A chip that slips through leaves no record. It becomes shadow compute, and it forces American planners to assume the worst about Chinese capability instead of measuring it. Uncertainty speeds the race.
The damage runs forward too. Any future compute agreement will need a baseline both sides trust. Hidden stockpiles wreck that baseline before talks begin.
Washington, meanwhile, faces two bad options. Refuse to sell, and China builds its own chip stack. Sell freely, and you arm the actors the controls exist to stop. Policy lurches from deal to deal, scandal to scandal.
The controls aren’t too strict or too loose. They’re too crude.
A chip that can’t be governed after it ships shouldn’t leave the country. A chip that can be governed is a different object, and selling it widely is a strategic win.
The solution:licensing enforced by the chip itself
Every chip ships with a signed compute budget that counts down as the chip runs. Renewing it takes a cryptographic signature from an authorized party.
No signature, no compute.
Steal the chip, smuggle it, resell it through six intermediaries: the budget still runs out, and nobody can refill it. From the next hardware generation onward, a smuggled chip is a brick. Today’s ungoverned chips age out as inventory turns over.
FIG. 02 — THE BUDGET LIFECYCLE
1 — CHIP SHIPS
BUDGET FULL — SIGNED
2 — GAUGE DRAINS WITH USE
COUNTING DOWN
3 — TWO ENDINGS
SIGNED RENEWAL → RUNNING
NO SIGNATURE → BRICK
The mechanism is offline licensing, built on a flexible hardware-enabled guarantee, or flexHEG: a small guarantee processor sealed inside a tamper-respondent enclosure.
This turns access from a switch into a dial. Regulators can size budgets so exported compute serves commerce but stays below frontier-training scale, then resize them without touching the hardware.
Rules vary by destination.
FIG. 03 — RULES BY DESTINATION
STANDARD TIER
ALLIES AND PARTNERS
Metering only
RESTRICTED TIER
CAPPED OR REVIEWED DESTINATIONS
Metering
Cluster-size caps
Inference-only mode with periodic inspections
Cluster caps limit scale, not content. Frontier training needs thousands of chips wired into one synchronized, high-bandwidth cluster. Hardware can cap that cluster without ever reading the workload.
Privacy is built in. The chip never reports what you run: no models, no weights, no data. At renewal it proves one thing, that no one has tampered with it. The stricter measures, inspections and inference-only modes, apply to restricted destinations alone, as the price of access.
The technology doesn’t exist yet. Pieces of it do: today’s datacenter GPUs already ship with a hardware root of trust, secure boot, and cryptographic attestation. But those features protect a cloud customer from a snooping host. They don’t protect a chip from its own owner, and they don’t resist physical attack. That harder mechanism exists on paper, designed and published. No one has built it at industrial scale, and no one will until chipmakers have a reason to. The plan’s job is to create that reason.
The plan:a standing offer that summons the technology
The two sides are talking past each other. Nvidia has said it in public: no backdoors, no kill switches, no spyware. It sells trust as much as silicon, and hardware its customers suspect of phoning home would poison the whole product line. Washington, meanwhile, won’t widen access to chips it can’t govern. Nobody has put an offer on the table that changes either calculus.
The Commerce Department can break the deadlock by publishing a license exception under authority it already holds. Chips with certified hardware guarantees earn standing, streamlined export to markets now capped or reviewed one deal at a time: the Gulf states, Southeast Asia, the forty-odd countries treated as transshipment suspects. Ungoverned chips face the same restrictions they face today. China remains a separate decision for later, under the strictest rules.
Chipmakers gain plenty. Today every major export is a one-off negotiation that can collapse with a single news cycle. Certification turns it into a published standing rule: bigger volumes, faster approvals, insurance against the next smuggling scandal.
None of this needs new law or a vote in Congress. Commerce wrote and enacted its last major chip rule in five weeks, and it already conditions export licenses on independent third-party testing. This proposal swaps improvised per-deal conditions for one fixed condition, published in advance and the same for everyone.
FIG. 04 — THEORY OF CHANGE
01
Rule published
02 →
Chipmakers build governed silicon against a guaranteed market
03 →
Governed exports replace shadow compute as fleets turn over
04 →
Compute accounting exists when the world needs it
The timeline is honest but slow. Regulators can write the rule in a few months. The first governed silicon ships in roughly three years, and coverage compounds with every generation after. Existing controls continue unchanged in the meantime. Nothing gets worse during the wait.
FIG. 05 — TIMELINE
2026 RULE PUBLISHED
~2029 FIRST GOVERNED SILICON SHIPS
2030s GOVERNED SHARE RISING
Who decides what qualifies? The rule sets the certification criteria or adopts a published open standard, and accredited independent labs do the testing. The floor is resistance to a class break: if one successful attack copies across the fleet, the mechanism fails.
Is that bar reachable? Banks have trusted tamper-respondent hardware to guard payment keys for decades. Even game consoles, cheap silicon in the hands of millions of motivated hackers, have gone years without a break. And a chip that falls one unit at a time in a lab doesn’t defeat the regime, because nobody runs a covert extraction lab ten thousand times. What’s unproved is whether the mechanism holds against a state’s budget at datacenter scale. Fund that test first.
This blueprint represents an alignment of incentives.
FIG. 06 — WHO GAINS WHAT
CHIPMAKERS
Chipmakers get standing authorization instead of fragile one-off approvals.
GOVERNMENT
Government gets enforcement that doesn’t depend on catching smugglers.
BUYER COUNTRIES
Buyer countries get more access.
US
US gains better visibility into where foreign compute concentrates.
Will it stay trusted? Buyers accept governed hardware only if renewals are boringly reliable. One pulled license would do more to finance a rival chip stack than years of Chinese industrial policy. Any power to deny compute must be rule-based, published, and reserved for extreme events such as treaty breach. The model is deterrence, not sanctions.
What this buys
Someday, after a capability jump or a warning shot, governments might want better control over the world’s AI compute, perhaps including a US-China agreement to slow down. Such a deal lives or dies on verification: every FLOP traceable to a signed budget. Facility inspections fail against the one facility nobody declared.
This plan builds that accounting now, while it’s cheap, so the machinery exists when the moment arrives.
A treaty needs the American side to prove itself to a counterparty that trusts nothing. A governed fleet is that proof, ready-made. It is the half of treaty verification the US can build without anyone’s permission.
Statement on UAE and Saudi Chip ExportsU.S. Department of Commerce · Nov 20, 2025Gulf access today: per-deal authorizations for G42 and HUMAIN, each with negotiated security conditions.