The export controls were supposed to be a wall; they're turning out to be a speed bump with a purchase order form.

The Summary

The Signal

The H200 chips represent the cutting edge of what Washington allows to flow into China, a carefully calibrated compromise between commerce and national security. The calculation assumed that capping performance would slow military AI development. But procurement documents tell a different story: institutions that explicitly support China's defense apparatus aren't scrambling for smuggled contraband. They're filing paperwork for the best gear that's technically legal.

Seven universities is not a massive number, but it's a clear pattern. These aren't general research institutions dabbling in machine learning for academic curiosity. They're nodes in China's civil-military fusion strategy, where the line between civilian research and defense application is deliberately blurred. The H200 purchases suggest they've mapped the regulatory terrain and are operating right up to the edge.

"The most powerful AI processors ever allowed by the US to be sold in China are now on shopping lists at military-linked universities."

This raises three uncomfortable questions:

  • If export controls set the bar at H200, does that just tell adversaries exactly what capability to acquire?
  • Are we creating a "good enough" threshold that's actually plenty good for military AI applications?
  • What happens when the next-gen chip becomes the new legal ceiling?

The fourth web runs on compute. Agents need inference power. Autonomous systems need training at scale. The H200 isn't just a chip, it's the engine for building intelligent systems. If those systems are being built inside institutions that feed China's military modernization, the export control strategy isn't containing risk. It's standardizing it.

The Implication

Watch Nvidia's China revenue in the coming quarters, and watch how Washington responds when the procurement paper trail becomes undeniable. This isn't a violation anyone can prosecute, it's a policy working exactly as written while achieving the opposite of its intent. The real question is whether export controls as currently designed can ever work when the adversary is willing to accept "good enough" and you're the one defining what that means.

For companies building agent infrastructure, this is a reminder that geopolitics doesn't stop at the model layer. Where your compute comes from, where it's deployed, and who can access it, those aren't just compliance questions. They're strategic vulnerabilities.

Sources

Bloomberg Tech