Hardware-Enabled Governance Mechanisms
hardware-enabled-governance · Compute governance
Hardware-enabled governance mechanisms (HEGMs, also "on-chip governance" or hardware-enabled mechanisms/HEMs) propose to make AI-governance rules attach to the physical compute layer — AI accelerators (GPUs/ASICs), their firmware, and the datacenters that house them — rather than to actors' self-reports. The aim is to convert compute, an unusually concentrated and excludable input to frontier AI, into a verifiable governance chokepoint. Proposed mechanisms span four families: (1) cryptographic attestation and compute-usage logging that lets a chip prove what workload it ran (e.g., training-run accounting to verify a compute-threshold rule); (2) location verification, typically delay-based geolocation in which a trusted "landmark" server measures a chip's signed-challenge response time to bound its physical location and detect diversion; (3) on-chip usage/licensing controls that can throttle, gate, or disable a chip absent an authorization (a "feature lock" or remote attestation requirement); and (4) tamper-evident/tamper-resistant packaging so the above cannot be silently bypassed. Across these, the load-bearing premise is a hardware root of trust — a per-chip private key that cannot be extracted by an adversary with physical access. The concept underpins both unilateral export-control enforcement (proving a chip is where it was licensed to be) and proposed multilateral, privacy-preserving compliance verification (e.g., flexible hardware-enabled guarantees, "flexHEGs"), where chips would attest compliance with an international agreement without exposing model weights, data, or hyperparameters.
Definition & scope
Covers the physical-compute governance lever: on-chip attestation, compute monitoring/verification, location verification, usage/licensing locks, tamper resistance, and their use for export-control enforcement and proposed multilateral compliance verification. In scope: governance functions that bind to specific accelerators or datacenters and rely on a hardware root of trust. Out of scope: (a) compute-as-a-regulatory-threshold where the FLOP estimate is self-reported or architecture-derived rather than hardware-enforced (see compute-threshold); (b) administrative export controls that operate on paperwork/end-use licensing without any on-chip enforcement (see compute-export-controls); (c) software-only model-side governance (watermarking, evals, KYC at the API layer); and (d) datacenter physical security generally, except where it is the substrate for chip-level attestation. The boundary case — Nvidia's December 2025 software-based location verification using existing confidential-computing features — sits at the edge of scope: it is a chip-assisted but not hardware-hardened mechanism and illustrates the gap between deployed software features and a tamper-resistant on-chip regime.
Locus of dispute: Can on-chip governance mechanisms be made technically feasible and tamper-resistant at frontier scale — without unacceptable security, privacy, or centralization costs — and would they actually bind frontier compute? The dispute turns on the unsolved core: securing a per-chip private key against an adversary with physical access. Proponents (CNAS; the flexHEG/HEM research community) argue much functionality is already on commercial chips and that hardening is a matter of 18 months to ~4 years of engineering; skeptics, including the Semiconductor Industry Association, call blanket on-chip mandates "untested and potentially infeasible," and security researchers warn that remote-disable/usage-lock features create a centralized attack surface and single point of failure. A separate fault line is bindingness: even granting feasibility, would such mechanisms catch circumvention given documented large-scale smuggling and transshipment, or would they merely raise the cost at the margin?
The four mechanism families
Proposed HEGMs cluster into four functional families, each binding a different governance fact to the silicon and each failing in a characteristic way. The maturity labels below are an editorial composite read of the cited literature, not a literature consensus.
(a) Cryptographic attestation and compute-usage logging lets a chip cryptographically prove what workload it ran, enabling, for example, training-run accounting against a compute-threshold rule. Shavit 1 sets out the canonical scheme for verifying large-scale training via compute monitoring; Sastry, Heim, et al. 2 frame it as feasible-in-principle, treating compute as detectable, excludable, and quantifiable. Its failure mode is the integrity of the logs themselves: an operator with firmware access can spoof or omit records unless the signing key is hardware-protected.
(b) Delay-based location verification has a trusted 'landmark' server time a chip's signed-challenge response to bound its physical location and detect diversion. IAPS articulated the technique (IAPS, Location Verification for AI Chips) and Nvidia shipped a software variant in December 2025. Its failure mode is relay/proxy attacks and the precision floor of round-trip timing, plus reliance on an unhardened on-die key.
(c) On-chip usage and licensing locks can throttle or gate a chip absent a valid authorization (a 'feature lock' or offline-licensing scheme, per CNAS — Aarne, Fist & Withers 2024, and RAND — Kulp et al. WRA3056-1 2024). Their failure mode is that the same remote-disable path is a centralized attack surface and single point of failure.
