they do not own, in facilities they do not control, for tenants they did not originate (capacity is heavily resold) — and they are therefore both the hardest case for Silicon Domicile and its most important test. Their attestation duties span Factors 4, 5, and 6: continuous installation-site verification for every cluster; know-your-customer records for every tenant, including look-through of resold capacity to the ultimate credential holder; and workload-class telemetry against declared use. The CNAS smuggling analysis makes clear why the neocloud layer cannot be exempted: cloud-provider front companies purchasing at volume directly from server builders constitute one of the two principal diversion pathways [18]. A registry that verified every hyperscaler while waving neoclouds through would simply redirect the gray market into the neocloud form.


3.6 The Hyperscalers

At the chain’s terminus sit the hyperscalers — Microsoft, Amazon, Google, Meta, Oracle — operators of the largest coherent accelerator fleets on Earth and, simultaneously, the parties with the most mature compliance machinery. Their role in Silicon Domicile is dual. As operators, they bear the same Factor 4–6 duties as neoclouds, at vastly greater scale but with correspondingly greater capability; the know-your-customer regimes and abuse-detection systems they already run for financial and security purposes are, functionally, prototypes of tenant attestation. As anchors, they serve a subtler purpose: because hyperscalers purchase such enormous shares of each accelerator generation, their procurement standards propagate upstream automatically. When a hyperscaler requires serialization continuity from integrators or attested custody from forwarders as a condition of purchase orders, the entire chain re-tools to comply — regulation by purchase order, faster than any rulemaking. The historical analogue is again telecom: the GSMA IMEI database achieved global coverage not because every nation legislated it simultaneously, but because the largest carriers refused to interconnect with networks that ignored it.


3.7 The Chain, Assembled

Chain ParticipantExamplesFactors AttestedAttestation Content
Chip designerNVIDIA, AMD1, 2, 4, 6Device identity issuance; first sale; firmware enforcement
Foundry / OSATTSMC, Samsung, ASE1Die origin; root-of-trust instantiation; fused identity
Server integratorSupermicro, Dell, Foxconn1, 2Chip-to-chassis serialization continuity
Distributor / resellerAuthorized & regional channels2, 3Title transfers; counterparty ownership screening
Freight forwarderGlobal logistics firms4 (transit)Custody intervals; tamper-evidence telemetry
NeocloudCoreWeave, Lambda, sovereign clouds4, 5, 6Site attestation; tenant KYC; workload telemetry
HyperscalerMicrosoft, AWS, Google, Meta4, 5, 6Fleet attestation at scale; procurement-driven upstream standards
Financier / lessorGPU-backed lenders, SWFs2, 3Beneficial-ownership disclosure; lien registration

Table 2. The Silicon Domicile provenance chain: each participant certifies the link it alone controls.


Two features of the assembled chain deserve emphasis. First, no participant is asked to know what it cannot know: the foundry does not vouch for end-users, the forwarder does not evaluate workloads. The chain’s strength is the composition of narrow, honest attestations, not the omniscience of any link. Second, the chain converts today’s diffuse, deniable ignorance into locatable responsibility. When the next KLIA-style shipment surfaces, the registry will show precisely which attestation was falsified — which integrator’s serialization broke, which distributor’s title transfer went unreported, which forwarder’s custody interval gaps — transforming enforcement from archaeology into audit.


Section 4: The Jailbreak Economy — Evasion, Modification, and the Compute Gray Market

No enforcement architecture deserves to be taken seriously until it has been tested against its adversaries, and the adversaries of compute governance are neither hypothetical nor unsophisticated. The current evasion ecosystem mirrors, with uncanny fidelity, the cat-and-mouse game played by hardware hackers and gray-market exporters during the smartphone boom of 2010. When a device commands ferocious global demand but is restricted by contract or regional lockout, a shadow economy inevitably emerges to liberate the hardware from its software bounds. This section catalogues that economy — not to counsel despair, but because Section 5’s technical design choices are intelligible only as responses to specific, observed attacks.


4.1 The AI Equivalent of “Jailbreaking”

In 2010, jailbreaking exploited vulnerabilities in the iPhone’s iOS firmware to strip away carrier locks and application restrictions, allowing users to run unauthorized software with root privileges. An entire semi-legitimate industry — unlock services in mall kiosks, Gevey SIM interposers, firmware downgrade tools — grew inside the gap between what the hardware could do and what its vendor permitted it to do.


Firmware flashing. Today’s illicit compute operators acquire mid-tier or regionally restricted “export-compliant” accelerators and flash them with modified firmware that unlocks disabled compute units, overrides factory power ceilings, and coaxes the silicon into performance classes it was legally barred from delivering. The commercial precedent is instructive: NVIDIA itself has shipped GPUs with firmware-limited cryptocurrency-mining performance — limits that were partially defeated by driver leaks and BIOS modification within months — demonstrating both that hardware-enforced restriction is commercially practicable and that naive implementations fall quickly .


Driver stripping. Just as jailbreakers bypassed Apple’s code-signing checks, rogue data-center engineers rewrite compilation and driver layers to disguise the true character of a distributed cluster — presenting a unified frontier-scale training run to monitoring tools as a scatter of small, independent academic jobs. This attack targets Factor 6 directly, and it is why workload attestation must ultimately be rooted below the driver, in hardware the operator cannot rewrite [29][31].


