OpenAI and Google reportedly supplied advanced AI services to Singapore-based subsidiaries of Alibaba, Baidu, and Tencent even though their Chinese parent companies appear on the Pentagon’s Section 1260H list, exposing a legal but strategically fraught gap in Washington’s effort to restrict advanced AI access. The transactions were not necessarily prohibited: Singapore-incorporated entities can contract with American providers, and inclusion on the Pentagon list does not automatically impose sanctions or export restrictions. But that legal distinction is precisely why the episode matters. Washington has built much of its China technology policy around controlling geography and hardware, while frontier AI is a cloud service that can cross borders through accounts, subsidiaries, resellers, and millions of ordinary-looking API requests.
The immediate scandal is therefore less clear-cut than the headlines suggest. Crypto Briefing described OpenAI and Google as selling models to Pentagon-blacklisted Chinese firms, while WION, citing the Financial Times, supplied the more important corporate detail: the customers were Singapore-based subsidiaries rather than the listed mainland parent entities themselves. That difference may keep a transaction within existing rules, but it does not answer the national-security question of who ultimately benefits from the model’s capabilities.
This is the point at which AI export control stops resembling a customs checkpoint and starts resembling identity security. The government can restrict where a service is officially offered; the harder problem is determining who controls the customer, who is submitting the prompts, where the resulting knowledge travels, and whether legitimate access is being used to improve a competing model.
The Pentagon’s Section 1260H list identifies companies the Department of Defense believes are connected to China’s military-industrial complex. It is a warning mechanism with political and commercial consequences, but it is not, by itself, a comprehensive sanctions regime or an automatic prohibition on supplying every listed company with American technology.
That distinction matters because the word blacklist implies a clean boundary that the underlying policy does not necessarily create. A company may appear on the Section 1260H list while remaining legally capable of conducting certain transactions through entities incorporated in other jurisdictions. American providers can therefore comply with the formal rule while producing an outcome that appears inconsistent with the rule’s strategic purpose.
The Defense Department describes the list as part of a broader effort to identify contributors to China’s military-civil fusion strategy. The government’s concern is that nominally civilian companies, universities, and research programs can provide technology and expertise that support military modernization. That concern does not disappear when a listed group purchases a service through an overseas subsidiary.
According to the Financial Times reporting summarized by WION, OpenAI and Google confirmed providing advanced AI services to Singapore-based subsidiaries of Alibaba, Baidu, and Tencent. All three parent groups were included on the Pentagon list, but their Singapore entities could legally contract with the American providers.
This is not best understood as a secret shipment smuggled across a border. It is an example of global corporate structure colliding with a control system designed around national territory.
Singapore is not incidental to the story. It is a major technology and business hub through which multinational companies manage customers, cloud operations, contracts, billing, personnel, and regional infrastructure. An entity incorporated there is legally distinct from its parent even when its strategic priorities remain closely aligned with the parent group.
For regulators, that creates a fundamental attribution problem. If access is granted to a Singapore company owned by a listed Chinese group, should the provider treat the customer as Singaporean because of its incorporation, Chinese because of its ownership, or something more complicated because its employees, workloads, data, and beneficiaries may span several countries?
Existing rules leave room for the first answer. National-security hawks will increasingly demand the second.
Singapore appears on OpenAI’s official list of territories in which API access is supported. OpenAI also warns that accessing or offering its services outside supported territories may lead to an account being blocked or suspended.
The policy is internally coherent. OpenAI is not claiming that Chinese ownership is always irrelevant; it is claiming that enforceable contracts, platform monitoring, customer identification, and local jurisdiction can provide a basis for controlled access outside mainland China.
Google has taken a similarly geographic approach, according to WION’s account of the Financial Times report. It said its AI services are available in markets including Singapore and Hong Kong, subject to its usage policies, while acknowledging that “geographical restrictions alone are insufficient” against sophisticated attempts to bypass controls.
That acknowledgment is more consequential than it appears. If geography is insufficient, then a policy based principally on supported countries is not a complete security architecture. It is an availability policy that must be backed by ownership screening, behavioral detection, account linkage, payment analysis, usage monitoring, and enforcement against customers whose activity crosses the line.
The contrast with Anthropic is stark:
OpenAI and Google’s position effectively says that corporate ownership need not decide access if a subsidiary operates in a jurisdiction where contracts and safeguards are enforceable. Anthropic’s policy says ownership itself is the decisive risk factor: a foreign subsidiary owned by a China-headquartered company remains part of the restricted corporate family.
Neither model is cost-free. The OpenAI-Google approach preserves legitimate international business and avoids treating every overseas employee of a Chinese group as an adversarial actor. It also leaves providers responsible for detecting whether apparently lawful usage is serving prohibited or strategically dangerous purposes.
Anthropic’s approach is easier to articulate and potentially easier to enforce. It is also much broader, excluding subsidiaries whose actual work may be commercial, geographically separated, and unrelated to military activity.
The policy dispute is therefore not simply permissive companies versus a cautious one. It is a disagreement over the proper unit of AI export control: the user’s physical location, the contracting entity, the corporate parent, the beneficial owner, or the ultimate application.
An API request can originate from a supported jurisdiction, pass through infrastructure in another country, be paid for by one corporate entity, and deliver an answer to a product or research team somewhere else. The provider may never see the customer’s full internal chain of command or know how the output is later stored, shared, transformed, or used for training.
