America Can’t Export-Control AI Like It’s a Crate of Chips

The most important AI export-control story right now is not a chip shipment stuck at a port. It is a model being switched off.

On June 12, Anthropic said it would disable access to its Fable 5 and Mythos 5 models for all users after the U.S. government ordered the company to suspend access for foreign nationals, citing national-security concerns, according to Reuters¹. Amazon Web Services, which distributes Anthropic models to customers, said Anthropic asked it to revoke access in all regions, the same report said. That single episode captures the problem Washington is now trying to solve: artificial intelligence is not just a thing you ship. It is chips, cloud servers, secret model files, public code, application programming interfaces, data-center partnerships, and people spread across borders.

Export controls are government rules that restrict the transfer of sensitive goods, software, or technology to certain countries, companies, people, or uses. They work best when the thing being controlled is scarce, physical, and traceable. Advanced AI chips fit that model fairly well. Model weights do not. Model weights are the learned parameters that make a trained AI system behave as it does. API access means using a model remotely through a company-controlled interface. Cloud compute means renting processing power in data centers rather than owning the machines. Once the debate moves from chips to weights, APIs, and cloud access, the state is no longer just checking boxes at customs. It is trying to govern a live global service.

My view is blunt: the United States can design useful AI controls, but not if it treats model access as if it were a container of Nvidia processors. Washington should control advanced chips, semiconductor equipment, military and intelligence end users, non-public frontier model weights, and unusually large training runs on U.S. cloud infrastructure. It should not build a broad, nationality-based model and API access regime. That kind of system will hurt U.S. companies, scare allies, and push customers toward Chinese and sovereign alternatives faster than it slows serious adversaries.

The government has already tested both instincts. In January 2025, the Commerce Department’s Bureau of Industry and Security, or BIS, announced rules covering advanced computing chips and certain closed AI model weights, while updating a Data Center Validated End User program meant to approve trusted data-center customers, according to BIS². The rule tried to move beyond semiconductors into the broader AI supply chain. Then, in May 2025, Commerce rescinded the Biden-era AI Diffusion Rule, saying its requirements would have burdened companies, stifled American innovation, and downgraded dozens of countries to second-tier status, according to BIS³. The Trump administration still promised access for trusted foreign countries while keeping technology away from adversaries. That is the right ambition. The rescission shows how easy it is to design the wrong machinery.

The hard distinction is between pre-diffusion and post-diffusion controls. Before a frontier model’s weights are released, the U.S. has leverage. A closed-weight frontier model sitting inside Anthropic, OpenAI, Google, or Meta can be licensed, audited, or restricted. A large training run on AWS, Azure, Google Cloud, or another U.S.-linked cloud can be reported. A data-center deal involving an entity tied to China’s military can be blocked. Commerce’s proposed infrastructure-as-a-service rule already points in this direction: it would require U.S. cloud providers to report when a foreign person uses U.S. cloud services to train a large AI model with potential malicious cyber capabilities, and it would require foreign resellers to verify customers in certain cases, according to the Federal Register⁴.

After diffusion, the leverage collapses. DeepSeek, the Chinese AI firm that shook markets with its low-cost reasoning models, is the warning label. DeepSeek’s own R1 release said its code and models were under the MIT License, that users could distill and commercialize freely, and that the community could use model weights and outputs, according to DeepSeek⁵. Once weights and derivatives are mirrored, hosted, fine-tuned, and built into other products around the world, blacklisting the original company may still matter for procurement, financing, and stigma. It cannot unrelease the model.

That does not mean controls are useless. It means their purpose should be delay and friction, not fantasy containment. A senior U.S. official told Reuters in 2025 that DeepSeek supported Chinese military and intelligence operations and sought to use Southeast Asian shell companies and regional data centers to reach restricted chips, according to a Reuters report republished by Investing.com⁶. Reuters also reported this week that the U.S. held off blacklisting DeepSeek and more than 100 other firms deemed security risks, according to Investing.com⁷. If those reports are accurate, they cut both ways: adversaries still want U.S.-origin compute, but Washington is also discovering how politically costly entity-list escalation can be.