4.2 The Gray-Market Export Pipeline

In the early 2010s, suitcases of shrink-wrapped, carrier-locked iPhones were bought retail in New York, flown to markets where the device had not launched, and sold at premium prices, whereupon local technicians forced them onto domestic networks with SIM interposers and software exploits. The modern accelerator gray market runs the identical itinerary at nine-figure scale:


Stage2010 Smartphone Gray Market2026 Accelerator Gray Market
AcquisitionRetail purchase, US storesFront-company purchase orders to integrators [22][23]
TransitSuitcases on passenger flightsFalsely manifested air/sea freight via free trade zones [1][2]
Laundering pointOverseas electronics bazaarsTransshipment hubs; relabeling and repackaging [21][22]
ActivationGevey SIM interposer; software unlockDriver patches; interposed network topologies
ResultPhone forced onto foreign networkChips clustered in unmonitored data centers

Table 3. The gray-market pipeline, then and now.


Transshipment laundering. Straw purchasers establish front companies in compliant jurisdictions, order hardware under the guise of local corporate expansion, intercept crates at international logistics hubs, and reroute them through multiple neutral borders before delivery to unmonitored facilities. Every element of this template appears in the documented record: the Aperia Group’s misrepresented end-user declarations to Dell, Super Micro, and Asus [23]; the Super Micro scheme’s Taiwan and Southeast Asia waypoints and unmarked repackaging [22]; the KLIA free-trade-zone staging [1]. The House Select Committee on China has assessed that well over $1 billion in controlled chips reached China through such channels in violation of export controls [42], and the DeepSeek episode — the Committee’s early-2025 conclusion that the company’s flagship model had been trained partly on restricted NVIDIA chips that should never have reached it — converted smuggling, in Congress’s eyes, from an enforcement nuisance into a legislative emergency [27].


Hardware interposition. Analogous to the physical SIM shims that tricked a handset into believing it remained on its home network, illicit clusters employ specialized bridges and custom switch topologies to make smuggled accelerators cluster seamlessly while concealing true network latency and physical coordinates from remote audits. This is the attack class that latency-based geolocation (Section 5.2) must be engineered against — and the reason the technique relies on speed-of-light physics, which no switch topology can counterfeit in the direction of appearing closer to a reference beacon than the fiber path permits.


4.3 The Failure of the Status Quo — and Its Price

The telecom industry learned quickly that recording which retail store sold a phone was a useless defense against a globalized gray market; only device-level identity plus network-level enforcement plus a shared blacklist collapsed the stolen-handset economy. The AI industry is currently re-learning that lesson at vastly higher stakes and with vastly weaker instruments. Six federal prosecutions and roughly $3 billion in charged NVIDIA product in a single year [21] represent the visible fraction of a market whose invisible fraction credible estimates place at hundreds of thousands of accelerators [18][19]. Grunewald’s structural diagnosis bears repeating: enforcement is delegated, in practice, to selling companies that are not strongly incentivized to perform the due diligence that would prevent most smuggling, overseen by an agency too understaffed to vet every sale, let alone re-verify after delivery [21]. Paper controls police a liquid asset with static tools. Without a hardware-enforced Silicon Domicile that automatically re-locks the device when its environment changes — when its location shifts, its owner changes unreported, its cluster topology mutates — the gray market will continue to outpace the regulatory state through software modification and physical smuggling, as it has every year since the first accelerator controls were imposed in 2022.


Section 5: Technical Enforcement and the International Silicon Domicile Registry

If Sections 1 through 4 establish that paper cannot govern silicon, this section establishes what can: the silicon itself, participating in its own governance. The proposition is no longer speculative. Between 2024 and 2026, a substantial technical literature — anchored by the Center for a New American Security’s Secure, Governable Chips report, RAND’s analysis of hardware-enabled governance mechanisms, the flexHEG research program, and a 2025 paper on hardware-enabled verification co-authored by researchers at NVIDIA itself — has converged on the conclusion that the security technologies already shipping in modern accelerators (hardware roots of trust, trusted execution environments, cryptographic attestation) can be extended into a platform for adaptive, updatable, privacy-preserving policy enforcement [29][30][31][32]. Congress has moved in parallel: the Chip Security Act, introduced in the Senate by Tom Cotton in April 2025 and in the House the following month, would require every covered integrated circuit product to be outfitted with chip security mechanisms implementing location verification — using techniques feasible on the date of enactment — before export, re-export, or in-country transfer, with mandatory tamper reporting and a multi-year Commerce–Defense assessment pipeline for additional mechanisms [25][26]. The bill passed the House Foreign Affairs Committee with bipartisan support in March 2026 [27], has attracted public support from a half-dozen technology companies [28], and — tellingly — its committee passage came the same week federal prosecutors charged yet another chip-diversion conspiracy. Senator Cotton’s framing of the objective is the legislative statement of this paper’s thesis [26]:

the goal is to “expand access to US technology without compromising our national security.” — Senator Tom Cotton (R-AR), sponsor, Chip Security Act [26]

What follows translates the four-pillar telecom model — unique identity, environmental lock, kill mechanism, shared blacklist — into the accelerator context, then assembles the registry those mechanisms report to.