(d) Tamper-evident/tamper-resistant packaging is the substrate that prevents the other three from being silently bypassed; CNAS treats it as the least mature element, requiring roughly 18 months to four years of hardening against a resourced attacker with physical access (Aarne, Fist & Withers 2024).
Technical crux: the hardware root of trust
Every family above reduces to one requirement: a per-chip private key that an adversary with physical possession of the chip cannot extract. If that key can be lifted, attestations can be forged, location challenges relayed, and licensing locks counterfeited — so the whole regime stands or falls on this primitive, which is why the article's locus of dispute names it explicitly. That this primitive is still an open research target rather than a settled tool is exactly how the field characterizes it: Reuel et al. 3 catalog compute measurement, verification, and reporting as unsolved 'open problems in technical AI governance,' and Wasil et al. 4 survey ten candidate verification methods for detecting unauthorized training as a still-maturing technical basis rather than a fielded guarantee.
The relevant primary literature is hardware security, not AI policy. Two device-level approaches are typically invoked. Physical unclonable functions (PUFs) derive a key from uncontrollable manufacturing variation rather than storing it in memory; Herder, Yu, Koushanfar & Devadas (2014, Proc. IEEE 102(8):1126–1141) is the canonical tutorial, and it is candid that 'strong' PUFs face machine-learning modeling attacks and 'weak' PUFs face invasive probing. The alternative is a trusted execution environment with remote attestation, where a vendor-rooted key signs a measurement of the loaded code; Costan & Devadas (2016, Intel SGX Explained, IACR ePrint 2016/086) is the reference account, and the subsequent decade of SGX/TEE side-channel and key-extraction breaks underscores that hardened key storage degrades under sustained physical and microarchitectural attack.
This is precisely the concern the page already attributes to IAPS ('unclear how well-secured this is') and AI Frontiers (the on-die key is 'very difficult to remove' but not impossible for a motivated actor). No fielded primitive yet guarantees key secrecy against an adversary in physical possession of the chip — which makes the hardware root of trust the unsolved core of HEGMs rather than an implementation detail.
Development timeline
The concept crystallized rapidly over roughly thirty months. Shavit 1 supplied the foundational scheme for verifying training rules via compute monitoring and attestation. In January 2024 two anchor reports landed within weeks of each other: CNAS's Secure, Governable Chips (Aarne, Fist & Withers, Jan 8 2024), which argued much functionality already exists on commercial accelerators but is not hardened against a resourced attacker, and RAND's Hardware-Enabled Governance Mechanisms working paper (Kulp et al., WRA3056-1). The broader synthesis Computing Power and the Governance of Artificial Intelligence 2 situated compute as a uniquely governable lever, and the parallel verification literature 4 began mapping the methods such a lever would need.
Through 2024–2025 the multilateral, privacy-preserving strand matured under the flexHEG (flexible hardware-enabled guarantees) banner: a Bengio-hosted memo (Mechanisms for Flexible Hardware-Enabled Guarantees, August 2024, v1.2), with technical expansions on arXiv in mid-2025 5. In December 2025 Nvidia disclosed (Reuters, Dec 9 2025) a software-based location-verification option using existing confidential-computing features and server-latency timing — a chip-assisted, read-only mechanism, explicitly not a tamper-resistant on-chip regime and with no kill switch. On the legislative side, the U.S. Chip Security Act (H.R.3447 / S.1705, 119th Congress) was ordered reported by House Foreign Affairs on March 26 2026 (HFAC 2026) — a committee step, not enactment. No HEGM is law as of mid-2026.
Policy landscape and counter-arguments
No operative instrument mandates an on-chip mechanism. The EU AI Act's compute trigger (Art. 51, 10^25 FLOP) is self-reported or architecture-derived, not hardware-enforced — compute is the metric used to identify general-purpose models 6, but the threshold is read off declarations rather than the silicon. The currently binding U.S. lever is administrative export control — BIS rules on advanced accelerators under the Export Administration Regulations and entity-list designations (the January-2025 'AI Diffusion' tiered rule was rescinded by BIS in mid-2025 before it took effect) — which operates on licensing and end-use paperwork with no chip-level enforcement, and which documented smuggling cases and circumvention show leaks at scale 7. The Chip Security Act would mandate on-chip location verification but remains unenacted and ordered-reported only; the Semiconductor Industry Association opposes blanket on-chip mandates as 'untested, and potentially infeasible.' China-side, Beijing maintains its own export and procurement controls and has discouraged purchases of some U.S. accelerators, so any verification regime would have to function across mutually distrustful jurisdictions — the techno-bloc fragmentation Weymouth 8 describes, layered on a semiconductor value chain that geopolitics is already reshaping 9.
