The series that translates national-security and AI-policy arguments across partisan lines, because the stakes are too high for tribal shorthand.
Hardware Just Got a Passport
What Happened This Week
Last week, the House Select Committee on the CCP reported out H.R. 3447, the Chip Security Act, with a margin that surprised the committee's own staff. The bill, sponsored by Rep. Bill Huizenga (R-MI) and co-led by Rep. Bill Foster (D-IL), would require advanced AI accelerators sold under U.S. export license to carry on-chip location verification before they leave the loading dock. Nvidia's H200 and B-series, AMD's MI300 line, Intel's Gaudi class, any silicon above the BIS performance threshold would be required to register, in cryptographically signed form, where it is and whether the location matches the export license. Chips that move outside their licensed jurisdiction either stop working or report themselves. The committee report frames this as the most consequential change to BIS enforcement architecture since the 1996 Wassenaar Arrangement implementing regulations.
The bill arrives against a backdrop that the committee leaned into hard. On March 19, 2026, a federal grand jury in the Southern District of New York unsealed the indictment of Yih-Shyan "Wally" Liaw, a Super Micro co-founder and senior vice president, for participating in a diversion scheme that prosecutors allege moved approximately $2.5 billion of restricted advanced chips to mainland Chinese end users across 2024 and 2025. Within that broader scheme, the indictment highlights a single three-week window in 2025 in which roughly $510 million in Nvidia Blackwell and Hopper servers were routed through Taiwan, Thailand, and Hong Kong intermediaries before reaching the final destination. The indictment was followed, six weeks later, by Fortune's reporting on Signal threads in which diversion brokers openly priced, scheduled, and routed shipments while the existing paperwork-based EAR licensing regime was, in real time, generating valid-on-paper end-user certifications for shipments that everyone in the chain knew were going somewhere else. The bill's sponsors put excerpts of the threads into the committee record. The committee passed the bill unanimously.
The mechanism the bill chooses is hardware. Each covered chip would carry a tamper-resistant module, call it a location attestor, that periodically signs a statement of its geographic position using GNSS data fused with cell-tower triangulation and a few other signals chosen specifically to make spoofing expensive. The signed attestation is transmitted, at intervals, to a Commerce-Department-managed reconciler that compares it against the export license on file. Chips that go silent for a defined period, or that report a location inconsistent with their license, can be remotely throttled or rendered inoperable. The bill is now in the House Foreign Affairs Committee and the House Energy and Commerce Committee for a sequential referral and is expected on the floor before the August recess.
Here's What You Need to Know in 30 Seconds
Existing AI chip export controls run on paperwork. Buyers in licensed jurisdictions sign end-user certifications, and BIS verifies a small fraction through post-shipment visits and intelligence tips. The system has failed visibly: an estimated $1 to $2 billion of restricted U.S. chips reached Chinese end users in 2025 alone through Southeast Asian and Gulf intermediaries. The Chip Security Act trades paperwork for physics. Hardware now reports where it is, and chips that wander outside their license either go dark or get flagged. Hawks see the first enforcement tool that matches the stakes. Reformers see a precedent in which the U.S. government mandates that a globally distributed surveillance mechanism be embedded in computing hardware shipped to allies, and they note that the keys to that mechanism sit at the Commerce Department, which has historically used export-control infrastructure for purposes beyond what its initial proponents anticipated. The bill is bipartisan and likely to pass. It will reshape how every sovereign buyer negotiates with U.S. chipmakers from this point forward, and the secondary effects on the Stargate UAE arrangement, the Saudi-Aramco compute deal, and pending EU sovereign-cloud talks are not yet priced in.
The Hawk Case: Paperwork Has Failed and the Bill Knows It
The hawk position on the Chip Security Act starts from a fact that is hard to dispute: the existing export control regime, as administered, has been outpaced by the value at risk. A single advanced accelerator commands a black-market premium of three to five times its list price. The shipments are small enough to move through cargo channels that BIS does not have the staffing to surveil. The end-user certifications are signed by entities that, in many cases, were stood up specifically to sign them. The Commerce Department's post-shipment verification regime, which depends on access to the buyer's facility, has been refused or delayed often enough that the agency itself now treats certifications from a defined set of jurisdictions as low-confidence by policy. The diversion problem, the hawk argues, is not a problem the current system is failing to solve in any meaningful sense; it is a problem the current system is not designed to solve at all.
