The end of chip smuggling

A workable blueprint for a chip licensing regime

For policymakers: download the one-page policy version of the blueprint.
Download the one-page memo

The problem: shadow compute fuels the race

Our current export controls stop at the border.

A chip that slips through leaves no record. It becomes shadow compute, and it forces American planners to assume the worst about Chinese capability instead of measuring it. Uncertainty speeds the race.

US officials claim DeepSeek trained its latest model on several thousand smuggled Blackwell chips at a data center in Inner Mongolia. The chips, they say, traveled inside servers sold to approved countries, then crossed the border in pieces. While Nvidia and DeepSeek deny it, nobody can prove the story either way, and that is the deeper problem.

FIG. 01 — THE SMUGGLING ROUTE
FACTORY
APPROVED BUYER
DISMANTLED SERVERS
INNER MONGOLIA
NO FILING. NO RECORD. STILL RUNNING.

The damage runs forward too. Any future compute agreement will need a baseline both sides trust. Hidden stockpiles wreck that baseline before talks begin.

Washington, meanwhile, faces two bad options. Refuse to sell, and China builds its own chip stack. Sell freely, and you arm the actors the controls exist to stop. Policy lurches from deal to deal, scandal to scandal.

The controls aren’t too strict or too loose. They’re too crude.

A chip that can’t be governed after it ships shouldn’t leave the country. A chip that can be governed is a different object, and selling it widely is a strategic win.

The solution: licensing enforced by the chip itself

Every chip ships with a signed compute budget that counts down as the chip runs. Renewing it takes a cryptographic signature from an authorized party.

No signature, no compute.

Steal the chip, smuggle it, resell it through six intermediaries: the budget still runs out, and nobody can refill it. From the next hardware generation onward, a smuggled chip is a brick. Today’s ungoverned chips age out as inventory turns over.

FIG. 02 — THE BUDGET LIFECYCLE
1 — CHIP SHIPS
BUDGET FULL — SIGNED
2 — GAUGE DRAINS WITH USE
COUNTING DOWN
3 — TWO ENDINGS
SIGNED RENEWAL → RUNNING
NO SIGNATURE → BRICK

The mechanism is offline licensing, built on a flexible hardware-enabled guarantee, or flexHEG: a small guarantee processor sealed inside a tamper-respondent enclosure.

This turns access from a switch into a dial. Regulators can size budgets so exported compute serves commerce but stays below frontier-training scale, then resize them without touching the hardware.

Rules vary by destination.

FIG. 03 — RULES BY DESTINATION
STANDARD TIER
ALLIES AND PARTNERS
  • Metering only
RESTRICTED TIER
CAPPED OR REVIEWED DESTINATIONS
  • Metering
  • Cluster-size caps
  • Inference-only mode with periodic inspections

Cluster caps limit scale, not content. Frontier training needs thousands of chips wired into one synchronized, high-bandwidth cluster. Hardware can cap that cluster without ever reading the workload.

Privacy is built in. The chip never reports what you run: no models, no weights, no data. At renewal it proves one thing, that no one has tampered with it. The stricter measures, inspections and inference-only modes, apply to restricted destinations alone, as the price of access.

The technology doesn’t exist yet. Pieces of it do: today’s datacenter GPUs already ship with a hardware root of trust, secure boot, and cryptographic attestation. But those features protect a cloud customer from a snooping host. They don’t protect a chip from its own owner, and they don’t resist physical attack. That harder mechanism exists on paper, designed and published. No one has built it at industrial scale, and no one will until chipmakers have a reason to. The plan’s job is to create that reason.

The plan: a standing offer that summons the technology

The two sides are talking past each other. Nvidia has said it in public: no backdoors, no kill switches, no spyware. It sells trust as much as silicon, and hardware its customers suspect of phoning home would poison the whole product line. Washington, meanwhile, won’t widen access to chips it can’t govern. Nobody has put an offer on the table that changes either calculus.

The Commerce Department can break the deadlock by publishing a license exception under authority it already holds. Chips with certified hardware guarantees earn standing, streamlined export to markets now capped or reviewed one deal at a time: the Gulf states, Southeast Asia, the forty-odd countries treated as transshipment suspects. Ungoverned chips face the same restrictions they face today. China remains a separate decision for later, under the strictest rules.

Chipmakers gain plenty. Today every major export is a one-off negotiation that can collapse with a single news cycle. Certification turns it into a published standing rule: bigger volumes, faster approvals, insurance against the next smuggling scandal.

None of this needs new law or a vote in Congress. Commerce wrote and enacted its last major chip rule in five weeks, and it already conditions export licenses on independent third-party testing. This proposal swaps improvised per-deal conditions for one fixed condition, published in advance and the same for everyone.

FIG. 04 — THEORY OF CHANGE
01
Rule published
02
Chipmakers build governed silicon against a guaranteed market
03
Governed exports replace shadow compute as fleets turn over
04
Compute accounting exists when the world needs it

The timeline is honest but slow. Regulators can write the rule in a few months. The first governed silicon ships in roughly three years, and coverage compounds with every generation after. Existing controls continue unchanged in the meantime. Nothing gets worse during the wait.

FIG. 05 — TIMELINE
2026
RULE PUBLISHED
~2029
FIRST GOVERNED SILICON SHIPS
2030s
GOVERNED SHARE RISING

Who decides what qualifies? The rule sets the certification criteria or adopts a published open standard, and accredited independent labs do the testing. The floor is resistance to a class break: if one successful attack copies across the fleet, the mechanism fails.