Washington has tightened restrictions on advanced AI chips since 2022, with Nvidia hardware a central target. Those restrictions attempt to limit the computing capacity available for training and operating highly capable models. The strategy assumes that controlling scarce hardware can slow a rival’s progress even when algorithms and research circulate more freely.
Model access changes the calculation. A company that cannot obtain the best chips may still purchase intelligence as a service, using American infrastructure to perform difficult reasoning remotely. It may also use the service to generate training data, evaluate its own systems, improve code, automate research, or accelerate the development of a competing model.
This does not mean every prompt sent by a Chinese-owned company is a technology transfer in the strategic sense. Ordinary enterprise uses—document processing, customer support, software development, translation, search, and analysis—can be commercially routine.
The difficulty is that routine usage and capability extraction use the same interface. Both may consist of paid accounts submitting valid prompts and receiving model outputs. The strategic distinction emerges from intent, scale, coordination, repetition, and what happens to those outputs afterward.
That makes identity and telemetry central to enforcement. A provider must determine whether thousands of accounts are controlled by the same operation, whether prompt patterns suggest systematic capability extraction, and whether traffic routed through supported territories is ultimately serving users in an unsupported one.
The cloud made software location-independent because that was commercially useful. Export-control policy is now trying to reconstruct geographic boundaries inside a service architecture built to erase them.
Distillation is not inherently malicious. In ordinary machine-learning practice, a more capable system can be used to help train a smaller or more efficient one. The resulting model may be cheaper to operate while preserving part of the original system’s performance.
The national-security concern arises when a competing laboratory systematically harvests outputs from an American frontier model to improve its own system. The customer does not need the target model’s source code, architecture, training data, or internal weights. It needs enough carefully chosen interactions to capture useful patterns of reasoning and behavior.
This turns API access into more than software consumption. It can become a channel through which some of the economic value embodied in an expensive model-development program is transferred to a rival.
Anthropic has publicly adopted the hardest line among the three providers. Its policy restricts China-headquartered companies and foreign subsidiaries they control from accessing its most advanced models, specifically citing the possibility that overseas entities could support military or intelligence objectives or use model access for distillation.
The company previously accused DeepSeek, Moonshot, and MiniMax of attempting model distillation. In Congressional testimony in June, Anthropic went further, alleging that Alibaba used “tens of thousands of fraudulent accounts” to conduct more than 28 million exchanges with Claude models.
Those figures illustrate why simple country blocking is inadequate. A sophisticated operation does not need to announce itself as a restricted laboratory. It can distribute requests across accounts, intermediaries, networks, contractors, and corporate entities until the traffic resembles large-scale legitimate demand.
OpenAI’s response also shows that providers already perform a quasi-regulatory function. They monitor behavior, make attribution judgments, terminate accounts, preserve evidence, and notify the government. The state writes broad restrictions, but the model provider operates the checkpoint.
That arrangement gives private companies extraordinary discretion. They decide what constitutes suspicious usage, how much evidence is sufficient, whether an affiliated entity should lose access, and what information should be shared with officials.
It also creates a commercial conflict. API traffic generates revenue, and rapidly growing customers may look valuable before they look dangerous. Effective enforcement requires providers to investigate and potentially terminate precisely the large, intensive usage patterns that can be most lucrative.
Both the Biden and Trump administrations treated AI diffusion as a national-security issue. The Biden administration issued executive orders targeting diffusion, while the Trump administration continued tightening restrictions on technology transfers to China.
China responded with controls of its own, targeting gallium, germanium, and rare earth elements that are important to advanced technology manufacturing. The resulting contest stretches from mines and fabrication plants to data centers and cloud accounts.
But controlling hardware and controlling intelligence are different undertakings. Hardware policy asks whether a specific physical product may be shipped to a particular destination or user. Model policy must ask whether an intangible service is improving a restricted organization’s capabilities, even when the contract, account, and server are all outside mainland China.
The Section 1260H controversy exposes an awkward middle ground. The Pentagon has identified Alibaba, Baidu, and Tencent as companies it believes are connected to China’s military-industrial complex, yet that designation does not automatically prevent all of their overseas entities from purchasing American AI services.
This leaves providers to reconcile several government signals that do not form a single operational rule. Washington wants American companies to lead global AI markets. It also wants to prevent advanced capabilities from strengthening Chinese competitors or military-linked entities. At the same time, its blacklist does not automatically prohibit the transactions now drawing criticism.
Companies can comply with the letter of this framework and still be accused of undermining its purpose. That is not solely a corporate contradiction; it is evidence of incomplete policy design.
If officials believe access by any foreign subsidiary of a listed parent creates unacceptable risk, they will need to say so explicitly. If they believe some subsidiaries should remain eligible, they will need criteria for ownership, governance, personnel, data access, technical separation, and acceptable use.
Leaving that distinction to provider discretion guarantees inconsistent outcomes. Anthropic may block a corporate family that OpenAI or Google serves, while all three companies claim to be supporting American national-security objectives.
A Singapore incorporation is not proof of evasion. It can reflect legitimate regional operations, local employees, tax obligations, customer support, data infrastructure, and compliance responsibilities.
Yet incorporation cannot be treated as conclusive proof of operational independence either. A subsidiary may be legally separate while remaining wholly owned, strategically directed, technically integrated, and financially dependent on its parent.
The practical question is whether safeguards can distinguish a genuine regional business operation from a conduit. OpenAI’s language assumes that some jurisdictions make such safeguards enforceable. The Alibaba-affiliated suspension suggests enforceability is only useful if suspicious behavior can first be detected and attributed.