Hardware-level verification, the hawk continues, is the first proposal in two decades of export-control reform that addresses the actual enforcement gap. Paperwork tells you what the buyer claims. The chip tells you what is. The two diverge whenever the chain of custody includes anyone with a financial incentive to lie, which is to say, in every diversion case BIS has prosecuted since 2020. The Super Micro indictment is the version that became visible. The hawk's claim is that for every visible case, there are five or ten that did not generate an indictable record because the diversion happened cleanly. A reconciler that gets a signed location statement from the chip itself removes the entire surface area of paper-based fraud, because the question is no longer what the certification says but what the chip says.
The hawk also takes seriously a point the reformer tends to skip past. The capacity of frontier AI to compress the cost of developing dangerous capabilities, biological, cyber, kinetic, is a function of compute access. The 2024 and 2025 hardening of the BIS rules was motivated by an analytic finding from ODNI that adversary access to frontier compute, at the scale Chinese state-affiliated buyers were assembling through 2024, was a meaningful contributor to the rate at which adversary capabilities were closing the gap with U.S. capabilities. The hawk does not argue that the Chip Security Act stops adversary AI development; that ship has sailed. The hawk argues that it slows the rate of acquisition, raises the cost, and provides U.S. intelligence with a real-time map of where restricted compute is operating, which is, on its own terms, a strategic gain the existing regime cannot deliver.
The hawk's bottom line: The Chip Security Act is the first export-control reform proposal in twenty years where the enforcement mechanism is engineered to match the value being protected. Paperwork was always going to be defeated by a $500 million per chip arbitrage, because there is no clerk anywhere who can hold a line against margins like that. Hardware can. The bill is not perfect, and the implementation will be messy, but the alternative (continuing to pretend that end-user certifications mean something) is the path the current regime is already on, and it is the path that produced the Super Micro indictment and the dozen others sitting in front of grand juries right now. The hawk supports the bill because the hawk has read the indictments.
The Reformer Case: You Are Building the Surveillance Stack on Top of the Chip
The reformer position is not that diversion is fine. The reformer position is that the architecture the bill establishes will outlive the diversion problem and will be applied, eventually, to purposes the bill's current sponsors are not contemplating. The mechanism is the issue. A globally distributed system of cryptographically signed location attestations from advanced computing hardware, reconciled in real time against a federal database, is a surveillance infrastructure. It is being built for export-control enforcement. It will not stay there. The reformer's claim is not that the bill is malicious; it is that the bill is the kind of dual-use infrastructure that the United States, when it has built such infrastructure for limited national-security purposes in the past, has reliably found new uses for within a decade.
The reformer points to two structural facts about the bill that have not received sufficient attention. The first is that the location attestor, once embedded, reports continuously, not on event. The bill's drafting permits the reconciler to query covered chips at any interval the Commerce Department deems appropriate, and the chip is required to respond. That is the same architectural choice the Foreign Intelligence Surveillance Court has, in adjacent contexts, scrutinized closely under the Fourth Amendment. The chips in question will sit in datacenters that process the inference workloads of every major U.S. enterprise, every allied government's sovereign compute deployment, and every academic institution that has a high-end research cluster. The continuous-reporting architecture creates a federal capacity to know, in close to real time, where U.S.-origin frontier compute is operating globally, which is a different question from whether any specific chip has been diverted.
The second structural fact is the key custody question. The location attestor is cryptographically signed, which means somebody holds the signing keys. The bill places those keys at the Commerce Department, with a redundant copy at NIST. The bill does not address what happens when a future administration uses the keys for a purpose the current sponsors did not anticipate. The bill does not address what happens when an allied government, having purchased compute under license, asks for access to attestation data about chips operating on its own sovereign territory. The bill does not address what happens when the keys are compromised, which they will eventually be, because every centralized signing infrastructure of comparable scale has been compromised at least once. The reformer reads these omissions as governance gaps, not technical oversights. The omissions matter because the system, once built, becomes the system of record for everyone.
The reformer also flags a foreign-policy cost the bill's sponsors have downplayed. The Stargate UAE arrangement, announced in early 2025, was the first large-scale sovereign compute deal in which a non-treaty ally agreed to operate advanced U.S. accelerators under a U.S. licensing regime. Saudi Arabia followed. The EU's sovereign-cloud working group has been negotiating a similar framework since late 2025. Each of these arrangements depends, politically, on the partner government being able to tell its public that its sovereign infrastructure is its own. The Chip Security Act, by mandating continuous attestation back to a U.S. federal reconciler, embeds in the silicon the proposition that the silicon is not, in any operational sense, sovereign. The reformer's claim is that this is a price the U.S. may want to pay; the reformer's complaint is that the bill is being marketed as costless to those relationships, and it is not.