The cited counter-arguments are positions held by named actors, not literature findings. Privacy and centralization: Castro (Center for Data Innovation, Mar 21 2024) argues remote-disable measures erode trust and competitiveness and that the U.S. would object to symmetric foreign controls (Castro 2024). New attack surface / cyber-vulnerability: Nvidia (Reber, Aug 5 2025) contends mandated backdoors and kill switches 'create single points of failure and violate the fundamental principles of cybersecurity,' invoking the discredited 1990s Clipper Chip (NVIDIA 2025). The visible corpus skews toward the compute-governance proponent community (CNAS, RAND, GovAI/flexHEG), with industry and civil-liberties critiques comparatively under-represented relative to their substantive weight.
Use in governance
Appears in topic articles
Editorial note
Author/provenance accuracy notes for downstream editors (ALL verified by web search 2026-06-19): (1) The companion paper "Computing Power and the Governance of Artificial Intelligence" (arXiv:2402.08797, Feb 2024) is led by Girish Sastry — Brundage is the 5th of 19 co-authors (Sastry, Heim, Belfield, Anderljung, Brundage, et al.); do NOT cite it as "Brundage et al." (2) Shavit, Y. (2023), "What does it take to catch a Chinchilla?" (arXiv:2303.11341) is single-author — confirmed. (3) flexHEG/HEM line: the RAND working paper is Kulp, Gonzales, Smith, Heim, Puri, Vermeer & Winkelman (WRA3056-1, Jan 2024) — confirmed author list; the flexHEG reports are associated with the GovAI/Bengio-hosted memo series and flexheg.com — verify exact author lists per artifact before quoting. (4) usedByInstruments is intentionally empty: no PUBLISHED instrument mandates on-chip governance. The EU AI Act uses compute as a self-reported/architecture-based threshold (Art. 51, 10^25 FLOP), not hardware-enforced; the US Chip Security Act (H.R.3447 / S.1705, 119th Congress) would mandate on-chip location verification but as of 2026-06 was only ordered-reported (House Foreign Affairs, Mar 26, 2026; ~37% GovTrack enactment odds), not enacted, with SIA opposition — if it is later enacted, add it here. (5) Nvidia's Dec 2025 location-verification is software-based (optional, Blackwell-first) over existing confidential-computing/telemetry features, NOT a tamper-resistant on-chip regime — characterize as chip-assisted, not on-chip-hardened, to avoid overclaim.
See also
Further reading
Sources on the broader topics this concept relates to — complementing, not standing in for, the primary sources cited inline above. 42 academic & grey-literature sources; catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- China's semiconductor conundrum: understanding US export controls and their efficacy Peer-reviewed✦ AIArgues "America's chokepoint strategy is increasingly proving to be a fallacy": Chinese chipmakers have "managed to circumvent these measures" in four ways, accelerating domestic innovation.
- Defending Compute Thresholds Against Legal Loopholes Preprint✦ AIIdentifies 'enhancement techniques that are capable of decreasing training compute usage while preserving... model capabilities', exposing loopholes in compute-reporting thresholds.
- Export Controls and Innovation in Sanctioned Countries Working paper✦ AIUsing the 2007 US 'China Rule', finds sanctioned Chinese firms raised R&D by ~49% and patenting by ~41% — evidence export controls can accelerate the target's indigenous innovation.
- The establishment of an international AI agency: an applied solution to global AI governance Peer-reviewed✦ AIProposes a UN-backed International Artificial Intelligence Agency modelled on the IAEA, arguing 'only an IAIA can legitimately oversee a global AI governance framework involving all major powers.'
- Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (Council Eur.) — with Introductory Note Peer-reviewed✦ AIReproduces and annotates the first legally binding international AI treaty, grounding cross-border AI governance in legality, proportionality, transparency, accountability and non-discrimination across the AI lifecycle.
- Digital Disintegration: Techno-Blocs and Strategic Sovereignty in the AI Era Peer-reviewed✦ AIArgues states increasingly assert 'strategic digital sovereignty...through selective alliances with firms and other governments,' fragmenting global AI infrastructure into techno-blocs rather than multilateral order.
