Managing Export Control Risks in the AI Chip Ecosystem

Recent actions by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) and the U.S. Department of Justice (DOJ) highlight how enforcement risk extends beyond manufacturers and exporters to include forwarders, financial institutions, and data center operators. Although U.S. policy direction remains uncertain as the Trump Administration has taken steps to ease some restrictions, this shift is unlikely to alter BIS’s and DOJ’s enforcement focus. Enforcing export controls for advanced computing hardware (“AI chips”) has been a consistent priority across recent administrations. An increase in licensed trade will require additional resources to monitor and enforce license conditions, while a willingness to license some exports will naturally increase enforcement pressure to inhibit circumvention and illicit procurement.

This article summarizes recent policy developments and key enforcement actions in the AI ecosystem and describes compliance considerations, including tailored insights for cloud service providers, data center operators, and financial institutions.

I. Introduction

In recent months, the AI chip and wider semiconductor ecosystems have come under scrutiny as DOJ, in coordination with BIS, has conducted enforcement actions targeting the unlawful diversion of AI chips and other key technologies. Most recently, in January 2026, BIS entered into a $1.5 million settlement with a European company regarding the unlawful in-country transfer of semiconductor manufacturing items subject to the Export Administration Regulations (EAR) to a foundry facility on the Entity List by the European company’s China-based subsidiary. On December 8, 2025, DOJ announced Operation Gatekeeper, which involved the disruption of exports and attempted exports by a multi-defendant network of at least $160 million worth of AI chips to mainland China and Hong Kong, and followed several other similar actions in the AI chip industry.[1] And in July 2025, DOJ and BIS entered into a resolution with a leading U.S. provider of electronic design automation software and semiconductor design technology regarding the unlawful export of those technologies to a Chinese entity on BIS’s Entity List. The resolution addressed civil and criminal enforcement actions and included a $95 million administrative penalty and $45 million in forfeitures. These enforcement efforts, and others highlighted below, reflect continuing serious concern by U.S. officials over the national security implications of advanced computing infrastructure, and several cases demonstrate that enforcement scrutiny and touchpoints extend beyond manufacturers and exporters of record.

In the AI sphere, the Trump Administration has signaled its ongoing review of the underlying policy framework. Just over a month after Operation Gatekeeper was unsealed, BIS issued a new policy to license certain AI hardware to end users in China, conditioned on independent security testing conducted in the United States, among other requirements. Directly following this action, the Trump Administration announced that the United States will permit the subsequent sale and export of certain AI chips, subject to a 25 percent tariff imposed upon entry into the United States for items destined for export to certain end uses and end users.  These recent policy actions underscore that expanded commercial access may not equate to reduced enforcement and compliance risk. On the contrary, the Trump Administration to date has been using its authority in novel ways that combine targeted policy flexibility with heightened compliance and diligence expectations on U.S. and multinational companies. The risk of enforcement is compounded by increased institutional capacity at BIS—Congress recently approved a 23 percent increase in BIS’s Fiscal Year 2026 budget, with several members explicitly signaling bipartisan support for stronger export control enforcement, and several million dollars marked specifically for semiconductor-related enforcement.

II. Policy Background 

Between January and May 2025, BIS issued and then rescinded its Framework for Artificial Intelligence Diffusion (the “AI Diffusion Framework”), which would have expanded export controls on advanced computing integrated circuits (ICs), among other restrictions. In rescinding the AI Diffusion Framework, BIS cited concerns that the rule could hinder U.S. innovation and complicate diplomatic engagement with key partner countries, and indicated that it intended to issue a replacement rule at a later date.  

Importantly, the rescission announcement was not a signal of relaxed enforcement. Rather, in parallel with the announcement, BIS released guidance creating a presumption that dealings involving certain China-linked AI chips would violate U.S. export controls. BIS also made its diligence expectations clear through a policy statement clarifying restrictions on certain activities relating to AI model training in specific countries, and through guidance highlighting common diversion tactics and red flags, including risk indicators tied specifically to data centers and Infrastructure-as-a-Service (IaaS) providers.