5.1 The Silicon IMEI: Immutable Identity and Attestation

A mobile IMEI is burned into non-volatile memory at manufacture. The accelerator’s equivalent is established with stronger cryptography and deeper physics.


Silicon fingerprinting. During fabrication, microscopic, uncontrollable variations in transistor characteristics are harvested by Physically Unclonable Functions (PUFs) to derive a cryptographic key that is unique to the individual die, never leaves it, and cannot be extracted or cloned — a fingerprint that is not stored in the silicon but is the silicon. Where PUF derivation is impractical, foundry-fused key material within a hardware root of trust serves the same role. Either way, Factor 1 of the Six-Factor Test acquires a physical anchor at the only moment in the device’s life when its provenance is perfectly known: birth.


Cryptographic attestation. At every boot, and on joining any cluster fabric, the device signs an attestation with its internal key: this specific die, running this specific firmware measurement, in this specific hardware environment. Verifiers — the registry, a cloud tenant, an auditor — can confirm the claim against the manufacturer’s escrowed public identity without learning anything else about the system. The building blocks are, crucially, already commercial: modern data-center GPUs ship with hardware roots of trust, secure boot, and confidential-computing attestation, and RAND’s analysis observes that existing on-device performance counters already track the operations, interconnect bandwidth, and power draw that governance-grade metering would formalize [31]. The engineering task is consolidation and hardening, not invention — which is precisely the assessment of the NVIDIA-affiliated researchers who catalogue secure boot, device attestation, and confidential computing as the practically available foundation for verifiable location reporting, cluster-configuration verification, and offline licensing [30].


5.2 The Digital Carrier Lock: Geofencing and Environment Verification

An AT&T carrier lock prevented registration with unauthorized towers. The accelerator’s equivalent binds Factor 4 — installation site — to physics and to cryptography simultaneously.


Latency-based geolocation. The device’s secure firmware periodically executes challenge-response exchanges with a distributed constellation of authorized reference beacons. Because no signal outruns light in fiber, round-trip timing places a hard physical bound on the device’s distance from each beacon; triangulated across several beacons, the technique confines the device to a region — country-scale confidence today, metropolitan-scale with denser beacon networks — without GPS hardware, without satellite dependence, and without the spoofing fragility of radio-navigation. Representative Bill Foster of Illinois — a former Fermilab particle physicist who designed chips professionally before entering Congress — has publicly argued, with independent technical experts concurring, that the capability to track chips post-sale is readily available and substantially already present in NVIDIA’s shipping hardware [44]. A device that cannot complete its location proof, or whose proven region diverges from its registered installation site, transitions automatically to a restricted state and flags the registry.


Environment attestation. The chip verifies the cryptographic identity of its surroundings: the specific baseboard, the NVLink or fabric switches, the sibling accelerators of its registered cluster. Removal from the approved rack, insertion into an unregistered topology, or the appearance of interposer hardware (Section 4.2) breaks the verification chain — converting the smuggler’s reinstallation problem from “plug it in” to “defeat tamper-responsive cryptographic hardware without detection.” The flexHEG program pushes this furthest, proposing a guarantee processor within a tamper-responsive enclosure that observes all instructions and data transfers to and from the accelerator, enabling rule enforcement — operation caps, cluster limits, licensing checks — that is verified locally and privacy-preservingly, reducing dependence on centralized registries and inspections [32][33].


5.3 The Graduated Response: From Re-Verification to Zero-Power State

When a consumer stopped paying an AT&T bill or reported a handset stolen, the carrier blacklisted the IMEI and the device became an expensive paperweight. The accelerator analogue must be engineered with far greater care — a false-positive kill on a hospital’s diagnostic cluster or a treaty partner’s sovereign cloud is a diplomatic incident, not a customer-service call — and so Silicon Domicile specifies a graduated enforcement ladder rather than a hair-trigger switch:

  1. Attestation lapse (missed check-in, minor anomaly): grace period, logged, registry flagged; full performance continues.
  2. Verification failure (location divergence, environment break, unreported ownership change): performance governor engages — clock and interconnect throttling that preserves basic function while destroying frontier-training utility.
  3. Confirmed violation (registry adjudication; tamper evidence; blacklisted controller): fabric de-authentication — the device refuses to route data across its high-speed interconnects, neutralizing cluster-scale utility.
  4. Terminal state (persistent tamper, theft, sanctioned seizure): the power-management controller drops into a locked, un-bootable zero-power state, reversible only by an authorized cryptographic unlock from the governing authority.

The feasibility literature counsels exactly this humility: the recent arXiv taxonomy of twenty hardware-governance mechanisms classifies monitoring and administrative enforcement as deployable today, while hardware off-switches and remote disablement remain R&D-stage technically and, in their most aggressive forms, speculative politically [31]. The ladder lets policy ride today’s rungs while research hardens tomorrow’s.


5.4 The International Silicon Domicile Registry

The final element of the 2010 telecom model was neither the chip nor the carrier but the database behind them: the GSMA IMEI blacklist, which made a stolen handset worthless on any legitimate network worldwide and thereby collapsed the economics of handset theft. The accelerator equivalent is the International Silicon Domicile Registry — a federated cryptographic ledger recording, for every advanced accelerator manufactured, the current attested state of all six factors.

