Recent actions by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) and the U.S. Department of Justice (DOJ) highlight how enforcement risk extends beyond manufacturers and exporters to include forwarders, financial institutions, and data center operators. Although U.S. policy direction remains uncertain as the Trump Administration has taken steps to ease some restrictions, this shift is unlikely to alter BIS’s and DOJ’s enforcement focus. Enforcing export controls for advanced computing hardware (“AI chips”) has been a consistent priority across recent administrations. An increase in licensed trade will require additional resources to monitor and enforce license conditions, while a willingness to license some exports will naturally increase enforcement pressure to inhibit circumvention and illicit procurement.
This article summarizes recent policy developments and key enforcement actions in the AI ecosystem and describes compliance considerations, including tailored insights for cloud service providers, data center operators, and financial institutions.
In recent months, the AI chip and wider semiconductor ecosystems have come under scrutiny as DOJ, in coordination with BIS, has conducted enforcement actions targeting the unlawful diversion of AI chips and other key technologies. Most recently, in January 2026, BIS entered into a $1.5 million settlement with a European company regarding the unlawful in-country transfer of semiconductor manufacturing items subject to the Export Administration Regulations (EAR) to a foundry facility on the Entity List by the European company’s China-based subsidiary. On December 8, 2025, DOJ announced Operation Gatekeeper, which involved the disruption of exports and attempted exports by a multi-defendant network of at least $160 million worth of AI chips to mainland China and Hong Kong, and followed several other similar actions in the AI chip industry.[1] And in July 2025, DOJ and BIS entered into a resolution with a leading U.S. provider of electronic design automation software and semiconductor design technology regarding the unlawful export of those technologies to a Chinese entity on BIS’s Entity List. The resolution addressed civil and criminal enforcement actions and included a $95 million administrative penalty and $45 million in forfeitures. These enforcement efforts, and others highlighted below, reflect continuing serious concern by U.S. officials over the national security implications of advanced computing infrastructure, and several cases demonstrate that enforcement scrutiny and touchpoints extend beyond manufacturers and exporters of record.
In the AI sphere, the Trump Administration has signaled its ongoing review of the underlying policy framework. Just over a month after Operation Gatekeeper was unsealed, BIS issued a new policy to license certain AI hardware to end users in China, conditioned on independent security testing conducted in the United States, among other requirements. Directly following this action, the Trump Administration announced that the United States will permit the subsequent sale and export of certain AI chips, subject to a 25 percent tariff imposed upon entry into the United States for items destined for export to certain end uses and end users. These recent policy actions underscore that expanded commercial access may not equate to reduced enforcement and compliance risk. On the contrary, the Trump Administration to date has been using its authority in novel ways that combine targeted policy flexibility with heightened compliance and diligence expectations on U.S. and multinational companies. The risk of enforcement is compounded by increased institutional capacity at BIS—Congress recently approved a 23 percent increase in BIS’s Fiscal Year 2026 budget, with several members explicitly signaling bipartisan support for stronger export control enforcement, and several million dollars marked specifically for semiconductor-related enforcement.
Between January and May 2025, BIS issued and then rescinded its Framework for Artificial Intelligence Diffusion (the “AI Diffusion Framework”), which would have expanded export controls on advanced computing integrated circuits (ICs), among other restrictions. In rescinding the AI Diffusion Framework, BIS cited concerns that the rule could hinder U.S. innovation and complicate diplomatic engagement with key partner countries, and indicated that it intended to issue a replacement rule at a later date.
Importantly, the rescission announcement was not a signal of relaxed enforcement. Rather, in parallel with the announcement, BIS released guidance creating a presumption that dealings involving certain China-linked AI chips would violate U.S. export controls. BIS also made its diligence expectations clear through a policy statement clarifying restrictions on certain activities relating to AI model training in specific countries, and through guidance highlighting common diversion tactics and red flags, including risk indicators tied specifically to data centers and Infrastructure-as-a-Service (IaaS) providers.
At the end of 2025, the White House and BIS began announcing policies to address certain issues left open by the rescinded AI Diffusion Framework. On December 8, 2025, President Trump announced that the United States will permit the sale of some chips directly to approved customers in China. On January 13, 2026, BIS issued a final rule revising its export licensing policy for these chips to allow case-by-case review—rather than a presumption of denial—for exports to entities in mainland China (including Hong Kong) and Macau, provided specific conditions are satisfied.