At the end of 2025, the White House and BIS began announcing policies to address certain issues left open by the rescinded AI Diffusion Framework. On December 8, 2025, President Trump announced that the United States will permit the sale of some chips directly to approved customers in China. On January 13, 2026, BIS issued a final rule revising its export licensing policy for these chips to allow case-by-case review—rather than a presumption of denial—for exports to entities in mainland China (including Hong Kong) and Macau, provided specific conditions are satisfied.  

While the rule affects a narrow range of earlier generation AI hardware and is not a replacement for the AI Diffusion Framework, it offers insight into key conditions the U.S. government may consider important for future exports and related activities involving advanced AI compute. These include requirements to screen buyers and customers, obtain certifications, maintain enhanced security and Know-Your-Customer (KYC) procedures, conduct independent third-party testing, and verify shipments will not negatively affect demand from U.S. companies.

Additionally, the rule extends requirements through license conditions on exported hardware to the provision of remote access IaaS, including restrictions on the provision of such services to “IaaS remote end users” that are (1) located in, or having an ultimate parent headquartered in, restricted jurisdictions—specifically Belarus, China, Cuba, Iran, Macau, North Korea, Russia, or Venezuela, or (2) restricted under Part 744 controls (e.g., entities on the Entity List, military-intelligence end users, and certain Russia-linked persons on the Specially Designated Nationals and Blocked Persons (SDN) list, administered by the Department of Treasury’s Office of Foreign Assets Control (OFAC)).

On January 14, 2026, President Trump issued a complementary proclamation under Section 232 of the Trade Expansion Act of 1962, finding that imports of the same chips mentioned in the revised export licensing policy from January 13, 2026, pose a threat to U.S. economic and national security. The proclamation imposed a 25 percent tariff on specified chips, with exemptions for imports supporting the “U.S. technology supply chain and the strengthening of domestic manufacturing capacity.”

Congress in recent months has also continued to play an active role in the direction of U.S. export control policy. On January 12, 2026, the House of Representatives passed the Remote Access Security Act (RASA) (H.R. 2683) (369-22), a bill that would amend the Export Control Reform Act of 2018 (ECRA) to expressly extend U.S. export control jurisdiction to remote access to advanced compute infrastructure by foreign persons, including access via the Internet or cloud computing services, when such use presents a serious national security or foreign policy risk. If enacted, RASA would enhance BIS’s already broad authority to regulate remote access to controlled infrastructure (e.g., through export licenses and conditions) and potentially simplify the process of related licensing and enforcement activities.

III. Overview of Enforcement Framework

BIS regulates the export, reexport, and in-country transfer of controlled items, with licensing requirements generally determined by the classification of the item and the country of destination, end user, and end use.[2] Engaging in covered activities without a required license may violate ECRA and its implementing regulations, the EAR, 15 C.F.R. Part 730 et seq.  

Enforcement actions can arise in a variety of ways, from routine government activities—such as BIS end-use checks and port cargo detentions—to whistleblower reports. Export control investigations also frequently proceed on parallel civil and criminal tracks. BIS pursues civil and administrative enforcement while DOJ pursues criminal matters involving evidence of willful or knowing misconduct. Once an investigation is underway, companies often face rapid government requests, including document preservation notices, administrative subpoenas, requests for interviews of key personnel, and, in some cases, forensic imaging of devices or systems. These investigative steps are commonly used to assess the export classification, end-use diligence, and accuracy of export documentation.

For individuals, penalties include imprisonment, fines, and the denial or revocation of export licenses.[3] For corporate entities, penalties include fines, probationary periods, annual compliance reporting, and internal export control audits.

IV. Recent AI Chip Enforcement Actions

In October 2022, BIS implemented additional controls that significantly expanded licensing requirements and compliance obligations for AI chips and related technologies, particularly in relation to China and companies headquartered there. Consistent with these priorities, DOJ and BIS have pursued a series of high-profile enforcement actions targeting efforts to evade U.S. export controls, three of which are summarized below.