Its architecture follows four design commitments, each answering an objection developed fully in Section 6:


Federated, not centralized. National and regional registry nodes interoperate through a common attestation protocol, as DNS roots or SWIFT messaging do; no single sovereign holds the master switch. Confidential records — beneficial ownership, tenant identities, workload declarations — remain within the jurisdiction of filing, exposed to other nodes only as zero-knowledge proofs of compliance (“this cluster’s controller is not a listed party”) rather than as raw data.


Dynamic status flags. Every device identity carries a real-time operational status — Verified, Leased/Restricted, Under Review, Blacklisted — updated by attestation flows from the provenance chain of Section 3. Status is a queryable fact available to any counterparty: an insurer pricing a cluster, a bank collateralizing GPU-backed debt, a cloud customer verifying its provider, a customs officer confronting seventy-two crates of “computer components” armed, this time, with a scanner instead of a crowbar.


Device IdentityStatusNetwork Consequence
SD-882A…F3VERIFIEDFull fabric authorization; standard licensing
SD-401B…9CLEASED / RESTRICTEDWorkload caps enforced; tenant KYC required
SD-77D0…21UNDER REVIEWGrace-period telemetry; enhanced reporting
SD-119X…4EBLACKLISTEDFabric de-authentication; firmware/CDN denial; graduated lock

Table 4. Registry status flags and their hardware consequences.


Enforcement at the network edge. A blacklisted handset was rejected by towers on every continent; a blacklisted accelerator is isolated by the layers it cannot live without — denied fabric authorization by compliant switches, denied microcode patches, CUDA-stack updates, and security fixes by firmware distribution channels, denied peering by tier-1 providers bound to registry compliance. Traditional sanctions require maritime tracking and months of legal process; registry enforcement is near-instantaneous and surgically confined to the specific device identities in violation.


Verification as market infrastructure, not merely security apparatus. The registry’s deepest incentive alignment is commercial. Hundreds of billions of dollars in accelerators are now financed as collateral — GPU-backed lending is among the fastest-growing categories of infrastructure credit — and no lender can currently verify, independently and continuously, that its collateral exists, where it sits, or who controls it. Registry attestation gives clean-domicile hardware a financing premium and gray hardware a discount, recruiting banks, insurers, and auditors as enforcement multipliers. The Institute for Foundational Progress line of argument deserves emphasis here: hardware-based verification is framed by its proponents not as a wall but as a passport — the instrument that would let American technology diffuse faster and more widely, because trusted verification substitutes for blanket country-tier restrictions [33][43]. The same logic animates the GAIN AI Act’s congressional coalition, which spans, remarkably, America-First conservatives and progressive Democrats [38]:

“The Gain AI Act is simply an America First amendment.” — Senator Jim Banks (R-IN) [38]

Whatever one’s politics, the coalition’s breadth signals that hardware-anchored accountability has become one of the few propositions in technology policy capable of commanding durable, cross-ideological support — the necessary condition for infrastructure meant to outlast administrations.


Section 6: Objections and Limits

An architecture with the power to identify, locate, meter, and disable the world’s most valuable computing devices is an architecture that can be abused, and a paper that proposed it without confronting that fact would deserve the skepticism it received. This section takes the five strongest objections in turn — privacy, commercial secrecy, sovereignty, startup access, and the danger of an excessively centralized surveillance system — states each at full strength, and shows how the framework’s design either answers it or must be constrained by it. It then distills the whole argument into ten pillars.


6.1 Privacy: The Workload Is the Secret

The objection. Factor 6 asks what a chip is computing. Model architectures, training datasets, and optimization techniques are among the most closely guarded secrets in the modern economy, and in academic and civil-society contexts, workload surveillance can chill legitimate research or expose dissidents’ computational activity to hostile states. A registry that reads workloads is a surveillance instrument, full stop.

The response. Silicon Domicile must be — and technically can be — built on the principle of proving without revealing. The verification literature has developed precisely for this reason: Shavit’s proof-of-training-transcript framework allows a party to demonstrate which rules a training run obeyed without disclosing the run itself [34]; trusted-execution attestation confirms workload class (training above threshold X; inference; simulation) without exposing content; flexHEG’s entire design goal is local, privacy-preserving compliance verification that removes the need for centralized inspection of anything [32]. The registry stores claims and proofs, never data or weights. Where this discipline cannot yet be technically guaranteed, workload verification should remain the shallowest factor — class declarations plus aggregate metering — rather than deep inspection. Privacy is not a constraint bolted onto Silicon Domicile; it is a load-bearing wall, because no sovereign or commercial actor will ever join a registry that reads its secrets.


6.2 Commercial Secrecy: The Fleet Map Is the Strategy

The objection. A registry of who owns which clusters, where, at what scale, is a real-time map of every AI company’s capital expenditure and strategic direction — catastrophic if leaked, valuable enough to be attacked constantly, and dangerous even in aggregate (a nation’s total attested compute is itself an intelligence product).

The response. Three mitigations, in descending order of importance. First, federation with data locality: raw records live in the filing jurisdiction; cross-node queries return compliance proofs, not inventories. Second, tiered visibility: counterparties see status flags (Table 4), regulators see the factors within their jurisdiction, and no single actor — including the registry operators — holds the global map in cleartext. Third, honesty about residual risk: some aggregate signal will exist wherever attestation exists, exactly as securities disclosure reveals strategy to competitors. Societies accepted that bargain for capital markets because opacity’s costs proved greater; the seventy-two crates at KLIA are a reminder of what compute opacity is already costing.


