Introduction: The Day the Buyer List Was Cut in Half

On July 14, 2026, Reuters carried a report, sourced to the Financial Times, that read like a quiet administrative notice but marked the arrival of a new era in technology governance: Nvidia, the world’s most valuable semiconductor company, had removed more than half of the Asian customers previously authorized to buy its advanced artificial-intelligence chips.[1] In their place stood a new internal “white list” of companies that had survived a dramatically tougher compliance regime — field inspections of customer data centers, contract verification, and interviews with end users — concentrated on Singapore, Malaysia, and Japan, the three commercial hubs through which restricted silicon has most often leaked toward China.[1][2] The companies that failed the review, particularly the fast-growing “new cloud” providers that lease raw GPU capacity, were told they could reapply only after making structural changes to their ownership, their record-keeping, and their willingness to be watched.[1]

The proximate causes of Nvidia’s pivot are a matter of public record. In May 2026, the U.S. Commerce Department issued guidance providing that any buyer whose ultimate parent company sits in China or Macau requires an export license regardless of where the purchasing subsidiary is incorporated — a rule that converts opaque ownership itself into a disqualifying red flag.[3] In March 2026, federal prosecutors unsealed charges against the co-founder of Super Micro Computer and two associates for allegedly routing $2.5 billion worth of AI servers containing Nvidia GPUs to Chinese customers through Taiwan and Southeast Asia — the largest export-control case, in dollar terms, ever brought.[6] Four months before that, the Department of Justice had charged two Americans and two Chinese nationals with running a Tampa shell company, incongruously named Janford Realtor LLC, that funneled hundreds of restricted GPUs to China through Malaysia and Thailand.[4][5] And in the background, Washington pressed the company directly: sources told the Financial Times that Nvidia tightened its compliance process only after sustained pressure from the U.S. government.[2]

What makes the July 2026 announcement historically significant is not the size of the list but what the list represents. A chip designer — a private corporation with no police powers, no subpoena authority, and no treaty obligations — is now dispatching its own inspectors to foreign data centers, interviewing end users on foreign soil, and adjudicating which firms in sovereign third countries may participate in the artificial-intelligence economy. The traditional customs house, with its stamps and manifests and dockside inspections, has been quietly supplemented — in places, replaced — by a privatized, extraterritorial, continuous enforcement apparatus. This real-world pivot underscores a critical reality: traditional border-based customs are dead as the primary instrument of technology control. In the era of modern AI, we need what this paper calls “Compute Customs” — a framework that enforces export controls not just at the shipping dock, but across the entire post-distribution lifecycle of the hardware, the clusters into which it is assembled, and the corporate structures that own and lease it.


  [Traditional Border Control] ──> (Physical Shipping Dock) ──> [Enforcement Ends]

                                                                       │

                                                                       ▼

  [Compute Customs Framework] ──> (Post-Distribution Tracking) ──> [Continuous Enforcement]

                                   ├── Cloud Cluster Workloads

                                   ├── Corporate Subsidiaries & Beneficial Owners

                                   └── Real-Time Compute Usage & Telemetry

Figure 1. The paradigm shift: enforcement no longer ends at the dock; it follows the hardware for life.


The phrase “Compute Customs” is chosen deliberately. Customs, in its classical sense, is the machinery by which a sovereign inspects, taxes, and conditions the movement of goods across a geographic line. What this paper describes is the same machinery re-imagined for a commodity that does not stop moving after it crosses the line — a system that follows accelerators, servers, cloud accounts, corporate subsidiaries, beneficial owners, model-training clusters, and compute usage after the hardware has entered another country. The border becomes continuous rather than geographic. It travels with the silicon, attaches to the workload, and persists for the useful life of the asset. That is a genuinely new kind of governance, and it raises genuinely new questions — technical, legal, commercial, and geopolitical — that the six analytical sections and seven policy pillars of this paper attempt to answer in full.

The stakes of getting the answer right are difficult to overstate. Independent researchers at Epoch AI estimate, with ninety percent confidence, that between 290,000 and 1.6 million H100-equivalent accelerators were smuggled into China through the end of 2025, with a median estimate of roughly 660,000 — approximately one third of China’s total AI compute and comparable to the entire fleet of a leading American frontier laboratory.[19] The Center for a New American Security had earlier estimated a median of about 140,000 chips smuggled in 2024 alone.[18] The House Select Committee on the Chinese Communist Party concluded that DeepSeek, the Chinese laboratory whose models startled the world in early 2025, trained its flagship systems on restricted Nvidia chips that should never have reached it — the finding that transformed chip smuggling, in Congress’s eyes, from an enforcement nuisance into a legislative emergency.[9] If export controls are the load-bearing wall of American AI strategy, that wall is visibly cracked. The question this paper asks is not whether to repair it, but whether the wall is even standing in the right place.

The argument proceeds in six movements. Section 1 establishes the conceptual core: the divergence between the sovereignty of silicon and the liquidity of compute, and why controls designed for static objects fail against a flowing utility. Section 2 dissects the anatomy of modern diversion — shells, clouds, and clusters — using the 2024–2026 prosecution record as its evidence base. Section 3 examines the limits of point-of-sale compliance, taking Nvidia’s whitelist as the most sophisticated version of a fundamentally insufficient approach. Section 4 presents the Compute Customs architecture itself, organized around Five Gates that extend from manufacturer authorization to continuous usage monitoring. Section 5 descends into the machinery — chip passports, firmware attestation, geolocation, power signatures, cluster fingerprinting, and the bitter controversy over remote disabling — and Section 6 confronts the extraterritorial cloud problem and the question of whether private corporations can, or should, serve as border authorities. The paper closes with lessons learned, seven operational pillars, and a conclusion about what it means for the border to become a service rather than a place.


Section 1: The Sovereignty of Silicon vs. The Liquidity of Compute

Every regime of export control ever constructed — from the Coordinating Committee for Multilateral Export Controls (CoCom) of the Cold War to the Wassenaar Arrangement that succeeded it — has rested on a single, rarely examined assumption: that the controlled item is a thing, and that things can be stopped at borders. A missile guidance package, a five-axis milling machine, an extreme-ultraviolet lithography tool: each is a discrete physical object whose military utility travels with its mass. Deny the object passage and you deny the capability. This assumption worked, imperfectly but tolerably, for seventy years, because the assumption was largely true. Chris Miller, the Tufts University historian whose book Chip War became the master narrative of the semiconductor contest, has observed that the most tightly controlled items in the ecosystem — advanced lithography machines — are nearly impossible to smuggle precisely because of their physicality: dozens are produced per year, each requires multiple aircraft to transport, and the manufacturer’s own staff must remain on site to operate them.[12] Physicality, in that world, was the regulator’s best friend.

Artificial-intelligence accelerators break the assumption in three distinct ways, and it is worth being precise about each, because the entire Compute Customs framework follows from them. First, AI chips are small, dense, and fungible. A single Nvidia H100 board weighs roughly as much as a hardcover book and is worth more than a luxury automobile; an entire frontier-scale training cluster fits inside a few shipping containers. Investigative reporting compiled by the Institute for AI Policy and Strategy and the Center for a New American Security documents smugglers moving thousands of units through ordinary freight channels, relabeled as consumer electronics, with individual orders reaching $120 million.[18][20] The object is controllable in principle but trivially concealable in practice.

Second — and this is the deeper break — the value of the chip is not its physical form but its liquid utility: compute. Compute can be rented, pooled, subdivided, and accessed globally in microsecond increments. A GPU physically located in Bangkok, Jakarta, or Osaka can be instantly integrated into a model-training cluster directed by a corporate entity in Shenzhen, with no atom of matter crossing any border at any point. Scholars of compute governance — Lennart Heim of RAND, Tim Fist, Janet Egan, and their collaborators — formalized this insight in a 2024 paper on cloud intermediaries, arguing that compute providers occupy the natural chokepoint for AI regulation precisely because the resource they sell is detached from the geography of the hardware that produces it.[15] The regulatory implication is stark: if an adversary cannot import the silicon, they can simply export the workload. The training job travels to the chips; the model weights travel home; the customs officer sees nothing.

Third, the temporal structure of harm has inverted. A diverted machine tool delivers its military value over decades of operation, leaving a long window for detection and interdiction. A diverted GPU cluster can deliver its decisive value — a completed frontier training run — in a matter of months, after which the strategic damage is embodied in a file of model weights small enough to move on a hard drive or an encrypted upload. Yonadav Shavit’s influential 2023 analysis of compute monitoring framed the problem memorably as one of catching the training run while it is still running, because afterward there is nothing left to catch.[17] Enforcement that arrives after the fact — the auditor who discovers, months later, that a server rack is missing — is not enforcement at all. It is archaeology.

Put these three properties together and the failure mode of ordinary export control becomes almost mechanical. Chips can be rerouted through friendly intermediaries; installed in servers whose export classification obscures their contents; leased through brokers and neo-clouds whose ownership is deliberately opaque; accessed through foreign clouds without ever moving; or operated by an overseas subsidiary whose parent sits in a restricted jurisdiction. Each of these five channels defeats the border in a different way, and each has been documented, repeatedly, in the 2024–2026 enforcement record examined in the next section. The Tufts historian’s own comparative point cuts in the same direction: whereas lithography tools cannot realistically transit third countries, high-end GPUs move through exactly the small set of countries whose data-center booms give large shipments plausible cover — which is why Malaysia, Singapore, Indonesia, Thailand, and the Gulf recur in every indictment.[12][18]

“are there any data centers in Cambodia capable of using these chips?”