Google’s observation that geography alone is insufficient points in the same direction. The problem is not that supported markets should be closed. It is that a country field in a billing profile provides little assurance about who ultimately controls the work.
A serious control framework would examine beneficial ownership, parent-company relationships, administrators, payment methods, account creation patterns, network indicators, project membership, request behavior, and downstream deployment. It would also need procedures for legitimate multinational customers whose teams span allowed and restricted markets.
This begins to resemble the compliance systems used in banking rather than ordinary software licensing. Providers may need customer due diligence not only at signup but throughout the relationship, with higher scrutiny for corporate families linked to military, intelligence, sanctions, or export-control concerns.
That shift would be expensive. It could delay onboarding, burden startups, generate false positives, and make global AI services less open. It may nevertheless be the logical consequence of treating frontier models as strategic assets rather than ordinary cloud software.
In June: Anthropic told Congress that Alibaba allegedly used tens of thousands of fraudulent accounts to generate more than 28 million exchanges with Claude models in a distillation operation.
Last month: OpenAI suspended API access for Alibaba-affiliated users after detecting suspected distillation and reported the activity to the US government.
In the latest reporting: The Financial Times reported that OpenAI and Google had provided advanced AI services to Singapore-based subsidiaries of Alibaba, Baidu, and Tencent.
The chronology shows policy moving from physical scarcity toward behavioral enforcement. Chip controls came first because hardware was visible and measurable. The subsequent distillation cases demonstrate that access to an already-trained model can itself become a strategic resource.
A company may believe it is purchasing a productivity service for employees in an allowed market while overlooking how accounts are shared, where contractors work, which subsidiary owns a project, or whether outputs are being collected for model development. The risks sit at the intersection of identity governance, data-loss prevention, procurement, cloud security, and legal compliance.
Parent-company screening will become more important than checking an invoice address. A customer incorporated in Singapore, the United States, or Europe may still be owned or controlled by an organization subject to restrictions elsewhere.
Administrators also need to distinguish ordinary high-volume use from systematic extraction. That task belongs principally to the provider, which can observe model-wide traffic, but enterprise customers should still detect mass account creation, shared API credentials, unusual automation, proxy use, and workloads that do not match the declared business purpose.
API keys deserve particular attention. A key issued to an approved development team can be embedded in unauthorized software, passed to an affiliate, exposed through a repository, or routed through infrastructure controlled by another organization. Once that happens, the nominal customer and the actual user diverge.
The consequences may include immediate suspension. OpenAI’s action against Alibaba-affiliated users indicates that access can be terminated after behavioral detection even when the original contracting route was reportedly lawful.
That possibility should shape resilience planning. Enterprises must not assume continued access to a frontier model simply because they have a paid account and a valid contract. If a provider identifies ownership, routing, or usage concerns, a business-critical AI workflow may stop with little warning.
That would close the specific corporate-ownership gap described in the Financial Times reporting. It would also deny services to entities that may operate lawfully and independently in supported markets, potentially pushing legitimate customers toward Chinese or other non-US providers.
A second approach would preserve access but require enhanced verification. Providers could apply stronger know-your-customer procedures, beneficial-ownership checks, project-level restrictions, usage caps, and behavioral monitoring to companies with high-risk ownership or affiliations.
This model would be more precise but harder to administer. A determined actor can hide control through layered entities, contractors, proxies, resellers, and third-party applications. Providers would also be asked to make sensitive geopolitical judgments about customers without the investigative powers of government.
A third option would regulate model capabilities or usage rather than ownership. Governments might restrict access to the most capable systems, sensitive functions, or unusually large volumes of output while allowing lower-risk commercial applications.
That approach encounters the problem of defining a frontier model in a fast-moving market. Capabilities change rapidly, and the same general-purpose model can produce an innocuous marketing summary in one session and advanced technical assistance in another.
Every restriction also carries a competitive consequence. Chinese developers including DeepSeek, Alibaba, Baidu, and Tencent are accelerating work on competitive large language models. If American providers withdraw from international markets, domestic Chinese systems gain customers, revenue, feedback, and influence.
Export controls may slow access to particular American capabilities without preventing AI development altogether. They can also encourage targeted countries to invest more heavily in domestic substitutes and alternative supply chains.
That does not make controls pointless. Delay can have strategic value, especially when frontier development requires enormous compute, specialized expertise, and repeated experimentation. But policy should not confuse imposing friction with achieving isolation.
The deeper competitive risk is that American providers become both more restricted and easier to imitate. If foreign laboratories can harvest model outputs through distributed accounts while legitimate customers face increasingly cumbersome controls, US companies absorb the commercial cost without obtaining the intended security benefit.
Effective rules must therefore target coordinated behavior as well as formal ownership. A subsidiary ban may close one door, but distillation campaigns can use intermediaries that have no obvious corporate relationship with the ultimate beneficiary.
The optics are straightforward: companies asking Washington to treat frontier AI as a strategic American advantage were reportedly serving subsidiaries of groups the Pentagon associates with China’s military-industrial complex. Crypto Briefing focused on this contradiction, arguing that it weakens the providers’ national-security narrative.
The more precise interpretation is that the providers and the government have not agreed on what that narrative requires in practice. Is a Singapore subsidiary of a listed Chinese group an unacceptable customer, a manageable risk, or a legitimate regional entity until its behavior proves otherwise?
OpenAI appears to favor the third answer, backed by safeguards and post-access enforcement. Google’s position similarly allows service in supported markets while conceding that geography cannot stop sophisticated circumvention. Anthropic starts closer to the first answer and excludes the foreign subsidiaries of China-headquartered companies.