6.3 Sovereignty: The Kill Switch Is a Weapon

The objection. This is the gravest objection, and it should be stated without euphemism: a remote disablement capability administered through a registry in which the United States and its allies hold decisive weight is, from the perspective of every other capital, a foreign hand on the master switch of the digital economy. No serious state will voluntarily install another state’s kill switch in its critical infrastructure. Worse, the mere credible threat of arbitrary blacklisting incentivizes exactly the outcome the framework exists to prevent: crash programs of unregistered, ungoverned indigenous hardware.

The response. Four commitments follow. First, graduation before termination: the enforcement ladder of Section 5.3 makes zero-power lockout a last resort behind throttling and fabric de-authentication, and the political-feasibility literature is candid that remote disablement in its strongest form may never be appropriate for state-to-state contexts [31]. Second, due process in the registry’s charter: adjudication before blacklisting, appeal rights, published evidentiary standards, and supermajority requirements for status changes affecting sovereign infrastructure — an architecture closer to ICANN-with-teeth than to a unilateral sanctions office. Third, reciprocity: the mechanisms must bind their architects too; a registry the United States exempts itself from is a cartel instrument and will be treated as one. The “Compute Cartel” framing that occasionally surfaces in enforcement-alliance advocacy should, on this ground, be explicitly rejected: the goal is a verification commons, and the difference is precisely the difference between the GSMA blacklist (which every carrier joined because it protected every carrier) and an embargo (which its targets route around). Fourth, realism: some states will refuse regardless, and the registry’s value does not depend on universality — it depends on making verified compute more valuable than unverified compute in every market the participating economies touch, which, given the supply-chain concentration documented in Section 3, is very nearly every market on Earth.


6.4 Startup Access and the Compute Divide

The objection. Compliance architectures are regressive: hyperscalers absorb attestation costs as rounding errors, while startups, universities, and developing-world researchers drown in them. A domicile regime could freeze the compute oligopoly in place and widen the very divide Guterres warned against.

The response. The burden allocation in Section 3 is deliberately top-heavy — attestation duties fall on designers, foundries, integrators, and cloud operators, the concentrated layers, while a startup renting registry-verified capacity inherits compliance passively, exactly as a small business inherits banking compliance by holding an account rather than by becoming a bank. Done properly, the registry improves small-actor access: verified provenance is what makes it safe for regulators to permit broad diffusion, and what makes it possible for lenders to finance smaller operators’ hardware on reasonable terms. The IMF’s parallel warning about infrastructural exclusion applies with full force to compute [41]:

without foundational access, countries “cannot be part of the AI revolution.” — Kristalina Georgieva, Managing Director, International Monetary Fund [41]

A well-designed Silicon Domicile is an instrument for diffusion — the verification that lets chips flow to a hundred countries because their misuse can finally be detected — and the UN’s own framing supports the same conclusion, with Guterres arguing that widely shared, well-governed AI could “compress decades of development into years” [40]. The regime’s designers must nonetheless treat access metrics as first-class success criteria, with fee waivers, open-source attestation tooling, and capacity-building support for developing-economy registry nodes, or the objection will become a prophecy.


6.5 Centralization: Do Not Build the Panopticon

The objection. Every argument in this paper could be read as a brief for a single global database, administered by the powerful, watching all computation forever — infrastructure that, once built, will be repurposed by whoever captures it, for purposes its architects never intended.

The response. The objection is correct, which is why the paper’s architecture refuses the single database at every layer: federated nodes, data locality, zero-knowledge cross-queries, tiered visibility, due process, reciprocity, graduated enforcement, and — as the flexHEG program demonstrates — a research trajectory whose endpoint is less centralization over time, as locally verified, open-source, tamper-responsive mechanisms progressively replace registry dependence [32]. The honest formulation is this: some verification infrastructure is coming, because the status quo of Sections 1 and 4 is intolerable to every major government simultaneously; the live question is whether it is designed now, in the open, with distributed power and auditable code — or improvised later, in crisis, by whichever state moves first. Panopticons are what get built in the second scenario.


Section 7: What Have We Learned? The Ten Pillars of Silicon Domicile

The friction points of the 2010 mobile-phone market, the enforcement record of 2023–2026, and the technical literature together yield ten foundational truths for advanced compute governance:

Pillar 1 — Static tracking is dead. A manifest records where hardware was once sent; it cannot secure lifetime compliance, any more than the retail counter that sold an iPhone could keep it off a Malaysian network [1][18].

Pillar 2 — Borders are irrelevant to computation. Physical shipping addresses are a useless proxy for digital jurisdiction when the workload, not the device, crosses the border [35].

Pillar 3 — Ownership and control must be pierced, continuously. The invoice name is the beginning of the inquiry, never its end; beneficial control is the fact that matters, and it changes over the asset’s life [13][14][23].

Pillar 4 — Identity must be hardcoded. An unalterable silicon identity — cryptographic root of trust, PUF-derived, foundry-anchored — is the precondition for every other mechanism, as the IMEI was for telecom [29][30].