— Chris Miller, Professor of International History, The Fletcher School, Tufts University  [12]

Miller’s rhetorical question — posed to illustrate how analysts sanity-check suspicious shipment destinations — captures the old method and its obsolescence in a single breath. In 2024, an analyst could still ask whether a destination country possessed data centers capable of absorbing a GPU shipment, and the answer would expose the fraud. By 2026, the question has lost its power, because Southeast Asia’s legitimate data-center boom is real and enormous: Malaysia’s Johor corridor alone absorbed billions of dollars of genuine hyperscale investment, meaning that a thousand-GPU shipment to Kuala Lumpur is no longer facially implausible — it is Tuesday. When legitimate demand and diversionary demand become statistically indistinguishable at the border, the border ceases to carry information. That is the epistemic collapse at the heart of this paper: the geographic checkpoint no longer knows anything.

It follows that export controls must evolve from monitoring the physical transit of silicon to regulating the continuous execution of compute. This is not a rhetorical flourish; it is a change in the mathematical type of the thing being governed. Transit is an event — a point in time, verifiable once. Execution is a process — a function over time, verifiable only by observation that is itself extended over time. Governing an event requires a checkpoint. Governing a process requires telemetry, auditing, attestation, and revocation — in short, it requires the infrastructure this paper assembles under the name Compute Customs. The sovereignty of silicon was a fact about geography. The liquidity of compute is a fact about physics and markets. Policy built on the first fact cannot survive contact with the second.


Section 2: Anatomy of Modern Diversion — Shells, Clouds, and Clusters

If Section 1 described why diversion is possible, this section describes how it is actually done — not hypothetically, but as reconstructed from indictments, plea agreements, corporate disclosures, and investigative reporting between 2024 and mid-2026. The record now available is remarkably rich, because the United States has brought at least six major prosecutions totaling roughly $3 billion in Nvidia products, and allied jurisdictions — Singapore, Malaysia, Taiwan — have opened parallel cases of their own.[20] Read together, these cases reveal not a scattering of opportunists but a repeatable three-tiered diversion architecture, each tier of which is engineered to defeat a specific layer of the traditional control system.


Tier One: Corporate Subsidiaries and Shells — Defeating Buyer Screening

The first tier attacks the know-your-customer layer. Front companies are established in non-embargoed jurisdictions — the ASEAN states, the United Arab Emirates, sometimes the United States itself — with clean balance sheets, plausible business registrations, and directors free of sanctions history. These entities pass initial screening precisely because screening examines the entity rather than the network behind it. The Janford Realtor case is the canonical illustration: a Tampa, Florida company that, despite its name, never conducted a single real-estate transaction, was used between September 2023 and November 2025 to purchase controlled GPUs and export them to China through Malaysia and Thailand, with the conspirators falsifying paperwork, creating fake contracts, and receiving roughly $3.8 million while shipping 400 A100 GPUs, ten Hewlett Packard Enterprise supercomputers stuffed with H100s, and 50 H200s before law enforcement disrupted the final shipments.[4][5]

“disrupting these kinds of black markets of sensitive U.S. technologies”

— John A. Eisenberg, Assistant Attorney General for National Security, U.S. Department of Justice  [4]

Singapore’s Aperia Group prosecution shows the same tier operating at industrial scale. Between November 2023 and February 2025, executives of three affiliated companies allegedly misrepresented to Dell, Super Micro, and Asus that Aperia entities would be the end users of AI servers that were in fact moved onward to Malaysia, in transactions Singaporean prosecutors valued at approximately $390 million.[23] By July 2026 the case had expanded to money-laundering charges, the seizure of a S$55 million ($42.4 million) bungalow allegedly purchased with proceeds, and — in a first for Singapore — the criminal prosecution of the corporate entities themselves.[22] The lesson of Tier One is uncomfortable for compliance departments everywhere: a front company is, by construction, indistinguishable from a customer at the moment of sale. Only the network — the beneficial owners, the money flows, the counterparties two hops away — carries the signal, and point-of-sale screening does not see the network.


Tier Two: Cloud Account Exploitation — Defeating the Concept of Export Itself

The second tier is more elegant, because it involves no smuggling at all. Once hardware is lawfully delivered to entities in permissive jurisdictions, it is racked in hyperscale or neo-cloud data centers, and access to it is sold as Infrastructure-as-a-Service to customers anywhere on Earth. Under Bureau of Industry and Security advisory opinions dating from 2009 to 2014, providing cloud computing access was not an “export” under the Export Administration Regulations — a doctrinal artifact of an era when the cloud meant email servers, not frontier training clusters.[40] Chinese firms exploited the gap systematically. The Wall Street Journal documented Shanghai-based INF Tech gaining access to 2,300 export-banned Blackwell GPUs by renting 32 GB200 servers from an Indonesian telecommunications company in a deal worth roughly $100 million — servers reportedly purchased after the Chinese customer had been secured.[31] Tencent, a designated Chinese military company, secured approximately $1.2 billion in contracts for access to 15,000 Blackwell processors hosted by Japan’s Datasection in Osaka; Alibaba and ByteDance were separately identified training their Qwen and Doubao model families through Southeast Asian data centers, and ByteDance had earlier rented advanced Nvidia capacity from Oracle inside the United States itself.[32][30]

It was this tier that Congress finally moved against in January 2026, when the House passed the Remote Access Security Act (H.R. 2683) by a vote of 369 to 22, amending the Export Control Reform Act so that remote access to a controlled item — including access through a cloud computing service — can be treated as an export event requiring a license.[30][39] Section 6 returns to the profound implementation difficulties this creates; for present purposes, the point is diagnostic. The cloud tier of the diversion architecture does not evade the border. It reveals that, for compute, the border was never really there.


Tier Three: Cluster Aggregation — Defeating Scale Detection

The third tier is the least prosecuted and the most technically interesting. Even where individual shipments and individual accounts survive scrutiny, controls have historically assumed that a strategically dangerous concentration of compute would be visible as a strategically dangerous concentration of hardware — one enormous facility, one enormous power draw, one enormous purchase order. Modern distributed-training techniques dissolve that assumption. Fragmented, smaller data centers — each individually below any reporting threshold, each individually explicable — can be digitally stitched together across buildings, cities, and even national borders using high-bandwidth interconnects and increasingly tolerant training algorithms, forming a unified model-training cluster that exists as a network object with no single physical address. A massive AI training operation hides in plain sight precisely because every one of its physical components looks unremarkable. Research on distributed and decentralized training has repeatedly flagged this as the coming blind spot of compute governance, and the smuggling cases already gesture toward it: the Super Micro indictment describes servers dispersed across a Southeast Asian customer’s facilities whose auditors were steered away from the racks that mattered.[6][43]

The three tiers compose into a full-stack evasion architecture. A shell company (Tier One) takes lawful delivery in a permissive jurisdiction; the hardware enters a neo-cloud that sells capacity to the true principal (Tier Two); and the capacity is federated with other, similarly sourced pools into a training cluster whose aggregate scale no single observer can see (Tier Three). Each tier defeats a different regulatory instrument — KYC, the export definition, and threshold reporting respectively — which is why no single reform, however well-crafted, can close the system. Table 1 summarizes the major documented cases of 2024–2026 and maps each onto the tier structure.


Case / ActionDateMechanismScaleTier
Janford Realtor LLC (DOJ, 4 defendants, Tampa)Nov. 2025U.S. shell company; falsified contracts; transshipment via Malaysia & Thailand400 A100s; 10 HPE supercomputers with H100s; 50 H200s; ~$3.8M proceeds[4][5]1
Super Micro insider case (co-founder W. Liaw et al.)Mar. 2026Insider-directed diversion via Taiwan & Southeast Asian front customer; staged audits; relabeled dummy servers~$2.5B in AI servers since 2024[6][20]1
Zheng / Kelly / English (DOJ)Mar. 2026750-server order (~$170M) placed for fictitious Thai client; Supermicro/Nvidia flagged China link600 export-controlled GPU servers[7]1
Aperia Group (Singapore)2025–2026False end-user declarations to Dell, Super Micro, Asus; servers moved to Malaysia; $42.4M property seized~$390M in transactions[22][23]1
Lenovo / Hao Global resale ring (DOJ, Texas & NJ)2024–2025Domestic purchase; New Jersey warehouse staging; payment webs via Thailand, Singapore, Malaysia, Taiwan7,000+ H100/H200 GPUs, ~$160M order[21]1
INF Tech via Indonesia (WSJ investigation)Nov. 2025Cloud rental of GB200 servers from Indonesian telecom; no hardware movement2,300 Blackwell GPUs, ~$100M[31]2
Tencent–Datasection (Osaka)2025Offshore cloud contracts for Blackwell capacity in Japan15,000 B200s, ~$1.2B[32]2
Aggregate smuggling estimate (Epoch AI)through 2025All channels, modeled from allegations + undetected flow290K–1.6M H100e; median ~660,000 (~1/3 of China’s compute)[19]1–3

Table 1. Major documented diversion cases and estimates, 2024–2026, mapped to the three-tier evasion architecture.


Two features of this record deserve emphasis before we move on. The first is professionalization. Erich Grunewald, the Institute for AI Policy and Strategy researcher who has studied the smuggling economy as closely as anyone, notes that the trade attracts not only dedicated criminal networks but ordinary trading companies that drift into diversion because the margins are irresistible — a B300 server that lists near $500,000 in the United States has fetched roughly $1 million in China.[3][21]

“there are quite a lot of people who are opportunistically smuggling”

— Erich Grunewald, Senior Researcher, Institute for AI Policy and Strategy  [21]

The second feature is insider compromise. The Super Micro case did not involve outsiders deceiving a vigilant company; it allegedly involved a co-founder and board member who oversaw global sales, pressuring and physically deceiving his own compliance team across at least three audits, including the surveilled relabeling of dummy servers with a hair dryer the day before a U.S. government inspection.[20][6] When the diversion network includes the people who operate the control system, point-in-time auditing is not merely weak — it is actively performative, a theater staged for the auditor’s benefit. That realization is the bridge to Section 3.