These policies communicate different risk tolerances to Washington. Anthropic is willing to sacrifice a broader category of potential business in exchange for a cleaner ownership rule. OpenAI and Google are attempting to preserve international access while policing conduct.
The suspected distillation case raises doubts about whether conduct-based enforcement happens early enough. A provider may ultimately detect and terminate an operation, but meaningful capability transfer could occur before suspension.
Conversely, an ownership-wide ban offers simplicity at the cost of discrimination between subsidiaries. It assumes that control by a restricted parent outweighs local governance and the declared purpose of the account.
There is no frictionless answer. But there is a credibility requirement: providers cannot simultaneously argue that their models are critical national-security assets and treat ownership screening as ordinary cloud-account administration.
If they want to remain primary architects of the rules, they will need to disclose more about how they verify customers, detect cross-border access, identify coordinated extraction, and decide when an overseas subsidiary is sufficiently independent from its parent.
The next layer will concern organizational identity: beneficial ownership, account administration, corporate affiliation, personnel access, data destinations, and the relationship between a customer’s stated purpose and its observed behavior.
Technical controls will matter as much as legal rules. Providers will need systems that connect apparently separate accounts, recognize coordinated prompting, detect automation designed to extract capabilities, and identify when services are being relayed to unsupported users.
Those controls will inevitably affect ordinary customers. False positives may suspend legitimate developers. Privacy concerns will grow as providers collect more identity and traffic information. Smaller firms may struggle to satisfy compliance demands designed around multinational corporations and state-linked threats.
There is also a risk of fragmentation. If every provider applies a different ownership test, customers will face inconsistent access across models. A company accepted by Google or OpenAI may be rejected by Anthropic, not because the underlying law differs but because each provider has chosen a different interpretation of strategic risk.
A government framework could reduce that inconsistency, but it would also formalize a major expansion of export control into general-purpose software. The United States would have to define which models, capabilities, customers, and activities justify restrictions—and how far those restrictions should follow a company outside its home country.
This episode suggests that the debate can no longer be postponed. The Section 1260H list has created a warning without a complete transaction rule, leaving companies to decide how much warning is enough.
The immediate scandal is therefore less clear-cut than the headlines suggest. Crypto Briefing described OpenAI and Google as selling models to Pentagon-blacklisted Chinese firms, while WION, citing the Financial Times, supplied the more important corporate detail: the customers were Singapore-based subsidiaries rather than the listed mainland parent entities themselves. That difference may keep a transaction within existing rules, but it does not answer the national-security question of who ultimately benefits from the model’s capabilities.
This is the point at which AI export control stops resembling a customs checkpoint and starts resembling identity security. The government can restrict where a service is officially offered; the harder problem is determining who controls the customer, who is submitting the prompts, where the resulting knowledge travels, and whether legitimate access is being used to improve a competing model.
The Blacklist Headline Hides the Real Policy Failure
The Pentagon’s Section 1260H list identifies companies the Department of Defense believes are connected to China’s military-industrial complex. It is a warning mechanism with political and commercial consequences, but it is not, by itself, a comprehensive sanctions regime or an automatic prohibition on supplying every listed company with American technology.That distinction matters because the word blacklist implies a clean boundary that the underlying policy does not necessarily create. A company may appear on the Section 1260H list while remaining legally capable of conducting certain transactions through entities incorporated in other jurisdictions. American providers can therefore comply with the formal rule while producing an outcome that appears inconsistent with the rule’s strategic purpose.
The Defense Department describes the list as part of a broader effort to identify contributors to China’s military-civil fusion strategy. The government’s concern is that nominally civilian companies, universities, and research programs can provide technology and expertise that support military modernization. That concern does not disappear when a listed group purchases a service through an overseas subsidiary.
According to the Financial Times reporting summarized by WION, OpenAI and Google confirmed providing advanced AI services to Singapore-based subsidiaries of Alibaba, Baidu, and Tencent. All three parent groups were included on the Pentagon list, but their Singapore entities could legally contract with the American providers.
This is not best understood as a secret shipment smuggled across a border. It is an example of global corporate structure colliding with a control system designed around national territory.
Singapore is not incidental to the story. It is a major technology and business hub through which multinational companies manage customers, cloud operations, contracts, billing, personnel, and regional infrastructure. An entity incorporated there is legally distinct from its parent even when its strategic priorities remain closely aligned with the parent group.
For regulators, that creates a fundamental attribution problem. If access is granted to a Singapore company owned by a listed Chinese group, should the provider treat the customer as Singaporean because of its incorporation, Chinese because of its ownership, or something more complicated because its employees, workloads, data, and beneficiaries may span several countries?
Existing rules leave room for the first answer. National-security hawks will increasingly demand the second.
OpenAI and Google Are Defending Jurisdiction-Based Access
OpenAI’s stated position draws a boundary between direct access from mainland China and access by Chinese-owned companies operating in jurisdictions where the company believes it can apply safeguards. The company told the Financial Times that it “blocks direct access to its models from China” but permits some Chinese-owned businesses to use its services in places “where safeguards can be enforced.”Singapore appears on OpenAI’s official list of territories in which API access is supported. OpenAI also warns that accessing or offering its services outside supported territories may lead to an account being blocked or suspended.
The policy is internally coherent. OpenAI is not claiming that Chinese ownership is always irrelevant; it is claiming that enforceable contracts, platform monitoring, customer identification, and local jurisdiction can provide a basis for controlled access outside mainland China.