Pillar 5 — The environment dictates the lock. Devices must verify where they are and what surrounds them, and restrict themselves when the answer changes without authorization [25][31].

Pillar 6 — Verification must be dynamic. Identity, location, ownership, tenancy, and workload are checked continuously at the silicon level, not attested once at procurement [30].

Pillar 7 — Attestation is non-negotiable, and it composes. Each provenance-chain participant certifies the narrow link it controls; governance strength is the composition of honest, bounded attestations, not the omniscience of any single party (see Section 3).

Pillar 8 — Isolation is the ultimate enforcement. Individual tracking without a shared registry is bookkeeping; the network-edge consequences of a common blacklist are what collapsed handset theft and what will collapse the compute gray market (see Section 5.4).

Pillar 9 — Opacity is itself a threat. Anonymous compute clusters — regardless of what they are computing today — are standing risks to security and stability, exactly as unregistered aircraft and anonymous bank accounts came to be understood [4][39].

Pillar 10 — Governance must be worthy of the governed. Privacy-preserving by construction, federated by charter, due-process-bound, reciprocal, and access-promoting — or it will deserve, and receive, the world’s refusal (see Sections 6.1–6.5).


Conclusion: Who Ultimately Commands the Computation?

The high-performance computing landscape can no longer operate on an honor system of paper manifests and point-of-sale background checks. The evidence assembled in this paper — seventy-two falsely declared crates in a Kuala Lumpur free-trade zone [1]; a city-state whose invoice share of the world’s most important company exceeded its delivery share by a factor of nearly thirty [24]; hundreds of thousands of accelerators credibly estimated to have crossed the one border they were forbidden to cross [18][19]; a landmark ownership rule suspended within six weeks of its creation as a bargaining chip [16] — describes not a system with gaps but a fiction with exceptions. The fiction is that a shipping address equals regulatory jurisdiction. Every sophisticated actor on Earth has stopped believing it; only the compliance architecture still pretends.

The lessons of the 2010 telecom market prove that the alternative is neither exotic nor untested. An industry facing a globally demanded, easily diverted, contract-encumbered device solved its accountability crisis by anchoring governance to the device itself: immutable identity, environmental locks, graduated network consequences, and a shared international blacklist. Every element of that model now has a documented accelerator-class counterpart in the technical literature [29][30][31][32], a legislative vehicle advancing with bipartisan support [25][27][28], and a commercial constituency — chipmakers, lenders, insurers, cloud providers, and the governments of both exporting and importing nations — whose interests converge on verifiability. What has been missing is the unifying framework, and that is what Silicon Domicile supplies: six factors, continuously verified, attested link by link along the provenance chain from the foundry that fabricates the die to the tenant that rents its final hour, recorded in a federated registry designed with the humility its power demands.

By implementing this framework, the technology ecosystem can bind abstract, fluid cloud computation to concrete physical and legal realities — grounding every advanced accelerator to a verifiable home, a beneficial owner, an operator, and a workload — while preserving the privacy, the sovereignty, and the broad access without which no such regime should be built at all. The buildout that NVIDIA’s chief executive calls the largest infrastructure expansion in human history [7] is being financed, permitted, and celebrated in public; it should not be governed in the dark. Just as the cell-phone industry learned to manage a billion roaming devices by anchoring security to device identity, the future of AI accountability will not be written on compliance forms. It must be etched directly into the silicon itself.

And so the strategic question inverts, permanently. For eighty years of export control, the question was “Where was it shipped?” For the accelerator age, the question — the only question the seventy-two crates at KLIA were ever really asking — is:

“Who ultimately commands its computation?”


Footnotes / Endnotes:

[1] Royal Malaysia Customs Department / The Star (Malaysia), “Customs Dept seizes 72 servers with AI chips worth RM53mil,” June 26, 2026. https://www.thestar.com.my/news/nation/2026/06/26/customs-dept-seizes-72-servers-with-ai-chips-worth-rm53mil

[2] Free Malaysia Today (with Reuters), “Customs dept seizes AI chips worth nearly RM53mil at KLIA,” June 26, 2026. https://www.freemalaysiatoday.com/category/nation/2026/06/26/customs-dept-seizes-ai-chips-worth-nearly-rm53mil-at-klia

[3] Media Selangor, “Customs seizes RM52.9m worth of AI chip servers at KLIA,” June 26, 2026. https://mediaselangor.com/en/2026/06/381539

[4] Girish Sastry, Lennart Heim, Haydn Belfield, Markus Anderljung, Miles Brundage, Julian Hazell, Cullen O’Keefe, Gillian K. Hadfield, Richard Ngo, Konstantin Pilz, George Gor, Emma Bluemke, Sarah Shoker, Janet Egan, Robert F. Trager, Shahar Avin, Adrian Weller, Yoshua Bengio, and Diane Coyle, “Computing Power and the Governance of Artificial Intelligence,” Centre for the Governance of AI et al., February 14, 2024. https://www.governance.ai/analysis/computing-power-and-the-governance-of-ai

[5] Stanford Institute for Human-Centered Artificial Intelligence (HAI), “The 2026 AI Index Report,” April 2026. https://hai.stanford.edu/ai-index/2026-ai-index-report