Section 3: The Limits of Point-of-Sale Compliance

It would be a mistake to read Nvidia’s July 2026 whitelist as a cosmetic gesture. By the standards of corporate export compliance, it is the most aggressive program a chip designer has ever operated: on-site inspections of customer facilities, verification of downstream contracts, interviews with the human beings who claim to be end users, and the summary removal of more than half of an entire continent’s authorized buyer base, with reinstatement conditioned on structural reform.[1][2] It was undertaken, moreover, against the company’s own immediate revenue interest and under the shadow of the May 2026 Commerce guidance that made ultimate-parent ownership a licensing trigger.[3] If point-of-sale compliance could work, this is what working would look like. The analytical value of the program lies precisely in demonstrating why even its best version is structurally insufficient. Four limits recur, and each maps to a property of the diversion architecture described in Section 2.

The first limit is temporal. Auditing a buyer at the moment of transaction captures a snapshot of a corporate entity at time T. But corporations are not static: a distributor may be fully compliant on Monday and sell its equity, its management, or simply its warehouse keys to a hostile principal on Tuesday. The Aperia companies were established, functioning Singaporean businesses when Dell and Super Micro screened them; the fraud, prosecutors allege, lived in what happened to the servers after the screening was over.[23] Ownership verification without continuous re-verification is a photograph of a river.

The second limit is epistemic. End-user interviews and contractual end-use clauses — necessary steps, and now standard in Nvidia’s program — rely on self-reporting by the only party with an incentive to lie, backed by lagging documentary indicators. The Super Micro indictment shows how little protection even physical inspection provides when the counterparty controls the theater: auditors were shown “friendly” reviewers, steered away from the racks that had left for China, and presented with relabeled dummy servers assembled the night before.[6][20] A point-in-time inspection verifies the state of a warehouse, not the trajectory of its contents. By the time a later inspection reveals that a server rack is missing or misconfigured, months of high-end AI model training may already have concluded — and, per Section 1’s temporal inversion, the strategic harm is complete and irreversible.

The third limit is architectural. Point-of-sale compliance governs the first transaction in what is typically a chain of five or more: designer to OEM, OEM to distributor, distributor to integrator, integrator to data-center operator, operator to cloud tenant. Nvidia’s whitelist reaches its direct customers; it cannot reach the fourth resale, the leasing arrangement, or the cloud account — which is exactly where Tier Two of the diversion architecture lives. The INF Tech affair required no deception of Nvidia at all: the GB200 servers were lawfully sold, lawfully exported to Indonesia, and lawfully racked; the controlled capability then flowed to Shanghai over a network cable that no compliance program touched.[31]

The fourth limit is incentive incoherence, and it is the most delicate, because it implicates the enforcing corporation itself. Nvidia’s fiscal reality is that China was, until restrictions bit, on the order of one eighth to one quarter of its revenue, and every unit denied to a diverter is not necessarily a unit unsold — but every compliance dollar is a real cost, and every rejected buyer is a real customer relationship destroyed.[35][27] The company’s leadership has argued forcefully, and not irrationally, that maximal restriction merely accelerates Huawei’s rise; its CEO lobbied successfully for the H200 opening of December 2025; and its public posture toward hardware-level tracking mandates has ranged from skeptical to scathing.[27][33][9] A control system whose principal enforcement agent is also the party with the largest financial stake in the volume of trade is a system with a structural conflict of interest at its center — a theme Section 6 develops under the heading of private border authorities. None of this is an accusation of bad faith; it is an observation about institutional design. We do not staff customs houses with the exporters’ sales departments, for reasons that long predate the semiconductor.

The general conclusion is that point-of-sale verification is an analog tool attempting to solve a digital, hyper-velocity evasion problem. It inspects entities when the threat lives in networks; it inspects moments when the threat lives in processes; it inspects the first transaction when the threat lives in the fifth; and it asks the seller to police a trade the seller profits from. Each defect is individually patchable and collectively fatal. What is required is not a better snapshot but a different instrument class altogether — one that treats enforcement as an ongoing service co-extensive with the life of the hardware. That instrument class is the subject of the next section.


Section 4: The Compute Customs Architecture — Five Gates from Fab to Workload

The Compute Customs Architecture proposed here fuses hardware-level verification with cloud-level monitoring and corporate-network analysis into a single integrated system. Its organizing principle can be stated in one sentence: every advanced accelerator passes through five sequential gates — manufacturer authorization, buyer verification, shipping inspection, installation verification, and continuous usage monitoring — and the control regime remains attached to the chip at every gate, for life. The first three gates modernize functions that existing export control already performs, badly; the last two are genuinely new, and they are where the paradigm shifts from gatekeeping event to enforcement service. The architecture rests on three technical pillars, visualized below, which subsequent sections elaborate: hardware telemetry rooted in the silicon itself, continuous workload auditing at the cloud layer, and corporate ownership graphing at the institutional layer.


                            ┌─────────────────────────┐

                            │  Compute Customs Framework  │

                            └─────────────┬─────────────┘

                                          │

        ┌────────────────────────────────┼────────────────────────────────┐

        ▼                                 ▼                                 ▼

 ┌──────────────┐                 ┌──────────────┐                 ┌──────────────┐

 │   Hardware   │                 │  Continuous  │                 │  Corporate   │

 │  Telemetry   │                 │   Workload   │                 │  Ownership   │

 │  (Silicon)   │                 │   Auditing   │                 │   Graphing   │

 └──────────────┘                 └──────────────┘                 └──────────────┘

Figure 2. The three technical pillars of the Compute Customs framework.


Gate One: Manufacturer Authorization

The first gate operates before any chip exists as a deliverable product. Under Compute Customs, the right to fabricate and package accelerators above defined performance thresholds — the total-processing-performance and performance-density parameters already embedded in Export Control Classification Numbers 3A090 and 4A090 — carries an affirmative obligation to build governability into the silicon: unique cryptographic device identities fused at manufacture, secure-boot firmware, and the attestation primitives described in Section 5.[8][14] This is the moment of maximum regulatory leverage, because the manufacturing chokepoint is real and narrow: one leading-edge foundry ecosystem, a handful of packaging houses, two dominant designers. The Chip Security Act, in both its House and Senate forms, adopts exactly this logic, requiring that covered integrated-circuit products be outfitted with location-verification mechanisms before export, using techniques feasible at enactment, within 180 days.[8] Gate One converts governability from an aftermarket accessory into a condition of existence for the product class.


Gate Two: Buyer Verification

The second gate is the traditional KYC function, rebuilt around networks rather than entities. Verification under Compute Customs means beneficial-ownership resolution to the level of ultimate parents — the standard the Commerce Department’s May 2026 guidance effectively imposed when it required licenses for any buyer with a Chinese or Macanese ultimate parent regardless of subsidiary domicile — combined with adverse-network screening: who are the buyer’s counterparties, who financed it, who shares its directors, and does its purchasing pattern match its business?[3] Nvidia’s whitelist, with its site visits and end-user interviews, is Gate Two’s private-sector prototype.[1][2] The gate’s defining feature under Compute Customs, however, is that its judgments expire: verification is re-performed on a fixed cycle and re-triggered automatically by ownership changes, because — as Section 3 established — a buyer is a time series, not a document.


Gate Three: Shipping Inspection

The third gate modernizes the physical customs function that gives the framework its name. Serialized, cryptographically signed manifests — chip passports, in the vocabulary of Section 5 — accompany every controlled shipment, enabling any customs service en route to verify that the crate’s declared contents match the fused identities inside it. Multilateral participation is the crux: Malaysia’s Directive No. 1/2025, which since July 14, 2025 has required a strategic trade permit and thirty days’ advance notice for the export, transshipment, or transit of U.S.-origin high-performance AI chips, demonstrates that key intermediary states will build the legal plumbing when pressed.[24][25] Gate Three is where the traditional border retains genuine value — as a checkpoint that reads the hardware’s own credentials rather than the shipper’s paperwork.


Gate Four: Installation Verification

The fourth gate is new. Upon delivery, before an accelerator is licensed to run at full capability, it must be activated in place: the chip attests its identity, its firmware state, and its measured location to the manufacturer’s licensing service, which checks the attestation against the export license of record and issues a time-limited operating certificate. Installation verification closes the gap between “shipped to the licensed destination” and “operating at the licensed destination” — the gap through which every transshipment scheme in Table 1 passed. It also creates the inventory baseline that makes later anomalies detectable: a chip that attested from Johor in March and attests from an unregistered subnet in October is, by that fact alone, a flagged chip. The Chip Security Act’s reporting obligations — license holders must promptly report credible information that a product has been diverted, relocated, or tampered with, including attempts to spoof its location mechanisms — supply the legal skeleton for this gate.[8]


Gate Five: Continuous Usage Monitoring

The fifth gate is the paradigm shift proper: enforcement as a subscription that lasts as long as the silicon does. Deployed fleets periodically re-attest location and configuration; cloud operators report aggregate utilization by verified customer class; cluster-scale telemetry — interconnect topology, power signatures, job-scheduling patterns — feeds anomaly detection tuned to the signatures of covert aggregation described in Section 2’s third tier. Where attestations fail, certificates lapse and performance degrades gracefully rather than catastrophically — a design choice, defended in Section 5, that distinguishes licensing from the “kill switch” caricature. Gate Five is the gate that makes the other four honest: without it, Gates One through Four merely relocate the moment after which nobody is watching. Table 2 summarizes the full sequence.