- Computing Power and the Governance of Artificial Intelligence Preprint✦ AIArgues compute is a uniquely governable lever because it is "detectable, excludable, and quantifiable, and is produced via an extremely concentrated supply chain".
- Training Compute Thresholds: Features and Functions in AI Regulation Preprint✦ AIFinds "training compute currently is the most suitable metric to identify GPAI models", but thresholds should only trigger further scrutiny, not determine risk measures alone.
- Compute North vs. Compute South: The Uneven Possibilities of Compute-based AI Governance Around the Globe Peer-reviewed✦ AICensus of hyperscale cloud regions shows a divide between "Compute North" states hosting training-relevant compute and a Compute South, shaping who can wield compute-based governance.
- Global AI governance: barriers and pathways forward Peer-reviewed✦ AIDiagnoses a global AI governance deficit and, weighing new centralized institutions against coordinating existing ones, recommends foregrounding the OECD as the centre for AI policy expertise.
- Governing Through the Cloud: The Intermediary Role of Compute Providers in AI Regulation Preprint✦ AIArgues 'compute providers should have legal obligations' to secure infrastructure, keep records, verify activity and report frontier training as regulatory intermediaries.
- Verification methods for international AI agreements Preprint✦ AISurveys '10 verification methods that could detect... unauthorized AI training... and unauthorized data centers', mapping the technical basis for compute-disclosure regimes.
+ 30 more across this concept's topics — see the literature index.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- Shavit (2023) What does it take to catch a Chinchilla? Verifying Rules on Large-Scale Neural Network Training via Compute Monitoring, arXiv. arXiv:2303.11341 — Proposes chip-level monitoring (on-chip logging, supply-chain oversight) giving governments "high confidence that no actor uses large quantities of specialized ML chips" in violation of rules. ↩
- Sastry, Heim, Belfield, Anderljung, Brundage, et al. (2024) Computing Power and the Governance of Artificial Intelligence, arXiv. arXiv:2402.08797 — Argues compute is a uniquely governable lever because it is "detectable, excludable, and quantifiable, and is produced via an extremely concentrated supply chain". ↩
- Anka Reuel, Ben Bucknall, Stephen Casper, Tim Fist, Lennart Heim, et al. (34 authors) (2024) Open Problems in Technical AI Governance, arXiv (cs.CY). arXiv:2407.14981 — Catalogs open problems in 'technical analysis and tools for supporting the effective governance of AI', including compute measurement, verification and reporting gaps. ↩
- Akash R. Wasil, Tom Reed, Jack William Miller, Peter Barnett (2024) Verification methods for international AI agreements, arXiv (cs.CY). arXiv:2408.16074 — Surveys '10 verification methods that could detect... unauthorized AI training... and unauthorized data centers', mapping the technical basis for compute-disclosure regimes. ↩
- arXiv:2506.03409 ↩
- Heim & Koessler (2024) Training Compute Thresholds: Features and Functions in AI Regulation, arXiv. arXiv:2405.10799 — Finds "training compute currently is the most suitable metric to identify GPAI models", but thresholds should only trigger further scrutiny, not determine risk measures alone. ↩
- Megha Shrivastava and Amrita Jash (2025) China's semiconductor conundrum: understanding US export controls and their efficacy, Cogent Social Sciences. 10.1080/23311886.2025.2528450 — Argues "America's chokepoint strategy is increasingly proving to be a fallacy": Chinese chipmakers have "managed to circumvent these measures" in four ways, accelerating domestic innovation. ↩
- Stephen Weymouth (2025) Digital Disintegration: Techno-Blocs and Strategic Sovereignty in the AI Era, International Organization. 10.1017/S0020818325101070 — Argues states increasingly assert 'strategic digital sovereignty...through selective alliances with firms and other governments,' fragmenting global AI infrastructure into techno-blocs rather than multilateral order. ↩
- Chan-Yuan Wong, Henry Wai-chung Yeung, Shaopeng Huang, Jaeyong Song, Keun Lee (2024) Geopolitics and the changing landscape of global value chains and competition in the global semiconductor industry: Rivalry and catch-up in chip manufacturing in East Asia, Technological Forecasting and Social Change. 10.1016/j.techfore.2024.123749 — Analyses how geopolitics reshapes semiconductor global value chains and East-Asian rivalry/catch-up, the structural backdrop against which chip export controls operate. ↩
- Aarne, O., Fist, T., & Withers, C. (2024). Secure, Governable Chips: Using On-Chip Mechanisms to Manage National Security Risks from AI & Advanced Computing. Center for a New American Security (CNAS), January 8, 2024.