[6] United Nations University Campus Computing Centre, “What the 2026 Stanford AI Index Report Tells Us About the State of AI,” June 2026. https://c3.unu.edu/blog/2026-stanford-ai-index-report-takeaways

[7] NVIDIA Corporation, “NVIDIA Announces Financial Results for First Quarter Fiscal 2027” (Form 8-K press release; Jensen Huang statement), U.S. Securities and Exchange Commission, May 20, 2026. https://www.sec.gov/Archives/edgar/data/0001045810/000104581026000051/q1fy27pr.htm

[8] NVIDIA Corporation, “CFO Commentary on First Quarter Fiscal 2027 Results,” U.S. Securities and Exchange Commission, May 20, 2026. https://www.sec.gov/Archives/edgar/data/0001045810/000104581026000051/q1fy27cfocommentary.htm

[9] NVIDIA Corporation, “NVIDIA Announces Financial Results for Fourth Quarter and Fiscal 2026,” U.S. Securities and Exchange Commission, February 25, 2026. https://www.sec.gov/Archives/edgar/data/1045810/000104581026000019/q4fy26pr.htm

[10] MacroMicro Research, “TSMC Q1 2026: Record Results and Rare Capacity Expansion as the AI Megatrend Takes Shape,” April 17, 2026. https://en.macromicro.me/blog/tsmc-q1-earnings-call-rare-capacity-expansion-as-the-ai-megatrend-takes-shape

[11] AlphaSense, “Taiwan Semiconductor Manufacturing Co. Ltd. — Q1 2026 Earnings Summary,” April 2026. https://www.alpha-sense.com/earnings/tsm/

[12] Stacy Rasgon (Bernstein Research), quoted in Tech-Insider, “TSMC Q1 2026 Revenue: $35.71B Earnings Beat and $56B Capex,” June 4, 2026. https://tech-insider.org/tsmc-q1-2026-revenue-35-billion-ai-chip-capex/

[13] Sidley Austin LLP, “U.S. Commerce Department Bureau of Industry and Security Adopts ‘50 Percent Rule’ for Export Controls,” October 2025. https://www.sidley.com/en/insights/newsupdates/2025/10/us-commerce-department-bureau-of-industry-and-security-adopts-50-percent-rule-for-export-controls

[14] Gibson, Dunn & Crutcher LLP, “A Watershed Moment for Export Controls — The Risks and Complexities of the Commerce Department’s ‘Affiliates Rule,’” October 4, 2025. https://www.gibsondunn.com/watershed-moment-for-export-controls-the-risks-and-complexities-of-the-commerce-department-affiliates-rule/

[15] Peterson Institute for International Economics (PIIE), “A new export rule escalates US-China tensions,” Realtime Economics, 2025. https://www.piie.com/blogs/realtime-economics/2025/new-export-rule-escalates-us-china-tensions

[16] The National Interest, “What the Affiliate Rule Reversal Reveals About US Export Controls for Tech Firms” (incl. Treasury Secretary Scott Bessent’s explanation of the November 2025 suspension), December 26, 2025. https://nationalinterest.org/blog/techland/what-the-affiliate-rule-reversal-reveals-about-us-export-controls-for-tech-firms

[17] East Asia Forum, “US chip export controls have cooled down,” March 11, 2026. https://eastasiaforum.org/2026/03/11/us-chip-export-controls-have-cooled-down/

[18] Timothy Fist and Erich Grunewald, “Countering AI Chip Smuggling Has Become a National Security Priority,” Center for a New American Security (CNAS) with the Institute for AI Policy and Strategy, June 11, 2025. https://www.cnas.org/publications/reports/countering-ai-chip-smuggling-has-become-a-national-security-priority

[19] Epoch AI, “Diversion and resale: estimating compute smuggling to China,” April 29, 2026. https://epoch.ai/publications/chip-smuggling

[20] Erich Grunewald (IAPS), quoted in AI Frontiers, “Can ‘Location Verification’ Stop AI Chip Smuggling?,” February 16, 2026. https://ai-frontiers.org/articles/location-verification-ai-chips

[21] Erich Grunewald, “How banned AI chips end up in China,” guest essay, Peter Wildeford’s newsletter / The Substrate, May 18, 2026. https://blog.peterwildeford.com/p/how-banned-ai-chips-end-up-in-china

[22] Tech-Insider, “Super Micro $2.5B Chip Smuggling Case,” updated April 2026. https://tech-insider.org/super-micro-nvidia-chip-smuggling-china-2026/

[23] Sebastian Strangio, “Singaporean Police Seize $42M Bungalow in Nvidia Chip Smuggling Probe,” The Diplomat, July 2026. https://thediplomat.com/2026/07/singaporean-police-seize-42m-bungalow-in-nvidia-chip-smuggling-probe/

[24] Tom’s Hardware, “Singapore cops seize $42 million mansion… of suspected Nvidia AI GPU smugglers,” July 2026 (reporting the ~28% billed-revenue vs. ~1% delivery discrepancy). https://www.tomshardware.com/tech-industry/singapore-cops-seize-usd42-million-mansion-freeze-usd772k-bank-account-of-suspected-nvidia-ai-gpu-smugglers-individuals-alleged-to-have-illegally-exported-data-center-servers-to-china-charged-with-fraud-money-laundering

