Hardware-enabled governance is the idea of building the enforcement of AI rules into the physical chips that frontier AI runs on. Rather than trusting a lab or a state to follow the rules and hoping to catch violations after the fact, you put verification and limits into the silicon itself, where they are far harder to evade and far easier to audit.
The idea rests on a fact that makes AI unusually governable. Training a frontier model takes enormous quantities of specialised chips, concentrated in large data centres, produced by a tiny number of firms through a supply chain with severe chokepoints. Software copies invisibly and instantly. Tens of thousands of advanced processors drawing megawatts of power do not. That physical footprint is the surface governance can grip, the same insight behind compute governance, taken down to the level of the chip.
What could be built into the hardware
The proposals range from modest to ambitious.
- Verification of use. Chips could attest, in a tamper-resistant and privacy-preserving way, to properties of what they are doing, for example how much compute a training run consumed, letting an inspector confirm compliance without reading the model or the data.
- Usage limits. Hardware could enforce ceilings, refusing to participate in a training run above a set scale unless authorised, turning a legal limit into a physical one.
- Location and integrity. Mechanisms could confirm a chip is where it is declared to be and has not been tampered with, supporting export controls and preventing diversion to unmonitored facilities.
Some of these build on secure-hardware features that already exist in modern processors for other reasons. The engineering is hard and partly unsolved, but it is not science fiction, and serious work is underway on making it real.
Why this is such an attractive lever
The appeal is that it addresses the problem that undermines most AI governance: verification. A treaty you cannot check is the Biological Weapons Convention, a real prohibition violated for decades without detection. Governance that can actually confirm compliance, the way the nuclear inspection regime confirms it for fissile material, is governance that can hold. Hardware-enabled mechanisms offer a path to that kind of verification for AI, rooted in physics rather than trust. They could let states agree to limits and confirm each other are keeping them, which is the missing ingredient in almost every international proposal.
The hard part of any AI agreement is not writing the rule. It is proving the rule is being followed. Hardware is where proof might live.
The double edge
Honesty requires naming the risk. A mechanism that lets a legitimate authority verify and limit compute is also a mechanism of control, and control can be abused. Infrastructure built to enforce safety limits could, in the wrong hands, enforce a monopoly, entrench whoever holds the keys, or become a tool of surveillance and coercion. The same lever that could underwrite a fair international pause could underwrite the concentration of power the Foundation warns against elsewhere.
This does not argue against the technology. It argues for building it with governance of the governance: transparency about what the mechanisms do, limits on who controls them, and international rather than unilateral authority. Handled that way, hardware-enabled governance is among the most promising tools available, because it attacks the verification problem at its root. It is one of the more concrete reasons the Foundation believes a credible, checkable international framework is achievable rather than utopian, and it runs through our plan.
Common questions.
It is the approach of building the enforcement of AI rules into the physical chips that frontier AI runs on, rather than relying on developers to follow rules voluntarily and trying to catch violations afterward. By putting verification and limits into the silicon itself, compliance becomes harder to evade and easier to audit. It works because training frontier models requires large quantities of specialised chips concentrated in data centres, a physical footprint that governance can grip.
Several mechanisms are proposed. Chips could attest in a tamper-resistant, privacy-preserving way to properties of what they are doing, such as how much compute a training run used, letting inspectors confirm compliance without reading the model or data. Hardware could enforce usage ceilings, refusing to join a training run above a set scale unless authorised. And mechanisms could confirm a chip's location and integrity to support export controls and prevent diversion to unmonitored sites. Some build on secure-hardware features already present in modern processors.
Because it targets verification, the problem that undermines most AI governance. An agreement no one can check tends to fail, as the unverifiable Biological Weapons Convention did. Hardware-enabled mechanisms offer a route to confirming compliance rooted in physics rather than trust, similar to how nuclear inspection verifies fissile material. That would let states agree to limits and confirm each other are keeping them, supplying the missing ingredient in almost every international AI proposal.
A mechanism that lets a legitimate authority verify and limit compute is also a mechanism of control, and control can be abused. Infrastructure built to enforce safety limits could instead enforce a monopoly, entrench whoever holds the keys, or enable surveillance and coercion. The same lever that could underwrite a fair international pause could underwrite a dangerous concentration of power. The response is not to avoid the technology but to govern it with transparency, limits on who controls it, and international rather than unilateral authority.