The strongest argument for broader controls is simple: chips-only rules leave giant holes. A Chinese military-linked lab may not need to import the latest chips directly if it can rent cloud compute through affiliates, use overseas partners, distill a U.S. model through API calls, or gain access through a data-center joint venture. This is not paranoia. It is the normal behavior of a world where software capability leaks through services, contractors, and subsidiaries.

But the Anthropic shutdown shows what happens when the fix is designed around identity rather than risk. Reuters reported that the order covered foreign nationals and that Anthropic said the net effect was disabling Fable 5 and Mythos 5 for all customers to ensure compliance, according to Reuters¹. The point is not that Anthropic was uniquely clumsy. The point is that model access is operationally messy. A rule aimed at a forbidden person can force a company to police employees, contractors, cloud regions, customer staff, resellers, affiliates, and API usage patterns in real time. If the company cannot separate permitted from prohibited access with confidence, it will default to shutdown.

Allies noticed. Canadian Prime Minister Mark Carney said the U.S. restrictions showed the danger of overreliance on a limited number of American providers, and warned that governments should diversify rather than accept one option, according to the Associated Press⁸. At the G7, leaders discussed a trusted-partners scheme to let select non-U.S. countries access advanced American AI models, according to Reuters⁹. That sounds cooperative, but I read it as a warning: allies want American AI, but they do not want American political discretion sitting like a kill switch over their hospitals, banks, militaries, and cyber agencies.

This matters commercially because the U.S. lead in AI is not just research prestige. It is distribution. American firms dominate the cloud layer where AI is trained and deployed. Synergy Research Group estimated global cloud infrastructure spending hit $129 billion in the first quarter of 2026, with Amazon at 28 percent, Microsoft at 21 percent, and Google at 14 percent, according to Data Center Dynamics¹⁰. If Washington makes those platforms feel politically unreliable, foreign governments will not simply beg for exemptions. They will fund sovereign clouds, buy non-U.S. accelerators, and accept lower-performing models if those models come with fewer strings.

China’s substitution push is already underway. A CSIS analysis of DeepSeek and Huawei argued that Chinese advances partly reflected failures in earlier export-control implementation, while also concluding that controls can still play a role if they preserve U.S. advantages in the race, according to CSIS¹¹. A later CSIS paper warned that broadened, unilateral U.S. export controls have generated unanticipated Chinese responses and made it harder to rally allies, while a March 2026 survey found 56 percent of semiconductor and IT firms reported average license review times over 180 days, according to CSIS¹². That is not an argument for surrender. It is an argument for restraint.

The policy I would back has four parts. First, keep tightening physical chokepoints: advanced chips, chipmaking equipment, high-bandwidth memory, and the foreign subsidiaries used to route them. Second, require reporting and possible licenses for very large foreign training runs on U.S. cloud infrastructure, especially when the customer, reseller, beneficial owner, or end use raises military, intelligence, or cyber-offense concerns. Third, control transfers of non-public frontier model weights, because those files are the closest thing AI has to a weapons-grade blueprint before release. Fourth, give allies a treaty-like access channel, not a revocable favor. Trusted allies should mean countries and firms that meet clear standards on ownership, security audits, non-diversion, data-center controls, and reciprocal enforcement.

What I would not back is a broad API regime that treats ordinary foreign use of U.S. models as presumptively suspect. Nor would I try to police open-source communities after weights are already public. Those moves would spend American market power for little security return.

The next indicator to watch is whether Commerce replaces the rescinded AI Diffusion Rule with a narrow cloud-and-weights licensing system or reaches again for nationality-based model restrictions. If the next major order forces another global shutdown by a U.S. AI provider, the policy will already be failing. If, instead, we see transparent licenses for allied cloud customers, mandatory reporting for large adversary-linked training runs, and real enforcement against shell-company chip diversion, Washington may have found the narrow lane where AI export controls can still work.