
AI Infrastructure: While Some Doors Close, Many More Open

As the battle for global AI dominance heats up, new US policies create export controls challenges and—more important—open the way to new opportunities for technology leaders and their boards of directors
As global powers compete to dominate the booming artificial intelligence (AI) sector, new US export controls policies are closing some doors—including to countries subject to US arms embargoes, such as the People’s Republic of China (China), due to stated US national security reasons—but opening the door for opportunities in other countries around the world. The classic saying attributed to Alexander Graham Bell appropriately encapsulates the situation:
When one door closes another door opens; but we so often look so long and so regretfully upon the closed door, that we do not see the ones which open for us.
The new administration is applying a carrot-and-stick strategy to pick winners and losers in the AI dominance race. The carrot comes in the form of more opportunities in global markets; the stick consists of groundwork laid for more effective enforcement of US export controls to prevent diversion. The companies that heed the signals will reap the rewards. The companies that fail to get the message will trigger alarm bells in the form of increasing US export controls enforcement activity that leverages long-existing—yet heretofore underutilized—tools in an unprecedented and highly effective way.
The AI Diffusion Rule Is Dead; Long Live the New AI Diffusion Rule Policy
During the waning days of the Biden administration, the US Department of Commerce’s Bureau of Industry and Security (BIS) issued the Framework for Artificial Intelligence Diffusion (AI Diffusion Rule), which sought to limit the number of advanced computing integrated circuits (ICs) available to countries around the world.
The rule divided the world into three tiers that can be described with an airline ticket analogy: first class, coach, and no ticket. Tier One countries consisted of those traditionally closely allied with the United States. Tier Three consisted of China and other largely heavily sanctioned and/or embargoed countries. The middle ground, Tier Two, consisted of a large swath of countries that represented growth opportunities in the global AI dominance race.
Industry pushed back hard. A main reason involved the limits set on Tier Two countries—as these present large potential growth markets for US technology companies—including India, Israel, Singapore, Saudi Arabia, and the UAE.
Picking up what the old administration left behind, the second Trump administration faced a seemingly impossible challenge: how to reconcile allowing leading US technology companies to continue to sell into global AI growth markets, while addressing real and increasing national security concerns posed by China and its military modernization ambitions.
On May 13, 2025, the Trump administration responded. First, BIS announced that it would rescind the AI Diffusion Rule. This move scrapped the three-tiered quota framework for advanced computing ICs and was soon followed by deals announced in Saudi Arabia and the UAE for large data center investments supplied with leading American technology. Second, and perhaps even more important, BIS simultaneously issued three policy and guidance documents that double down on preventing evasion of US export controls and IC diversion to China:
- Guidance alerting industry to the risks of using Chinese advanced computing ICs, including specific Huawei Ascend chips
- Guidance about potential consequences of allowing US AI chips to be used for training and inference of Chinese AI models
- Guidance to US companies on how to protect supply chains against diversion tactics
These policies go beyond mere economic fears of ceding “intellectual superiority” by focusing on preventing the use of advanced computing ICs for military intelligence and weapons of mass destruction (WMD) in countries of concern. These types of ICs and other related technologies that go into AI infrastructure now trigger catch-all provisions in the Export Administration Regulations (EAR), reshaping compliance considerations for US businesses involved with AI, ICs, semiconductors, data centers, and more.
To be clear: No longer do just technological thresholds or parameters lie at the center of US export controls compliance and enforcement considerations. Moving forward, the critical path for both compliance and enforcement will revolve around the EAR’s end-use and end-user provisions. When the BIS refers to WMD and military intelligence, shipping even a paper chip requires an export license.
The new guidance represents a paradigm shift away from legacy perspectives on US export controls, compliance considerations, and enforcement risks. It lays the groundwork for BIS to bring more corporate cases, resolve them sooner, and levy much higher penalties (seen previously in Foreign Corrupt Practices Act cases, where more than $30 billion in penalties were levied over the past two decades). The game has fundamentally changed, and those who know how to engage with the US government will mitigate heightened liability risks while leaving their competitors stuck in obsolete paradigms.
The key lies in “knowledge.”
Effective Due Diligence is Beyond KYC
Despite the May 13 guidance, all is not doom and gloom; rather, by recognizing the signals and taking appropriate action, companies—and their officers and boards of directors—can protect themselves by incorporating the very same elements noted in the new BIS guidance into their own corporate compliance programs.
What does this entail? Until recently, companies might have understood the government’s expectations for due diligence to be largely satisfied through routine Know Your Customer (KYC) screening and not to require looking beyond customers, resellers, or distributors’ representations about end use or end users. This was especially so for companies whose sales channels include one or several layers of distributor and reseller relationships.
Those days are over as, in its guidance and enforcement actions, BIS embraces the EAR’s full definition of “knowledge”—ranging from black-and-white “actual knowledge” of diversion toward more nuanced inferences arising from “an awareness of a high probability” that diversion is occurring or may occur.
