6.2.3 Enforcement of Compute Usage Restrictions
Original Problem in the Paper
Motivation: export controls on high-end AI chips are blunt instruments that can create collateral damage; BIS had asked for technical solutions to limit controlled items from being used with large numbers of other items for training large dual-use foundation models. The paper's open problems included remote attestation for disaggregated and heterogeneous machines, attesting acceptable cluster configurations, restricting cluster configurations or GPU communication bandwidth, and designing protocols or hardware features that are resilient to circumvention while addressing confidentiality concerns.
July 2026 Update & Trajectory
BIS export-control requirements for advanced-computing items remain operational, including May/June 2026 guidance on D:5/Macau-headquartered entities and related .z items, but the cited sources show administrative controls and attestation building blocks rather than deployed chip- or cluster-level enforcement of compute-usage limits. BIS also maintains due-diligence measures for advanced-computing integrated circuits. Caliptra and NVIDIA H100 confidential-computing documentation show device identity, measured boot, and attestation building blocks that make parts of remote verification tractable. Google Cloud documentation shows operational remote attestation for disaggregated machines in a cooperative cloud, including signed policies and withholding jobs or user data when attestation fails. The sources reviewed here do not establish a July 2026 deployment of chip-level controls that reliably prevent high-end accelerators from being aggregated for frontier training while preserving benign workloads.
Deployed / Operationalized
- BIS licensing requirements for advanced-computing items, including country/headquarters-based guidance for D:5/Macau entities and related advanced-computing items.
- BIS due-diligence measures for advanced-computing integrated circuits in the supply chain.
- Device identity, measured boot, and attestation primitives for datacenter-class SoCs and H100 GPUs.
- In cooperative cloud settings, remote attestation of disaggregated machines with signed, machine-readable policies and gating of jobs or user data on successful attestation.
New Tractable Vectors
- Remote attestation of machine or cluster configuration using device or RTM identity certificates, roots of trust, signed policies, and provider control-plane hardware models; robust cluster-wide accelerator membership attestation remains a tractable extension rather than a demonstrated full enforcement system.
- Policy engines that decide whether an attested machine or cluster state is allowed before granting jobs, user data, task credentials, or other secrets; applying similar gating to export-license workflows or accelerator interconnect access remains a proposed governance design that needs separate support.
- Auditable export-control compliance workflows that combine administrative licensing and due-diligence records with technical attestation logs in cooperative accelerator fleets.
Key Open Questions
- Circumvention-resistant yet privacy-preserving proof that a workload is or is not frontier-model training.
- Technical controls for disaggregated, rented, resold, smuggled, or heterogeneous accelerator clusters outside cooperative clouds.
- Avoiding collateral damage and denial-of-service risks when limiting interconnect bandwidth or cluster size.
- Turning device or machine attestation into cluster-level compute-usage enforcement without exposing confidential workloads or creating brittle chokepoints.