Operation Gatekeeper

In December 2025, DOJ announced a successful operation that dismantled a sophisticated smuggling network involving multiple defendants exporting and attempting to export controlled chips to mainland China and Hong Kong. From 2023 to present, the network allegedly used straw purchasers and intermediary U.S. warehouses to falsely indicate that the chips were for U.S. customers or customers in third-party countries, such as Taiwan and Thailand, in order to ultimately conceal the end destination.[4] The chips were shipped to multiple U.S. warehouses where individuals re-labeled the original equipment manufacturer’s logo with fictitious branding and misclassified the goods as “adapters,” “adapter modules,” or “contactor controllers.” Two of the defendants—a Canadian citizen and CEO of a Virginia-based IT company, and a Chinese national and owner of a New York-based technology company—allegedly independently conspired with employees of a Hong Kong-based logistics company and a mainland China-based AI technology company to complete their scheme. Additionally, another defendant that has already pleaded guilty received more than $50 million in wire transfers that originated from China.

Janford Realtor, LLC

In November 2025, DOJ announced charges against two U.S. citizens and two Chinese nationals residing in the United States for their alleged roles in a conspiracy to illegally export advanced AI chips to China. According to the indictment, from September 2023 to November 2025, the defendants used a Florida-based front company, Janford Realtor, LLC, to purchase and send controlled chips to China while disguising the true destination through intermediaries. The defendants relied on a company with no legitimate role in the chip industry to place orders for AI chips, falsified export documentation, and created fake contracts to make it appear that the chips were destined for end users in Malaysia and Thailand. The alleged conspiracy generated nearly $4 million in wire transfers from China.[5]

ALX Solutions Inc.

In August 2025, DOJ announced charges against two Chinese nationals for knowingly exporting advanced AI chips to China in violation of U.S. export controls. From October 2022 through July 2025, the defendants allegedly used their California-based company, ALX Solutions Inc., to route shipments of advanced chips through intermediary freight forwarders in Singapore and Malaysia in order to disguise the true destination. The company had been formed just 20 days after BIS began requiring licenses for the chips at issue in the case.

The complaint identifies multiple “red flags,” including the defendants misclassifying controlled chips as EAR99 (i.e., low-technology consumer goods), selling to companies with no apparent history of using the exported items or infrastructure to actually use the exported items, listing freight forwarders that ordinary act the intermediary consignees as the ultimate consignees (i.e., the purchasers and end users of the products), and receiving payments from entities that were not listed as receiving any of the products. The company also failed a BIS end-use check in Singapore.[6] The alleged conspirators received approximately $1 million in payments from a China-based company, along with additional funds from entities in mainland China and Hong Kong, rather than from the listed end users themselves.

V. Compliance Considerations

Taken together, these recent enforcement actions reflect a consistent pattern: many of the alleged schemes employed transactional and behavioral “red flags” identified in BIS’s May 2025 guidance on AI chip diversion, raising expectations by BIS and DOJ that intermediaries will recognize, raise, and potentially report suspicious activity. BIS’s revised export licensing policy from January 2026 reinforces and raises compliance expectations for companies in the AI chip ecosystem—whether directly through license conditions, or indirectly by signaling the U.S. government’s views on what constitutes appropriate protections.

All companies operating in the AI ecosystem should reassess their compliance frameworks with an emphasis on early identification and remediation of export-control risk. The following key considerations align with BIS’s guidance and should be considered, but the right suite of mitigation measures will depend on a transaction’s facts and circumstances. No one measure is sufficient in all cases, nor is the absence of any particular measure fatal to a compliance plan.

• Strengthen end-use and end-user verification. Enhanced diligence may be warranted where customers lack a legitimate business history, technical capability, or infrastructure consistent with advanced AI chip use, or where they cannot articulate the nature of their end use or the range of other end users that may have access to, or use of, controlled items.   
• Scrutinize routing and transaction structures. Third-party country routing through common transshipment hubs, opaque ownership structures, or inconsistencies among purchasers, consignees, and payors may indicate diversion risk.
• Be alert to diversion tactics. Watch for requests involving relabeling, repackaging, and unusual storage arrangements in shipping or export documentation.
• Prepare to comply with BIS’s revised export licensing framework. Assess readiness to meet formalized license conditions, including enhanced security and access-control requirements, robust KYC and counterparty screening, certifications relating to domestic availability and shipment limits, and heightened end-use and end-user monitoring—particularly where deployments involve customers in China or Chinese-headquartered entities.

