Hardware-Enabled Governance Mechanisms
Hardware-enabled governance mechanisms (HEGMs, also "on-chip governance" or hardware-enabled mechanisms/HEMs) propose to make AI-governance rules attach to the physical compute layer — AI accelerators (GPUs/ASICs), their firmware, and the datacenters that house them — rather than to actors' self-reports. The aim is to convert compute, an unusually concentrated and excludable input to frontier AI, into a verifiable governance chokepoint. Proposed mechanisms span four families: (1) cryptographic attestation and compute-usage logging that lets a chip prove what workload it ran (e.g., training-run accounting to verify a compute-threshold rule); (2) location verification, typically delay-based geolocation in which a trusted "landmark" server measures a chip's signed-challenge response time to bound its physical location and detect diversion; (3) on-chip usage/licensing controls that can throttle, gate, or disable a chip absent an authorization (a "feature lock" or remote attestation requirement); and (4) tamper-evident/tamper-resistant packaging so the above cannot be silently bypassed. Across these, the load-bearing premise is a hardware root of trust — a per-chip private key that cannot be extracted by an adversary with physical access. The concept underpins both unilateral export-control enforcement (proving a chip is where it was licensed to be) and proposed multilateral, privacy-preserving compliance verification (e.g., flexible hardware-enabled guarantees, "flexHEGs"), where chips would attest compliance with an international agreement without exposing model weights, data, or hyperparameters.
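The delay-based location check described in family (2), worked through as an added example; it is not code from this page or from any cited project. HMAC-SHA256 stands in for the per-chip private-key signature so the sketch runs on the standard library alone, and the 200 km/ms fibre speed, key, nonces, coordinates and timings are constructed assumptions.

```python
import hashlib
import hmac
import math

FIBRE_KM_PER_MS = 200.0   # assumed: light in fibre covers about 200 km per ms
EARTH_RADIUS_KM = 6371.0


def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def chip_sign(chip_key, nonce):
    """Chip side. HMAC-SHA256 stands in for the per-chip private-key signature."""
    return hmac.new(chip_key, nonce, hashlib.sha256).digest()


def distance_bound_km(probes, chip_key):
    """Tightest bound over (nonce, response, rtt_ms) probes; None on a repeated
    nonce or bad signature. No processing time is subtracted (conservative)."""
    seen, best_rtt = set(), None
    for nonce, response, rtt_ms in probes:
        valid = hmac.compare_digest(chip_sign(chip_key, nonce), response)
        if nonce in seen or not valid:
            return None
        seen.add(nonce)
        best_rtt = rtt_ms if best_rtt is None else min(best_rtt, rtt_ms)
    return None if best_rtt is None else best_rtt / 2 * FIBRE_KM_PER_MS


def check_chip(probes, chip_key, landmark, restricted_point):
    """Verified only if the landmark's bound disc excludes restricted_point."""
    bound = distance_bound_km(probes, chip_key)
    if bound is None:
        return "rejected"
    margin = great_circle_km(landmark, restricted_point)
    return "verified" if bound < margin else "inconclusive"


# Constructed sample: key, nonces, coordinates and timings are illustrative.
KEY = b"constructed-demo-chip-key"
LANDMARK, RESTRICTED = (0.0, 0.0), (0.0, 20.0)   # about 2224 km apart
NEAR = [(b"n1", chip_sign(KEY, b"n1"), 6.0), (b"n2", chip_sign(KEY, b"n2"), 4.0)]
FAR = [(b"n3", chip_sign(KEY, b"n3"), 40.0)]
print([check_chip(p, KEY, LANDMARK, RESTRICTED) for p in (NEAR, FAR)])
```

A "verified" result locates whatever holds the signing key, so it is only as strong as that key's confinement to the chip. An "inconclusive" result is a flag for follow-up rather than proof of diversion, since network delay alone can inflate the round trip.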
Definition and scope
Covers the physical-compute governance lever: on-chip attestation, compute monitoring/verification, location verification, usage/licensing locks, tamper resistance, and their use for export-control enforcement and proposed multilateral compliance verification. In scope: governance functions that bind to specific accelerators or datacenters and rely on a hardware root of trust. Out of scope: (a) compute-as-a-regulatory-threshold where the FLOP estimate is self-reported or architecture-derived rather than hardware-enforced (see compute-threshold); (b) administrative export controls that operate on paperwork/end-use licensing without any on-chip enforcement (see compute-export-controls); (c) software-only model-side governance (watermarking, evals, KYC at the API layer); and (d) datacenter physical security generally, except where it is the substrate for chip-level attestation. The boundary case — Nvidia's December 2025 software-based location verification using existing confidential-computing features — sits at the edge of scope: it is a chip-assisted but not hardware-hardened mechanism and illustrates the gap between deployed software features and a tamper-resistant on-chip regime.
Locus of dispute: Can on-chip governance mechanisms be made technically feasible and tamper-resistant at frontier scale — without unacceptable security, privacy, or centralization costs — and would they actually bind frontier compute? The dispute turns on the unsolved core: securing a per-chip private key against an adversary with physical access. Proponents (CNAS; the flexHEG/HEM research community) argue much functionality is already on commercial chips and that hardening is a matter of 18 months to ~4 years of engineering; skeptics, including the Semiconductor Industry Association, call blanket on-chip mandates "untested and potentially infeasible," and security researchers warn that remote-disable/usage-lock features create a centralized attack surface and single point of failure. A separate fault line is bindingness: even granting feasibility, would such mechanisms catch circumvention given documented large-scale smuggling and transshipment, or would they merely raise the cost at the margin?
Evidence base
42 academic & grey-literature sources on the topics this concept relates to — catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- China's semiconductor conundrum: understanding US export controls and their efficacy (Peer-reviewed). ✦ AI: Argues "America's chokepoint strategy is increasingly proving to be a fallacy": Chinese chipmakers have "managed to circumvent these measures" in four ways, accelerating domestic innovation.
- Defending Compute Thresholds Against Legal Loopholes (Preprint). ✦ AI: Identifies 'enhancement techniques that are capable of decreasing training compute usage while preserving... model capabilities', exposing loopholes in compute-reporting thresholds.
- Export Controls and Innovation in Sanctioned Countries (Working paper). ✦ AI: Using the 2007 US 'China Rule', finds sanctioned Chinese firms raised R&D by ~49% and patenting by ~41% — evidence export controls can accelerate the target's indigenous innovation.
- The establishment of an international AI agency: an applied solution to global AI governance (Peer-reviewed). ✦ AI: Proposes a UN-backed International Artificial Intelligence Agency modelled on the IAEA, arguing 'only an IAIA can legitimately oversee a global AI governance framework involving all major powers.'
- Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (Council Eur.) — with Introductory Note (Peer-reviewed). ✦ AI: Reproduces and annotates the first legally binding international AI treaty, grounding cross-border AI governance in legality, proportionality, transparency, accountability and non-discrimination across the AI lifecycle.
- Digital Disintegration: Techno-Blocs and Strategic Sovereignty in the AI Era (Peer-reviewed). ✦ AI: Argues states increasingly assert 'strategic digital sovereignty...through selective alliances with firms and other governments,' fragmenting global AI infrastructure into techno-blocs rather than multilateral order.
- Computing Power and the Governance of Artificial Intelligence (Preprint). ✦ AI: Argues compute is a uniquely governable lever because it is "detectable, excludable, and quantifiable, and is produced via an extremely concentrated supply chain".
- Training Compute Thresholds: Features and Functions in AI Regulation (Preprint). ✦ AI: Finds "training compute currently is the most suitable metric to identify GPAI models", but thresholds should only trigger further scrutiny, not determine risk measures alone.
- Compute North vs. Compute South: The Uneven Possibilities of Compute-based AI Governance Around the Globe (Peer-reviewed). ✦ AI: Census of hyperscale cloud regions shows a divide between "Compute North" states hosting training-relevant compute and a Compute South, shaping who can wield compute-based governance.
- Global AI governance: barriers and pathways forward (Peer-reviewed). ✦ AI: Diagnoses a global AI governance deficit and, weighing new centralized institutions against coordinating existing ones, recommends foregrounding the OECD as the centre for AI policy expertise.
- Governing Through the Cloud: The Intermediary Role of Compute Providers in AI Regulation (Preprint). ✦ AI: Argues 'compute providers should have legal obligations' to secure infrastructure, keep records, verify activity and report frontier training as regulatory intermediaries.
- Verification methods for international AI agreements (Preprint). ✦ AI: Surveys '10 verification methods that could detect... unauthorized AI training... and unauthorized data centers', mapping the technical basis for compute-disclosure regimes.
+ 30 more across this concept's topics — see the literature index.
Editorial note
Author/provenance accuracy notes for downstream editors (ALL verified by web search 2026-06-19): (1) The companion paper "Computing Power and the Governance of Artificial Intelligence" (arXiv:2402.08797, Feb 2024) is led by Girish Sastry — Brundage is the 5th of 19 co-authors (Sastry, Heim, Belfield, Anderljung, Brundage, et al.); do NOT cite it as "Brundage et al." (2) Shavit, Y. (2023), "What does it take to catch a Chinchilla?" (arXiv:2303.11341) is single-author — confirmed. (3) flexHEG/HEM line: the RAND working paper is Kulp, Gonzales, Smith, Heim, Puri, Vermeer & Winkelman (WRA3056-1, Jan 2024) — confirmed author list; the flexHEG reports are associated with the GovAI/Bengio-hosted memo series and flexheg.com — verify exact author lists per artifact before quoting. (4) usedByInstruments is intentionally empty: no PUBLISHED instrument mandates on-chip governance. The EU AI Act uses compute as a self-reported/architecture-based threshold (Art. 51, 10^25 FLOP), not hardware-enforced; the US Chip Security Act (H.R.3447 / S.1705, 119th Congress) would mandate on-chip location verification but as of 2026-06 was only ordered-reported (House Foreign Affairs, Mar 26, 2026; ~37% GovTrack enactment odds), not enacted, with SIA opposition — if it is later enacted, add it here. (5) Nvidia's Dec 2025 location-verification is software-based (optional, Blackwell-first) over existing confidential-computing/telemetry features, NOT a tamper-resistant on-chip regime — characterize as chip-assisted, not on-chip-hardened, to avoid overclaim.
Evidence & methods — how this article was reviewed
Source appraisal — 42 sources across 8 types
| Source type | Authority | Count |
|---|---|---|
| Peer-reviewed (✦ 11 AI) | Primary / peer-reviewed | 12 |
| Standards body (✦ 2 AI) | Primary / peer-reviewed | 2 |
| Preprint (✦ 11 AI) | Institutional | 19 |
| Research institute (✦ 3 AI) | Institutional | 3 |
| Incident database (✦ 1 AI) | Institutional | 1 |
| Working paper (✦ 1 AI) | Institutional | 1 |
| Think tank (✦ 3 AI) | Contextual | 3 |
| Civil society (✦ 1 AI) | Contextual | 1 |
Authority is an editorial classification by source type — not a quality score for any individual work, and not external peer review. ✦ AI-generated summaries are labelled, never dropped.
Review methods
- Review question: How are Hardware-Enabled Governance Mechanisms defined, and how do they appear across the tracked governance instruments and topics?
- Review model: Living evidence mapping (scoping-review idiom) — continuously updated and source-grounded. Not a registered systematic review and not externally peer-reviewed.
- Updated through: 2026-06-19
- Source base: Primary legal/regulatory and standards sources; peer-reviewed and preprint academic literature (via DOI/arXiv); institutional and civil-society reports. Source types are classified in the source-appraisal table on this page.
- Inclusion: A claim is included only when it traces to a cited primary or published source; coverage classifications are anchored to a named provision or document.
- Exclusion: Unsourced assertions, broken or unverifiable links, and sources that do not support the claim they are attached to are excluded.
- Appraisal: Sources are classified by source-type authority (see the source-appraisal table) — structured editorial self-classification, not external peer review.
- Synthesis: Definitional synthesis plus mapping of where the concept is used across instruments and topics.
- Limitations: English-language and editorial-capacity coverage asymmetries; reliance on official sources for legal status; some prose tiers are AI-authored and AI-reviewed without human review (labelled as such). This is not peer-reviewed scholarship.
Cite this article
Persistent identifier: https://policywindow.org/wiki/hardware-enabled-governance — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Social-science evidence — the “so-what”
What the peer-reviewed social science shows: whether the harm this concept addresses is empirically real, and whether governance of it works. The badge is the epistemic status of the evidence (not the policy debate) — “thin” or “absent” efficacy evidence is itself a finding (the “second silence”).
Compute is a genuine, concentrated governance chokepoint (frontier training depends on a small set of specialized accelerators from a short, concentrated supply chain — detectable, excludable, quantifiable per Sastry/Heim/Brundage et al. 2024), and several HEGM building blocks exist or have been partially demonstrated — but a tamper-resistant on-chip governance regime has NOT been demonstrated and remains largely conceptual. CNAS (Aarne, Fist & Withers 2024) finds much required functionality is already widely deployed on commercial AI chips, yet states these features are not designed to resist a well-resourced attacker with physical access and would need ~18 months to 4 years of hardening for adversarial use. Shavit (2023) and the Sastry/Heim/Brundage et al. (2024) compute-governance synthesis frame compute monitoring and attestation as feasible-in-principle but unproven at scale. Delay-based location verification has been articulated technically (IAPS) and Nvidia shipped a software-based variant in Dec 2025, but commentators (AI Frontiers; IAPS) identify private-key extraction as the security crux and note the security of the on-die key on existing chips is uncertain (IAPS: 'unclear how well-secured this is'; AI Frontiers: on-die key is 'very difficult to remove' but not impossible for a motivated actor). Status: contested/thin — real chokepoint, demonstrated components, no demonstrated tamper-resistant whole.
Sources: Aarne, O., Fist, T., & Withers, C. (2024). Secure, Governable Chips. CNAS. https://www.cnas.org/publications/reports/secure-governable-chips; Shavit, Y. (2023). What does it take to catch a Chinchilla? Verifying Rules on Large-Scale Neural Network Training via Compute Monitoring. arXiv:2303.11341. https://arxiv.org/abs/2303.11341; Sastry, G., Heim, L., Belfield, H., Anderljung, M., Brundage, M., et al. (2024). Computing Power and the Governance of Artificial Intelligence. arXiv:2402.08797. https://arxiv.org/abs/2402.08797; IAPS, Location Verification for AI Chips. https://www.iaps.ai/research/location-verification-for-ai-chips; Can 'Location Verification' Stop AI Chip Smuggling? AI Frontiers. https://ai-frontiers.org/articles/location-verification-ai-chips
There is no deployed on-chip governance regime, so direct evidence that governing via hardware WORKS is absent. The currently operative hardware-adjacent lever — administrative export controls without on-chip enforcement — shows substantial circumvention: U.S. prosecutors documented a smuggling scheme moving ~$160M of restricted Nvidia H100/H200 GPUs to China (Oct 2024–May 2025; Alan Hao Hsu / Hao Global guilty plea Oct 10, 2025) via Southeast-Asian transshipment and falsified end-user/shipping records, and reporting estimates large volumes of advanced GPUs reached China after tightened controls. This is the policy gap on-chip mechanisms are PROPOSED to close, but the proposal is unenacted: the US Chip Security Act (H.R.3447) was only ordered-reported (House Foreign Affairs, Mar 26, 2026; not law; ~37% enactment odds per GovTrack) and the Semiconductor Industry Association opposes blanket on-chip mandates as 'untested, and potentially infeasible'; the EU AI Act mandates no on-chip mechanism. Net: governance-efficacy evidence for HEGMs specifically is absent (no regime to evaluate); the adjacent evidence shows paperwork-based controls leak, which is the motivating problem rather than a test of the mechanism.
Sources: $160 million export-controlled Nvidia GPUs allegedly smuggled to China (Hao Global, guilty plea Oct 2025). CNBC, Dec 31, 2025. https://www.cnbc.com/2025/12/31/160-million-export-controlled-nvidia-gpus-allegedly-smuggled-to-china.html; Chip Security Act, H.R.3447 / S.1705, 119th Congress (ordered reported Mar 26, 2026; not enacted). https://www.congress.gov/bill/119th-congress/house-bill/3447; Semiconductor Industry Association statement opposing blanket on-chip mandates (2026). https://www.semiconductors.org/sia-statement-on-chip-security-act/; Kulp, G., Gonzales, D., Smith, E., Heim, L., Puri, P., Vermeer, M. J. D., & Winkelman, Z. (2024). Hardware-Enabled Governance Mechanisms. RAND WRA3056-1. https://www.rand.org/pubs/working_papers/WRA3056-1.html