While the rule affects a narrow range of earlier generation AI hardware and is not a replacement for the AI Diffusion Framework, it offers insight into key conditions the U.S. government may consider important for future exports and related activities involving advanced AI compute. These include requirements to screen buyers and customers, obtain certifications, maintain enhanced security and Know-Your-Customer (KYC) procedures, conduct independent third-party testing, and verify shipments will not negatively affect demand from U.S. companies.
Additionally, the rule extends requirements through license conditions on exported hardware to the provision of remote access IaaS, including restrictions on the provision of such services to “IaaS remote end users” that are (1) located in, or having an ultimate parent headquartered in, restricted jurisdictions—specifically Belarus, China, Cuba, Iran, Macau, North Korea, Russia, or Venezuela, or (2) restricted under Part 744 controls (e.g., entities on the Entity List, military-intelligence end users, and certain Russia-linked persons on the Specially Designated Nationals and Blocked Persons (SDN) list, administered by the Department of Treasury’s Office of Foreign Assets Control (OFAC)).
On January 14, 2026, President Trump issued a complementary proclamation under Section 232 of the Trade Expansion Act of 1962, finding that imports of the same chips mentioned in the revised export licensing policy from January 13, 2026, pose a threat to U.S. economic and national security. The proclamation imposed a 25 percent tariff on specified chips, with exemptions for imports supporting the “U.S. technology supply chain and the strengthening of domestic manufacturing capacity.”
Congress in recent months has also continued to play an active role in the direction of U.S. export control policy. On January 12, 2026, the House of Representatives passed the Remote Access Security Act (RASA) (H.R. 2683) (369-22), a bill that would amend the Export Control Reform Act of 2018 (ECRA) to expressly extend U.S. export control jurisdiction to remote access to advanced compute infrastructure by foreign persons, including access via the Internet or cloud computing services, when such use presents a serious national security or foreign policy risk. If enacted, RASA would enhance BIS’s already broad authority to regulate remote access to controlled infrastructure (e.g., through export licenses and conditions) and potentially simplify the process of related licensing and enforcement activities.
BIS regulates the export, reexport, and in-country transfer of controlled items, with licensing requirements generally determined by the classification of the item and the country of destination, end user, and end use.[2] Engaging in covered activities without a required license may violate ECRA and its implementing regulations, the EAR, 15 C.F.R. Part 730 et seq.
Enforcement actions can arise in a variety of ways, from routine government activities—such as BIS end-use checks and port cargo detentions—to whistleblower reports. Export control investigations also frequently proceed on parallel civil and criminal tracks. BIS pursues civil and administrative enforcement while DOJ pursues criminal matters involving evidence of willful or knowing misconduct. Once an investigation is underway, companies often face rapid government requests, including document preservation notices, administrative subpoenas, requests for interviews of key personnel, and, in some cases, forensic imaging of devices or systems. These investigative steps are commonly used to assess the export classification, end-use diligence, and accuracy of export documentation.
For individuals, penalties include imprisonment, fines, and the denial or revocation of export licenses.[3] For corporate entities, penalties include fines, probationary periods, annual compliance reporting, and internal export control audits.
In October 2022, BIS implemented additional controls that significantly expanded licensing requirements and compliance obligations for AI chips and related technologies, particularly in relation to China and companies headquartered there. Consistent with these priorities, DOJ and BIS have pursued a series of high-profile enforcement actions targeting efforts to evade U.S. export controls, three of which are summarized below.
In December 2025, DOJ announced a successful operation that dismantled a sophisticated smuggling network involving multiple defendants exporting and attempting to export controlled chips to mainland China and Hong Kong. From 2023 to present, the network allegedly used straw purchasers and intermediary U.S. warehouses to falsely indicate that the chips were for U.S. customers or customers in third-party countries, such as Taiwan and Thailand, in order to ultimately conceal the end destination.[4] The chips were shipped to multiple U.S. warehouses where individuals re-labeled the original equipment manufacturer’s logo with fictitious branding and misclassified the goods as “adapters,” “adapter modules,” or “contactor controllers.” Two of the defendants—a Canadian citizen and CEO of a Virginia-based IT company, and a Chinese national and owner of a New York-based technology company—allegedly independently conspired with employees of a Hong Kong-based logistics company and a mainland China-based AI technology company to complete their scheme. Additionally, another defendant that has already pleaded guilty received more than $50 million in wire transfers that originated from China.