GateFunctionInstrumentsDefeats (from Section 2)
1. Manufacturer AuthorizationGovernability built into silicon as condition of fabricationFused device IDs; secure boot; attestation primitives; Chip Security Act mandates[8][14]Untraceable gray-market resale; identity laundering of boards
2. Buyer VerificationNetwork-level KYC with expiring judgmentsUltimate-parent resolution; adverse-network screening; site visits; end-user interviews[3][1]Tier 1 shells and front companies
3. Shipping InspectionHardware-readable customs at every transit pointChip passports; signed manifests; multilateral permit regimes (Malaysia Directive 1/2025)[24]Relabeling; transshipment via third countries
4. Installation VerificationActivation-in-place against license of recordLocation attestation; operating certificates; mandatory diversion reporting[8]Ship-to-A, install-in-B schemes; post-delivery relocation
5. Continuous Usage MonitoringLifetime telemetry, auditing, and revocable licensingPeriodic re-attestation; cluster fingerprinting; C-KYC reporting; graceful degradation[14][16]Tier 2 cloud exploitation; Tier 3 covert aggregation

Table 2. The Five Gates of Compute Customs and the evasion channels each is designed to close.


A final architectural remark. The five gates are deliberately redundant — a defense-in-depth design in which no single gate is load-bearing. This matters because every individual mechanism in the system can be defeated by a sufficiently resourced adversary: shells can be layered, attestations can be attacked, telemetry can be jammed. The design wager of Compute Customs is not that any gate is impenetrable but that the joint probability of silently defeating all five, continuously, across a fleet large enough to matter, is low — and that the attempt itself generates detectable exhaust. Export control, correctly understood, was never about hermetic denial; it is about raising the cost, delay, and detection probability of acquisition until the adversary’s domestic alternative becomes the rational choice. The gates should be evaluated against that standard, not against an imaginary standard of perfection.


Section 5: From Chip Passports to Compute Telemetry — The Machinery of the Continuous Border

Architectures are only as credible as their machinery, and the machinery of Compute Customs must answer a hard question: can a piece of silicon, sitting in a hostile or indifferent jurisdiction, prove facts about itself — its identity, its location, its configuration, its workload — to a verifier thousands of miles away, against an owner motivated to lie? The answer that has emerged from the 2024–2026 technical literature is a qualified yes, and the qualifications matter as much as the affirmation. This section walks the full stack, from the humblest instrument (a serial number) to the most contested (remote disablement), pausing on each of the seven mechanisms the outline of this paper committed us to examine: serial numbers, firmware attestations, geolocation signals, cluster configuration, power signatures, maintenance records, and the remote-disabling controversy.


5.1 The Chip Passport: Identity as the Root of Everything

Every subsequent mechanism presupposes that a chip is who it says it is. Modern accelerators already contain the necessary primitive: a unique device identity, fused into hardware at manufacture, bound to a private key that never leaves the die, from which the chip can sign statements — attestations — that any party holding the manufacturer’s public certificates can verify. Nvidia’s Hopper and Blackwell generations ship with confidential-computing features and device attestation built for exactly this kind of assurance, originally marketed to cloud customers who wished to verify the integrity of rented hardware. The Compute Customs insight is that the same primitive serves the regulator: a signed identity plus a registry of licensed identities equals a passport system. The Chip Security Act’s recordkeeping provisions — directing the Commerce Secretary to maintain a record of covered products including the location and current end user of each — are, in effect, the passport office.[8] Passports do not prevent crime; they make anonymous existence impossible, which changes every downstream calculation. A smuggled chip with a fused identity is a chip that can never again safely attach to licensed infrastructure, accept signed firmware updates, or participate in attested clusters — a permanent ghost, cut off from the ecosystem’s bloodstream.


5.2 Firmware Attestation: Proving the Software State

Identity without integrity is insufficient: a chip could be genuine while running modified firmware that lies about everything else. Firmware attestation — the chip cryptographically measuring its own boot chain and reporting the measurements — extends trust from the silicon to the software that operates it. The flexible hardware-enabled guarantees (flexHEG) research program, articulated by James Petrie, Onni Aarne, Nora Ammann, and David Dalrymple in 2025, generalizes this into a design philosophy: secure enclaves and verification modules on the accelerator enforce updatable rule sets — location constraints, interconnect limits, usage quotas — whose satisfaction the hardware itself can prove to remote parties, without exposing the workload’s content.[14] The RAND Corporation’s hardware-enabled governance mechanisms literature reaches parallel conclusions: on-die mechanisms for metering, licensing, and location constraint are feasible with near-term engineering, provided they are designed in at Gate One rather than bolted on afterward.[13][14]


5.3 Geolocation: Where Is the Chip, Really?

Location is the pivotal fact for export control and the hardest to prove, because GPS receivers can be spoofed and a chip has no window to look out of. The practical answer, developed in the location-verification literature and reflected in the Chip Security Act’s technical assessments, is network-latency triangulation anchored in cryptography: trusted landmark servers in known locations challenge the chip; the chip’s secure element signs responses; and the speed of light does the rest, since a chip in Shenzhen cannot answer a Singapore landmark as quickly as a chip in Singapore can.[8][14] Latency triangulation yields coarse resolution — country-or-metropolitan scale rather than street address — but coarse resolution is precisely what export control requires: the regulator does not need to know which rack; it needs to know which jurisdiction. Sustained anomalies — responses consistent with a high-latency proxy relay, or attestation gaps during suspicious windows — become enforcement signals in their own right, and under the Act’s reporting provisions, tampering attempts against the location mechanism are themselves reportable events.[8] Executive policy has converged on the same instrument: the White House’s July 2025 AI Action Plan explicitly tasked the Commerce Department, working with industry, to identify location-verification features for advanced AI chips and to use them to ensure the chips are not diverted to prohibited countries — the first time hardware-level location proof appeared as declared national strategy rather than think-tank proposal.[37]


5.4 Cluster Configuration and Dynamic Fingerprinting

The counter to Tier Three aggregation is telemetry at the cluster level. Training frontier models imposes a distinctive communications physiology on the hardware that runs it: all-reduce traffic patterns, sustained near-peak utilization across synchronized devices, characteristic interconnect topologies, and — where operators attempt to federate across sites — wide-area traffic signatures that ordinary inference workloads never produce. Machine-learning classifiers trained on these signatures can flag, with useful confidence, when nominally independent facilities are behaving as one organism. Configuration attestation complements the statistical approach: flexHEG-style interconnect controls can require that a chip only form high-bandwidth clusters with other attested, licensed chips, making covert aggregation not merely detectable but mechanically difficult.[14] This is Pillar Three of the framework’s technical triad, and it is the least mature — an honest limitation flagged again in Section 8’s research agenda.


5.5 Power Signatures and the Physics of Concealment

Even a perfectly software-silent data center speaks through its electricity. Frontier training runs draw tens of megawatts continuously for weeks, with load profiles — flat, high, synchronized, punctuated by checkpoint dips — that differ measurably from the bursty demand of commercial cloud serving. Grid-level power monitoring, thermal imagery, and satellite observation therefore form an out-of-band verification channel that no firmware compromise can silence, and analysts have long used exactly these methods to study data-center buildouts — while also documenting their limits, as Heim’s cautionary analysis of satellite imagery for AI data centers makes clear.[13] Power signatures will rarely convict; their role in Compute Customs is to corroborate or contradict the story the silicon tells, and inconsistency between channels is itself the alarm.


5.6 Maintenance Records: The Unclassified Goldmine

The least glamorous instrument may be the most immediately practical. Advanced accelerators fail constantly at fleet scale; they demand firmware updates, driver support, replacement parts, warranty service, and — for liquid-cooled rack-scale systems — specialized field engineering. Every service interaction is a location proof and an operator proof. A fleet that never calls home is either extraordinarily lucky or deliberately hiding; a warranty claim originating from an unlicensed jurisdiction is a confession. Structured correctly — with manufacturers obligated to reconcile service telemetry against the license registry of Gate Four — the ordinary commercial exhaust of keeping GPUs alive becomes a passive, low-cost, continuously updated census of where the world’s controlled compute actually lives. Smugglers understand this, which is why diverted fleets forgo support and run degraded — itself a tax on diversion that policy should deliberately deepen.