[25] U.S. Congress, H.R. 3447 — Chip Security Act, 119th Congress (2025–2026), bill text. https://www.congress.gov/bill/119th-congress/house-bill/3447/text

[26] Senator Tom Cotton, quoted in Data Center Dynamics, “US lawmaker introduces legislation to geo-tag advanced semiconductors,” May 14, 2025. https://www.datacenterdynamics.com/en/news/us-lawmaker-introduces-legislation-to-geo-tag-advanced-technology/

[27] The Cyber Express, “Congress Wants a Tracker on Every Advanced AI Chip US Exports,” March 27, 2026. https://thecyberexpress.com/advanced-ai-chip-chip-security-act/

[28] NBC News, “Bill that would mandate AI chip location tracking gains industry support,” June 2026. https://www.nbcnews.com/tech/tech-news/chips-security-act-gains-industry-support-letter-rcna350500

[29] Onni Aarne, Tim Fist, and Caleb Withers, “Secure, Governable Chips: Using On-Chip Mechanisms to Manage National Security Risks from AI & Advanced Computing,” Center for a New American Security (CNAS), January 8, 2024. https://www.cnas.org/publications/reports/secure-governable-chips

[30] “Hardware-Enabled Mechanisms for Verifying Responsible AI Development” (research co-authored with NVIDIA-affiliated researchers), arXiv:2505.03742, April 2025. https://arxiv.org/abs/2505.03742

[31] “Hardware-Level Governance of AI Compute: A Feasibility Taxonomy for Regulatory Compliance and Treaty Verification” (surveying RAND’s Hardware-Enabled Governance Mechanisms [Kulp et al., 2024], FlexHEG [Petrie et al., 2025], and related work), arXiv:2604.04712, April 2026. https://arxiv.org/abs/2604.04712

[32] Survival and Flourishing Fund, “SFF-2024 Flexible Hardware-Enabled Guarantees (flexHEG) Funding Round” (describing the flexHEG interim report and design goals). https://survivalandflourishing.fund/2024/flexhegs-application

[33] Institute for Progress (IFP), “Faster AI Diffusion Through Hardware-Based Verification,” 2025. https://ifp.org/faster-ai-diffusion-through-hardware-based-verification/

[34] Yonadav Shavit, “What does it take to catch a Chinchilla? Verifying Rules on Large-Scale Neural Network Training via Compute Monitoring,” arXiv:2303.11341, 2023. https://arxiv.org/abs/2303.11341

[35] Lennart Heim et al., “Governing Through the Cloud: The Intermediary Role of Compute Providers in AI Regulation,” arXiv:2403.08501, March 2024. https://arxiv.org/abs/2403.08501

[36] Chris Miller (Professor, Fletcher School, Tufts University), interview on CNBC Squawk Box, as transcribed by StartupHub.ai, “‘Chip War’ author Chris Miller on the battle of AI chip export controls,” December 12, 2025. https://www.startuphub.ai/ai-news/ai-video/2025/chip-war-author-chris-miller-on-the-battle-of-ai-chip-export-controls/

[37] Chris Miller, interview with Noah Smith, “Interview: Chris Miller, historian and author of ‘Chip War,’” Noahpinion, 2023. https://www.noahpinion.blog/p/interview-chris-miller-historian

[38] Chris Miller’s Newsletter, “The Shifting Politics of AI Chip Export Controls” (incl. Senator Jim Banks on the GAIN AI Act), December 11, 2025. https://chrismillersnewsletter.substack.com/p/the-shifting-politics-of-ai-chip

[39] António Guterres, Secretary-General of the United Nations, “Remarks to the Opening of the First Global Dialogue on Artificial Intelligence Governance,” Geneva, July 6, 2026 (UN Meetings Coverage SG/SM/23211). https://press.un.org/en/2026/sgsm23211.doc.htm

[40] UN News, “From AI to ‘killer robots’: UN chief issues urgent governance call,” July 2026. https://news.un.org/en/story/2026/07/1167873

[41] Kristalina Georgieva (IMF Managing Director), remarks at the IMF–World Bank Annual Meetings 2025, as reported by the GW Regulatory Studies Center, “Toward a New Multilateralism for AI.” https://regulatorystudies.columbian.gwu.edu/toward-new-multilateralism-ai-insights-imf-annual-meetings-2025

[42] FDD Action, “Action Alert: Support H.R. 3447, the Chip Security Act” (citing the House Select Committee on China’s assessment of more than $1 billion in smuggled controlled chips), March 25, 2026. https://www.fddaction.org/action-alert/2026/03/25/action-alert-support-h-r-3447-the-chip-security-act-and-other-measures/

[43] GeoComply and the American Security Fund, “The Chip Security Act: Location Verification for the AI Age” (joint whitepaper), March 2026. https://www.geocomply.com/resources/whitepaper/the-chip-security-act-location-verification-for-the-ai-age/

[44] Representative Bill Foster (D-IL), technical remarks on chip tracking as reported by Reuters and summarized at Slashdot, “US Senator Introduces Bill Calling For Location-Tracking on AI Chips To Limit China Access,” May 9, 2025. https://news.slashdot.org/story/25/05/09/1850212/us-senator-introduces-bill-calling-for-location-tracking-on-ai-chips-to-limit-china-access