The reformer's bottom line: The bill builds the right enforcement architecture for the wrong governance environment. The architecture itself is sound and probably necessary. The governance scaffolding around it (who holds the keys, who audits the reconciler, what happens when allied governments object, what the data is permitted to be used for, what the sunset provisions are) is almost entirely absent from the current draft. The reformer is not asking the hawk to drop the bill. The reformer is asking the hawk to take the bill seriously enough to put a Bill of Rights around it. The mechanism is too consequential to ship with the governance left as a follow-up.
Where They Actually Agree
The hawk and the reformer agree, when the cameras are off, on more than they agree on when the cameras are on. Both sides agree that the existing paperwork regime cannot hold against the current diversion economics. Both sides agree that hardware-level enforcement is the only category of intervention that scales with the value being protected. Both sides agree that the Super Micro case is the visible fraction of a larger pattern and that the pattern is getting worse, not better. Both sides agree that something has to change, and both sides agree that what changes will shape the structure of U.S.-allied compute cooperation for the next decade.
Both sides also agree that the bill in its current form is under-specified on governance. The hawk's view is that the under-specification is appropriate because the architecture has to be stood up before the governance can be written against it. The reformer's view is that the under-specification is dangerous because architectures rarely get governance retrofitted after they are operational. The hawk and the reformer arrive at the same observation and read it in opposite directions.
Both sides agree on a third point that has gotten less attention: the bill's implementation timeline assumes a level of cooperation from the chipmakers that the bill itself does not require. Nvidia, AMD, and Intel will need to redesign covered products to incorporate the attestation module. The module exists in prototype, jointly developed by a DARPA program and two of the three chipmakers, but production integration is an eighteen-to-twenty-four-month process at minimum, and the bill's enforcement clock starts the day it is signed. The result is that the first wave of covered chips will be the ones already in distribution channels at signing, which the bill addresses through a separate registration regime that nobody on either side believes will work cleanly. Both the hawk and the reformer see the implementation transition as the place where the bill is most likely to produce unintended consequences. They disagree on whether those consequences are tolerable.
Both sides agree, finally, that the bill will pass in something close to its current form. The hawk thinks this is good news. The reformer thinks this is news. Neither thinks it will not happen. The bipartisan margin on the committee vote, the indictment-rich record in the committee report, and the political cost of opposing an enforcement upgrade in the wake of a publicly visible $2.5 billion diversion case all point in the same direction. The fight is not whether the bill becomes law. The fight is what gets attached to it on the way, and the window for amendments is the four weeks between the floor schedule announcement and the Rules Committee markup. That window is open now.
Where They Don't (And Shouldn't Pretend To)
On surveillance creep. The hawk treats continuous location attestation as a narrow, mission-specific tool whose scope can be controlled through statute and Commerce Department rulemaking. The reformer treats it as the kind of infrastructure that the U.S. government, having built, will not be able to refrain from extending. Both sides are reading the same statutory text and the same historical record. The hawk reads Section 702 as a tool that has been bounded successfully through reauthorization. The reformer reads Section 702 as a tool whose scope expanded across two decades despite reauthorization. The disagreement is irreducible because it depends on a forecast about institutional behavior over time.
On allied sovereignty. The hawk argues that the U.S. is, in fact, providing the compute, and the conditions for providing it are within U.S. discretion to set. The reformer argues that the conditions, once set in hardware, foreclose negotiating positions allied governments will not be able to recover later. The hawk reads the Stargate UAE deal as a successful precedent. The reformer reads the Stargate UAE deal as the moment the U.S. acquired a coercive instrument it has not yet decided how to use. Both readings are defensible. The relevant question is what the next allied government will conclude, and that depends on factors neither side can model from where they sit.
On key custody. The hawk trusts the Commerce Department and NIST to administer the signing infrastructure in line with the bill's stated purpose. The reformer notes that the Commerce Department also administers entity-listing decisions that have, over the past three administrations, been used for purposes ranging from trade-negotiation pressure to foreign-policy signaling. The hawk says the key custody is constrained by statute. The reformer says statutes get amended. Both are correct about a different time horizon.
On private-sector compliance cost. The hawk treats the implementation cost (chip redesign, datacenter integration, attestation latency) as a one-time tax on an industry that has the margins to absorb it. The reformer treats the cost as a fixed input that will, over time, push frontier compute production toward jurisdictions that do not impose the architecture, with second-order effects on where the next generation of frontier development actually happens. Industry is, predictably, taking both positions in different rooms.
Here's My Two Cents
The Chip Security Act is the most consequential piece of AI-related legislation Congress has moved this term, and almost nobody outside the export-control community is paying attention to it. That asymmetry is not accidental. The bill is technical enough to be hard to summarize, bipartisan enough to be hard to politicize, and aimed at a problem (chip diversion to adversary end users) that has near-universal support as a policy goal. The result is that a piece of legislation whose architecture will define, for at least the next decade, how the United States projects control over its most strategically sensitive computing exports is moving through the House on a substantive consensus and a procedural quiet that benefits the sponsors and obscures the stakes from the public.