Is that bar reachable? Banks have trusted tamper-respondent hardware to guard payment keys for decades. Even game consoles, cheap silicon in the hands of millions of motivated hackers, have gone years without a break. And a chip that falls one unit at a time in a lab doesn’t defeat the regime, because nobody runs a covert extraction lab ten thousand times. What’s unproved is whether the mechanism holds against a state’s budget at datacenter scale. Fund that test first.

This plan stands on prior work. RAND proposed hardware mechanisms as a path to export relief. CNAS proposed advance market commitments for chip security. The flexHEG reports specify the architecture. New here is the instrument: a standing license exception, rules tiered by destination, and a path from smuggling enforcement to treaty infrastructure.

Will anyone say yes?

This blueprint represents an alignment of incentives.

FIG. 06 — WHO GAINS WHAT
CHIPMAKERS
Chipmakers get standing authorization instead of fragile one-off approvals.
GOVERNMENT
Government gets enforcement that doesn’t depend on catching smugglers.
BUYER COUNTRIES
Buyer countries get more access.
US
US gains better visibility into where foreign compute concentrates.

Will it stay trusted? Buyers accept governed hardware only if renewals are boringly reliable. One pulled license would do more to finance a rival chip stack than years of Chinese industrial policy. Any power to deny compute must be rule-based, published, and reserved for extreme events such as treaty breach. The model is deterrence, not sanctions.

What this buys

Someday, after a capability jump or a warning shot, governments might want better control over the world’s AI compute, perhaps including a US-China agreement to slow down. Such a deal lives or dies on verification: every FLOP traceable to a signed budget. Facility inspections fail against the one facility nobody declared.

This plan builds that accounting now, while it’s cheap, so the machinery exists when the moment arrives.

A treaty needs the American side to prove itself to a counterparty that trusts nothing. A governed fleet is that proof, ready-made. It is the half of treaty verification the US can build without anyone’s permission.

SOURCES
  1. Exclusive: China’s DeepSeek trained AI model on Nvidia’s best chip despite US ban, official says Reuters · Feb 24, 2026 The official claim: Blackwells likely clustered at DeepSeek’s data center in Inner Mongolia.
  2. DeepSeek reportedly using thousands of smuggled Nvidia chips for AI training The Decoder · Dec 10, 2025 Summarizes The Information’s investigation: servers bought legally in Southeast Asia, dismantled, moved through customs, reassembled in China.
  3. Nvidia decries ‘far-fetched’ reports of smuggling in face of DeepSeek training reports Tom’s Hardware · Dec 2025
  4. DeepSeek launches 1.6-trillion-parameter V4 on Huawei chips as U.S. escalates AI theft accusations Tom’s Hardware · 2026 DeepSeek’s public position: lawfully acquired H800s and Huawei Ascend silicon, no Blackwells.
  5. Hardware-Enabled Governance Mechanisms: Developing Technical Solutions to Exempt Items from Export Controls RAND, working paper WR-A3056-1 · 2024 Origin of the offline-licensing approach: renewable, cryptographically signed limits on exported AI hardware.
  6. Flexible Hardware-Enabled Guarantees, reports I–III flexheg.com · 2025 Specifies the architecture: a guarantee processor inside a tamper-respondent secure enclosure.
  7. Data on GPU clusters Epoch AI
  8. Confidential computing on NVIDIA H100 GPUs for secure and trustworthy AI NVIDIA Developer Blog · 2023 Today’s shipping security features: on-die root of trust, secure and measured boot, signed attestation.
  9. Technical Options for Flexible Hardware-Enabled Guarantees (flexHEG Part II) arXiv:2506.03409 · 2025
  10. No Backdoors. No Kill Switches. No Spyware. NVIDIA Blog · Aug 5, 2025
  11. Export Administration Regulations, 15 CFR Part 740: License Exceptions eCFR The standing authority under which Commerce publishes license exceptions by rule, without new legislation.
  12. Statement on UAE and Saudi Chip Exports U.S. Department of Commerce · Nov 20, 2025 Gulf access today: per-deal authorizations for G42 and HUMAIN, each with negotiated security conditions.
  13. Administration Policies on Advanced AI Chips Codified Mayer Brown · Jan 2026 Documents new license requirements for roughly forty countries assessed as diversion risks to China.
  14. Revision to License Review Policy for Advanced Computing Commodities Federal Register · effective Jan 15, 2026 The rule itself, containing the independent third-party testing condition on license applications.
  15. Trump greenlights Nvidia H200 sales to China if U.S. gets 25% cut CNBC · Dec 8, 2025 Start of the five-week clock: policy announced Dec 8, 2025; the rule above took effect Jan 15, 2026.
  16. BIS Revises Export Review Policy for Advanced AI Chips Destined for China and Macau Morgan Lewis · Jan 2026
  17. Security Engineering, ch. 16: Physical Tamper Resistance Ross Anderson, Cambridge · PDF The history of banking’s tamper-resistant hardware, from IBM security modules onward.
  18. Microsoft’s ‘unhackable’ Xbox One has been hacked by ‘Bliss’ Tom’s Hardware · 2026 The Xbox One stood for twelve years; the break that finally landed is a per-unit physical attack.
  19. Secure, Governable Chips CNAS · Jan 2024 Proposes on-chip governance and advance market commitments to fund chip-security R&D.