The Passport, Not the Owner: How a Blacklisted Firm Becomes a Legal Customer
The whole story turns on a single technical distinction that most people assume works the other way around. US export controls, as they stand, police two things: named places and named entities. Mainland China is a restricted destination; Singapore is not [1]. What the rules do not police is corporate ownership - the question of who ultimately controls the customer sitting on the other end of the API call.
That gap is exactly wide enough to drive a subsidiary through. Alibaba, Baidu, and Tencent are all on the Pentagon's 1260H list, the roster of companies Washington accuses of ties to the Chinese military [3]. But their AI services were bought not by the Beijing parent - they were bought by Singapore-registered affiliates. Same corporate family, different passport. Because the account resolves to Singapore rather than mainland China, it clears the controls automatically. OpenAI and Google both confirmed the arrangement, and neither had to break a rule to enter it [2].
The current regime does block direct access to a handful of frontier models from inside China, but it stops well short of a blanket ban on Chinese-headquartered firms - even the ones on the 1260H list - using cutting-edge AI software [1]. Google, for its part, has effectively conceded the limit out loud, acknowledging that geographic borders carry limited enforcement value when the customer's true center of gravity is elsewhere [2]. That admission is the tell: the enforcers know the map they are drawing lines on is not the map the money moves on.