In plain language, the mere presence of unaddressed red flags or circumstantial evidence about ICs’ end use (say, an Outlook calendar that reveals a meeting with not just suspect distributors but the end users themselves) could trigger government inquiries and, depending on the responses, enforcement activity. BIS’s May 13 industry guidance lists eleven such red flags, for example, including spikes in order volumes after October 2022, the use of residential addresses or middlemen, and the refusal to disclose installation addresses or headquarters. In this regard, the apparent subjectivity of the “awareness of a high probability” element of “knowledge” presents a simple, moment-of-truth question: What do we think is really happening here?
The regulatory and enforcement emphasis, then, is no longer focused on technical specifications—such as chip speed or processing power—but on how a product will be used and who is using it. A firm can now be penalized not because its technology is inherently dangerous, but because it failed to adequately vet the end use or end user.
The government has signaled a resounding willingness to follow through, but after “talking the talk” for so long it now needs to “walk the walk”—which we expect BIS to do. An initial shot across the bow came in April 2023, when export enforcement penalties—once likened to “parking tickets”—dramatically escalated. A $300 million fine, the largest standalone administrative penalty in BIS history up to that point, was levied against Seagate Technology related to shipments to Chinese company Huawei. Enforcement teams are applying the “awareness of high probability” standard with greater intensity, and cases are expected to move swiftly under the EAR’s full definition of “knowledge” that has been in place for decades.
The result: a new and aggressive regulatory environment in which failing to “know your customer” could jeopardize your license to do business and materially impact your company’s bottom line. On the flip side, this presents companies an opportunity to leverage their own export controls compliance programs as a strategic and competitive advantage over global competitors.
Stay Ahead of the Curve: AI Export Control Compliance as Strategic and Competitive Advantage
While an important foundational component for any compliance program, standard end-use certificates alone are insufficient to mitigate the full scope of red flags as described in the latest BIS guidance. End-use certificates are self-certifications; bad actors planning evasion or diversion efforts will provide any number of self-certifications. Instead, companies seeking to win the AI dominance race and stay ahead of the curve require investigative thinking and a holistic compliance framework that position export controls as a core business function.
For corporate leaders, this critical shift has implications that extend beyond fines and penalties. After all, in Delaware, where most major US companies are registered, directors have fiduciary oversight responsibilities. If the board fails to anticipate risks tied to national security or WMD proliferation, individual directors may be held personally liable as export controls compliance risks increasingly become “central compliance risks.”
What should companies do?
- Leaders must recognize that compliance under the new guidance is a strategic capability, not a box-checking exercise. Organizations should invest now in developing a more robust KYC function that integrates seamlessly with engineering, sales, and operations and ensures that meaningful “red flags,” if present, are surfaced. This means establishing feedback loops to identify diversion risks across the full customer lifecycle.
- Compliance programs must embrace the full legal definition of “knowledge,” including updating internal training, auditing distributor and reseller networks, and incorporating forensic evidence practices that align with BIS expectations. Companies’ legal and compliance teams should be attuned to signals that may trigger “an awareness of a high probability” across operations stemming from factors such as high-risk meetings, communications, and logistical anomalies. These signals often tend to hide in plain sight.
- Transparency with the US government is now a competitive advantage. Firms that proactively disclose concerns and collaborate with regulators may earn the trust and flexibility to operate across borders in an evolving landscape. Even more important, firms that embrace full transparency with the US government position themselves to engage in more fruitful discussions on regulatory red lines. Those that fail to do so may increasingly face blanket bans, especially to the Chinese market.
- Business development teams must recalibrate their international ambitions. The potential loss of significant portions of the Chinese market is real—but so are the doors opening for potentially dramatic opportunities elsewhere. The global data center buildout is accelerating, with enormous investments underway in the US, Middle East, and India. But these deals increasingly hinge on whether a company can demonstrate anti-diversion controls that satisfy US regulatory requirements.
- Executives must ensure that board-level governance reflects the new risk environment. That includes reporting on export compliance, independent audits, and risk scenarios that consider not only technological but also geopolitical developments, especially emerging enforcement trends like the US government’s increasing reliance on the “high probability” standard. Doing so is relevant not only in the compliance program itself but also in boards of directors’ satisfaction of their duty of oversight.
A New Public-Private Paradigm
Underlying all of this is a deeper shift in the relationship between government and business. US companies are now expected to be partners in safeguarding national security interests.
That requires a delicate balance. Companies must protect intellectual property, serve customers, and grow internationally, while simultaneously acting as gatekeepers for sensitive technologies. This challenging mandate is quickly becoming non-negotiable.
Following out-of-date strategies that fail to address national security interests leaves your company dangerously exposed. This situation has played out over the last few years with export controls on advanced ICs and congressional inquiries into semiconductor diversion. These strategies emphasized technological thresholds over end-use and end-user provisions that won’t pass muster in light of BIS’s new policy and guidance documents.
To succeed, firms must be agile. Those that read the signals, connect the dots, and act early will succeed and help define a future where innovation and national security coexist.
Mike Huneke is co-chair of Hughes Hubbard & Reed LLP’s Sanctions, Export Controls, and AML practice group. His work focuses on helping companies to identify and mitigate export controls and economic sanctions enforcement risks in today’s dynamic, geopolitically charged enforcement environment.