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/hardware-enabled-governance — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
Social-science evidence — the “so-what”
What the peer-reviewed social science shows: whether the harm this concept addresses is empirically real, and whether governance of it works. The badge is the epistemic status of the evidence(not the policy debate) — “thin” or “absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
Compute is a genuine, concentrated governance chokepoint (frontier training depends on a small set of specialized accelerators from a short, concentrated supply chain — detectable, excludable, quantifiable per Sastry/Heim/Brundage et al. 2024), and several HEGM building blocks exist or have been partially demonstrated — but a tamper-resistant on-chip governance regime has NOT been demonstrated and remains largely conceptual. CNAS (Aarne, Fist & Withers 2024) finds much required functionality is already widely deployed on commercial AI chips, yet states these features are not designed to resist a well-resourced attacker with physical access and would need ~18 months to 4 years of hardening for adversarial use. Shavit (2023) and the Sastry/Heim/Brundage et al. (2024) compute-governance synthesis frame compute monitoring and attestation as feasible-in-principle but unproven at scale. Delay-based location verification has been articulated technically (IAPS) and Nvidia shipped a software-based variant in Dec 2025, but commentators (AI Frontiers; IAPS) identify private-key extraction as the security crux and note the security of the on-die key on existing chips is uncertain (IAPS: 'unclear how well-secured this is'; AI Frontiers: on-die key is 'very difficult to remove' but not impossible for a motivated actor). Status: contested/thin — real chokepoint, demonstrated components, no demonstrated tamper-resistant whole.
Sources: Aarne, O., Fist, T., & Withers, C. (2024). Secure, Governable Chips. CNAS. https://www.cnas.org/publications/reports/secure-governable-chips; Shavit, Y. (2023). What does it take to catch a Chinchilla? Verifying Rules on Large-Scale Neural Network Training via Compute Monitoring. arXiv:2303.11341. https://arxiv.org/abs/2303.11341; Sastry, G., Heim, L., Belfield, H., Anderljung, M., Brundage, M., et al. (2024). Computing Power and the Governance of Artificial Intelligence. arXiv:2402.08797. https://arxiv.org/abs/2402.08797; IAPS, Location Verification for AI Chips. https://www.iaps.ai/research/location-verification-for-ai-chips; Can 'Location Verification' Stop AI Chip Smuggling? AI Frontiers. https://ai-frontiers.org/articles/location-verification-ai-chips
There is no deployed on-chip governance regime, so direct evidence that governing via hardware WORKS is absent. The currently operative hardware-adjacent lever — administrative export controls without on-chip enforcement — shows substantial circumvention: U.S. prosecutors documented a smuggling scheme moving ~$160M of restricted Nvidia H100/H200 GPUs to China (Oct 2024–May 2025; Alan Hao Hsu / Hao Global guilty plea Oct 10, 2025) via Southeast-Asian transshipment and falsified end-user/shipping records, and reporting estimates large volumes of advanced GPUs reached China after tightened controls. This is the policy gap on-chip mechanisms are PROPOSED to close, but the proposal is unenacted: the US Chip Security Act (H.R.3447) was only ordered-reported (House Foreign Affairs, Mar 26, 2026; not law; ~37% enactment odds per GovTrack) and the Semiconductor Industry Association opposes blanket on-chip mandates as 'untested, and potentially infeasible'; the EU AI Act mandates no on-chip mechanism. Net: governance-efficacy evidence for HEGMs specifically is absent (no regime to evaluate); the adjacent evidence shows paperwork-based controls leak, which is the motivating problem rather than a test of the mechanism.
Sources: $160 million export-controlled Nvidia GPUs allegedly smuggled to China (Hao Global, guilty plea Oct 2025). CNBC, Dec 31, 2025. https://www.cnbc.com/2025/12/31/160-million-export-controlled-nvidia-gpus-allegedly-smuggled-to-china.html; Chip Security Act, H.R.3447 / S.1705, 119th Congress (ordered reported Mar 26, 2026; not enacted). https://www.congress.gov/bill/119th-congress/house-bill/3447; Semiconductor Industry Association statement opposing blanket on-chip mandates (2026). https://www.semiconductors.org/sia-statement-on-chip-security-act/; Kulp, G., Gonzales, D., Smith, E., Heim, L., Puri, P., Vermeer, M. J. D., & Winkelman, Z. (2024). Hardware-Enabled Governance Mechanisms. RAND WRA3056-1. https://www.rand.org/pubs/working_papers/WRA3056-1.html