6.2.3 Enforcement of Compute Usage Restrictions
Original Problem in the Paper
Motivation: export controls on high-end AI chips are blunt and collateral-damage-prone; BIS requested technical solutions limiting controlled items from being used in large aggregations for training dual-use foundation models. Open problems: remote attestation for disaggregated/heterogeneous machines; attest acceptable cluster configurations; restrict cluster configurations or GPU interconnect bandwidth; develop protocols/hardware features resilient to circumvention and confidentiality concerns.
July 2026 Update & Trajectory
Policy controls are operational and tightening, but technical on-chip/cluster enforcement is not. BIS maintains advanced-computing licensing/due-diligence regimes, and Caliptra/OpenTitan/NVIDIA attestation make parts of remote verification tractable. I found no verified July 2026 deployment of enforceable chip-level limits that reliably prevent high-end chips from being aggregated for frontier training while permitting benign workloads.
Deployed / Operationalized
- Export-control licensing, end-use/end-user due diligence, country/headquarters-based guidance, and IC designer authorization timelines.
- Attestation building blocks for device identity and measured boot in datacenter SoCs and H100 GPUs.
- Cloud procurement/account controls and contractual restrictions; enforcement is administrative/operational more than silicon-enforced.
New Tractable Vectors
- Remote attestation of cluster membership and configuration using chip identity certificates, roots of trust, and cloud inventory telemetry.
- Policy engines that decide whether an attested configuration/workload is allowed before granting licenses, secrets, or interconnect access.
- Auditable export-control compliance for cloud-hosted accelerator fleets.
Key Open Questions
- Circumvention-resistant yet privacy-preserving proof that a workload is or is not frontier-model training.
- Technical controls for disaggregated, rented, resold, smuggled, or heterogeneous accelerator clusters outside cooperative clouds.
- Avoiding collateral damage and denial-of-service when limiting interconnect bandwidth or cluster size.