Infrastructure suppliers, operators, and IaaS providers should consider additional factors: 

• Capacity and infrastructure assessment: Conduct enhanced end-user diligence by independently validating that purported end users possess the technical capability and infrastructure to deploy or use advanced AI chips.  Ensure that power, cooling, and physical space capacity actually support claimed or marketed deployments (an issue BIS specifically identified as a diversion-risk indicator in its May 2025 guidance).
• Access controls and logging: Consider the use of monitoring mechanisms, such as geo- and IP-based screening, identity and access management, and audit logging, that clearly track who accessed infrastructure or relevant platforms, as well as when, and from where (information that may be critical in a potential enforcement investigation).
• Contractual provisions: To the extent feasible, build in protections like audit rights, termination and suspension triggers and periods, and obligations to cooperate with end-use checks and other compliance activities.

Financial institutions should pay close attention to specific red flags associated with the intersection of export controls and traditional financial crime and anti-money laundering risk:

• Mismatch between payment counterparties and end users: Payments originating from entities that do not align with the listed end users or consignees on shipping documentation, particularly where the payer has no apparent commercial relationship to the transaction.
• Newly formed entities: Recently established companies that begin engaging in large cross-border payments or high-value transactions shortly after regulatory changes or the imposition of new export controls, raising questions about their purpose and operational legitimacy.

VI. Conclusion

The recent wave of AI chip enforcement actions underscores a clear message: while policy frameworks governing advanced computing technologies may continue to evolve, enforcement risk remains. DOJ and BIS have demonstrated a willingness to pursue complex, multi-jurisdictional investigations that reach well beyond manufacturers and exporters to include intermediaries, service providers, financial institutions, and data center operators. In addition to proactively identifying export-control risk, we are monitoring several open policy questions that are likely to shape compliance expectations in 2026, and recommend that companies begin assessing their compliance frameworks accordingly.

• Will the Trump Administration issue a fulsome replacement for the AI Diffusion Framework, and if not, which elements of the framework will the Trump Administration keep or cut?
• To what extent will the U.S. and other governments enforce or expand security, monitoring, reporting, and other requirements for permissible exports and deployments, and what will be the impact of diplomacy and international technology and enforcement partnerships?
• What role will Congress and elections play in shaping White House policy, and what additional compliance burdens and business risks could result?

Companies that align their compliance programs now to anticipate these developments will be best positioned to manage regulatory risk and sustain lawful participation in the global AI chip ecosystem.

Kara Podraza, an associate in our Washington, D.C. office, contributed to the writing of this article.

[1] U.S. Department of Justice, U.S. Authorities Shut Down Major China-Linked AI Tech Smuggling Network, (last accessed Jan. 20, 2026).

[2] U.S. Department of Commerce, Bureau of Industry and Security, What is an ECCN? (last accessed Jan. 20, 2026); U.S. Department of Commerce, Bureau of Industry and Security, End-user controls, (last accessed Jan. 20, 2026).

[3] U.S. Department of Commerce, Bureau of Industry and Security, Penalties (last accessed Jan. 20, 2026).

[4] Plea Agreement, United States v. Alan Hao Hsu, Case No 4:25-cr-00510 (S.D. Tex. Oct. 10, 2025); Criminal Complaint, United States v. Fanyue Gong, Case No 4:25-mj-718 (S.D. Tex. Dec. 2, 2025); Criminal Complaint, United States v. Benlin Yuan, Case No. 4:25-mj712 (S.D. Tex. Nov. 28, 2025).

[5] Indictment, United States v. Hon Ning Ho, et al., Case No. 8:25-cr-530 (S.D. Fla. Nov. 13, 2025).

[6] Criminal Complaint, United States v. Chuan Geng, Case No. 2:25-mj-04821 (C.D. Cal. Aug 1, 2025).