Smuggling and trade restrictions: Why AI chip compliance needs a rethink

Ted Datta, Senior Director, Head of Industry Practice Group – Europe & Africa at Moody’s

When AI chips make global headlines, it’s rarely about performance specifications. More often, it’s about geopolitical friction, regulatory scrutiny, and compliance risks in supply chains.

As export controls tighten, semiconductor vendors are finding themselves caught in a new kind of risk landscape, one where compliance failures can originate several layers downstream, and one where a single oversight can trigger serious legal, commercial, and reputational consequences. The question isn’t just how AI chips are made; it’s who they’re made for, and whether vendors can truly verify the end-to-end integrity of transactions.

AI chips: High stakes, high risk

AI chips are strategically vital infrastructure, now subject to a complex mesh of export controls, trade sanctions, and ethical sourcing standards. From the extraction of silicon wafers in Asia to final assembly in Outsourced Semiconductor Assembly and Test (OSAT) facilities across the region, the average AI chip passes through multiple jurisdictions before reaching an end user. And every stage of the journey can introduce exposure to new risks and compliance failings.

Trade restrictions on these vital goods are increasing. In early 2025, the US government tightened restrictions on AI chips and data centre Graphics Processing Units (GPUs) destined for dozens of countries. The European Union’s own semiconductor strategy now includes more assertive enforcement around sensitive exports.

Policy is tightening. Yet with reports that high-performance chips are being smuggled into sanctioned markets, there’s evidence to suggest current verification mechanisms are struggling to keep up.

The illusion of control

The main challenge when conducting due diligence on a corporate network is that surface-level checks such as supplier/customer onboarding, sanctions list checks, and entity verification protocols may not address the complete risk picture. What about the entities connected to a supply chain that are two or three layers downstream? The distributors’ customers? The affiliate operations in permissive jurisdictions?

This issue is compounded where risk analysis is done in silos. Anti-financial crime, procurement, legal and compliance teams may operate in parallel isolation, using disparate tools and fragmented datasets – crucially, risk-relevant insights may not be shared. These silos can result in critical information about supplier integrity, sanctions risk, or export red flags not reaching decision-makers in time or at all.

Traditional compliance needs a rethink

In this environment, traditional risk management and mitigation techniques, such as periodic reviews, may not suffice. Dynamic and interconnected threats can happen in an instant, such as a change of the Ultimate Beneficial Owner (UBO) of an organisation purchasing AI chips, opening a new avenue to risk that compliance needs to keep pace with.

What’s needed is a sophisticated, real-time approach to risk and compliance, from Know Your Customer due diligence to entity verification and ongoing monitoring.

That starts with creating visibility. Organisations need insights into ownership structures and links, historic ownership connections, and active ownership relationships, to gain a better view of corporate control structures. The processes of entity verification, supply chain risk management, and corporate transparency can now be automated and streamlined, providing risk, compliance, legal and procurement teams with real-time access to datasets that reveal interconnected risk insights that can be shared at an enterprise level.

This unified approach to risk management means organisations can assess more relationships rather than just the immediate counterparty. Corporate trees can help reveal ownership hierarchies across borders, highlighting indirect control relationships, circular ownership structures, and hidden dependencies that may otherwise remain buried.

Going further than compliance

This is first and foremost a regulatory issue, but it’s also an operational and reputational one. Failures in entity verification can expose businesses to fines and create strategic risks.

The consequences of a product ending up in a sanctioned market can be swift: blacklisting, contract suspensions, market access restrictions, and erosion of stakeholder trust. When the reputational cost of compliance failures outweighs legal penalties, firms cannot afford blind spots.

Those still relying on outdated verification models may find themselves exposed, whether through regulatory enforcement, reputational fallout, or operational disruption. The firms that thrive will be those who treat entity verification not as a back-office function, but as a core business capability, embedded across operations, powered by real-time data, and built for the complexities of today’s global supply chain.
