API As A Border: What It Means for Your Stack

Executive Summary

  • On April 23, 2026, the White House OSTP issued Memorandum NSTM-4, formally accusing China of conducting "deliberate, industrial-scale campaigns" to distill US frontier AI systems — using tens of thousands of proxy accounts and jailbreaking techniques to extract model capabilities without authorisation.
  • The policy response is moving from chip-layer denial to model-layer denial: API access to frontier models is being drawn into the US technology containment architecture previously reserved for semiconductor export controls.
  • Enforcement remains technically and legally unsettled. No implementation framework has been published. But the direction of travel is clear — AI platform companies are being assigned responsibility for policing access that chipmakers and export agencies previously controlled.
  • For any enterprise distributing model access, building on frontier APIs, or operating AI infrastructure with dual US-China exposure, this creates a new class of stack dependency risk: one that sits not in hardware, but in terms of service, identity verification, and the geopolitical classification of your users and customers.

I. From Silicon to Software: How the Denial Strategy Evolved

The US technology denial strategy against China has followed a consistent escalation logic: identify the layer of the AI stack that creates strategic leverage, restrict it, observe evasion, then move up the stack.

The first layer was semiconductors. Export controls on advanced AI chips — NVIDIA A100 and H100-class GPUs — were introduced in October 2022 and progressively tightened through 2024. The intent was to constrain China's ability to train frontier models by limiting access to the compute required.

The second layer was semiconductor manufacturing equipment. Controls on EUV lithography and advanced packaging targeted the ability to build a domestic chip supply chain, closing the workaround.

Both layers have been partially circumvented. Chinese entities accessed advanced compute through US cloud providers via intermediaries, through offshore training clusters in Southeast Asia, and by physically moving training data across borders. The BIS Affiliates Rule — designed to extend restrictions automatically to entities owned by listed parties — is currently suspended until November 2026 as part of the US-China trade truce.

The third layer is now the model itself.



II. The Distillation Problem

Knowledge distillation is a standard machine learning technique: a smaller "student" model is trained using outputs from a larger "teacher" model, acquiring comparable capabilities at a fraction of the compute cost. It is widely used and largely legitimate. The problem is its adversarial variant — using the same technique to systematically extract capabilities from a competitor's model at scale, without authorisation, through deception.

The evidentiary record is now substantial. In February 2026, Anthropic disclosed to the House Foreign Affairs Committee that three Chinese AI laboratories — DeepSeek, Moonshot AI, and MiniMax — had run extraction campaigns against its Claude models using approximately 24,000 fraudulent accounts and more than 16 million exchanges. MiniMax alone accounted for more than 13 million exchanges; Moonshot AI focused its extraction on reasoning, tool use, and coding capabilities.

OpenAI made parallel disclosures, describing "ongoing attempts by DeepSeek to distil frontier models through new, obfuscated methods." The House Foreign Affairs Committee report characterised the access infrastructure as sophisticated: open-source relay tools intercepting and rerouting API requests through repositories that advertised format conversion across OpenAI, Claude, and Gemini APIs simultaneously.

On April 23, 2026, the White House OSTP formalised this as a national security matter. Memorandum NSTM-4, "Adversarial Distillation of American AI Models," signed by OSTP Director Michael Kratsios and addressed to all Executive Department and Agency heads, stated that foreign entities — principally based in China — are "engaged in deliberate, industrial-scale campaigns to distil US frontier AI systems," using tens of thousands of proxy accounts and jailbreaking techniques.

Kratsios framed the practice directly: "There is nothing innovative about systematically extracting and copying the innovations of American industry."

The memo's national security framing is deliberate. Extracted capabilities, it argues, flow into Chinese military and intelligence systems stripped of safety constraints — available for offensive cyber operations, influence campaigns, and mass surveillance. This positions distillation not as a commercial IP dispute, but as a state-level technology transfer that bypasses every existing export control mechanism.


III. The New Compliance Surface: KYC at the API Layer

The policy response is still forming. NSTM-4 directs agencies to share intelligence with US AI companies, co-develop defensive best practices, and explore accountability measures including export controls, entity-list designations, and sanctions. Enforcement mechanisms have not been specified. The legal status of harvested model outputs — whether API completions constitute trade secrets under existing IP frameworks — remains unsettled.

But the structural direction is visible across three simultaneous moves.

Industry self-regulation is consolidating. OpenAI, Anthropic, and Google are now sharing detection signals through the Frontier Model Forum — a rare instance of the three largest US labs cooperating operationally against a common threat. Individual enforcement actions are running in parallel: Anthropic has moved to block third-party harness usage on subscriptions; Google has acted against unauthorised harvesting of its Gemini CLI authentication.