Both critiques are correct. The hawk is correct that the existing regime has failed and that hardware-level enforcement is the only category of intervention that can hold against the current diversion economics. The reformer is correct that a globally distributed attestation infrastructure, controlled centrally by the Commerce Department, is the kind of dual-use system that the United States has reliably found new applications for over time. The right reading of the bill is not that one of these critiques wins. The right reading is that the bill is simultaneously the best available enforcement tool and a meaningful expansion of federal surveillance reach into globally deployed computing hardware, and that both of those things are true at once. Treating it as one or the other is the analytic mistake the cable-news version of this debate is already making.
The hawks have the policy moment. The reformers have the governance argument. The optimal outcome, which I do not think is the most likely outcome, is that the bill passes with the architecture intact and with the governance scaffolding (key custody review by an inspector general, sunset provisions on continuous attestation, allied-government access protocols, a notification regime for any use of the system outside its original mission) written in as amendments before floor consideration. The work of writing those amendments is happening in the offices of three senators and a half-dozen House members who, between them, have neither the public visibility nor the institutional standing to force the issue without help. The help they need is from the industry, which has so far been content to negotiate the implementation cost line item rather than the governance frame. That is a mistake the industry will, in my reading, come to regret within five years of the bill's enactment.
The structural point that matters more than any of the specific amendments is this. The Chip Security Act is the first piece of U.S. legislation in which the enforcement of an export-control regime is engineered directly into the physical artifact being controlled. That is a doctrinal shift, not a policy update. Every prior generation of export-control enforcement relied on a paper trail, an audit, a customs inspection, a post-shipment visit. This bill relies on the chip itself. The architecture is a precedent. The precedent will be extended. The next bill will not be about advanced AI accelerators. It will be about quantum hardware, or biotech production equipment, or some category of next-generation manufacturing input that does not yet have a name. The Chip Security Act is the template for everything in that category that follows. The reformers are right that the template needs to be written carefully. The hawks are right that the template needs to be written soon. The mistake is letting one of those priorities crowd out the other.
There is a question I keep coming back to that I do not see in the public debate, and it is the one that probably matters most over the long horizon. The bill assumes that the United States is, and will remain, the producer of the chips that need to be controlled. That assumption is currently correct. It will not remain correct indefinitely. The Chinese state has spent the past four years building domestic capacity in advanced lithography, advanced packaging, and high-bandwidth memory specifically because the existing export-control regime made acquisition of U.S. chips structurally unreliable. If the Chip Security Act succeeds at what it is designed to do, the rate at which Chinese domestic capacity matures will accelerate, not decelerate, because the only path to compute access for any actor the U.S. is willing to restrict will run through Chinese fabs. The hawk's response to this is that we should restrict harder and earlier, not later, because the only thing worse than slowing adversary AI development is slowing it less than we could have. The reformer's response is that the bill accelerates the bifurcation of the global compute supply into a U.S.-aligned ecosystem and a Chinese-aligned ecosystem, and that the long-term costs of bifurcation include losing the ability to influence the technical and governance norms that govern the Chinese ecosystem. Both responses are defensible. Neither is in the bill. Both belong in the floor debate.
Position yourself accordingly. The chipmakers should be lobbying the governance amendments as hard as they are lobbying the implementation timeline, because the governance amendments are what protect them from a future administration using the attestation infrastructure for something they have no interest in being implicated in. The allied governments negotiating sovereign compute arrangements should be reading the bill text now, not after enactment, because the negotiating room they have today is room they will not have once attestation is the operating norm. The civil-liberties community, which has been almost entirely absent from this fight because it does not present as a civil-liberties fight, should be in the room. And the rest of us should at least understand that the most important AI policy question of 2026 is not what happens to the federal preemption EO and not what happens to the workforce-displacement bill. It is what gets embedded in the silicon, who holds the keys, and what the next administration decides those keys are for. Hardware just got a passport. The question is who issues it, who reads it, and who decides when the visa expires.
I do not know how this lands. I know that the bill is moving, the architecture is consequential, and the work of putting the right governance around the right enforcement tool is the work that determines whether the bill, twenty years from now, looks like a model or like a warning.
Related Briefings
Anna R. Dudley writes on national security, intelligence policy, and the places where hawks and reformers need to find each other. Bipartisan Translation is the weekly series for the conversation that is not happening on cable news. Subscribe at annardudley.substack.com.