5.7 The Remote-Disabling Controversy

Finally, the storm center. If a chip can verify its location and refuse to operate outside its license, then somewhere in the system there exists a capability that opponents will call a kill switch — and in 2025 that argument moved from hypothetical to geopolitical. In late July 2025, the Cyberspace Administration of China summoned Nvidia to answer for alleged “backdoor safety risks” in the H20 chips newly cleared for the Chinese market, demanding documentation on tracking and remote-shutdown capabilities.[33] Nvidia’s chief security officer, David Reber Jr., responded with an unequivocal public repudiation — of Chinese suspicions and American legislative proposals alike — invoking the 1990s Clipper Chip debacle and comparing mandated disablement to a car whose dealership keeps a remote control for the parking brake.[33]

“Embedding backdoors and kill switches into chips would be a gift to hackers”

— David Reber Jr., Chief Security Officer, NVIDIA  [33]

The security argument deserves to be taken seriously rather than dismissed as lobbying. A covert, centrally triggerable shutdown pathway in the world’s computing substrate would indeed be a catastrophic single point of failure: discovered by an adversary, it becomes a weapon; leaked, it becomes ransomware’s dream. But the argument, taken seriously, indicts a design that Compute Customs does not require. There is a fundamental difference between a covert kill switch — a secret, remotely invocable off-button — and overt, disclosed, cryptographic licensing, in which the chip’s full performance is contingent on the periodic renewal of an operating certificate, exactly as enterprise software licensing has functioned for decades. The first is a vulnerability wearing a policy costume. The second is an availability property that the owner knows about, contracts around, and can satisfy by the simple expedient of not diverting the hardware. Failure modes are designed to degrade gracefully — throttling toward export-compliant performance thresholds after extended attestation failure, with generous grace periods and offline tolerances — rather than to brick a hospital’s imaging cluster because a certificate server hiccuped. The honest debate, in other words, is not “kill switch: yes or no,” but “which party bears the availability risk of licensing infrastructure, under what transparency, with what recourse.” That is a hard institutional question — Section 7 returns to it — but it is a question of governance design, not of cybersecurity impossibility. It is telling that by mid-2026, half a dozen technology companies had publicly endorsed the Chip Security Act’s location-verification mandates, suggesting that industry opposition is neither monolithic nor immovable.[10]

One more actor’s position must be recorded, because it reveals the strategic stakes with unusual clarity: Beijing objects to the telemetry, too. The same Chinese state that benefits from diversion has banned its own champions from buying H20s partly on the stated ground that American chips might track and betray them — and reporting through 2026 suggests Chinese regulators contemplated approving H200 purchases only where domestic chips could not suffice.[33][29] The People’s Republic, in other words, concedes the central premise of this paper: post-distribution hardware is a vector of continuous foreign presence. Both superpowers now behave as if the chip is a border. Only one of them has said so out loud.


Section 6: The Extraterritorial Cloud and the Private Border Authority

6.1 The Cloud Problem Stated Honestly

Should Chinese firms be able to access controlled capabilities through GPUs physically located in Malaysia, Singapore, Indonesia, Japan, or the Gulf? Stated that baldly, the question sounds rhetorical — and the January 2026 House vote of 369 to 22 for the Remote Access Security Act suggests Washington considers it settled.[30][39] But the question decomposes into three harder ones. First, the definitional question: what is an export, when nothing moves? RASA’s answer — remote access to a controlled item is an export event — overturns nearly two decades of Bureau of Industry and Security doctrine under which cloud provision was not exporting, a doctrine on which the entire global cloud industry built its compliance architecture.[40] Second, the line-drawing question: which access? An API call to a hosted model is not a training tenancy; inference below certain scales is strategically trivial; and a rule that cannot distinguish renting 15,000 Blackwells from querying a chatbot will either be unenforceable or economically ruinous. Third, the sovereignty question, which is the deepest: RASA asserts American jurisdiction over a transaction between a Chinese customer and an Indonesian data center running lawfully purchased hardware on Indonesian soil — jurisdiction premised entirely on the American origin of the silicon’s design. That is the Foreign Direct Product Rule’s logic extended from manufacturing to usage, and it stretches the concept of origin further than it has ever been stretched.

“cloud compute is subject to U.S. export control law, just like physical chips”

— Rep. John Moolenaar, Chairman, House Select Committee on the Chinese Communist Party  [30]

The empirical case for acting is nonetheless overwhelming, and it is worth restating the record from Section 2 in the cloud’s own terms: 2,300 Blackwell GPUs reached a Shanghai startup through an Indonesian rental without a single export violation as the law then stood; $1.2 billion in Osaka-hosted capacity flowed to a designated Chinese military company; and the pattern extended to the largest Chinese platforms training flagship model families through Southeast Asian intermediaries.[31][32] The Biden administration had attempted an administrative answer — the January 2025 AI Diffusion Rule’s worldwide licensing tiers, paired with know-your-customer expectations for infrastructure-as-a-service providers descending from the 2021 and 2024 IaaS rulemakings — but the Diffusion Rule was rescinded by the incoming administration in May 2025, two days before its compliance date, as “overly bureaucratic” and diplomatically corrosive, leaving guidance documents and red-flag lists in place of a framework.[26][13] The result, through 2025, was the worst of both worlds: cloud access formally unregulated, physical exports policed by episodic prosecution, and policy oscillating with each news cycle — an oscillation vividly illustrated by the H200 saga, in which chips restricted in January 2025 were approved for China in December 2025 at a 25 percent revenue share to the U.S. Treasury, subjected in January 2026 to a 50-percent-of-domestic-volume cap and mandatory routing through U.S. third-party verification laboratories, and then stalled for months between Washington’s conditions and Beijing’s countervailing approval regime.[27][28][29]

“keeping the technology out of the hands of our adversaries”

— Jeffery Kessler, U.S. Under Secretary of Commerce for Industry and Security  [26]

Beneath the policy churn sits an observability problem that no statute alone can fix. Governments can watch ore move through checkpoints and track ships by transponder; but the bits traversing cloud networks carry no passport, a petabyte of training data is never stamped at any counter, and once hardware has been activated abroad it exits the export logs forever — which is why analysts of the cloud loophole conclude that all of the law’s leverage points currently sit at the sale of the physical hardware, none at the utilization of compute beyond it.[42] The Remote Access Security Act supplies the missing jurisdiction; only the telemetry and KYC architecture of this paper supplies the missing eyes.


6.2 Cloud Know-Your-Customer as the Positive Program

The constructive answer to the cloud problem is not to ban the cloud but to make it legible — the compute-provider KYC program that Janet Egan and Lennart Heim proposed in 2023 and that has since migrated from working paper to legislative text.[16] Under a mature C-KYC regime, providers operating controlled accelerators anywhere in the world, as a condition of receiving and servicing that hardware, verify the beneficial ownership of accounts consuming high-performance capacity above defined thresholds; screen them against restricted-party lists including ultimate parents; monitor for the structuring behaviors — account splitting, capacity brokering, nested resellers — by which sophisticated customers evade thresholds; and report aggregate consumption by verified customer class to their licensing authority. The analogy to anti-money-laundering banking regulation is exact and instructive: banks did not want the role, the role imposed real costs, evasion never fell to zero — and yet the regime transformed illicit finance from a frictionless default into a specialized, risky, expensive craft. That is the correct ambition for compute. Crucially, C-KYC also answers the line-drawing question above: obligations scale with capability consumed, so the chatbot query is untouched while the ten-thousand-GPU tenancy is interrogated. The direction of travel is bipartisan and explicit: the Commerce Secretary has sketched a future in which allies purchase advanced computing freely —

“provided they’re run by an approved American data center operator”

— Howard Lutnick, U.S. Secretary of Commerce, on conditions for allied access to advanced chips  [38]


6.3 Private Corporations as Border Authorities

Every mechanism surveyed so far — whitelists, passports, attestation, C-KYC — shares a structural feature that this paper’s title elevates to a thesis: the enforcing hands are private. Nvidia and AMD decide who is authorized to buy; server manufacturers and distributors decide whose orders look genuine; cloud providers vet tenants; banks screen the payments; insurers price the diversion risk of cargo; logistics companies decide which crates to question. The state sets parameters and prosecutes failures, but the operational border — the actual daily machinery of inclusion and exclusion — runs on corporate infrastructure. The July 2026 whitelist is simply the most visible instance of a general phenomenon: when a private enterprise must conduct its own international end-user interviews and cut off entire regional buyer pools, it signals that public policy has failed to provide the technical and legal infrastructure the moment demands, and has outsourced the border instead.[1][2]

The outsourcing has real advantages — corporations possess the telemetry, the customer relationships, and the update channels that governments lack — but it carries three pathologies that any honest framework must confront. The first is the conflict of interest already diagnosed in Section 3: the border authority profits from the traffic it polices. The second is asymmetric capacity: Nvidia can afford field inspectors in three countries; the hundred smaller firms in the supply chain — board makers, integrators, regional distributors — cannot, and Section 2’s record shows diversion flowing precisely through the weakest links, including insiders at a major server OEM.[6][20] The third is accountability: when a private whitelist destroys a legitimate Malaysian neo-cloud’s business by mistake, the firm has no tribunal, no due process, and no appeal beyond the vendor’s goodwill — a delegation of quasi-sovereign power without quasi-sovereign safeguards. The Compute Customs framework accepts corporate enforcement as inevitable but insists on re-anchoring it: public rules defining the gates, public registries behind the passports, statutory safe harbors and appeal rights for the governed, and — through the financial channel — the enlistment of actors whose incentives point the right way. Banks and insurers, unlike chip sellers, lose money when diversion succeeds; BIS’s 2024 guidance to financial institutions on export-control compliance was an early recognition that the payment rail is a border, too.[18]

It is also at this junction that the tension between corporate revenue and national security stops being abstract and becomes arithmetic. Nvidia’s first quarter of fiscal 2027 — the quarter ending April 2026, reported that May — recorded $81.6 billion in revenue, up 85 percent year over year, with data-center revenue of $75.2 billion; the same filing recorded zero data-center Hopper shipments to China, against $4.6 billion in the year-ago quarter, and guided to $91.0 billion for the second quarter while assuming no China data-center compute revenue at all.[34][35] A company that can grow 85 percent while writing China to zero has, paradoxically, both less commercial need to fight controls and more resources to implement them — which may explain why the whitelist arrived in 2026 and not 2023. But the same numbers explain the ferocity of the lobbying over each marginal opening: at Chinese street prices roughly double U.S. list, every licensed channel is a multi-billion-dollar prize, and the December 2025 H200 decision — taken days after the CEO’s direct meeting with the President, over the objection of national-security officials who called the H200 the decisive constraint on Chinese AI — shows how far commercial gravity can bend policy.[27][41][29]

“the one thing holding China back in AI”

— Chris McGuire, former White House National Security Council official, on the H200  [41]

The scholarly community’s verdict on that opening was largely unsparing. Chris Miller, appearing on CNBC days after the December announcement, argued that the United States holds a commanding lead in AI chip production — a lead that has been one of the key drivers of American AI leadership — and warned that widening the flow of accelerators to China endangers precisely that advantage.[11]

“risks giving a shot in the arm to China’s AI ecosystem”

— Chris Miller, Professor, The Fletcher School, Tufts University, on expanded chip flows to China  [11]


Section 7: Legal and Geopolitical Challenges of Post-Distribution Tracking

A framework that follows hardware into other countries’ territory, other companies’ data centers, and other people’s workloads collides with three bodies of law and at least one body of politics. This section takes the collisions in ascending order of difficulty, because the temptation in enforcement debates is to treat objections as obstacles to be overrun rather than constraints to be designed for — and a Compute Customs regime that ignores these constraints will fail diplomatically even if it succeeds technically.