Google has taken a similarly geographic approach, according to WION’s account of the Financial Times report. It said its AI services are available in markets including Singapore and Hong Kong, subject to its usage policies, while acknowledging that “geographical restrictions alone are insufficient” against sophisticated attempts to bypass controls.
That acknowledgment is more consequential than it appears. If geography is insufficient, then a policy based principally on supported countries is not a complete security architecture. It is an availability policy that must be backed by ownership screening, behavioral detection, account linkage, payment analysis, usage monitoring, and enforcement against customers whose activity crosses the line.
The contrast with Anthropic is stark:
| Provider | Treatment of mainland China | Treatment of foreign subsidiaries | Reported enforcement concern | Policy model |
|---|---|---|---|---|
| OpenAI | Blocks direct model access | May permit Chinese-owned companies where safeguards can be enforced | Suspended Alibaba-affiliated API access over suspected distillation | Jurisdiction plus monitoring |
| Services restricted by market availability and usage policies | Available in markets including Singapore and Hong Kong | Says geography alone cannot stop sophisticated circumvention | Geography plus platform policies | |
| Anthropic | Restricts access by China-headquartered companies | Also bans foreign subsidiaries they own from its most advanced models | Alleges organized distillation attempts by Chinese AI groups | Parent-ownership exclusion |
Neither model is cost-free. The OpenAI-Google approach preserves legitimate international business and avoids treating every overseas employee of a Chinese group as an adversarial actor. It also leaves providers responsible for detecting whether apparently lawful usage is serving prohibited or strategically dangerous purposes.
Anthropic’s approach is easier to articulate and potentially easier to enforce. It is also much broader, excluding subsidiaries whose actual work may be commercial, geographically separated, and unrelated to military activity.
The policy dispute is therefore not simply permissive companies versus a cautious one. It is a disagreement over the proper unit of AI export control: the user’s physical location, the contracting entity, the corporate parent, the beneficial owner, or the ultimate application.
AI Models Cross Borders Without Crossing Customs
Advanced chips are physical objects. Their manufacture, shipment, ownership, installation, and movement can be documented, licensed, intercepted, or denied. Cloud AI is consumed as an ongoing stream of computation, and that difference makes traditional export-control concepts much less reliable.An API request can originate from a supported jurisdiction, pass through infrastructure in another country, be paid for by one corporate entity, and deliver an answer to a product or research team somewhere else. The provider may never see the customer’s full internal chain of command or know how the output is later stored, shared, transformed, or used for training.
Washington has tightened restrictions on advanced AI chips since 2022, with Nvidia hardware a central target. Those restrictions attempt to limit the computing capacity available for training and operating highly capable models. The strategy assumes that controlling scarce hardware can slow a rival’s progress even when algorithms and research circulate more freely.
Model access changes the calculation. A company that cannot obtain the best chips may still purchase intelligence as a service, using American infrastructure to perform difficult reasoning remotely. It may also use the service to generate training data, evaluate its own systems, improve code, automate research, or accelerate the development of a competing model.
This does not mean every prompt sent by a Chinese-owned company is a technology transfer in the strategic sense. Ordinary enterprise uses—document processing, customer support, software development, translation, search, and analysis—can be commercially routine.
The difficulty is that routine usage and capability extraction use the same interface. Both may consist of paid accounts submitting valid prompts and receiving model outputs. The strategic distinction emerges from intent, scale, coordination, repetition, and what happens to those outputs afterward.
That makes identity and telemetry central to enforcement. A provider must determine whether thousands of accounts are controlled by the same operation, whether prompt patterns suggest systematic capability extraction, and whether traffic routed through supported territories is ultimately serving users in an unsupported one.
The cloud made software location-independent because that was commercially useful. Export-control policy is now trying to reconstruct geographic boundaries inside a service architecture built to erase them.
Distillation Turns Commercial Access Into a Strategic Pipeline
The reported suspension of Alibaba-affiliated users demonstrates how quickly an apparently lawful customer relationship can become an enforcement case. OpenAI said it suspended their API access last month after detecting suspected distillation and reported the activity to the US government.Distillation is not inherently malicious. In ordinary machine-learning practice, a more capable system can be used to help train a smaller or more efficient one. The resulting model may be cheaper to operate while preserving part of the original system’s performance.
The national-security concern arises when a competing laboratory systematically harvests outputs from an American frontier model to improve its own system. The customer does not need the target model’s source code, architecture, training data, or internal weights. It needs enough carefully chosen interactions to capture useful patterns of reasoning and behavior.
This turns API access into more than software consumption. It can become a channel through which some of the economic value embodied in an expensive model-development program is transferred to a rival.
Anthropic has publicly adopted the hardest line among the three providers. Its policy restricts China-headquartered companies and foreign subsidiaries they control from accessing its most advanced models, specifically citing the possibility that overseas entities could support military or intelligence objectives or use model access for distillation.
The company previously accused DeepSeek, Moonshot, and MiniMax of attempting model distillation. In Congressional testimony in June, Anthropic went further, alleging that Alibaba used “tens of thousands of fraudulent accounts” to conduct more than 28 million exchanges with Claude models.
Those figures illustrate why simple country blocking is inadequate. A sophisticated operation does not need to announce itself as a restricted laboratory. It can distribute requests across accounts, intermediaries, networks, contractors, and corporate entities until the traffic resembles large-scale legitimate demand.
