Updated 2026-03-24
Hardware Mechanisms for International AI Agreements

Analysis

A comprehensive technical taxonomy of hardware-based AI verification mechanisms—location attestation, TEEs, compute metering, interconnect limits, chip tracking, and remote disablement—mapped to specific governance agreement types, with TRL assessments, active developers, timelines, key organizations (CNAS, RAND, IAPS, FlexHEG), startups (Lucid Computing), investment landscape analysis, and substantial criticisms. The field is nascent (TRL 2–5) but rapidly developing, with dramatically underfunded R&D relative to its importance for international AI governance.


Quick Assessment

Dimension | Assessment
---|---
Maturity | Early research / pre-deployment; most mechanisms at TRL 2–5
Primary challenge | Geopolitical buy-in and adversarial evasion, not just technical readiness
Key mechanism types | Location verification, TEEs/confidential computing, interconnect limits, chip tracking, compute metering
Governance models targeted | IAEA-style monitoring, compute allocation treaties, export control verification, training run registration
Main developers | MIRI, IAPS, CNAS, RAND, FlexHEG (Bengio), Lucid Computing, Oxford Martin AIGI
Subcategory | Compute Governance
Related wiki pages | Hardware-Enabled Governance, International Compute Regimes

Source | Link
---|---
CNAS — Secure, Governable Chips (Jan 2024) | cnas.org
Official Report (MIRI, Nov 2024) | intelligence.org
RAND — Hardware-Enabled Governance Mechanisms | rand.org
CNAS — Technology to Secure the AI Chip Supply Chain (Dec 2024) | cnas.org
EA Forum Discussion | forum.effectivealtruism.org
Longview Philanthropy — RFP on HEMs | longview.org

Overview

Hardware mechanisms for international AI agreements are security features embedded in AI accelerators, networking equipment, and related infrastructure that allow parties to an international treaty to verify each other's compliance without relying solely on mutual trust or access-dependent inspections. The core idea is to make high-stakes AI governance tractable by anchoring verification in tamper-resistant physical objects—chips—rather than in software declarations or diplomatic assurances alone.

The strategic case for hardware-enabled governance rests on a structural advantage: advanced AI chips are manufactured in fewer than 20 facilities globally, with TSMC producing roughly 90% of leading-edge chips. This extreme supply chain concentration creates a natural chokepoint for governance that has no parallel in software or data. A January 2024 CNAS report, Secure, Governable Chips, argued that current export controls are insufficient, economically harmful, and invite circumvention through smuggling—and that embedding governance directly into chip hardware via on-chip mechanisms (trusted execution environments, remote attestation, operating licenses, tamper-evidence) would be more effective and less distortionary than blanket export bans.[1] Many of the required technologies already exist in commercial form: NVIDIA H100/H200 chips support confidential computing, Intel provides SGX enclaves, and AMD offers SEV encrypted virtualization. What is missing is adversarial hardening against well-resourced state actors with physical hardware access.

The conceptual foundation draws heavily on nuclear arms control precedents. Information Barriers (IBs) used in warhead verification and Permissive Action Links (PALs) used to prevent unauthorized launches both demonstrated that hardware could enforce treaty obligations without exposing sensitive design details. The 1990s Arms Control Exchange (ACE) program between US and Chinese laboratories, which developed seismic monitoring and tamper-proof IB hardware for Comprehensive Test Ban Treaty verification, is a frequently cited analogue. Researchers working on AI hardware mechanisms argue that the same logic—hardware-rooted assurances that permit verification without full disclosure—can be adapted to govern compute thresholds, data center configurations, and training run characteristics.[2]

The field crystallized rapidly between 2024 and 2026. The CNAS report (January 2024) established the policy framework. A November 2024 report from MIRI outlined a taxonomy of verification mechanisms. RAND published working papers on hardware-enabled mechanisms and convened workshops with chip manufacturers, policymakers, and researchers.[3] Yoshua Bengio's FlexHEG project received $4.1M from the Survival and Flourishing Fund in 2024 to develop flexible hardware-enabled guarantees with an open-source "Guarantee Processor" architecture.[4] Subsequent arXiv work (2025) and an Oxford Martin AI Governance Initiative report (2025) elaborated specific mechanism types, mapped them to governance objectives, and assessed their readiness.[5][6]


History and Precedents

Nuclear Verification as a Template

The intellectual genealogy of hardware mechanisms for AI runs directly through nuclear non-proliferation. The most cited precedent is the US–Russia collaboration on Permissive Action Links and Environmental Sensing Devices between 1994 and 2005, in which the United States shared warhead safety technology with Russia by disclosing design abstractions rather than full specifications—a pattern researchers hope to replicate for AI chip verification. An earlier UK transfer attempt in the 1960s failed because technical sensitivities proved harder to abstract away. The US–China collaboration in the 1990s on launch-integrated nuclear security technology illustrates similar limits in adversarial relationships.[2]

The Arms Control Exchange program of the 1990s is particularly influential. US national laboratories worked with China's CAEP to build IB systems for warhead verification: six-component tamper-proof hardware assemblies combining data barriers, volatile storage, yes/no displays, security watchdogs, physical shielding, and procedural controls. These devices could confirm whether a warhead met treaty specifications without revealing design secrets. AI researchers cite this as proof of concept that hardware can provide meaningful assurance under adversarial conditions.[2]

How the AI Hardware Problem Compares to Nuclear Verification

Dimension | Nuclear (IAEA) | AI Hardware
---|---|---
Facilities under safeguards | ≈1,300 nuclear facilities (2024) | ≈1,300 hyperscale data centers (late 2025), plus thousands of smaller facilities
Annual inspections | >3,000 in-field verification activities | No equivalent inspection regime exists
Treaty framework | NPT (1968), IAEA safeguards, New START | No equivalent treaty exists
Safeguards budget | ≈$161M/year (≈39% of IAEA's ≈$418M budget) | No equivalent budget allocation
Manufacturing concentration | Uranium enrichment in a handful of countries | More concentrated: TSMC ≈67% of leading-edge chips; ASML sole maker of EUV lithography
Excludability of key input | Plutonium and enriched uranium are physically scarce and trackable | Compute is general-purpose; AI knowledge is infinitely replicable
Speed of proliferation | Building nuclear weapons takes years | Training AI models can be done in weeks

The supply chain concentration is the strongest point of analogy—semiconductor manufacturing is more concentrated than nuclear materials, making upstream controls potentially more effective. The IAEA's tag-and-seal practices for nuclear materials have direct analogues in proposed tamper-evident chip enclosures. However, the analogy breaks down on excludability (compute is general-purpose, not scarce), scale (the number of facilities to monitor is far larger), and speed (AI capabilities can proliferate through weight distribution in hours, not years). CNAS explicitly cautions against slavish adherence to the IAEA model, arguing for mechanisms that allow "policymakers to think beyond the limitations of slow and complex structures such as the IAEA."[1]

The Clipper Chip Cautionary Precedent

The most frequently cited cautionary tale for hardware-embedded governance is the 1993 Clipper chip. The Clinton White House proposed mandating a cryptographic chip (MYK-78) in all telecommunications equipment, with each chip's encryption key split and held in escrow by NIST and the Department of the Treasury. Law enforcement could reconstruct the key with a court order.

In 1994, AT&T researcher Matt Blaze demonstrated that the 16-bit integrity hash protecting the escrow system was far too short—a brute-force attack averaging only 65,536 attempts could produce a fake escrow field, letting users get strong encryption while defeating key recovery entirely. Combined with massive public opposition (led by the EFF's "Golden Key" coalition) and market failure (the only purchaser was the Department of Justice itself), the program was dead by 1996.

Lessons for AI chip governance: hardware-based backdoors with weak integrity checks can be defeated; governance mechanisms that impose costs without buy-in from manufacturers and users get routed around by the market; and the difference between "surveillance tool" and "verification mechanism" matters enormously for public acceptance. Proponents of HEMs argue their proposals differ from Clipper because they use privacy-preserving verification (proving where a chip is or how much compute was used, without accessing what was computed) rather than content access, and because they have a clearer security rationale.

Timeline of Key Developments in the AI Context

Year | Event | Key Actors
---|---|---
Pre-2024 | US imposes export controls on AI accelerators to restrict military and surveillance use | US government
March 2023 | Shavit publishes What does it take to catch a Chinchilla?—first major compute monitoring framework, proposing on-chip firmware snapshots of training runs | Yonadav Shavit (Harvard / OpenAI)
January 2024 | CNAS publishes Secure, Governable Chips, proposing on-chip governance mechanisms as alternatives to blanket export bans; estimates 18 months to 4 years for hardened implementations | CNAS (Tim Fist, Onni Aarne, Caleb Withers)
February 2024 | Computing Power and the Governance of AI published, establishing the academic framework for compute governance | GovAI / University of Cambridge (Lennart Heim et al.)
April 2024 | Petrie publishes foundational offline licensing design for existing H100 firmware | James Petrie (FLI / Oxford)
2024 | arXiv report outlines hardware-enabled mechanisms including chip-based location reporting and geolocking for AI policy goals | Sastry et al. and related researchers
September 2024 | FlexHEG interim report published; $4.1M awarded by Survival and Flourishing Fund for open-source "Guarantee Processor" development | Yoshua Bengio et al.
November 2024 | MIRI report details verification mechanisms, prioritizing chip tracking and TEEs | MIRI
December 2024 | CNAS publishes Technology to Secure the AI Chip Supply Chain, a technical primer on supply chain verification | CNAS (Tao Burga, Tim Fist)
2025 | RAND publishes working papers on hardware-enabled mechanisms and convenes workshops with chip manufacturers and policymakers | RAND (Lennart Heim, Gabriel Kulp, Margaret Siu)
2025 | Oxford Martin AIGI report categorizes on-chip and off-chip verification methods | Oxford Martin AIGI
2025 | Lucid Computing founded in San Francisco, building hardware-rooted zero-trust verification for AI workloads using TEEs and latency-based location proofs | Lucid Computing
May 8, 2025 | Senator Tom Cotton introduces bipartisan Chip Security Act mandating security features in high-performance AI chips | US Congress / CSIS analysis
2025 | arXiv paper (abs/2505.03742) by Aidan O'Gara, Gabriel Kulp, et al. on hardware-enabled mechanisms for verifying AI training properties | O'Gara, Kulp, et al.
2025 | Centre pour la Sécurité de l'IA begins developing prototype trackers for EU AI Act compliance | French Center for AI Safety
June 2025 | FlexHEG publishes technical options paper and international security applications paper on arXiv | FlexHEG team
July 2025 | Trump AI Action Plan recommends DOC/OSTP/NSC explore location-verification features for chips and recommends developing controls on semiconductor-manufacturing subsystems | US government
2025 | Longview Philanthropy issues RFP expecting to award $2–10M in grants for HEM prototypes | Longview Philanthropy
December 2025 | NVIDIA pilots chip tracking software for Blackwell GPUs | NVIDIA
2026 | SPAR projects (MIRI-led) assess existing chip security for verification, interconnect limits, and US–China bilateral feasibility | Aaron Scher / MIRI
March 2026 | House Foreign Affairs Committee markup of Chip Security Act (H.R.3447 / S.1705) scheduled | US Congress

Mechanism Types: Technical Description and R&D Readiness

Research has converged on roughly six distinct hardware mechanism types, each targeting different treaty verification problems. The sections below describe each mechanism, its readiness, and active developers.

1. Location Verification and Geolocking

What it does: Chips verify their geographic location using delay-based challenge-response with cryptographic attestation—not GPS (which is easily spoofed and cannot penetrate data center walls). The process works as follows:

  1. A landmark server at a known geographic location sends a cryptographic challenge to an AI chip
  2. The chip signs the response using its hardware root of trust—a unique cryptographic key fused into the silicon at manufacturing (already present in NVIDIA H100s)
  3. The landmark measures the round-trip delay of the signed response
  4. Using speed-of-light physics: if a chip responds in 1 millisecond, the signal traveled at most 186 miles round-trip, so the chip is at most 93 miles away
  5. Triangulation from multiple geographically dispersed landmarks narrows the location to ~50–60 mile accuracy (sufficient for country-level verification)

Relay attacks (forwarding challenges to a distant chip) are defeated because the relay itself adds measurable latency. The system does not reveal what models chips are training, what data they process, or what computations they run—it operates independently from computational workloads, like temperature monitoring. For air-gapped facilities, the Chip Security Act provides alternative compliance paths: on-site audits at approved destinations and certifications by US-headquartered entities maintaining secure control.
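The distance bound in steps 3 to 5 and the relay check above, worked through as an added example (not code from the page, IAPS or any named project): the landmark coordinates, declared site, attested signing time, 300 km policy radius and fibre channel model are all constructed assumptions.

```python
"""Delay-based location verification, following the five steps on this page:
speed-of-light bounds from round-trip times to landmark servers, intersection
of the resulting discs, and detection of a relay. Added example; landmark
coordinates, the declared site, signing time, policy radius and the fibre
channel model are constructed assumptions."""
import math
from dataclasses import dataclass

C_KM_PER_MS = 299.792458              # speed of light in vacuum, km/ms: a sound upper bound
FIBER_KM_PER_MS = 0.67 * C_KM_PER_MS  # assumed propagation speed in fibre, used only to simulate RTTs
EARTH_RADIUS_KM = 6371.0088


@dataclass(frozen=True)
class Landmark:
    name: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def max_distance_km(rtt_ms, signing_ms=0.0):
    """Step 4: a reply seen after rtt_ms travelled at most c*rtt round trip, so the
    chip is at most c*rtt/2 from the landmark. Signing time only adds delay, so
    subtracting an attested value keeps the bound sound (1 ms -> about 150 km)."""
    return C_KM_PER_MS * max(rtt_ms - signing_ms, 0.0) / 2


def verify_proximity(landmarks, rtts_ms, radius_km, signing_ms=0.0):
    """Step 5: the chip lies in the intersection of the discs around the landmarks.
    Policy: it must prove it is within radius_km of every landmark in the region.
    A chip can only make RTTs longer, never shorter, so it cannot fake proximity."""
    bounds = {lm.name: max_distance_km(rtts_ms[lm.name], signing_ms) for lm in landmarks}
    return all(b <= radius_km for b in bounds.values()), bounds


def claim_consistent(landmarks, rtts_ms, claim_lat, claim_lon, signing_ms=0.0):
    """Declared-site check: a reply faster than physics allows for the declared
    site means the chip is somewhere nearer to that landmark than it claims."""
    return all(haversine_km(lm.lat, lm.lon, claim_lat, claim_lon)
               <= max_distance_km(rtts_ms[lm.name], signing_ms) for lm in landmarks)


def simulate_rtt(landmark, chip_lat, chip_lon, signing_ms, relay=None):
    """Constructed channel model: fibre along the great circle. With a relay the
    challenge goes landmark -> relay -> chip and back; the extra leg is latency
    the chip cannot remove, which is why the page says relays are detectable."""
    if relay is None:
        one_way = haversine_km(landmark.lat, landmark.lon, chip_lat, chip_lon)
    else:
        one_way = (haversine_km(landmark.lat, landmark.lon, relay[0], relay[1])
                   + haversine_km(relay[0], relay[1], chip_lat, chip_lon))
    return 2 * one_way / FIBER_KM_PER_MS + signing_ms


def demo():
    landmarks = [Landmark("LM-A", 0.0, 0.0), Landmark("LM-B", 0.0, 2.0), Landmark("LM-C", 1.5, 1.0)]
    declared = (0.0, 1.0)   # declared data centre, ~111 km from LM-A and LM-B (constructed)
    signing = 0.05          # attested signing latency in ms (assumption)
    radius = 300.0          # policy radius around each in-region landmark (assumption)

    honest = {lm.name: simulate_rtt(lm, *declared, signing) for lm in landmarks}
    honest_ok, honest_bounds = verify_proximity(landmarks, honest, radius, signing)

    # Diverted chip ~2,200 km east, with a relay box left at the declared site.
    far = (0.0, 21.0)
    relayed = {lm.name: simulate_rtt(lm, *far, signing, relay=declared) for lm in landmarks}
    relay_ok, relay_bounds = verify_proximity(landmarks, relayed, radius, signing)

    # Chip inside the region but not at the declared site: ~56 km from LM-A.
    near = {lm.name: simulate_rtt(lm, 0.0, 0.5, signing) for lm in landmarks}
    return {
        "honest": (honest_ok, claim_consistent(landmarks, honest, *declared, signing)),
        "relayed": (relay_ok, claim_consistent(landmarks, relayed, *declared, signing)),
        "wrong_site": (verify_proximity(landmarks, near, radius, signing)[0],
                       claim_consistent(landmarks, near, *declared, signing)),
        "bounds": {"honest": honest_bounds, "relayed": relay_bounds},
    }
```

The relayed chip fails the proximity policy (its bounds exceed 300 km at every landmark), while the in-region chip at the wrong site passes proximity but fails the declared-site consistency check.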

Why it matters for agreements: Location verification is the prerequisite for export control verification treaties. Without it, no party can confirm that chips sold under a licensing regime have remained with authorized users. It also underpins training run registration regimes that tie permitted compute to specific facilities.

TRL assessment: TRL 4–5. IAPS has demonstrated a working prototype on Nvidia H100 chips using delay-based challenge-response, achieving verification within approximately 300 miles of a Singapore landmark server. Nvidia piloted its own tracking software for Blackwell GPUs in December 2025. IAPS estimates a firmware-only implementation could be completed within 6 months at under $1M, with a landmark network of 100–500 servers costing $2.5–12.5M/year. The bipartisan Chip Security Act (H.R.3447 / S.1705) would mandate location verification on export-controlled chips within 180 days of enactment; House Foreign Affairs Committee markup is scheduled for March 26, 2026.

Active developers: IAPS (Erich Grunewald et al.—primary research group); Nvidia (commercial pilot); MIRI SPAR projects led by Aaron Scher; Future of Life Institute (James Petrie—identified existing encryption keys in Nvidia processors); O'Gara, Kulp, et al. (arXiv 2025); U.S. government interest through the Trump AI Action Plan (July 2025).

What remains: Improving accuracy near export-control borders, hardening against spoofing attacks (sophisticated actors could tamper with message speeds), scaling to millions of chips, resolving privacy concerns, and establishing multilateral key infrastructure.

Estimated timeline: Firmware-based pilot within 6–12 months if mandated by the Chip Security Act; broader treaty-grade deployment 3–5 years out.[5][6]


2. On-Chip Attestation and Trusted Execution Environments (TEEs)

What it does: Trusted Execution Environments are hardware-isolated computing regions within a processor that can run code inaccessible even to the chip's owner and produce cryptographically signed attestations about what code was executed and what outputs were produced. On NVIDIA GPUs, confidential computing features provide a commercial approximation of this capability.

Why it matters for agreements: TEEs are the enabling technology for IAEA-style monitoring of AI training runs. They allow an international auditor to verify that an approved evaluation or monitoring protocol was actually executed on a specific model, without accessing the model weights or training data directly. They also enable compute metering—logging total FLOPs consumed in a verifiable, tamper-resistant way.

TRL assessment: TRL 5–6 for commercial confidential computing (NVIDIA H100 already supports TEE functionality; NVIDIA Remote Attestation Service is GA). TRL 3–4 for treaty-grade AI monitoring.

The most concrete governance deployment to date is the UK AI Security Institute + Anthropic + OpenMined pilot (2025), which used H100 secure enclaves and AMD SEV-SNP on Azure to run privacy-preserving AI safety evaluations. Key findings: the end-to-end process took 28 minutes and 3 seconds, of which only 1 minute 11 seconds was actual computation—the remaining ~27 minutes was the governance/approval process (stakeholders reviewing code, policies, and execution parameters, then independently approving and cryptographically signing all code). The GPU showed less than 5% performance overhead. The key insight: procedural coordination, not computation, is the bottleneck for TEE-based governance. The cloud provider does not need to be trusted—integrity, authenticity, and confidentiality are guaranteed via hardware attestation.[7]

NVIDIA H100 confidential computing provides a hardware root of trust anchored in on-die silicon, with a chain of trust spanning four processors (CEC EROT → FSP → GSP → SEC2). All CPU-GPU transfers are encrypted across PCIe. Approximately 90% of GPU memory is locked in a Compute Protected Region inaccessible to the host OS, hypervisor, or cloud administrator. Remote attestation verifies 64 measurement records (firmware hashes, configurations) against NVIDIA's Reference Integrity Manifest. The raw compute overhead is zero (plaintext in secure memory); the CPU-GPU interconnect bandwidth is limited to ~4 GB/s due to encryption, resulting in under 7% end-to-end throughput loss for most LLM inference workloads.
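Verifier-side logic for the measurement check just described, as an added example that is not NVIDIA's NRAS or go-nvtrust code: the report layout, measurement names, hashes, key ids and revocation list are constructed, and an HMAC stands in for the chip's asymmetric attestation key. The nonce and revocation checks are the defences against replayed attestations and extracted keys that this page's threat model and TEE vulnerability sections call for.

```python
"""Verifying a TEE attestation report against a reference manifest, in the
spirit of the measurement check described on this page. Added example with a
constructed report format: HMAC stands in for the chip's asymmetric key, and
the measurement names, hashes and key ids are made up for illustration."""
import hashlib
import hmac
import json


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed reference manifest: expected hash per measured component
# (a real manifest such as NVIDIA's RIM covers 64 records; three are shown).
REFERENCE_MANIFEST = {
    "firmware.gsp": _h(b"gsp-firmware-v1"),
    "firmware.sec2": _h(b"sec2-firmware-v1"),
    "config.cc_mode": _h(b"cc_mode=on"),
}


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_report(key: bytes, key_id: str, nonce: str, measurements: dict) -> dict:
    """Chip side: sign (key_id, nonce, measurements) with the device key. The nonce
    is the verifier's challenge, so the signature cannot be reused for a later one."""
    body = {"key_id": key_id, "nonce": nonce, "measurements": measurements}
    body["signature"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_report(report, expected_nonce, trusted_keys, revoked_key_ids,
                  manifest=REFERENCE_MANIFEST):
    """Verifier side. Returns (accepted, problems). Checks after the signature are
    independent so an auditor sees every reason at once; one is enough to reject."""
    key = trusted_keys.get(report.get("key_id"))
    if key is None:
        return False, ["unknown attestation key id"]
    body = {k: v for k, v in report.items() if k != "signature"}
    expected_sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, report.get("signature", "")):
        return False, ["signature invalid: report contents cannot be trusted"]
    problems = []
    if report["key_id"] in revoked_key_ids:
        # A key known to be extracted signs perfectly valid-looking reports;
        # only revocation plus rotation to a fresh key stops that.
        problems.append("attestation key revoked")
    if report.get("nonce") != expected_nonce:
        problems.append("nonce mismatch: stale or replayed report")
    got = report.get("measurements", {})
    for name, ref in manifest.items():
        if name not in got:
            problems.append(f"missing measurement: {name}")
        elif got[name] != ref:
            problems.append(f"measurement mismatch: {name}")
    for name in got:
        if name not in manifest:
            problems.append(f"unexpected measurement: {name}")
    return not problems, problems


def demo():
    keys = {"chip-0001/k1": b"constructed-key-1", "chip-0001/k2": b"constructed-key-2"}
    revoked = {"chip-0001/k1"}   # k1 treated as compromised and rotated to k2 (constructed)
    good = dict(REFERENCE_MANIFEST)
    out = {}
    genuine = make_report(keys["chip-0001/k2"], "chip-0001/k2", "nonce-1", good)
    out["genuine"] = verify_report(genuine, "nonce-1", keys, revoked)
    # Same report presented against a later challenge: replay.
    out["replayed"] = verify_report(genuine, "nonce-2", keys, revoked)
    # Modified firmware changes one measurement.
    patched = {**good, "firmware.gsp": _h(b"gsp-firmware-modified")}
    out["patched_fw"] = verify_report(
        make_report(keys["chip-0001/k2"], "chip-0001/k2", "nonce-3", patched), "nonce-3", keys, revoked)
    # Valid signature under a key the registry has revoked.
    out["old_key"] = verify_report(
        make_report(keys["chip-0001/k1"], "chip-0001/k1", "nonce-4", good), "nonce-4", keys, revoked)
    # Nonce edited without access to the key: signature no longer matches.
    out["forged"] = verify_report({**genuine, "nonce": "nonce-5"}, "nonce-5", keys, revoked)
    return out
```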

Active developers: NVIDIA (commercial NRAS service, go-nvtrust open-source attestation); UK AISI + Anthropic + OpenMined (governance pilot); Intel Trust Authority (composite CPU+GPU attestation); Lucid Computing (commercial TEE-based verification platform using Intel TDX and NVIDIA CC); Oxford Martin AIGI researchers; O'Gara, Kulp, et al.; Yoshua Bengio's FlexHEG project ($4.1M SFF-funded, developing an open-source "Guarantee Processor" that monitors accelerator usage and a "Secure Enclosure" providing physical tamper protection).[4] Caliptra 2.1 (AMD/Google/Microsoft/Nvidia under CHIPS Alliance)—an open-source silicon root of trust with quantum-resilient cryptography—is the most promising standardization effort and could become the cross-vendor governance foundation.

What remains: Standardizing what an AI monitoring TEE must certify; adversarial red-teaming (see Security Vulnerabilities in Current TEEs below); establishing mutual evaluation protocols between nations; and resolving IP protection concerns.

Estimated timeline: Prototype treaty-grade TEE monitoring plausibly within 2–4 years; deployment in a real agreement likely 5–8 years out.[5]


3. Compute Metering and Usage Reporting

What it does: Chips continuously log cumulative floating-point operations and periodically report these totals—cryptographically signed—to a registry or auditor. This is distinct from location attestation: metering tracks how much computation was performed, not where.

Why it matters for agreements: Compute metering is the core mechanism for compute allocation treaties that cap how many FLOPs a party can use for AI training above a threshold. It is also necessary for training run registration regimes in which parties declare frontier training runs in advance and regulators verify that declared compute matches actual usage.

TRL assessment: TRL 3–4. Compute logging exists in current chips for internal performance monitoring, but treaty-grade metering requires tamper-resistant accumulation, cryptographic signing, and secure reporting channels not present in commercial silicon.

A key commercial precedent existed in Intel On Demand (also called "Software Defined Silicon"), launched with 4th Gen Xeon Scalable processors in 2022. Hardware accelerator blocks—including Intel QAT (cryptographic acceleration), DSA (data streaming), IAA (analytics), and even SGX (security enclaves)—were physically present on the die but electronically disabled, unlockable through purchased software licenses. This demonstrated that remote feature activation/deactivation in shipping silicon is technically feasible at commercial scale. However, the program was quietly discontinued in November 2025 due to market rejection—hardware buyers expected full capabilities at point of sale. The governance lesson: post-purchase feature gating is technically proven but requires a compelling security rationale, not just a revenue model.
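Auditor-side handling of the signed cumulative counters described above, as an added example (not code from any of the projects named on this page): chip ids, keys, the 1 PFLOP/s peak rate and every report are constructed, and HMAC stands in for a per-chip signing key. Beyond signature checking it applies the monotonicity, physical-plausibility and declared-run cross-checks that treaty-grade metering needs.

```python
"""Compute metering as described on this page: each chip reports a signed,
cumulative FLOP counter; a registry verifies signatures, monotonicity and
physical plausibility, and cross-checks declared training runs. Added example;
chip ids, keys, peak rate and reports are constructed, and HMAC stands in for
a per-chip asymmetric signing key."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

PEAK_FLOP_PER_S = 1.0e15   # assumed peak throughput of one accelerator (constructed, ~1 PFLOP/s)


@dataclass
class MeterReport:
    chip_id: str
    seq: int               # per-chip report sequence number, +1 each report
    cumulative_flop: int   # FLOPs counted since manufacture; never reset
    period_end: int        # unix seconds at which the counter was sampled (constructed)
    signature: str = ""


def _canonical(r: MeterReport) -> bytes:
    body = {k: v for k, v in asdict(r).items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_report(key: bytes, r: MeterReport) -> MeterReport:
    r.signature = hmac.new(key, _canonical(r), hashlib.sha256).hexdigest()
    return r


class MeterRegistry:
    """Auditor-side state: one accepted report history per chip."""

    def __init__(self, chip_keys: dict):
        self.chip_keys = chip_keys
        self.history = {}   # chip_id -> list of accepted reports

    def ingest(self, r: MeterReport) -> list:
        """Record the report and return [] if acceptable, else the problems found."""
        key = self.chip_keys.get(r.chip_id)
        if key is None:
            return ["unknown chip id"]
        expected = hmac.new(key, _canonical(r), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, r.signature):
            return ["bad signature: no field can be trusted"]
        problems = []
        prev = self.history.get(r.chip_id, [])
        if prev:
            last = prev[-1]
            if r.seq != last.seq + 1:
                problems.append(f"sequence {r.seq} after {last.seq}: gap or replay")
            if r.period_end <= last.period_end:
                problems.append("timestamp not advancing: replayed report or reset clock")
            if r.cumulative_flop < last.cumulative_flop:
                problems.append("counter rollback: tampering or firmware reset")
            elif r.period_end > last.period_end:
                # No chip can exceed its peak rate: a larger increment means an
                # inflated counter or a skewed clock, either way worth an inspection.
                elapsed = r.period_end - last.period_end
                if r.cumulative_flop - last.cumulative_flop > PEAK_FLOP_PER_S * elapsed:
                    problems.append("increment exceeds peak throughput for the elapsed time")
        elif r.seq != 1:
            problems.append(f"first report has seq {r.seq}: earlier reports missing")
        if not problems:
            self.history.setdefault(r.chip_id, []).append(r)
        return problems

    def usage(self, chip_id: str, seq_from: int, seq_to: int) -> int:
        """FLOPs consumed between two accepted reports (difference of cumulative counters)."""
        by_seq = {x.seq: x for x in self.history.get(chip_id, [])}
        return by_seq[seq_to].cumulative_flop - by_seq[seq_from].cumulative_flop

    def check_declared_run(self, chip_ids, seq_from, seq_to, declared_flop, tolerance=0.05):
        """Training-run registration cross-check: metered total versus declared total."""
        actual = sum(self.usage(c, seq_from, seq_to) for c in chip_ids)
        return actual <= declared_flop * (1 + tolerance), actual


def demo():
    keys = {"chip-A": b"constructed-key-A", "chip-B": b"constructed-key-B"}
    reg = MeterRegistry(keys)
    hour, base = 3600, 1_700_000_000
    inc = int(0.9 * PEAK_FLOP_PER_S * hour)   # honest hourly increment at 90% of peak
    results = {}
    for i in range(1, 4):   # chip-A: three honest hourly reports
        results[f"A{i}"] = reg.ingest(sign_report(keys["chip-A"], MeterReport("chip-A", i, i * inc, base + i * hour)))
    # chip-B: honest first report, then a rollback, then an implausibly large jump
    results["B1"] = reg.ingest(sign_report(keys["chip-B"], MeterReport("chip-B", 1, 5 * inc, base + hour)))
    results["B2_rollback"] = reg.ingest(sign_report(keys["chip-B"], MeterReport("chip-B", 2, 4 * inc, base + 2 * hour)))
    results["B2_inflated"] = reg.ingest(sign_report(
        keys["chip-B"], MeterReport("chip-B", 2, 5 * inc + 2 * int(PEAK_FLOP_PER_S * hour), base + 2 * hour)))
    # report altered after signing: the signature no longer covers the body
    forged = sign_report(keys["chip-A"], MeterReport("chip-A", 4, 4 * inc, base + 4 * hour))
    forged.cumulative_flop = 3 * inc
    results["A4_forged"] = reg.ingest(forged)
    # declared run on chip-A between reports 1 and 3, under-declared at 80% of peak
    declared = int(2 * 0.8 * PEAK_FLOP_PER_S * hour)
    results["run_check"] = reg.check_declared_run(["chip-A"], 1, 3, declared)
    return results
```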

Active developers: James Petrie (Future of Life Institute/Oxford)—authored the foundational offline licensing design targeting existing H100 firmware; O'Gara, Kulp, et al. (arXiv 2025); MIRI SPAR projects; Joël N. Christoph on market-based compute permit schemes; Longview Philanthropy is funding HEM prototypes.

What remains: Designing tamper-resistant counter architectures; securing the reporting channel against man-in-the-middle attacks; establishing international standards for what constitutes a "frontier training run" for metering purposes; and integrating with data center inspection regimes to cross-check reported figures.

Estimated timeline: Basic metering prototypes within 2–3 years; treaty-integrated deployment within 6–10 years.[2][5]


4. Interconnect Limits and Networking Controls

What it does: Bandwidth restrictions on the high-speed interconnects that link AI accelerators within and between data center pods. By capping the communication bandwidth available to a training cluster, regulators can limit the effective scale of training runs even if raw chip counts exceed treaty limits. Detection relies on auditing networking equipment configurations and traffic patterns.

Why it matters for agreements: Interconnect limits provide a complementary lever to compute metering in compute allocation treaties. They are particularly relevant for preventing the assembly of unauthorized superclusters by aggregating nominally permitted compute resources.

TRL assessment: TRL 3. Networking equipment already supports configurable bandwidth limits, but the governance infrastructure—agreed thresholds, monitoring protocols, audit procedures for networking hardware—does not yet exist.

Active developers: Aaron Scher and MIRI SPAR projects are specifically developing the "Networking Equipment Interconnect Limits" mechanism and assessing its security and efficacy.

What remains: Determining appropriate bandwidth thresholds; evaluating evasion via alternative topologies; integrating with chip-level compute metering; and establishing inspection rights for networking infrastructure.

Estimated timeline: Policy-ready framework within 2–4 years if MIRI SPAR work is completed and adopted; implementation in agreements likely 5–8 years out.[5]


5. Chip Tracking and Supply Chain Monitoring

What it does: Tracking advanced AI chips from fabrication through deployment via serial numbers, cryptographic identifiers, and physical monitoring of fab facilities. Because advanced AI chips are manufactured in fewer than 20 facilities globally—with TSMC producing roughly 90% of leading-edge chips—supply chain monitoring is unusually tractable compared to most dual-use technologies.

Why it matters for agreements: Chip tracking underpins export control verification by creating an auditable chain of custody from manufacture to end-user. It also supports IAEA-style registration by enabling inspectors to cross-reference declared inventories against fabrication records. Multilateral export controls on production equipment (EUV lithography machines, etc.) complement chip-level tracking.

TRL assessment: TRL 4–5. Serial number tracking and export licensing databases already exist. What is missing is cryptographic binding between physical chips and their declared identities (to prevent substitution attacks), mutual access protocols for fab inspection, and international data-sharing on chip deployment.

Active developers: US government (export control enforcement); MIRI SPAR projects on global supply tracking; Oxford Martin AIGI researchers.

What remains: Cryptographic identity binding in chip packaging; international fab inspection agreements; data-sharing protocols for tracking chips across jurisdictions; and addressing the "gray zone" of near-frontier chips that fall below formal export control thresholds.

Estimated timeline: Enhanced tracking for top-tier chips within 1–3 years with policy commitment; comprehensive treaty-grade tracking within 5–7 years.[6][8]


6. Remote Disablement (Kill Switches)

What it does: Cryptographic mechanisms that allow an authorized party—potentially an international body or the chip manufacturer—to disable chip functionality remotely if a violation is detected. This is the enforcement counterpart to location verification.

Why it matters for agreements: Remote disablement provides a credible deterrent and response mechanism for export control violations. Without it, the only enforcement option for a diverted chip is physical recovery.

TRL assessment: TRL 2–3. The concept is technically straightforward (secure boot chains with remotely revocable keys), but no production AI accelerator implements this for treaty purposes. The geopolitical sensitivity is extreme: a US-controlled kill switch on chips sold globally would likely deter adoption even among NATO allies, and the governance of who controls the disablement key is deeply contested.

Active developers: Primarily conceptual; referenced in arXiv and MIRI reports as a design option rather than an active development program.

What remains: Almost everything: governance of the key, hardening against abuse, international agreement on trigger conditions, liability frameworks, and diplomatic acceptance. This mechanism likely requires the most governance work of any on this list.

Estimated timeline: No near-term deployment path without significant diplomatic breakthroughs; speculative on a 10+ year horizon.[5][6]


R&D Readiness Summary

Mechanism | Readiness | Timeline | Key Blocker
---|---|---|---
Commercial TEEs (NVIDIA CC, Intel SGX/TDX, AMD SEV) | Deployed commercially | Available now | Physical-access attacks break attestation (BatteringRAM, TEE.fail)
Remote attestation (NVIDIA NRAS, go-nvtrust) | Deployed commercially | Available now | Attestation keys extractable on current hardware
Data center detection (satellite, energy monitoring) | Operational | Available now | Requires intelligence access; cannot verify specific chip use
Export controls / supply chain KYC | Partially deployed | Available now | Significant enforcement gaps; $5–7B in smuggled chips (2024)
Location verification (ping-based PBLV) | Prototype on H100 | 6–12 months if mandated | Spoofing resistance at scale; landmark network deployment
Offline licensing (firmware-based compute quotas) | Early R&D | 2–4 years | Key management infrastructure; tamper resistance; market acceptance (Intel On Demand failure)
Workload verification (privacy-preserving reporting) | Research | 2–5 years | Privacy-preserving reporting without creating attack surfaces
Network/cluster verification (interconnect limits) | Research | 2–5 years | Evasion via alternative topologies; threshold calibration
FlexHEG (Guarantee Processor + Secure Enclosure) | Active R&D ($4.1M funded) | 3–5+ years | Tamper-resistant enclosure engineering; interlock design
Full tamper-proof on-chip governance | Early concept | 4+ years | Requires new chip generations; no production-ready solutions against state-level adversaries
Remote disablement (kill switch) | Conceptual | 10+ years | Governance of key; diplomatic acceptance; sovereignty concerns

Mechanism-to-Agreement Mapping

The following table maps each hardware mechanism to the governance agreement types it enables or is prerequisite for.

Mechanism | IAEA-Style Monitoring | Compute Allocation Treaties | Export Control Verification | Training Run Registration
---|---|---|---|---
Location verification | ✓ (facility registration) | ◑ (cluster siting) | ✓✓ (primary mechanism) | ✓ (declared site verification)
TEEs / on-chip attestation | ✓✓ (primary mechanism) | ✓ (verifying run properties) | ◑ (code compliance) | ✓✓ (run authentication)
Compute metering | ✓ (usage logging) | ✓✓ (primary mechanism) | ◑ (usage caps) | ✓✓ (declared FLOP verification)
Interconnect limits | ◑ (cluster size) | ✓✓ (scale cap) | ◑ (cluster configuration) | 
Chip tracking / supply chain | ✓ (inventory cross-check) | ◑ (chip counts) | ✓✓ (primary mechanism) | ✓ (hardware registration)
Remote disablement |  |  | ✓ (enforcement only) | 

Key: ✓✓ = primary enabling mechanism; ✓ = important supporting role; ◑ = partial relevance; ✗ = not directly relevant


Threat Model: Three Adversary Levels

The CNAS Secure, Governable Chips report introduced a three-level threat model that has become standard in the HEM literature.[1] Different mechanisms are appropriate at different levels, and the staged implementation roadmap reflects this:

Level 1 — Minimally Adversarial. Actors trying to circumvent controls with limited resources (unauthorized commercial use, small-scale chip diversion, license violations). Most mechanisms work at this level: software monitoring, basic firmware licenses, commercial TEEs, location pings without hardening, customs data analysis, and whistleblower programs provide effective deterrence. Even basic logging and spot-checks deter actors unwilling to risk discovery.

Level 2 — Covertly Adversarial. Substantial resources available; actors seek to circumvent controls without detection (state-sponsored smuggling networks, insider threats at cloud providers, sophisticated industrial espionage). Requires defense-in-depth: tamper-evident hardware where modification leaves indelible physical evidence, periodic physical inspections, challenge-response geolocation with multiple landmark servers, encrypted interconnect, and attestation with key rotation. The key insight is that tamper-evident (not tamper-proof) hardware combined with periodic inspections can catch covert violations.

Level 3 — Openly Adversarial. Nation-states willing to spend "very significant resources" and indifferent to discovery (state-level programs seeking advanced AI capabilities despite international prohibitions). This is where current technology fails most dramatically. Requires full tamper-proofing (not just evidence), hardened security modules resistant to physical attacks, multi-party key management, and interlock-based designs like FlexHEG. AMD and Intel explicitly consider physical attacks "out of scope" for their current products. Full tamper-proofing against state-level adversaries is estimated at 4+ years of R&D.[1][9]

The staged approach matters because different governance use cases face different threat levels. Export control enforcement against smuggling networks (Level 2) requires different hardening than treaty verification between rival states (Level 3). Starting with Level 1 mechanisms provides immediate value while harder problems are solved.


Security Vulnerabilities in Current TEEs

A series of attacks published in October 2025 demonstrated that every major TEE platform has exploitable physical-access vulnerabilities. These findings are significant because nearly all HEM proposals rely on TEE-based remote attestation as a foundation.[9]

| Attack | Target | Cost | Impact |
|---|---|---|---|
| BatteringRAM | Intel SGX, AMD SEV-SNP (DDR4) | ≈$50 interposer | Fully compromises attestation; extracts SGX platform provisioning key; replays SEV-SNP attestations |
| WireTap | Intel SGX (DDR4) | <$1,000 interposer | Extracts SGX ECDSA signing key from Quoting Enclave; enables forging arbitrary attestations |
| TEE.fail | Intel SGX/TDX, AMD SEV-SNP (DDR5) | Research-grade | First DDR5 attack; leaks TDX signing key; extends to NVIDIA GPU Confidential Computing |

Key implications for hardware governance:

  • Attestation is forgeable on current hardware. Remote attestation—the foundation of nearly all HEM proposals—can be defeated with a $50 device on DDR4 systems. The BatteringRAM attack makes SEV-SNP attestations "completely useless" by replaying launch digests to make compromised VMs appear genuine.
  • Physical attacks are cheap, not nation-state-budget operations. This moves the threat from Level 3 down to Level 2.
  • Vendor response is inadequate for governance. Both Intel and AMD "acknowledged findings but noted that physical attacks on DRAM are out of scope for their current products." Defending requires "fundamental redesign of memory encryption."
  • DDR5 is not a safe harbor. TEE.fail demonstrated that DDR5 architectural changes do not prevent all attacks.
  • Caliptra and next-generation designs may address these vulnerabilities, but no production hardware yet incorporates governance-grade tamper resistance.

These vulnerabilities do not invalidate the HEM research program—they clarify the R&D gap. Level 1 and Level 2 adversaries are unlikely to deploy physical interposers at scale, and firmware-based mechanisms (location verification, offline licensing) have separate trust foundations. But treaty-grade assurances against Level 3 adversaries require hardware not yet built.
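The attacks above matter to a relying party in two different ways: replaying a captured report is something the verifier can defeat on its own, while a report minted with an extracted signing key is not. The following toy model, added here as an illustration and not Intel, AMD, NVIDIA or Caliptra code, shows the verifier-side checks (nonce freshness, measurement allow-list, key revocation) and which of the three scenarios each check catches. The HMAC "signature", the key ID `plat-A`, and the image digests are constructed stand-ins for a real certificate chain and ECDSA quote.

```python
"""Verifier-side attestation checks: nonce freshness, measurement allow-list
and signing-key revocation (added illustration, not vendor attestation code).

A toy platform signs a report over its launch measurement and a nonce the
verifier supplied.  The scenarios show what these checks stop (replaying a
captured genuine report, attesting a tampered image with a genuine key) and
what they cannot stop (a report minted with an extracted signing key) until
that key is revoked.  Keys, IDs and digests are constructed values.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    key_id: str        # identifies the platform signing key (stand-in for a cert chain)
    measurement: str   # hex digest of the launched image, as the hardware measured it
    nonce: str         # hex nonce the verifier issued for this session
    signature: str     # hex MAC over the fields above (stand-in for an ECDSA quote)


def _signed_body(key_id: str, measurement: str, nonce: str) -> bytes:
    """Canonical encoding so signer and verifier MAC exactly the same bytes."""
    return json.dumps({"key_id": key_id, "measurement": measurement, "nonce": nonce},
                      sort_keys=True, separators=(",", ":")).encode()


class Platform:
    """Stand-in for the signing component of a TEE (e.g. a quoting enclave).
    Honest hardware reports the measurement it took; a signer holding an
    extracted key can put any measurement in the report."""

    def __init__(self, key_id: str, signing_key: bytes, claimed_measurement: str):
        self.key_id = key_id
        self._signing_key = signing_key
        self.claimed_measurement = claimed_measurement

    def attest(self, nonce: str) -> Report:
        body = _signed_body(self.key_id, self.claimed_measurement, nonce)
        sig = hmac.new(self._signing_key, body, hashlib.sha256).hexdigest()
        return Report(self.key_id, self.claimed_measurement, nonce, sig)


class Verifier:
    def __init__(self, platform_keys: dict, allowed_measurements: set):
        self._keys = dict(platform_keys)            # key_id -> verification key
        self._allowed = set(allowed_measurements)   # launch digests known to be good
        self._revoked = set()
        self._outstanding = set()                   # nonces issued, not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._outstanding.add(nonce)
        return nonce

    def revoke(self, key_id: str) -> None:
        """Once a platform key is known to be extracted, stop trusting it."""
        self._revoked.add(key_id)

    def verify(self, r: Report) -> tuple:
        if r.key_id in self._revoked:
            return False, "signing key revoked"
        key = self._keys.get(r.key_id)
        if key is None:
            return False, "unknown signing key"
        expected = hmac.new(key, _signed_body(r.key_id, r.measurement, r.nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(r.signature, expected):
            return False, "bad signature"
        if r.nonce not in self._outstanding:
            return False, "nonce not issued or already consumed (replay)"
        self._outstanding.discard(r.nonce)          # every nonce is single-use
        if r.measurement not in self._allowed:
            return False, "measurement not in allow-list"
        return True, "ok"


# Constructed values
PLATFORM_KEY = b"constructed platform signing key"
GOOD_IMAGE = hashlib.sha256(b"constructed genuine VM image").hexdigest()
BAD_IMAGE = hashlib.sha256(b"constructed tampered VM image").hexdigest()


def _fresh_verifier() -> Verifier:
    return Verifier({"plat-A": PLATFORM_KEY}, {GOOD_IMAGE})


def scenario_replay() -> tuple:
    """A genuine report captured in one session is resubmitted in a later one."""
    v = _fresh_verifier()
    honest = Platform("plat-A", PLATFORM_KEY, GOOD_IMAGE)
    captured = honest.attest(v.challenge())
    first_ok, _ = v.verify(captured)        # legitimate first use
    v.challenge()                           # new session, new nonce
    replay_ok, reason = v.verify(captured)
    return first_ok, replay_ok, reason      # (True, False, "... (replay)")


def scenario_tampered_image() -> tuple:
    """Genuine key, but the hardware measured a tampered image and reports it."""
    v = _fresh_verifier()
    plat = Platform("plat-A", PLATFORM_KEY, BAD_IMAGE)
    return v.verify(plat.attest(v.challenge()))   # (False, "measurement not in allow-list")


def scenario_extracted_key() -> tuple:
    """With the signing key extracted, a report claiming the good measurement
    passes every check; only revocation, after the leak is known, stops it."""
    v = _fresh_verifier()
    rogue = Platform("plat-A", PLATFORM_KEY, GOOD_IMAGE)   # claims GOOD_IMAGE regardless
    accepted_before, _ = v.verify(rogue.attest(v.challenge()))
    v.revoke("plat-A")
    accepted_after, _ = v.verify(rogue.attest(v.challenge()))
    return accepted_before, accepted_after   # (True, False)
```

The third scenario is the governance gap the paragraph describes: nonce binding and allow-lists are sound against replay and against honest-but-compromised images, but a verifier has no signal distinguishing a report signed by an extracted key from a genuine one, so revocation and TCB-version policy are the only levers left once a key class is known to be extractable.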


Legislative Landscape

Chip Security Act (H.R.3447 / S.1705)

The most significant legislative effort to date. Introduced May 2025 by Sen. Tom Cotton (R-AR) with bipartisan cosponsors including Sen. Elizabeth Warren (D-MA), and Rep. Bill Huizenga (R-MI) with 34 House cosponsors.

Key provisions:

  • Requires the Secretary of Commerce to issue standards for "chip security mechanisms" on export-controlled chips (ECCN 3A090, 4A090) within 180 days
  • Mandates location verification capability—specifically ping-based delay measurement, not GPS (which is easily spoofed and cannot penetrate data center walls)
  • Companies must notify the Bureau of Industry and Security if they discover chips in unauthorized locations or detect tampering
  • Requires DoC and DoD to assess whether additional mechanisms (workload verification, performance degradation, kill switches) are needed
  • Explicitly prohibits kill switches and geofencing mechanisms that could "hinder the capability or functionality" of chips
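The Level 2 challenge-response geolocation described in the threat model and the Act's ping-based delay measurement rest on the same physical fact: a chip can delay its reply but cannot answer faster than light allows, so it can look farther from a landmark than it is, never closer. The following is an added example, not code from the Act, IAPS, or any vendor, that models the check with several landmark servers and a quorum rule. The coordinates, the fibre-speed network model, the 0.5 ms processing overhead, and the HMAC stand-in for a per-chip attestation key are all constructed assumptions.

```python
"""Delay-based location verification with landmark servers (added illustration).

Each landmark sends a fresh nonce, the chip answers with a keyed response that
only its firmware can produce, and the landmark times the round trip.  The
round-trip time bounds how far the chip can be from the landmark.  Several
landmarks near an authorised site must each independently confirm the chip is
within the site radius.  Coordinates, the network model and the HMAC stand-in
for a per-chip attestation key are constructed, not any deployed design.
"""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass

C_KM_PER_MS = 299.792   # speed of light in vacuum, km per millisecond
FIBRE_FACTOR = 0.66     # signal speed in fibre relative to c (simulation only)
PROCESSING_MS = 0.5     # constructed per-exchange overhead in the simulated network


@dataclass(frozen=True)
class Point:
    lat: float
    lon: float


def haversine_km(a: Point, b: Point) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


class SimulatedChip:
    """Stand-in for governed-chip firmware holding a device-unique key.  A real
    design would sign with an attestation key in a hardware root of trust;
    HMAC over the nonce is a toy substitute for that signature."""

    def __init__(self, key: bytes, true_location: Point):
        self._key = key
        self.true_location = true_location   # used only by the network simulation

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def simulated_round_trip(landmark: Point, chip: SimulatedChip, nonce: bytes):
    """Constructed network model: light in fibre plus a fixed processing overhead."""
    d = haversine_km(landmark, chip.true_location)
    rtt_ms = 2 * d / (C_KM_PER_MS * FIBRE_FACTOR) + PROCESSING_MS
    return rtt_ms, chip.respond(nonce)


def distance_bound_km(rtt_ms: float) -> float:
    """Upper bound on chip-to-landmark distance implied by a round-trip time.
    Assumes vacuum c and zero processing delay, so it only ever overestimates:
    a genuine chip always satisfies it, and a distant chip cannot shrink its
    RTT below the light-speed floor to satisfy a tighter one."""
    return rtt_ms / 2 * C_KM_PER_MS


def landmark_confirms(landmark: Point, rtt_ms: float, site: Point, site_radius_km: float) -> bool:
    """The chip is within distance_bound of the landmark and the landmark is a
    known distance from the site, so the chip is within their sum of the site."""
    return distance_bound_km(rtt_ms) + haversine_km(landmark, site) <= site_radius_km


def verify_location(landmarks, chip, chip_key: bytes, site: Point,
                    site_radius_km: float, quorum: int) -> bool:
    """Challenge from every landmark; reject on any bad response, accept only
    if at least `quorum` landmarks independently confirm the claimed site."""
    confirmations = 0
    for lm in landmarks:
        nonce = secrets.token_bytes(32)
        rtt_ms, response = simulated_round_trip(lm, chip, nonce)
        expected = hmac.new(chip_key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False                  # not the chip this key was provisioned to
        if landmark_confirms(lm, rtt_ms, site, site_radius_km):
            confirmations += 1
    return confirmations >= quorum


# Constructed scenario: three US landmarks, a 1000 km allowed radius around a
# licensed site near Ashburn, VA, and a quorum of two independent confirmations.
LANDMARKS = [Point(39.05, -77.50), Point(40.7128, -74.0060), Point(41.8781, -87.6298)]
LICENSED_SITE = Point(39.0438, -77.4874)
CHIP_KEY = b"constructed-per-chip-key"


def check_honest_chip() -> bool:
    """Chip really is at the licensed site."""
    chip = SimulatedChip(CHIP_KEY, Point(39.0438, -77.4874))
    return verify_location(LANDMARKS, chip, CHIP_KEY, LICENSED_SITE, 1000.0, quorum=2)


def check_diverted_chip() -> bool:
    """Same key, but the chip is physically ~13,000 km away and claims the licensed site."""
    chip = SimulatedChip(CHIP_KEY, Point(22.5431, 114.0579))
    return verify_location(LANDMARKS, chip, CHIP_KEY, LICENSED_SITE, 1000.0, quorum=2)


if __name__ == "__main__":
    print("honest chip accepted:", check_honest_chip())      # True
    print("diverted chip accepted:", check_diverted_chip())  # False
```

Two design choices are worth noting. The bound uses vacuum c and ignores overhead, which keeps it sound but loose (in this model the far Chicago landmark never confirms a 1000 km radius), so landmarks only constrain location well when they sit near the sites they vouch for; this is why a network of many landmark servers, rather than a few, is what the IAPS cost estimate later on the page describes. Requiring a quorum rather than a single confirmation means one compromised or misconfigured landmark cannot accept a diverted chip on its own. Relaying the challenge through an in-region proxy does not help a distant chip, because the proxy-to-chip leg still adds its light-speed delay to the measured round trip.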

Industry opposition: The Semiconductor Industry Association stated it "cannot support blanket mandates for new, untested, and potentially infeasible on-chip mechanisms" and warned of "undermining global trust in American semiconductor technologies."[10]

Scale of the smuggling problem: An estimated 140,000 chips worth $5–7 billion were smuggled to China in 2024, and Huawei obtained 2.9+ million AI chip dies from TSMC via intermediaries.

Stop Stealing Our Chips Act (S.1473 / H.R.6322)

Introduced April 2025 by Sens. Mike Rounds (R-SD) and Mark Warner (D-VA). Creates a whistleblower incentive program at BIS modeled after the SEC Whistleblower Incentive Program: 10–30% of collected fines for original information leading to penalties exceeding $1 million. Anonymous reporting permitted; retaliation protections included. Funded via an "Export Compliance Accountability Fund" financed by collected fines (no new appropriations).[11]


Key Researchers

| Researcher | Affiliation | Key Contribution |
|---|---|---|
| Yonadav Shavit | OpenAI (policy staff); PhD Harvard | First major compute monitoring framework (What does it take to catch a Chinchilla?, arXiv:2303.11341, March 2023): on-chip firmware snapshots + supply chain monitoring |
| Tim Fist | CNAS (Senior Adjunct Fellow); previously Fathom Radiant | Co-authored Secure, Governable Chips (Jan 2024) and Technology to Secure the AI Chip Supply Chain (Dec 2024); coined "on-chip governance" |
| Onni Aarne | IAPS (compute governance); previously Rethink Priorities | Co-authored Secure, Governable Chips; IAPS compute governance research; export auditor proposals |
| Lennart Heim | RAND; GovAI adjunct | Co-authored RAND HEM papers; Computing Power and the Governance of AI; also cautioned against premature advocacy in an influential blog post |
| Gabriel Kulp | RAND | Introduced "Hardware-Enabled Governance Mechanisms" terminology; prototyped Offline Licensing and Fixed Set approaches |
| James Petrie | FLI / Oxford | Foundational offline licensing design for existing H100 firmware; FLI proof-of-concept with Mithril Security |
| Aidan O'Gara | arXiv research | Lead author on Hardware-Enabled Mechanisms for Verifying Responsible AI Development (May 2025) |
| Yoshua Bengio | Mila; FlexHEG project lead | FlexHEG Guarantee Processor architecture; $4.1M SFF-funded research program |
| Aaron Scher | MIRI SPAR | Assessing existing chip security for verification; interconnect limits; US–China bilateral feasibility |

Governance Integration

Hardware mechanisms are not self-sufficient. Research consistently emphasizes that they must be embedded within broader governance frameworks to be effective.[2][5] Three governance models are most commonly discussed:

Bilateral arms control mirrors US–Russia nuclear precedents and is considered the most near-term feasible option for US–China AI agreements. Hardware mechanisms provide the verification layer that makes commitments credible; Charles Martinet (Oxford Martin AIGI) is specifically mapping the technical and political feasibility of US–China bilateral agreements.

IAEA for AI would establish an international body with inspection rights and hardware monitoring authority analogous to the International Atomic Energy Agency. Hardware mechanisms—particularly TEEs, compute metering, and chip tracking—would form the technical backbone of such an institution's verification capability.

CERN-like joint development involves placing frontier AI development in shared international facilities under multilateral governance. In this model, hardware mechanisms enforce operational boundaries and usage limits within the shared facility itself, reducing the need for monitoring across sovereign borders.

Baker et al. (RAND, July 2025) proposed a "Six Layers of Verification" framework: (1) built-in chip security features, (2–3) separate monitoring devices attached to chips, (4–6) personnel-based mechanisms including whistleblower programs. This layered approach reflects a consensus that no single hardware mechanism is sufficient; verification depends on hardware, physical inspection, and human intelligence working together.

The CNAS Secure, Governable Chips report proposed a staged implementation roadmap reflecting increasing technical difficulty:[1]

  • Phase 1 (near-term): Firmware updates to exported AI chips; early hardware operating licenses linked to export license terms; target high-diversion-risk geographies first
  • Phase 2 (medium-term): Make devices tamper-evident so that modifications leave visible physical evidence; sufficient with periodic physical inspections
  • Phase 3 (next-generation chips): Harden hardware security features toward full tamper-proofing; reduce or eliminate inspection requirements

The report emphasized that on-chip mechanisms do not require secret monitoring or insecure "back doors"—they use privacy-preserving verification and licensed operation models, analogous to software product activation. The proposed architecture consists of a hardened security module on all high-performance data center AI chips that validates current firmware/software and operating licenses before the chip can operate.
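The "licensed operation" model just described can be made concrete as a check the chip runs before it will operate. The following is an added example, not the CNAS design or any vendor's firmware: a licence signed by the licensing authority binds a chip serial, the firmware digest it may run, and a ceiling on the chip's monotonic usage counter. The counter rather than a date is used for validity because a chip enforcing this offline has no trusted wall clock. The authority's HMAC "signature", the serials `CHIP-0001`/`CHIP-0002`, the firmware digest, and the counter values are constructed.

```python
"""Offline operating-licence check performed by a chip before it runs
(added illustration; not the CNAS proposal's specification nor vendor firmware).

A licence is an authority-signed statement naming the chip's serial, the
firmware digest it may run, and a ceiling on the chip's monotonic usage
counter.  The counter only moves forward, so rolling a clock back cannot
revive an exhausted licence.  Keys, serials, digests and counters are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Licence:
    serial: str            # chip this licence is bound to
    firmware_digest: str   # only firmware with this digest may run under it
    counter_ceiling: int   # chip may run while usage_counter + work <= ceiling
    signature: str         # hex MAC (stand-in for the authority's signature)


def _licence_body(serial: str, firmware_digest: str, ceiling: int) -> bytes:
    return json.dumps({"serial": serial, "fw": firmware_digest, "ceiling": ceiling},
                      sort_keys=True, separators=(",", ":")).encode()


def issue_licence(authority_key: bytes, serial: str, firmware_digest: str, ceiling: int) -> Licence:
    """Licensing-authority side.  HMAC stands in for signing with a private key."""
    sig = hmac.new(authority_key, _licence_body(serial, firmware_digest, ceiling),
                   hashlib.sha256).hexdigest()
    return Licence(serial, firmware_digest, ceiling, sig)


class GovernedChip:
    """Chip side.  In hardware the authority key, serial and counter would live in
    fused or other non-volatile storage that the operator cannot rewrite."""

    def __init__(self, serial: str, firmware_digest: str, authority_key: bytes):
        self.serial = serial
        self.firmware_digest = firmware_digest      # measured at boot
        self._authority_key = authority_key
        self.usage_counter = 0                      # monotonic, never decremented
        self._licence: Optional[Licence] = None

    def install_licence(self, lic: Licence) -> bool:
        """Accept a licence only if authentic and bound to this chip and firmware."""
        body = _licence_body(lic.serial, lic.firmware_digest, lic.counter_ceiling)
        expected = hmac.new(self._authority_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(lic.signature, expected):
            return False                            # forged or altered
        if lic.serial != self.serial or lic.firmware_digest != self.firmware_digest:
            return False                            # issued for another chip or firmware
        if self._licence is not None and lic.counter_ceiling < self._licence.counter_ceiling:
            return False                            # an older, smaller licence cannot replace a newer one
        self._licence = lic
        return True

    def run_workload(self, units: int) -> bool:
        """Gate the workload on the licence; consume budget only if it actually runs."""
        if self._licence is None or units <= 0:
            return False
        if self.usage_counter + units > self._licence.counter_ceiling:
            return False                            # exhausted: refuse, do not partially run
        self.usage_counter += units
        return True


# Constructed values
AUTHORITY_KEY = b"constructed licensing authority key"
FIRMWARE_OK = hashlib.sha256(b"constructed signed firmware").hexdigest()


def run_scenario() -> dict:
    """Walk one chip through first licence, exhaustion, bad licences and renewal."""
    chip = GovernedChip("CHIP-0001", FIRMWARE_OK, AUTHORITY_KEY)
    out = {}
    out["run_without_licence"] = chip.run_workload(10)                       # False
    out["install_good"] = chip.install_licence(
        issue_licence(AUTHORITY_KEY, "CHIP-0001", FIRMWARE_OK, 1000))         # True
    out["run_600"] = chip.run_workload(600)                                  # True
    out["run_500_over_ceiling"] = chip.run_workload(500)                     # False: 1100 > 1000
    out["install_other_serial"] = chip.install_licence(
        issue_licence(AUTHORITY_KEY, "CHIP-0002", FIRMWARE_OK, 5000))         # False
    out["install_forged"] = chip.install_licence(
        issue_licence(b"not the authority", "CHIP-0001", FIRMWARE_OK, 5000))  # False
    out["install_renewal"] = chip.install_licence(
        issue_licence(AUTHORITY_KEY, "CHIP-0001", FIRMWARE_OK, 2000))         # True
    out["run_500_after_renewal"] = chip.run_workload(500)                    # True
    out["usage_counter"] = chip.usage_counter                                # 1100
    return out
```

Binding the licence to a firmware digest is what lets the same check cover both halves of the sentence above (the chip "validates current firmware/software and operating licenses"): a licence issued for the approved firmware is useless to a chip whose boot measurement differs, and an authority can therefore tie renewals to firmware updates. A rejected licence never displaces the installed one, so a failed renewal leaves the chip with whatever budget it already had rather than bricking it.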

Research also highlights the synergy between hardware mechanisms and complementary non-hardware approaches: satellite remote sensing of data center energy consumption, physical inspections of fabrication facilities, and shared data centers in geopolitically neutral locations all reduce the verification burden on hardware alone.[2][5]


Key Organizations and Companies

Research Organizations

| Organization | Key People | Focus | Key Output |
|---|---|---|---|
| CNAS | Tim Fist, Onni Aarne, Caleb Withers, Tao Burga | On-chip governance framework, supply chain security | Secure, Governable Chips (Jan 2024); Technology to Secure the AI Chip Supply Chain (Dec 2024) |
| RAND Corporation | Lennart Heim, Gabriel Kulp, Margaret Siu | HEMs for export controls, multi-stakeholder workshops | Working papers on HEMs (2024–2025); workshop convenings with industry |
| IAPS | Onni Aarne, Erich Grunewald | Location verification prototypes, compute policy | Working H100 location verification demo; influenced Chip Security Act |
| FlexHEG Project | Yoshua Bengio (lead) | Open-source Guarantee Processor + Secure Enclosure | Interim report (Sep 2024); technical options and international security papers (Jun 2025); $4.1M SFF funding |
| GovAI | Lennart Heim (adjunct) | Compute governance research | Computing Power and the Governance of AI (Feb 2024) |
| MIRI | Aaron Scher | SPAR verification projects | Verification mechanisms taxonomy (Nov 2024); ongoing SPAR projects |
| FLI | James Petrie | Hardware-backed compute governance | Offline licensing design; proof-of-concept with Mithril Security |
| Institute for Progress | Nora Ammann | Hardware verification for faster AI diffusion | Policy analysis on verification-enabled export liberalization |

Startups and Commercial Efforts

| Company | Focus | Status | Funding |
|---|---|---|---|
| Lucid Computing | Hardware-rooted zero-trust AI verification using TEEs (Intel TDX, NVIDIA H100 CC); latency-based location proofs; "AI Passports" providing cryptographic certification of where and how models ran | Founded 2025, San Francisco | Early-stage (Seldon Lab, Juniper Ventures, Lionheart Ventures); amount undisclosed |
| Mithril Security | Enclave-based confidential AI (BlindAI/BlindChat) | Acquired by H Company (Jun 2024) | $1.7M raised; OpenAI cybersecurity grant |

Lucid Computing is notable as one of the only dedicated startups in the hardware governance space. Its product suite includes a compliance marketplace with pre-built modules for GDPR, HIPAA, EU AI Act, and ITAR; an observer dashboard for real-time audit logging; and "Digital Embassies" for sovereign AI infrastructure. The company uses "Double Lock" CPU-level encryption that prevents even cloud administrators from accessing models or memory, and latency-based location proofs that use speed-of-light measurements to cryptographic attestation servers.[12]

Chip Manufacturers with Relevant Capabilities

Major chip companies already ship hardware that could support governance mechanisms, though none currently implement these features for treaty purposes:

  • NVIDIA: Confidential computing on H100/H200/Blackwell GPUs; NVIDIA Remote Attestation Service (NRAS); go-nvtrust open-source attestation library; piloted tracking software for Blackwell GPUs (December 2025)
  • Intel: Software Guard Extensions (SGX); Trust Domain Extensions (TDX); Intel Trust Authority for composite CPU+GPU attestation
  • AMD: Secure Encrypted Virtualization (SEV/SEV-SNP) TEE technology; contributed to Caliptra open-source silicon root of trust
  • Caliptra 2.1 (AMD/Google/Microsoft/NVIDIA under CHIPS Alliance): Open-source silicon root of trust (~1.6M logic gates, dual RISC-V cores) providing identity, measured boot, and attestation. Version 2.1 adds quantum-resilient cryptography (ML-DSA for post-quantum signatures, ML-KEM for key exchange) and ownership transfer for code integrity—potentially the most promising cross-vendor governance foundation

Key Funders

| Funder | Focus | Scale |
|---|---|---|
| Longview Philanthropy | RFP for HEM prototypes and verification research | Expects to award $2–10M in grants |
| Survival and Flourishing Fund | FlexHEG development | $4.1M awarded (2024) |
| Future of Life Institute | Hardware-backed compute governance proofs-of-concept | Small grants |
| Open Philanthropy | Broader compute governance research | Various grants |

Investment Landscape and Funding Gaps

The disparity between investment in AI capabilities and investment in hardware governance is stark. AI infrastructure spending exceeds $1 trillion in committed projects as of 2025, with hyperscalers spending over $300 billion in annual capital expenditure. Hardware governance R&D, by contrast, is likely in the low tens of millions total across all funders and startups combined.

The AI governance software market received approximately $691M across 47 deals from 2022 to 2025, peaking in 2024 at over $330M driven by EU AI Act urgency. But hardware-enabled governance—the physical layer that governance software depends on—is dramatically underfunded relative to its importance. The entire funding landscape consists of:

  • Philanthropic grants: Longview ($2–10M RFP), SFF ($4.1M to FlexHEG), FLI and Open Philanthropy (smaller grants)
  • Government research contracts: RAND, CNAS, and national lab work funded through standard government research channels
  • Venture capital: Essentially limited to Lucid Computing (early-stage, undisclosed amount); Mithril Security ($1.7M) was the only other notable startup before its acquisition in 2024

CNAS estimated that implementing hardened on-chip governance would require "moderate development effort" extending existing chip functionality, with a timeline of 18 months to 4 years.[1] IAPS estimated the location verification infrastructure—firmware updates plus a network of 100–500 landmark servers—could be deployed for under $1M in development costs and $2.5–12.5M/year in operating costs.[13] These are modest sums relative to the scale of the problem, suggesting that the binding constraint is not cost but policy commitment and commercial incentives.

The CNAS report proposed that the US government create "advance export market commitments"—offering future export market access in exchange for implementing specific security features—as a way to align chip manufacturer incentives without requiring public spending.[1] This approach would leverage the lost revenue from existing export restrictions rather than adding new costs.


Criticisms and Limitations

Technical Vulnerabilities

Current AI chips were not designed with treaty verification in mind and contain security assumptions that may not hold under adversarial conditions. MIRI SPAR projects are assessing whether existing chips are adequate for high-stakes verification with minimal augmentations—such as video cameras to monitor physical access—or whether major R&D is required. The consensus in the research literature is that existing commercial TEE implementations are not yet ready for treaty-grade use without significant hardening.[5][6]

The problem of backdooring is particularly acute: chips could be designed with concealed vulnerabilities that allow owners to circumvent monitoring. Mutual evaluation of chip designs and fabrication monitoring are proposed mitigations, but these are themselves technically complex and require significant access rights that states may be unwilling to grant.

Market Bifurcation

If only some chips ship with treaty-required security features, manufacturers face incentives to create separate product lines for different markets—one with safeguards for regulated jurisdictions, one without for others. This bifurcation could undermine universal coverage while fragmenting the global chip market in ways that disadvantage compliant manufacturers.[2] The problem is exacerbated by the rise of open-source instruction set architectures (ISAs) such as RISC-V, which reduce the leverage that proprietary hardware manufacturers provide.

Adversarial Evasion

Undeclared data centers, smuggled legacy chips, and substitution of near-frontier commodity GPUs (which are nearly as capable as specialized accelerators for some training tasks) all represent evasion strategies that hardware mechanisms alone cannot address. Consumer GPUs present a particular challenge: their widespread availability means that compute caps enforced only on specialized accelerators could be circumvented through distributed training on consumer hardware.[6][8]

Decentralized training is an increasingly viable evasion vector. Techniques like DiLoCo (Distributed Low-Communication) reduce inter-node synchronization by 500x, enabling training across geographically dispersed sites with limited bandwidth. The INTELLECT-1 project trained a 10B parameter model across multiple continents, synchronizing only once every 38 minutes. Consilience reached 40B parameters. However, these are ~1,000x smaller than current frontier models, and decentralized networks have ~300x less effective throughput than frontier datacenters. Since early 2024, startups have raised ≈$145 million to pursue decentralized training, with some targeting frontier-competitive models. The technology is not yet a credible path to frontier capabilities, but it is progressing rapidly enough to warrant governance attention—particularly because obfuscating synchronization patterns across cloud providers is "likely possible," and true peer-to-peer networks create "no obvious point of accountability or intervention."[14]

Geopolitical and Sovereignty Concerns

On-chip monitoring and remote disablement capabilities raise sovereignty concerns that extend beyond adversarial relationships. A Chinese delegate at the first UN Security Council meeting focused on AI explicitly stated that US export controls undermined prospects for international cooperation on AI governance—suggesting that hardware mechanisms perceived as US-controlled surveillance tools may be counterproductive. Some researchers note that trust is a precondition for international agreements rather than a product of verification mechanisms, and that a cycle of misperceptions about motives is already underway.[8]

The concern about remote disablement is especially pointed: a US-controlled kill switch on chips sold globally could deter adoption even among close allies, raising questions about economic dependence and the asymmetric power dynamics embedded in the technical architecture.

Software and Model Weight Security

Hardware-based governance of compute access does not secure AI model weights once training is complete. Fine-tuning and deploying a trained model does not require frontier hardware, meaning that hardware controls over training do not prevent proliferation of dangerous capabilities through weight distribution. Research argues that effective international agreements must combine hardware controls with robust cyber and physical security for AI systems themselves—a substantially harder problem.[15]

Authoritarian Participation

Perhaps the most fundamental political challenge is that illiberal states are unlikely to accept verification arrangements that provide meaningful transparency into their AI programs. China's refusal to sign a nonbinding blueprint on responsible AI in the military domain illustrates the difficulty of obtaining participation from precisely the actors whose compliance matters most. Hardware mechanisms that are technically sound may nonetheless fail to achieve their governance objectives if key parties opt out.[8]


International Perspectives

China is pursuing aggressive semiconductor self-reliance. Xi Jinping urged "nationwide mobilization" for AI hardware independence at an April 2025 Politburo session, and in November 2025 Beijing banned foreign AI chips in state-funded data centers. China has demanded "security evidence" from NVIDIA over H20 chip backdoor fears, illustrating deep suspicion of US on-chip governance proposals. China's own Global AI Governance Action Plan (July 2025) advocates for multilateral governance rather than US-led unilateral controls. Despite export restrictions, an estimated 140,000 chips worth $5–7 billion were smuggled into China in 2024.

The European Union is focused on "digital sovereignty" and reducing dependence on non-EU AI technologies. The European Council adopted EuroHPC JU amendments in January 2026 to create "AI gigafactories." The EU AI Act focuses on software-level governance (risk classification, compliance requirements) rather than hardware mechanisms. European chip firms may benefit from positioning as "less politically encumbered" alternatives to US chips with embedded governance. The Netherlands controls ASML's EUV lithography equipment, giving it significant leverage in semiconductor supply chains.

Other actors: The UK AI Safety Institute has led practical work on TEE-based evaluation through the OpenMined pilot. The UN Global Dialogue on AI Governance (2026) provides a forum for debating norms. The Simon Institute for Longterm Governance has mapped IAEA verification tools to AI governance analogues. Japan and South Korea—both critical semiconductor supply chain partners—have bilateral AI safety agreements but focus more on evaluation than hardware governance.


Opportunities for Action

Based on recommendations from CNAS, RAND, IAPS, FAS, and Longview Philanthropy, the following are the highest-leverage actions for advancing hardware-enabled governance:

For Policymakers

  • Pass the Chip Security Act. Location verification is the lowest-hanging fruit: it can be implemented via firmware update with no hardware changes, at under $1M development cost, and would immediately address the $5–7B annual chip smuggling problem.[13][10]
  • Create advance export market commitments. Offer chip manufacturers future export market access in exchange for implementing specific security features, leveraging lost revenue from current export restrictions rather than requiring new spending.[1]
  • Fund R&D through existing channels. The Federation of American Scientists recommends ≈$40M/year for an AI Assurance and Security R&D Consortium jointly led by DARPA and NSF, plus NSF EAGER/RAPID fast-grant programs for hardware security.[16]
  • Establish red-teaming programs. DHS/CISA should create bug bounty and red-teaming programs for AI chip hardware security, starting with a public prize for finding vulnerabilities in current implementations.[1]

For Funders and Philanthropists

  • Apply to Longview Philanthropy's HEM RFP ($2–10M available) for prototype development, secure enclosure designs, and red-teaming.[17]
  • Support FlexHEG-style open-source projects. The SFF's $4.1M to FlexHEG demonstrates the model; more funding is needed for tamper-resistant enclosure prototyping and hardware verification standards.
  • Fund talent development. Hardware security researchers with both semiconductor expertise and governance knowledge are extremely scarce. 46% of industry leaders cite skill gaps as the primary barrier.

For Chip Companies

  • Proactively build governance features. CNAS argues that early compliance demonstrates market advantages for export control access. NVIDIA's Blackwell tracking pilot and Caliptra 2.1 are steps in this direction.
  • Harden TEEs against physical attacks. The BatteringRAM/WireTap/TEE.fail research shows that current attestation can be defeated for under $1,000. Next-generation designs need governance-grade tamper resistance, not just commercial-grade.

For Researchers

  • Prototype firmware-level mechanisms on existing hardware. Location verification and offline licensing can be demonstrated on current H100/H200 chips without hardware changes.
  • Red-team existing proposals. Rigorous adversarial testing of proposed mechanisms is the fastest way to determine which approaches are viable and which need redesign.
  • Develop privacy-preserving verification. Techniques that verify compliance without revealing training data, model weights, or proprietary configurations are essential for adoption.

Key Uncertainties

  • Adequacy of current chips: Whether existing AI accelerators can be augmented to provide treaty-grade verification without full redesign is being actively investigated by MIRI SPAR projects; no consensus answer exists.
  • Governance key management: Who controls cryptographic keys for attestation and (potentially) remote disablement in a multilateral arrangement remains unresolved and is arguably the central political challenge.
  • Threshold definition: What FLOP thresholds, cluster sizes, or capability markers should trigger treaty obligations is contested; hardware mechanisms cannot function until this policy question is answered.
  • China and other major power buy-in: Whether the major AI-developing states will accept any hardware monitoring arrangement, and under what conditions, is deeply uncertain. China's self-reliance drive and ban on foreign chips in state data centers suggest limited near-term willingness.
  • Open-source hardware impact: The growth of RISC-V and open hardware ecosystems may reduce the leverage point that proprietary chip manufacturers currently provide.
  • TEE vulnerability timeline: How quickly next-generation chips will address the BatteringRAM/WireTap/TEE.fail class of physical attacks is unclear; AMD and Intel currently consider physical attacks "out of scope."
  • Commercial incentives alignment: Whether chip manufacturers will voluntarily implement governance features without mandates, or whether legislative action (Chip Security Act) is required.

Sources

Footnotes

  1. Aarne, Onni; Fist, Tim; Withers, Caleb — Secure, Governable Chips: Using On-Chip Mechanisms to Manage National Security Risks from AI & Advanced Computing (CNAS, January 2024) - foundational policy framework proposing on-chip governance (TEEs, remote attestation, operating licenses, tamper-evidence) as alternatives to blanket export bans; proposes staged rollout and "advance export market commitments"

  2. MIRI — Mechanisms to Verify International Agreements About AI Development (November 27, 2024) - intelligence.org report covering nuclear precedents, governance models, and mechanism taxonomy

  3. RAND Corporation — Hardware-Enabled Governance Mechanisms (rand.org WRA3056-1) and Workshop Insights on HEMs (rand.org CFA3056-1) - working papers and multi-stakeholder workshop findings on hardware-enabled mechanisms for export controls and AI governance

  4. Bengio, Yoshua et al. — FlexHEG Interim Report (yoshuabengio.org, September 2024); FlexHEG Technical Options (arXiv:2506.03409); International Security Applications of FlexHEGs (arXiv:2506.15100) - $4.1M SFF-funded project developing open-source Guarantee Processor architecture for flexible hardware-enabled guarantees

  5. EA Forum — Verification Methods for International AI Agreements - forum.effectivealtruism.org post summarizing SPAR projects and verification method categories

  6. O'Gara, Aidan; Kulp, Gabriel, et al. — Hardware-Enabled Mechanisms for Verifying AI Training Properties (arXiv abs/2505.03742, May 2025) - arXiv paper on compute quantity and cluster configuration verification

  7. OpenMined — Secure Enclaves for AI Evaluation (openmined.org) - UK AISI + Anthropic pilot using H100 TEEs for privacy-preserving AI safety evaluations

  8. Oxford Martin AI Governance Initiative — Hardware Verification for International AI Agreements (2025) - report categorizing on-chip and off-chip verification mechanisms and investment requirements

  9. BatteringRAM (batteringram.eu, October 2025), WireTap (wiretap.fail, October 2025), TEE.fail (tee.fail, October 2025) - three attacks demonstrating physical-access vulnerabilities in Intel SGX, AMD SEV-SNP, and Intel TDX confidential computing; $50–$1,000 hardware interposers extract attestation signing keys and enable attestation replay

  10. Semiconductor Industry Association — statement on the Chip Security Act - opposes "blanket mandates for new, untested, and potentially infeasible on-chip mechanisms"; see also Atlantic Council analysis, Center for Cybersecurity Policy critique

  11. Stop Stealing Our Chips Act (S.1473 / H.R.6322) — Congress.gov; IAPS issue brief - whistleblower incentive program modeled after SEC program

  12. Lucid Computing — lucidcomputing.ai - hardware-rooted zero-trust AI verification platform using TEEs, latency-based location proofs, and cryptographic audit ledgers; founded 2025 in San Francisco

  13. IAPS — Location Verification for AI Chips (iaps.ai) - working prototype on H100 chips demonstrating delay-based verification

  14. Distributed and Decentralised Training: Technical Governance Challenges (arXiv) - analysis of decentralized training (DiLoCo, INTELLECT-1) as evasion vector; currently ~1,000x smaller than frontier models but rapidly progressing; $145M+ raised by startups since 2024

  15. Research synthesis on hardware-enabled governance limitations — referenced across MIRI (2024), Oxford Martin AIGI (2025), and arXiv (2024–2025) sources on software/weight security gaps

  16. Federation of American Scientists — Accelerating R&D for Critical AI (fas.org, 2025) - recommends ≈$40M/year for AI Assurance and Security R&D Consortium led by DARPA and NSF

  17. Longview Philanthropy — Request for Proposals on Hardware-Enabled Mechanisms (HEMs) for AI Verification (longview.org) - expects to award $2–10M in grants for HEM prototype development

References

This CNAS report introduces 'on-chip governance mechanisms'—secure hardware features built directly into AI chips—as a complement to export controls for governing advanced AI systems. It argues that existing semiconductor security technologies can be leveraged to enforce export regulations, verify compliance with international agreements, and limit misuse of AI compute, while reducing the competitiveness harms of broad export restrictions.

This RAND working paper examines hardware-enabled governance mechanisms (HEGMs) as a technical approach to AI oversight, exploring how compute hardware can be leveraged to enforce compliance with AI safety and governance policies at a foundational level. It analyzes how features embedded in AI chips and infrastructure could enable monitoring, access controls, and enforcement of regulatory requirements. The paper contributes to the emerging field of using physical compute infrastructure as a governance lever.

This CNAS report examines hardware-enabled mechanisms (HEMs) as a technological approach to improving AI chip export controls, particularly targeting chip smuggling to China. It analyzes how embedding security and governance functions directly into AI hardware could enable more targeted, enforceable export restrictions while reducing burdens on legitimate trade and preserving democratic values.

Visibility into AI Chips (arXiv, Yonadav Shavit, 2023, paper)

This paper proposes a technical framework for governments to monitor and verify compliance with international agreements on large-scale AI training by tracking specialized ML chips. The system uses on-chip firmware for weight snapshots, training run documentation, and supply chain monitoring to provide high confidence of compliance while preserving model privacy. It decomposes the verification problem into narrow technical challenges including a new variant of Proof-of-Learning.

Future of Life Institute

The Future of Life Institute (FLI) is a nonprofit organization focused on steering transformative technologies, particularly AI, away from catastrophic risks and toward beneficial outcomes. They operate across policy advocacy, research funding, education, and outreach to promote responsible AI development. FLI has been influential in key AI safety milestones including the open letter on AI risks and the Asilomar AI Principles.

This RAND report summarizes findings from a 2024 expert workshop exploring hardware-enabled mechanisms (HEMs) in AI chips as tools for enforcing export controls, preventing unauthorized use, and supporting U.S. national security. Participants from AI/chip industries, civil society, and government assessed four HEM options for technical and political feasibility. Key takeaways include that simpler, narrower-scope solutions may be more practical and that HEMs could be valuable as conditions in international sales deals.