7.1 Jurisdictional Overreach and the Sovereignty of Intermediary States

Extraterritorial tracking challenges the national sovereignty of importing nations in a way that ordinary export licensing never did. A license condition binds the exporter; continuous telemetry binds the territory. When an accelerator in a Thai, Malaysian, or Emirati data center reports its location daily to an American manufacturer under an American statute, the host state hosts a foreign monitoring apparatus it never legislated — and states notice. Thailand has already appeared in the prosecution record as a transshipment waypoint and can reasonably object to being conscripted, unconsulted, into someone else’s enforcement perimeter; industry groups have warned that a government chip-tracking mandate risks convincing exactly the countries America needs as customers that the American AI stack arrives with an American leash, pushing them toward alternative suppliers.[9] Yet the record also contains the counter-example that defines the constructive path: Malaysia. Rather than resent the perimeter, Kuala Lumpur internalized it — issuing Directive No. 1/2025 under its own Strategic Trade Act, requiring its own permits for the export, transshipment, and transit of U.S.-origin AI chips, and declaring in its own voice that it would police its own jurisdiction.[24][25]

“Malaysia stands firm against any attempt to circumvent export controls”

— Ministry of Investment, Trade and Industry (MITI), Government of Malaysia  [25]

The Malaysian precedent suggests the correct legal architecture for the whole system: not American telemetry imposed on foreign soil, but harmonized national regimes — each intermediary state operating its own gates under its own law, interoperating through shared registries and mutual recognition, in the manner of aviation safety or Basel banking standards. Sovereignty objections dissolve when the sovereign owns the checkpoint. The diplomatic work of Compute Customs is to make owning the checkpoint more attractive than hosting the gray trade — through preferential access to allocation, through the Validated-End-User-style privileges the diffusion debates contemplated, and through the reputational shelter that Singapore’s vigorous prosecutions have visibly purchased.[22][13]


7.2 Privacy, Trade Secrets, and the Verification Paradox

Continuous workload auditing risks exposing exactly the things a functioning economy must protect: proprietary model architectures, training datasets, commercial strategies encoded in job-scheduling patterns, and — where telemetry is fine-grained — the confidential business of every innocent tenant sharing the monitored infrastructure. The verification paradox is that the regulator needs to know who is training what scale of model without learning what the model is; the operator needs to prove compliance without performing disclosure. The technical literature’s answer is the family of privacy-preserving verification methods — trusted execution environments that measure workloads inside sealed enclaves and emit only compliance verdicts; zero-knowledge proof systems that demonstrate properties of a computation without revealing the computation; and aggregate, threshold-based reporting that never touches individual tenants below strategic scale.[14][17] These tools are real but young; their performance overheads at frontier scale are unproven; and the framework must therefore be sequenced honestly — coarse instruments first (location, identity, aggregate capacity), fine instruments (workload classification) only as the cryptography matures. A Compute Customs regime that demanded plaintext visibility into the world’s workloads would deserve the resistance it would get.


7.3 Contractual Enforceability Across Legal Systems

The third collision is quieter but commercially decisive: can post-sale conditions — attestation duties, audit rights, degradation clauses — actually be enforced across the dozens of legal systems where controlled hardware lives? Contract law in most jurisdictions is hostile to remote disablement of sold goods; consumer-protection and computer-misuse statutes in some countries arguably criminalize it; insolvency proceedings can strip covenants from assets; and a foreign court asked to bless an American vendor’s throttling of a domestic company’s property may see expropriation where Washington sees compliance. The practical answers are structural rather than heroic: shift from sale to lease or licensed-capacity models for the highest tiers of hardware, so that continuing conditions attach to a continuing relationship rather than a completed transfer; anchor enforcement in the certificate infrastructure — a lapsed license is a service not rendered, not a sabotage committed; and write the arbitration, notice, and cure provisions with the same care the aviation industry writes airworthiness directives. Post-distribution contractual escrow — hardware functionality tied to a continuously renewed, legally backed digital certificate — is Pillar Five of the operational program below, and it is drafted precisely to survive this gauntlet.


7.4 The Geopolitics of Reciprocity

Finally, the political constraint that dwarfs the legal ones: whatever machinery America builds into its silicon, others will build into theirs, and the norm once established will be universal. A world of attested, licensed, telemetered compute is also a world in which Chinese accelerators attest to Beijing, in which every buyer of anyone’s hardware inherits someone’s continuous presence, and in which the neutrality of computing infrastructure — already a polite fiction — is formally dead. Beijing’s 2025 security campaign against the H20 shows the reciprocal logic already operating; the fragmentation of the global stack into attested spheres of influence is not a risk of Compute Customs so much as its probable equilibrium.[33] The honest defense is comparative: the alternative equilibrium — unverifiable diffusion of the most strategically consequential technology in history, governed by episodic criminal prosecution after the harm — is worse, and was already collapsing on its own evidence by 2026. Frameworks do not get to choose between themselves and a perfect world; they choose between themselves and the status quo’s trajectory.


Section 8: What Have We Learned?

Six lessons emerge from the record assembled in this paper, and they are worth stating plainly, because each inverts an assumption that governed policy as recently as 2023.

First: the perimeter-defense model of trade policy is obsolete for this technology class. It is no longer sufficient to regulate the transfer of technology; we must regulate its operation. The evidence is not theoretical — it is 660,000 median-estimate H100-equivalents inside China, a third of that country’s compute, moved through and around a perimeter that was never designed to see networks, processes, or workloads.[19]

Second: hardware security is now inseparable from national security, and the market has already voted. Nvidia’s whitelist, its field inspectors, its end-user interviews — these are the behaviors of a firm that has concluded the perimeter will not protect it from the consequences of what happens beyond the perimeter.[1][2] When the most commercially motivated actor in the system voluntarily amputates half a continent’s buyer list, the actor is telling us what it believes about the enforcement environment’s direction.

Third: private manufacturers have become de facto border agencies, and that delegation is currently running without the accountability infrastructure — due process, appeal, public rulemaking — that border power requires. The framework’s task is not to reverse the delegation, which is irreversible, but to constitutionalize it.

Fourth: policy oscillation is itself a proliferation vector. The 2025–2026 sequence — Diffusion Rule issued in January, rescinded in May; H20 banned in April, licensed in July, boycotted by Beijing in August; H200 restricted, then approved at 25 percent revenue share in December, then capped and tariffed in January — taught every participant in the market that restrictions are negotiable and temporary, which is precisely the belief that makes stockpiling, smuggling, and speculative diversion rational.[26][27][29] Nor did the oscillation begin in 2025: Gregory C. Allen of the Center for Strategic and International Studies characterized the late-term December 2024 controls as a “bombshell” — the third major rewrite of the regime in twenty-six months — and each rewrite reset the compliance calculations of every firm and every smuggler simultaneously.[36] The Super Micro indictment captures the mechanism in a single detail: an executive allegedly urging a customer to accelerate shipments ahead of an announced rule’s effective date.[20] Verification architecture embedded in hardware — the Chip Security Act’s explicit design goal — is, among other things, an attempt to build enforcement that survives executive mood swings.[9]

Fifth: allies and intermediaries will build their own gates when given reasons to — Malaysia’s directive, Singapore’s prosecutions, Taiwan’s interdictions — and the multilateral layer is therefore a design surface, not a pipe dream.[24][22]

Sixth, and most fundamentally: the object of control has changed type. The physical chip is merely the vessel; compute is the currency. Everything else in this paper is a corollary of that sentence.


The Seven Pillars of Compute Customs

To operationalize the framework, global regulators and technology manufacturers must establish seven foundational pillars. The first five correspond to the technical and institutional gates developed above; the sixth and seventh — added here to the original five-pillar program — supply the enforcement capacity and the privacy legitimacy without which the first five would remain, respectively, toothless and intolerable.