OpenAI’s response also shows that providers already perform a quasi-regulatory function. They monitor behavior, make attribution judgments, terminate accounts, preserve evidence, and notify the government. The state writes broad restrictions, but the model provider operates the checkpoint.
That arrangement gives private companies extraordinary discretion. They decide what constitutes suspicious usage, how much evidence is sufficient, whether an affiliated entity should lose access, and what information should be shared with officials.
It also creates a commercial conflict. API traffic generates revenue, and rapidly growing customers may look valuable before they look dangerous. Effective enforcement requires providers to investigate and potentially terminate precisely the large, intensive usage patterns that can be most lucrative.
Washington Has Controlled Hardware More Successfully Than Intent
The United States has spent years constructing barriers around the physical ingredients of advanced AI. Controls on high-end chips, manufacturing equipment, and technology transfer are meant to slow China’s access to the compute required for frontier systems.Both the Biden and Trump administrations treated AI diffusion as a national-security issue. The Biden administration issued executive orders targeting diffusion, while the Trump administration continued tightening restrictions on technology transfers to China.
China responded with controls of its own, targeting gallium, germanium, and rare earth elements that are important to advanced technology manufacturing. The resulting contest stretches from mines and fabrication plants to data centers and cloud accounts.
But controlling hardware and controlling intelligence are different undertakings. Hardware policy asks whether a specific physical product may be shipped to a particular destination or user. Model policy must ask whether an intangible service is improving a restricted organization’s capabilities, even when the contract, account, and server are all outside mainland China.
The Section 1260H controversy exposes an awkward middle ground. The Pentagon has identified Alibaba, Baidu, and Tencent as companies it believes are connected to China’s military-industrial complex, yet that designation does not automatically prevent all of their overseas entities from purchasing American AI services.
This leaves providers to reconcile several government signals that do not form a single operational rule. Washington wants American companies to lead global AI markets. It also wants to prevent advanced capabilities from strengthening Chinese competitors or military-linked entities. At the same time, its blacklist does not automatically prohibit the transactions now drawing criticism.
Companies can comply with the letter of this framework and still be accused of undermining its purpose. That is not solely a corporate contradiction; it is evidence of incomplete policy design.
If officials believe access by any foreign subsidiary of a listed parent creates unacceptable risk, they will need to say so explicitly. If they believe some subsidiaries should remain eligible, they will need criteria for ownership, governance, personnel, data access, technical separation, and acceptable use.
Leaving that distinction to provider discretion guarantees inconsistent outcomes. Anthropic may block a corporate family that OpenAI or Google serves, while all three companies claim to be supporting American national-security objectives.
Singapore Is a Gateway, Not the Villain
The reporting risks casting Singapore as a loophole jurisdiction, but the underlying issue is broader than any single country. Global companies routinely establish regional subsidiaries in stable commercial centers, and American technology providers routinely contract with those entities.A Singapore incorporation is not proof of evasion. It can reflect legitimate regional operations, local employees, tax obligations, customer support, data infrastructure, and compliance responsibilities.
Yet incorporation cannot be treated as conclusive proof of operational independence either. A subsidiary may be legally separate while remaining wholly owned, strategically directed, technically integrated, and financially dependent on its parent.
The practical question is whether safeguards can distinguish a genuine regional business operation from a conduit. OpenAI’s language assumes that some jurisdictions make such safeguards enforceable. The Alibaba-affiliated suspension suggests enforceability is only useful if suspicious behavior can first be detected and attributed.
Google’s observation that geography alone is insufficient points in the same direction. The problem is not that supported markets should be closed. It is that a country field in a billing profile provides little assurance about who ultimately controls the work.
A serious control framework would examine beneficial ownership, parent-company relationships, administrators, payment methods, account creation patterns, network indicators, project membership, request behavior, and downstream deployment. It would also need procedures for legitimate multinational customers whose teams span allowed and restricted markets.
This begins to resemble the compliance systems used in banking rather than ordinary software licensing. Providers may need customer due diligence not only at signup but throughout the relationship, with higher scrutiny for corporate families linked to military, intelligence, sanctions, or export-control concerns.
That shift would be expensive. It could delay onboarding, burden startups, generate false positives, and make global AI services less open. It may nevertheless be the logical consequence of treating frontier models as strategic assets rather than ordinary cloud software.
Timeline
Since 2022: The United States tightened restrictions on exports of advanced AI chips, particularly Nvidia hardware, as part of a broader attempt to slow China’s access to cutting-edge computing.In June: Anthropic told Congress that Alibaba allegedly used tens of thousands of fraudulent accounts to generate more than 28 million exchanges with Claude models in a distillation operation.
Last month: OpenAI suspended API access for Alibaba-affiliated users after detecting suspected distillation and reported the activity to the US government.
In the latest reporting: The Financial Times reported that OpenAI and Google had provided advanced AI services to Singapore-based subsidiaries of Alibaba, Baidu, and Tencent.
The chronology shows policy moving from physical scarcity toward behavioral enforcement. Chip controls came first because hardware was visible and measurable. The subsequent distillation cases demonstrate that access to an already-trained model can itself become a strategic resource.
Enterprise IT Is Being Pulled Into Export-Control Enforcement
For Windows administrators and enterprise security teams, the story is not an abstract dispute among governments and frontier laboratories. Businesses increasingly access models through browser sessions, developer tools, internal assistants, cloud integrations, and API credentials distributed across software teams.A company may believe it is purchasing a productivity service for employees in an allowed market while overlooking how accounts are shared, where contractors work, which subsidiary owns a project, or whether outputs are being collected for model development. The risks sit at the intersection of identity governance, data-loss prevention, procurement, cloud security, and legal compliance.