Congressional legislation is advancing. The Deterring American AI Model Theft Act (H.R. 8283, introduced April 15, 2026) would create new civil remedies for model extraction attacks. The House Foreign Affairs Committee advanced more than two dozen export control bills on April 22, including measures that would classify adversarial distillation as industrial espionage and place offending entities on the BIS Entity List.

The compute and model denial strategies are converging. Commerce Secretary Howard Lutnick confirmed on April 23 that no H200 shipments have reached China despite January's policy approval. Experts are simultaneously calling for a halt to AI chip exports, arguing compute restriction is necessary to prevent training of models built on adversarially extracted data.

The combined trajectory points toward a new compliance architecture: AI platform companies bearing responsibility for who accesses their models, for what purpose, and under what geopolitical classification. In practice: know-your-customer obligations at the API layer, geo-fencing, usage monitoring, and potentially the reclassification of API access as an export subject to BIS licensing requirements.

This is a structural shift in where the cost of technology denial policy lands — migrating from hardware supply chains to software distribution infrastructure.


IV. The Dependency Implications for Enterprises

The distillation crackdown creates two distinct categories of enterprise exposure.

For AI platform companies and model distributors, the emerging framework implies new due diligence obligations at the API layer. If model access is reclassified as an export, providers face potential KYC requirements for all downstream users — including those accessing through cloud marketplaces, partnership agreements, fine-tuning services, and intermediary resellers. Current ToS enforcement was not designed to distinguish a legitimate international developer from a restricted entity using proxy and relay infrastructure.

For enterprises building on frontier APIs, the risk is subtler but equally structural. The tightening of access controls creates a new class of supply chain fragility: model access risk. An enterprise whose core AI workflows depend on a specific frontier model API is exposed not only to standard vendor risks — pricing, availability, ToS changes — but to geopolitical classification risk: the possibility that access is restricted or suspended as a function of regulatory action rather than any commercial decision.

The retaliatory dynamic compounds this. China's parallel move — requiring government approval for US investment in Chinese AI firms — is the first turn of a reciprocal restriction cycle. Enterprises with dual exposure face an emerging bifurcation of their model distribution infrastructure that mirrors the semiconductor split already underway.


V. What Enterprises Should Map Now

Map your API dependency graph. Identify every frontier model API in your stack: direct contracts, cloud marketplace access, APIs embedded in SaaS products, and fine-tuning and inference services. For each, record the provider's incorporation jurisdiction, its ToS restrictions on geography and use case, and its current access control mechanisms. This is the model-layer equivalent of the SBOM exercise: a bill of materials for your AI capability stack.

Map your distribution surface. If you distribute model access downstream, whether through APIs, embedded products, or partnerships, identify which users or customers may fall within the categories targeted by emerging controls. This is not a compliance exercise today; it is preparation for when enforcement frameworks are published.

Map the retaliatory surface. If you operate in China or rely on Chinese AI capabilities — models, APIs, compute — model the impact of reciprocal restrictions. Enterprises that have not mapped their China-side AI dependencies have an incomplete stack risk picture.



VI. The TEKHORA Lens

This fault line is precisely the class of risk TEKHORA is built to surface.

The question is not whether your AI vendor has a model vulnerability. It is where that vendor is incorporated, who controls access to its models, under what legal authority that access exists, and what geopolitical events can sever or restrict it independent of any commercial decision.

AI Radar already tracks the regulatory and enforcement signals that define this landscape — NSTM-4, congressional legislation, BIS enforcement trajectory, Frontier Model Forum actions — across 50+ jurisdictions, updated weekly.

TEKHORA maps the dependency graph: which models your organisation uses, who provides them, where those providers are incorporated, what access controls they operate, and what geopolitical risk surface each vendor-jurisdiction pairing creates. The model-layer denial architecture now emerging in US policy is exactly the kind of structural shift that should appear in your stack map before it appears in your operations.

Explore AI Radar at radar.tekhora.com — and message us for early access to TEKHORA.


What to Watch

  • BIS and Commerce Department — Any implementing regulations classifying API access as an export; covered model thresholds; penalty structures
  • Frontier Model Forum — Further operational cooperation on access restriction and detection infrastructure
  • H.R. 8283 and House Foreign Affairs Committee bills — Progress through committee markup
  • Trump-Xi summit (May 14–15, 2026) — AI distillation is a central agenda item; outcome determines pace of enforcement
  • China reciprocal measures — Any restrictions on US model access in China or implementation of foreign investment approval regime
  • BIS Affiliates Rule — Suspension expires November 2026; reinstatement extends restrictions to entities owned by listed parties


This article is for informational purposes only and does not constitute legal, regulatory, or investment advice.

TEKHORA is a platform by RebootUp Pte Ltd — insights.tekhora.com