Pillar 1: Hardware-Rooted Telemetry (HRT)

Mandate cryptographic, hardware-level identity, location, and configuration reporting built directly into the silicon architectures of all frontier AI accelerators, following the Chip Security Act’s sequencing: feasible mechanisms — fused identities and latency-based location verification — within 180 days of enactment, with a statutory assessment pipeline for secondary mechanisms such as interconnect licensing and usage metering as the flexHEG research program matures them.[8][14] Design rules: overt, documented, and auditable, never covert; fail-graceful, never fail-dead; and standardized across vendors so that governability does not become a competitive tax on whoever implements it first.[10]


Pillar 2: Cloud-Provider Know-Your-Customer (C-KYC)

Standardize, across allied jurisdictions, regulations requiring platforms that operate controlled accelerators to verify the beneficial ownership — to ultimate parents — of accounts consuming high-performance compute above defined thresholds, to screen against restricted-party and adverse-network lists, to detect structuring, and to report aggregate verified consumption.[16][15] Pair the obligation with the Remote Access Security Act’s jurisdictional clarification so that provision of controlled capacity to restricted principals is an export event wherever the racks stand, while calibrating thresholds so that ordinary inference and small-scale research never enter the system’s field of view.[30][39]


Pillar 3: Dynamic Cluster Fingerprinting

Fund, deploy, and continuously retrain machine-learning systems that analyze telemetry, interconnect topology, data-transfer patterns, power signatures, and job-scheduling behavior across global data centers to detect when disparate nodes are being surreptitiously linked into unified training clusters — the Tier Three threat — and complement detection with prevention by conditioning high-bandwidth cluster formation on mutual attestation among licensed devices.[14][43]


Pillar 4: Corporate Ownership Graphing and Continuous Buyer Verification

Replace point-of-sale KYC with a standing, registry-backed graph of the corporate networks surrounding every authorized buyer — beneficial owners, ultimate parents, shared directors, financing sources, counterparties — refreshed on ownership events and audited on a fixed cycle, with the May 2026 ultimate-parent licensing standard as the floor.[3] Nvidia’s whitelist demonstrates feasibility; the pillar’s work is to convert a proprietary corporate practice into a public, appealable, mutually recognized institution.[1]


Pillar 5: Post-Distribution Contractual Escrow

Establish the legal framework — through model license conditions, lease-first commercial structures for top-tier hardware, and treaty-level mutual recognition — under which hardware functionality above export-compliant thresholds is tied to a continuous, legally backed digital operating certificate that lapses if attestation fails or compliance audits are missed, with defined notice, cure, arbitration, and force-majeure provisions so that the mechanism reads as licensing rather than sabotage in every jurisdiction where it must survive judicial scrutiny.


Pillar 6: Multilateral Transshipment Harmonization and Enforcement Capacity

Create unified data-sharing agreements among allied and intermediary nations — building outward from Malaysia’s Directive 1/2025, Singapore’s prosecutorial precedents, and the U.S.-allied licensing architecture — to flag and block front companies and illicit tech-hubs before hardware procurement occurs, and to reconcile national registries of chip passports at every transit point.[24][22] Match the paper architecture with human capacity: fund the Bureau of Industry and Security’s enforcement corps to the scale of the trade it polices, and enact the whistleblower-award and qui tam mechanisms already proposed in the Senate, which the SEC’s program suggests could substantially self-finance — a reform Grunewald and others have championed as the highest-leverage cheap fix in the entire system.[18][21]


Pillar 7: Privacy-Preserving Verification Standards

Charter, jointly with allied standards bodies and the cryptographic research community, the development and certification of zero-knowledge and enclave-based verification protocols that let operators prove compliance — location, aggregate scale, customer class — without exposing workloads, models, datasets, or innocent tenants; and bind Pillars 1 through 3 to those standards as they mature, so that the continuous border earns the consent of the governed rather than merely their compliance.[14][17]


PillarMandatePrimary InstrumentsLead Actors
1. HRTGovernability fused into silicon at manufactureDevice IDs; location attestation; secure firmware; Chip Security Act[8]Designers, foundries, BIS
2. C-KYCLegible cloud: verified beneficial ownership of large compute consumersUltimate-parent screening; thresholds; RASA jurisdiction[16][30]Cloud & neo-cloud providers, BIS
3. FingerprintingDetect & prevent covert cluster aggregationTelemetry ML; power signatures; attested interconnects[14]Regulators, grid operators, vendors
4. Ownership GraphingContinuous, network-level buyer verificationRegistries; ownership-event triggers; site inspection[3][1]Manufacturers, registries, allied agencies
5. Contractual EscrowLifetime license conditions that survive resaleOperating certificates; lease-first models; arbitrationVendors, insurers, courts
6. Multilateral HarmonizationShared gates, shared data, funded enforcementPermit regimes; passport reconciliation; whistleblower awards[24][18]State Dept., MITI-style ministries, BIS
7. Privacy-Preserving VerificationCompliance proofs without disclosureZero-knowledge proofs; trusted enclaves; aggregate reporting[14][17]Standards bodies, cryptographers

Table 3. The Seven Pillars of Compute Customs: mandates, instruments, and lead actors.


Conclusion: The Border as a Service

The traditional methods of keeping critical technologies out of the hands of adversaries are failing against the fluid, decentralized nature of modern artificial intelligence — failing not marginally but categorically, because they were built to stop objects and the object of value has become a flow. The physical chip is merely the vessel; compute is the currency. Nvidia’s drastic reduction of its Asian buyer list in July 2026, and its turn toward intrusive post-sale auditing under governmental pressure, is the first major corporate acknowledgment of this paradigm shift — an admission, written in the language of compliance programs, that the dock is no longer where the border lives.[1][2]

What this paper has proposed is to stop treating that admission as an improvisation and start treating it as a constitution. By formalizing today’s ad-hoc private compliance measures into a rigorous, technology-driven framework of Compute Customs — five gates from fab to workload, seven pillars from silicon telemetry to privacy-preserving proof, harmonized across the intermediary states that have already begun building their own checkpoints — policymakers can move past static border controls toward something the moment actually requires: continuous, hardware-verified post-distribution tracking; rigorous cloud-cluster auditing; and proactive corporate ownership mapping, all bounded by the due-process, sovereignty, and privacy constraints that make a border legitimate rather than merely effective.

The framework will be attacked from both flanks, and both attacks contain truth. Industry will say, with Nvidia’s security chief, that governability mechanisms can become vulnerabilities; the answer is not denial but design — overt licensing rather than covert switches, graceful degradation rather than remote destruction, standards rather than secrets.[33][10] Sovereigntists and civil libertarians will say that a world of attested, telemetered compute normalizes surveillance of the infrastructure of thought; the answer is Pillar Seven — verification without disclosure — and the candid acknowledgment that the reciprocal, fragmented equilibrium is coming regardless, and the only live question is whether it arrives with rules. Between the flanks stands the record this paper has documented: hundreds of thousands of the most strategically consequential devices ever manufactured, moved through shells, clouds, and clusters into the hands of the state they were controlled against, while the enforcement system photographed the river and called it monitoring.[19][18]

Customs, at its origin, was never really about the dock. It was about a political community’s claim to know and to choose what crosses into the space it is responsible for. For seventy years geography let us implement that claim with stamps and checkpoints, and geography has now withdrawn the favor. The claim survives; only the implementation must change. The border becomes continuous rather than geographic — a service running for the life of the silicon, verifying rather than trusting, everywhere the compute flows. Building that border deliberately, multilaterally, and with its limits designed in is the work this decade’s technology policy will be judged by. The alternative is not an open world. It is an unwatched one.


Footnotes / Endnotes

[1]  Devika Nair (Reuters), “Nvidia halves Asia buyer list in China chip crackdown, FT reports,” Reuters via Yahoo Finance, July 13, 2026. https://finance.yahoo.com/technology/ai/articles/nvidia-halves-asia-buyer-list-033140201.html

[2]  Tom’s Hardware, “Nvidia slashes list of authorized customers in Asia in a bid to reduce AI chip smuggling — company sent field inspectors, called customers to check if business is genuine after pressure from Washington,” July 2026. https://www.tomshardware.com/tech-industry/big-tech/nvidia-slashes-list-of-authorized-customers-in-asia-in-a-bid-to-reduce-ai-chip-smuggling-report-claims-company-sent-field-inspectors-called-customers-to-check-if-business-is-genuine-after-pressure-from-washington

[3]  Softonic News, “Nvidia overhauls Asian chip sales: cuts buyer list amid export crackdown,” July 2026 (detailing the May 31, 2026 U.S. Commerce Department ultimate-parent guidance and China B300 street pricing). https://en.softonic.com/articles/nvidia-overhauls-asian-chip-sales-cuts-buyer-list-amid-export-crackdown

[4]  U.S. Department of Justice, Office of Public Affairs, “U.S. Citizens and Chinese Nationals Arrested for Exporting Artificial Intelligence Technology to China” (statement of Asst. Attorney General John A. Eisenberg), November 20, 2025. https://www.justice.gov/opa/pr/us-citizens-and-chinese-nationals-arrested-exporting-artificial-intelligence-technology

[5]  CBS News, “Justice Department charges 4 men in U.S. in scheme to export AI chips to China,” November 21, 2025. https://www.cbsnews.com/news/justice-department-charges-4-us-scheme-export-ai-chips-china/

[6]  CNBC, “Super Micro shares tank 33% after employees charged with smuggling Nvidia chips to China,” March 19, 2026. https://www.cnbc.com/2026/03/19/us-tech-execs-smuggled-nvidia-chips-to-china-prosecutors-say.html

[7]  The Register, “Three more charged with trying to smuggle GPUs to China,” March 26, 2026. https://www.theregister.com/on-prem/2026/03/26/three-more-charged-with-trying-to-smuggle-gpus-to-china/5224160

[8]  U.S. Congress, H.R. 3447 / S. 1705, “Chip Security Act,” 119th Congress (2025–2026), full text. https://www.congress.gov/bill/119th-congress/house-bill/3447/text

[9]  The Cyber Express, “Congress Wants a Tracker on Every Advanced AI Chip US Exports,” March 27, 2026 (House Foreign Affairs Committee passage; DeepSeek findings of the Select Committee on China). https://thecyberexpress.com/advanced-ai-chip-chip-security-act/

[10]  NBC News, “Chips Security Act gains industry support: letter,” June 2026. https://www.nbcnews.com/tech/tech-news/chips-security-act-gains-industry-support-letter-rcna350500

[11]  Chris Miller (Professor of International History, The Fletcher School, Tufts University), interview on CNBC Squawk Box, December 12, 2025; transcript excerpts via StartupHub.ai. https://www.startuphub.ai/ai-news/ai-video/2025/chip-war-author-chris-miller-on-the-battle-of-ai-chip-export-controls/