Parent-company screening will become more important than checking an invoice address. A customer incorporated in Singapore, the United States, or Europe may still be owned or controlled by an organization subject to restrictions elsewhere.
Administrators also need to distinguish ordinary high-volume use from systematic extraction. That task belongs principally to the provider, which can observe model-wide traffic, but enterprise customers should still detect mass account creation, shared API credentials, unusual automation, proxy use, and workloads that do not match the declared business purpose.
API keys deserve particular attention. A key issued to an approved development team can be embedded in unauthorized software, passed to an affiliate, exposed through a repository, or routed through infrastructure controlled by another organization. Once that happens, the nominal customer and the actual user diverge.
The consequences may include immediate suspension. OpenAI’s action against Alibaba-affiliated users indicates that access can be terminated after behavioral detection even when the original contracting route was reportedly lawful.
That possibility should shape resilience planning. Enterprises must not assume continued access to a frontier model simply because they have a paid account and a valid contract. If a provider identifies ownership, routing, or usage concerns, a business-critical AI workflow may stop with little warning.
Action checklist for admins
- Map every approved AI account and API project to its contracting entity, parent company, administrators, developers, and ultimate business owner.
- Prevent API-key sharing across subsidiaries, contractors, and unsupported jurisdictions; rotate any credential whose control cannot be demonstrated.
- Monitor for bulk account creation, proxy routing, abnormal prompt automation, and sudden usage increases inconsistent with the approved workload.
- Record where prompts originate, where outputs are stored, and whether model responses are being retained for training or evaluation.
- Require procurement and legal review when a customer, vendor, investor, or parent organization appears on a military-linked or export-control list.
- Build continuity plans for AI-dependent applications so a provider suspension does not disable an essential enterprise process.
Stricter Rules Will Reshape the AI Market, Not End the Race
The most obvious policy response would be to treat foreign subsidiaries as extensions of restricted parent companies. Anthropic has already adopted that principle for access to its most advanced models.That would close the specific corporate-ownership gap described in the Financial Times reporting. It would also deny services to entities that may operate lawfully and independently in supported markets, potentially pushing legitimate customers toward Chinese or other non-US providers.
A second approach would preserve access but require enhanced verification. Providers could apply stronger know-your-customer procedures, beneficial-ownership checks, project-level restrictions, usage caps, and behavioral monitoring to companies with high-risk ownership or affiliations.
This model would be more precise but harder to administer. A determined actor can hide control through layered entities, contractors, proxies, resellers, and third-party applications. Providers would also be asked to make sensitive geopolitical judgments about customers without the investigative powers of government.
A third option would regulate model capabilities or usage rather than ownership. Governments might restrict access to the most capable systems, sensitive functions, or unusually large volumes of output while allowing lower-risk commercial applications.
That approach encounters the problem of defining a frontier model in a fast-moving market. Capabilities change rapidly, and the same general-purpose model can produce an innocuous marketing summary in one session and advanced technical assistance in another.
Every restriction also carries a competitive consequence. Chinese developers including DeepSeek, Alibaba, Baidu, and Tencent are accelerating work on competitive large language models. If American providers withdraw from international markets, domestic Chinese systems gain customers, revenue, feedback, and influence.
Export controls may slow access to particular American capabilities without preventing AI development altogether. They can also encourage targeted countries to invest more heavily in domestic substitutes and alternative supply chains.
That does not make controls pointless. Delay can have strategic value, especially when frontier development requires enormous compute, specialized expertise, and repeated experimentation. But policy should not confuse imposing friction with achieving isolation.
The deeper competitive risk is that American providers become both more restricted and easier to imitate. If foreign laboratories can harvest model outputs through distributed accounts while legitimate customers face increasingly cumbersome controls, US companies absorb the commercial cost without obtaining the intended security benefit.
Effective rules must therefore target coordinated behavior as well as formal ownership. A subsidiary ban may close one door, but distillation campaigns can use intermediaries that have no obvious corporate relationship with the ultimate beneficiary.
The Pentagon List Is Becoming a Test of Corporate Credibility
OpenAI and Google have positioned themselves as important partners in American technological and national-security strategy. That makes the reported transactions politically combustible even if they complied with existing law.The optics are straightforward: companies asking Washington to treat frontier AI as a strategic American advantage were reportedly serving subsidiaries of groups the Pentagon associates with China’s military-industrial complex. Crypto Briefing focused on this contradiction, arguing that it weakens the providers’ national-security narrative.
The more precise interpretation is that the providers and the government have not agreed on what that narrative requires in practice. Is a Singapore subsidiary of a listed Chinese group an unacceptable customer, a manageable risk, or a legitimate regional entity until its behavior proves otherwise?
OpenAI appears to favor the third answer, backed by safeguards and post-access enforcement. Google’s position similarly allows service in supported markets while conceding that geography cannot stop sophisticated circumvention. Anthropic starts closer to the first answer and excludes the foreign subsidiaries of China-headquartered companies.
These policies communicate different risk tolerances to Washington. Anthropic is willing to sacrifice a broader category of potential business in exchange for a cleaner ownership rule. OpenAI and Google are attempting to preserve international access while policing conduct.
The suspected distillation case raises doubts about whether conduct-based enforcement happens early enough. A provider may ultimately detect and terminate an operation, but meaningful capability transfer could occur before suspension.
