Compute Is the New Choke Point

Last week, I wrote about the decision by the Bureau of Industry and Security (BIS) to move away from a blanket presumption of denial for exports of advanced computing items to China and Macau, and instead assess license applications on a case-by-case basis.

In summary, the BIS was signalling a willingness to exercise judgment, provided exporters could demonstrate unusually strong controls around end users, end use, and security.

This week, I came across additional developments that show how the United States is re-engineering how control is exercised, and who bears responsibility when it fails.

Discretion on the front end, accountability on the back end

On 12 January 2026, the US House of Representatives approved amendments to the Export Control Reform Act (ECRA), through H.R. 2683. The bill strengthens enforcement powers, clarifies investigative authority, and sharpens penalties for violations, particularly where sensitive and emerging technologies are concerned.

Read alongside the BIS policy revision and the intent becomes obvious.

BIS is saying:
“We will no longer deny everything by default. We will assess individual cases but only if you can prove control.”

The US Congress, through ECRA, is saying:
“If that discretion is abused, misused, or supported by weak compliance, the consequences will be severe.”

This is a familiar regulatory pattern. We’ve seen it before in AML and sanctions: once regulators move from blunt prohibitions to risk-based judgment, enforcement hardens to make sure flexibility doesn’t turn into leniency.

The real shift: access now matters as much as shipment

The second development that caught my attention is even more consequential.

Under the amended ECRA framework, export controls are no longer limited to physical transfer of goods or technology. Remote access now clearly falls within scope.

In practical terms, that means:

• providing access to US-origin software via SaaS,

• enabling use of controlled technology through cloud infrastructure,

• allowing foreign persons to operate, train, or deploy advanced compute remotely,

can all constitute an export, even if no hardware ever leaves US soil.

This is particularly explicit for advanced computing and AI-related technologies.

That clarification closes what was becoming an obvious loophole. In an era where AI capability is delivered through cloud access rather than ownership of chips, controlling only physical shipment would have made export controls largely symbolic.

Why advanced compute sits at the centre of all this?

None of this is accidental.

Advanced compute such as high-end GPUs, accelerators, and the infrastructure that supports them is now understood by regulators as a strategic resource, not just a commercial product. It enables military applications, large-scale surveillance, advanced cyber capabilities, and rapid AI model development.

From that perspective, it makes NO sense to control:

• shipment of chips, but ignore:

• remote access to the same compute power.

The revised BIS licensing policy and the ECRA amendment are two sides of the same coin: capability matters more than form.

Export controls start to look very familiar

At this point, the parallels with financial-crime compliance become hard to ignore.

What BIS and Congress are now asking exporters and technology providers to demonstrate looks a lot like:

• KYC on end users,

• beneficial ownership analysis,

• verification of how a service is actually used,

• ongoing monitoring rather than one-off checks,

• escalation when facts change.

The object may be compute rather than capital, but the logic is identical.

Export control compliance is now a governance and risk-management discipline with expectations that extend well beyond the legal team.

Why this matters beyond exporters?

It’s tempting to read all of this as “an issue for chipmakers and cloud providers.” In my opinion, that would be a mistake.

These changes affect:

• cloud and SaaS providers hosting AI workloads,

• firms financing advanced-tech supply chains,

• investors backing AI-dependent business models,

• banks onboarding technology clients with complex compute dependencies,

• enterprises consuming AI services across borders.

Once access itself becomes regulated, someone must decide who gets access, under what conditions, and how it can be withdrawn. That decision now carries export-control risk.

In other words, just as banks became enforcement multipliers for sanctions and AML, commercial counterparties are increasingly becoming enforcement multipliers for export controls.

Putting the pieces together

So what do we have?

• BIS introduces case-by-case licensing for advanced compute (discretion, not relaxation).

• ECRA amendments harden enforcement and accountability (discretion with consequences).

• Remote access is explicitly treated as an export (no cloud workaround).

• Advanced compute is treated as a strategic choke point (not just another product).

The system is being redesigned to prevent arbitrage between physical and digital delivery, and to ensure that judgment is matched with responsibility.

A closing thought

Across sanctions, AML, outbound investment rules, AI governance, and now export controls, regulators are converging on the same expectation: show us that you understand the risk, and can manage it in practice, not just on paper.

Export controls are no longer about moving goods across borders. They are about granting capability across networks. And in an AI-driven world, that distinction matters more than ever.

As always, if you’re thinking through how these developments affect your organisation, whether as an exporter, financier, service provider, or investor, I’m very happy to compare notes.

Thanks for reading,
Alexey