[12]  Sayari, “Navigating Emerging Chip Developments: 4 Key Questions for Chip War Author Chris Miller,” July 2024. https://sayari.com/resources/navigating-emerging-chip-developments-4-key-questions-for-chip-war-author-chris-miller/

[13]  Lennart Heim (RAND Corporation), “Understanding the Artificial Intelligence Diffusion Framework: Can Export Controls Create a U.S.-Led Global Artificial Intelligence Ecosystem?” RAND Perspective PEA3776-1, January 2025. https://www.rand.org/pubs/perspectives/PEA3776-1.html

[14]  James Petrie, Onni Aarne, Nora Ammann & David Dalrymple, “Flexible Hardware-Enabled Guarantees for AI Compute,” arXiv:2506.15093, 2025. https://arxiv.org/abs/2506.15093

[15]  Lennart Heim, Tim Fist, Janet Egan, Sihao Huang, Stephen Zekany, Robert Trager, Michael A. Osborne & Noa Zilberman, “Governing Through the Cloud: The Intermediary Role of Compute Providers in AI Regulation,” arXiv:2403.08501, March 2024. https://arxiv.org/abs/2403.08501

[16]  Janet Egan & Lennart Heim, “Oversight for Frontier AI Through a Know-Your-Customer Scheme for Compute Providers,” arXiv:2310.13625, October 2023. https://arxiv.org/abs/2310.13625

[17]  Yonadav Shavit, “What Does It Take to Catch a Chinchilla? Verifying Rules on Large-Scale Neural Network Training via Compute Monitoring,” arXiv:2303.11341, 2023. https://arxiv.org/abs/2303.11341

[18]  Tim Fist & Erich Grunewald, “Countering AI Chip Smuggling Has Become a National Security Priority,” Center for a New American Security (CNAS), June 2025. https://www.cnas.org/publications/reports/countering-ai-chip-smuggling-has-become-a-national-security-priority

[19]  Epoch AI, “Diversion and Resale: Estimating Compute Smuggling to China,” April 2026. https://epoch.ai/publications/chip-smuggling

[20]  Erich Grunewald (Institute for AI Policy and Strategy), “How Banned AI Chips End Up in China,” guest essay, May 2026. https://blog.peterwildeford.com/p/how-banned-ai-chips-end-up-in-china

[21]  The Wire China, “Chasing the Chip Smugglers” (quoting Erich Grunewald, IAPS), March 1, 2026. https://www.thewirechina.com/2026/03/01/chasing-the-chip-smugglers-nvidia-ai-chips-china/

[22]  The Diplomat, “Singaporean Police Seize $42M Bungalow in Nvidia Chip Smuggling Probe,” July 2026. https://thediplomat.com/2026/07/singaporean-police-seize-42m-bungalow-in-nvidia-chip-smuggling-probe/

[23]  TechCrunch, “Singapore grants bail for Nvidia chip smugglers in alleged $390M fraud,” March 13, 2025. https://techcrunch.com/2025/03/13/singapore-grants-bail-for-nvidia-chip-smugglers-in-alleged-390m-fraud/

[24]  Baker McKenzie Global Sanctions & Export Controls Blog, “Malaysia Introduces New Export Control Directive for Advanced AI Chips” (MITI Directive No. 1/2025 under the Strategic Trade Act 2010), July 17, 2025. https://sanctionsnews.bakermckenzie.com/malaysia-introduces-new-export-control-directive-for-advanced-ai-chips/

[25]  TechCrunch, “Malaysia will require trade permits for US AI chips” (quoting the MITI media statement), July 14, 2025. https://techcrunch.com/2025/07/14/malaysia-will-require-trade-permits-for-u-s-ai-chips/

[26]  U.S. Department of Commerce, Bureau of Industry and Security, “Department of Commerce Announces Rescission of Biden-Era Artificial Intelligence Diffusion Rule” (statement of Under Secretary Jeffery Kessler), May 2025. https://www.bis.gov/press-release/department-commerce-announces-rescission-biden-era-artificial-intelligence-diffusion-rule-strengthens

[27]  CNBC, “Trump greenlights Nvidia H200 AI chip sales to China if U.S. gets 25% cut, says Xi responded positively,” December 8, 2025. https://www.cnbc.com/2025/12/08/trump-nvidia-h200-sales-china.html

[28]  Council on Foreign Relations (Michael C. Horowitz & Chris McGuire), “The Consequences of Exporting Nvidia’s H200 Chips to China,” Expert Brief, December 9, 2025. https://www.cfr.org/expert-brief/consequences-exporting-nvidias-h200-chips-china

[29]  CRN Asia, “Trump greenlights Nvidia H200 chip sales to China after months of industry lobbying — then imposes 25% tariff” (BIS conditions: January 16, 2026 effective date; 50% domestic-volume cap; U.S. third-party laboratory verification), January 2026. https://www.crnasia.com/news/2026/components-and-peripherals/trump-greenlights-nvidia-h200-chip-sales-to-china-after-mont

[30]  U.S. House Select Committee on the Chinese Communist Party, “House Passes Bipartisan Legislation to Limit Adversaries’ Remote Access to Critical Technology” (statement of Chairman John Moolenaar), January 12, 2026. https://chinaselectcommittee.house.gov/media/press-releases/house-passes-bipartisan-legislation-to-limit-adversaries-remote-access-to-critical-technology

[31]  Tom’s Hardware, “U.S. House passes bill to stop Chinese companies from accessing export-controlled American AI chips using offshore rental loophole — Remote Access Security Act effectively extends export controls to the cloud,” January 13, 2026. https://www.tomshardware.com/tech-industry/artificial-intelligence/u-s-house-passes-bill-to-stop-chinese-companies-from-accessing-export-controlled-american-ai-chips-using-offshore-rental-loophole-remote-access-security-access-act-effectively-extends-export-controls-to-the-cloud

[32]  Introl, “Remote Access Security Act: House Passes Bill 369-22 Extending Export Controls to Cloud Computing,” January 23, 2026 (INF Tech/Indonesia; Tencent–Datasection Osaka contracts). https://introl.com/blog/remote-access-security-act-cloud-loophole-export-controls-2026

[33]  David Reber Jr. (Chief Security Officer, NVIDIA), “No Backdoors. No Kill Switches. No Spyware.” NVIDIA Blog, August 5, 2025. https://blogs.nvidia.com/blog/no-backdoors-no-kill-switches-no-spyware/

[34]  NVIDIA Corporation, “CFO Commentary on First Quarter Fiscal 2027 Results,” SEC Form 8-K exhibit, May 20, 2026 (revenue $81.6B; Data Center $75.2B; no Hopper shipments to China vs. $4.6B a year earlier). https://www.sec.gov/Archives/edgar/data/0001045810/000104581026000051/q1fy27cfocommentary.htm

[35]  CNBC, “Nvidia earnings takeaways: Data center revenue nearly doubles — live coverage of Q1 fiscal 2027 results,” May 20–21, 2026 ($91B Q2 guidance excluding China). https://www.cnbc.com/2026/05/20/nvidia-nvda-earnings-report-q1-2027.html

[36]  Gregory C. Allen (Director, Wadhwani AI Center, Center for Strategic and International Studies), “Understanding the Biden Administration’s Updated Export Controls,” CSIS, December 2024. https://www.csis.org/analysis/understanding-biden-administrations-updated-export-controls

[37]  Crowell & Moring LLP, International Trade Law blog, “Export Controls and America’s AI Action Plan” (White House AI Action Plan, Pillar III: location-verification features for advanced AI chips), July 30, 2025. https://www.cmtradelaw.com/2025/07/export-controls-and-americas-ai-action-plan/

[38]  Freshfields, “BIS Rescinds AI Diffusion Rule, Issues Notice of ‘High Probability’ Enforcement Related to AI and Semiconductors” (quoting U.S. Commerce Secretary Howard Lutnick), June 2025. https://www.freshfields.com/en/our-thinking/blogs/a-fresh-take/bis-rescinds-ai-diffusion-rule-issues-notice-of-high-probability-enforcement-r-102kp9j

[39]  eeNews Europe, “US House moves to extend AI chip export controls to the cloud” (H.R. 2683, 369–22 vote of January 12, 2026), January 13, 2026. https://www.eenewseurope.com/en/ai-chip-export-controls-cloud-remote-access-security-act/

[40]  SoftwareSeni, “The AI Overwatch Act and Remote Access Security Act — How New Laws Are Reshaping Cloud GPU Access” (BIS advisory opinions 2009–2014 on cloud provision; Senate companion S. 3519), April 2026. https://www.softwareseni.com/the-ai-overwatch-act-and-remote-access-security-act-how-new-laws-are-reshaping-cloud-gpu-access/

[41]  Introl, “Trump Lets Nvidia Sell H200 Chips to China for 25% Revenue” (quoting former NSC official Chris McGuire; Mercator Institute analyst Antonia Hmaidi), December 29, 2025. https://introl.com/blog/trump-nvidia-china-export-control-reversal-december-2025

[42]  The Economy (economy.ac), “The Cloud Loophole: Why Chip Sanctions Cannot Secure U.S. AI Leadership,” May 2026. https://economy.ac/research/2026/05/202605289177

[43]  “Hardware-Level Governance of AI Compute: A Feasibility Taxonomy for Regulatory Compliance and Treaty Verification,” arXiv:2604.04712, April 2026 (surveying location attestation, trusted execution environments, compute metering, interconnect limits, and distributed-training governance gaps). https://arxiv.org/abs/2604.04712