In November 2025, DOJ announced charges against two U.S. citizens and two Chinese nationals residing in the United States for their alleged roles in a conspiracy to illegally export advanced AI chips to China. According to the indictment, from September 2023 to November 2025, the defendants used a Florida-based front company, Janford Realtor, LLC, to purchase and send controlled chips to China while disguising the true destination through intermediaries. The defendants relied on a company with no legitimate role in the chip industry to place orders for AI chips, falsified export documentation, and created fake contracts to make it appear that the chips were destined for end users in Malaysia and Thailand. The alleged conspiracy generated nearly $4 million in wire transfers from China.[5]
In August 2025, DOJ announced charges against two Chinese nationals for knowingly exporting advanced AI chips to China in violation of U.S. export controls. From October 2022 through July 2025, the defendants allegedly used their California-based company, ALX Solutions Inc., to route shipments of advanced chips through intermediary freight forwarders in Singapore and Malaysia in order to disguise the true destination. The company had been formed just 20 days after BIS began requiring licenses for the chips at issue in the case.
The complaint identifies multiple “red flags,” including the defendants misclassifying controlled chips as EAR99 (i.e., low-technology consumer goods), selling to companies with no apparent history of using the exported items or infrastructure to actually use the exported items, listing freight forwarders that ordinary act the intermediary consignees as the ultimate consignees (i.e., the purchasers and end users of the products), and receiving payments from entities that were not listed as receiving any of the products. The company also failed a BIS end-use check in Singapore.[6] The alleged conspirators received approximately $1 million in payments from a China-based company, along with additional funds from entities in mainland China and Hong Kong, rather than from the listed end users themselves.
Taken together, these recent enforcement actions reflect a consistent pattern: many of the alleged schemes employed transactional and behavioral “red flags” identified in BIS’s May 2025 guidance on AI chip diversion, raising expectations by BIS and DOJ that intermediaries will recognize, raise, and potentially report suspicious activity. BIS’s revised export licensing policy from January 2026 reinforces and raises compliance expectations for companies in the AI chip ecosystem—whether directly through license conditions, or indirectly by signaling the U.S. government’s views on what constitutes appropriate protections.
All companies operating in the AI ecosystem should reassess their compliance frameworks with an emphasis on early identification and remediation of export-control risk. The following key considerations align with BIS’s guidance and should be considered, but the right suite of mitigation measures will depend on a transaction’s facts and circumstances. No one measure is sufficient in all cases, nor is the absence of any particular measure fatal to a compliance plan.
Infrastructure suppliers, operators, and IaaS providers should consider additional factors:
Financial institutions should pay close attention to specific red flags associated with the intersection of export controls and traditional financial crime and anti-money laundering risk:
The recent wave of AI chip enforcement actions underscores a clear message: while policy frameworks governing advanced computing technologies may continue to evolve, enforcement risk remains. DOJ and BIS have demonstrated a willingness to pursue complex, multi-jurisdictional investigations that reach well beyond manufacturers and exporters to include intermediaries, service providers, financial institutions, and data center operators. In addition to proactively identifying export-control risk, we are monitoring several open policy questions that are likely to shape compliance expectations in 2026, and recommend that companies begin assessing their compliance frameworks accordingly.
Companies that align their compliance programs now to anticipate these developments will be best positioned to manage regulatory risk and sustain lawful participation in the global AI chip ecosystem.
Kara Podraza, an associate in our Washington, D.C. office, contributed to the writing of this article.
[1] U.S. Department of Justice, U.S. Authorities Shut Down Major China-Linked AI Tech Smuggling Network, (last accessed Jan. 20, 2026).
[2] U.S. Department of Commerce, Bureau of Industry and Security, What is an ECCN? (last accessed Jan. 20, 2026); U.S. Department of Commerce, Bureau of Industry and Security, End-user controls, (last accessed Jan. 20, 2026).
[3] U.S. Department of Commerce, Bureau of Industry and Security, Penalties (last accessed Jan. 20, 2026).
[4] Plea Agreement, United States v. Alan Hao Hsu, Case No 4:25-cr-00510 (S.D. Tex. Oct. 10, 2025); Criminal Complaint, United States v. Fanyue Gong, Case No 4:25-mj-718 (S.D. Tex. Dec. 2, 2025); Criminal Complaint, United States v. Benlin Yuan, Case No. 4:25-mj712 (S.D. Tex. Nov. 28, 2025).
[5] Indictment, United States v. Hon Ning Ho, et al., Case No. 8:25-cr-530 (S.D. Fla. Nov. 13, 2025).
[6] Criminal Complaint, United States v. Chuan Geng, Case No. 2:25-mj-04821 (C.D. Cal. Aug 1, 2025).