Conversely, an ownership-wide ban offers simplicity at the cost of discrimination between subsidiaries. It assumes that control by a restricted parent outweighs local governance and the declared purpose of the account.
There is no frictionless answer. But there is a credibility requirement: providers cannot simultaneously argue that their models are critical national-security assets and treat ownership screening as ordinary cloud-account administration.
If they want to remain primary architects of the rules, they will need to disclose more about how they verify customers, detect cross-border access, identify coordinated extraction, and decide when an overseas subsidiary is sufficiently independent from its parent.
The Next Export Regime Will Be Written in Identity Logs
The emerging policy debate will likely move beyond lists of supported countries. Geography is too easy to obscure, and incorporation is too weak a proxy for control.The next layer will concern organizational identity: beneficial ownership, account administration, corporate affiliation, personnel access, data destinations, and the relationship between a customer’s stated purpose and its observed behavior.
Technical controls will matter as much as legal rules. Providers will need systems that connect apparently separate accounts, recognize coordinated prompting, detect automation designed to extract capabilities, and identify when services are being relayed to unsupported users.
Those controls will inevitably affect ordinary customers. False positives may suspend legitimate developers. Privacy concerns will grow as providers collect more identity and traffic information. Smaller firms may struggle to satisfy compliance demands designed around multinational corporations and state-linked threats.
There is also a risk of fragmentation. If every provider applies a different ownership test, customers will face inconsistent access across models. A company accepted by Google or OpenAI may be rejected by Anthropic, not because the underlying law differs but because each provider has chosen a different interpretation of strategic risk.
A government framework could reduce that inconsistency, but it would also formalize a major expansion of export control into general-purpose software. The United States would have to define which models, capabilities, customers, and activities justify restrictions—and how far those restrictions should follow a company outside its home country.
This episode suggests that the debate can no longer be postponed. The Section 1260H list has created a warning without a complete transaction rule, leaving companies to decide how much warning is enough.
What IT Leaders Should Carry Forward
The reported sales do not prove that OpenAI or Google knowingly supplied Chinese military programs, and inclusion on the Pentagon list does not automatically prohibit all transactions with an overseas subsidiary. The consequential finding is that current controls allow strategically sensitive AI access to depend on corporate geography even though providers acknowledge that geography is not enough.- OpenAI and Google reportedly served Singapore subsidiaries of Alibaba, Baidu, and Tencent, not the mainland parents directly.
- The Section 1260H designation signals Pentagon concern but does not automatically impose sanctions or export restrictions.
- OpenAI permits some Chinese-owned companies to operate in jurisdictions where it believes safeguards can be enforced.
- Google acknowledges that location-based restrictions alone cannot stop sophisticated circumvention.
- Anthropic applies the broader ownership rule, excluding foreign subsidiaries controlled by China-headquartered companies.
- Suspected distillation turns account identity, API telemetry, and behavioral detection into core export-control mechanisms.
References
- Primary source: Crypto Briefing
Published: Fri, 10 Jul 2026 15:31:02 GMT
OpenAI and Google caught selling AI models to Pentagon-blacklisted Chinese firms
OpenAI and Google reportedly sold AI models to Chinese firms on the Pentagon's blacklist, raising serious questions about US technology export controls.cryptobriefing.com - Independent coverage: WION
Published: 2026-07-10T10:30:11.350614
- Official source: help.openai.com
- Related coverage: defense.gov
- Related coverage: investing.com
OpenAI, Google supplied AI models to Pentagon-blacklisted Chinese firms: FT By Investing.com
OpenAI, Google supplied AI models to Pentagon-blacklisted Chinese firms: FTwww.investing.com - Official source: cdn.openai.com
- Related coverage: omni.se
Open AI och Google sålde AI till svartlistade bolag
Singaporebaserade dotterbolag till kinesiska Alibaba, Baidu och Tencent har kunnat köpa avancerade AI-modeller av de amerikanska teknikbolagen Open AI och Google, rapporterar Financial Times. Detta trots att moderbolagen har svartlistats av Pentagon.omni.se - Related coverage: forbes.com
OpenAI Believes DeepSeek ‘Distilled’ Its Data For Training—Here's What To Know About The Technique
White House AI czar David Sacks alleged Tuesday that DeepSeek had used OpenAI’s data outputs to train its latest models through a process called distillation.www.forbes.com - Related coverage: theinformation.com
Alibaba Denies Report That It Helps China’s Military — The Information
Alibaba Group denied a Financial Times report that alleged the Chinese tech giant provides China’s military with technology support and data. The FT reported Saturday that a White House national security memo, which was provided to the newspaper, includes declassified intelligence on the work...www.theinformation.com - Related coverage: fstech.co.uk
Goldman Sachs ‘stops bankers’ accessing Anthropic’s Claude models in Hong Kong
Bankers working for Goldman Sachs in Hong Kong no longer have access to Anthropic’s AI models, according to a report by the Financial Times.www.fstech.co.uk - Official source: anthropic.com
Anthropic Economic Index report: Cadences \ Anthropic
In the latest Anthropic Economic Index report, we look at when people come to Claude, what they produce with it, and how they perceive AI’s impact on their work.www.anthropic.com - Related coverage: tomshardware.com
Anthropic claims that China's Alibaba used 25,000 fake accounts and 28.8 million exchanges to illicitly 'distill' its Claude model — violations occurred from April to June 2026 | Tom's Hardware
Someone is copying Anthropic's homework.www.tomshardware.com