Compute Passports and Model Weight Controls: The Policy Battle That Will Decide Who Trains Frontier AI

The chip export control strategy has a fundamental weakness: once a model is trained, the weights — the billions of numerical parameters that encode the model's intelligence — can be stored on a hard drive, emailed, and deployed anywhere in the world.

DeepSeek V3 weights are on HuggingFace. Anyone, anywhere, can download them. Nvidia export controls do not apply to software.

This gap has driven a new policy debate in Washington, Brussels, and London: should frontier AI model weights be regulated like weapons? And should the right to train frontier AI models require a government-issued "compute passport" or licence?

These proposals are controversial, technically complex, and have major implications for every developer building with or on top of frontier AI models. Here is the current state of the debate.

What Are Model Weights and Why Do They Matter?

A trained AI model is, technically, a large array of floating-point numbers — the weights — plus the software to run inference. GPT-4 has an estimated 1.8 trillion parameters. Claude 3.5 Sonnet has hundreds of billions. Each parameter is a number, typically stored in 16-bit floating point format.

The entire trained GPT-4 model would take approximately 3.6 terabytes to store in FP16 format — roughly the storage capacity of a modern laptop. It could fit on a consumer external SSD that costs $150.

The training run that produced GPT-4 cost an estimated $100 million in compute and took months. The resulting model — the weights — can be copied in minutes.

This asymmetry is why weight controls are under discussion. If you control chips, you slow the training of new models. But you do not affect the deployment of already-trained models. And with open-weight model releases from Meta (Llama 3/4), DeepSeek, Mistral, and others, a growing number of frontier-capable models are publicly available regardless of chip access.

The "Compute Passport" Proposal

The compute passport concept originated in UK AI safety policy circles (specifically from researchers affiliated with the Centre for the Governance of AI and the UK AI Safety Institute) and was picked up by US policy researchers at RAND and Georgetown's CSET.

The core idea: training runs above a compute threshold (typically set at 10^26 FLOP — roughly 10x the compute used for GPT-4) would require pre-registration with a national authority. The registration would include:

• Identity verification of the organisation conducting the training
• Stated purpose and application domain
• Safety testing commitments
• Notification to relevant national security agencies

The threshold is designed to capture only frontier-scale training runs — the training runs that produce genuinely new capability at the frontier — while leaving smaller fine-tuning, research runs, and open-source development unaffected.

Proponents argue this provides visibility without control: governments would know who is training what, enabling oversight without preventing the training itself.

The Model Weight Export Control Proposal

A separate, more aggressive proposal would treat model weights above a capability threshold (to be defined by technical criteria such as benchmark performance on specific tasks) as controlled goods — similar to how encryption software was controlled under the EAR until the late 1990s.

Under this proposal:

• Training a model above the capability threshold would require an export licence to share weights internationally
• Open-weight releases of models above the threshold would require government review
• Downloading model weights from foreign sources above the threshold could require import licence

The capability threshold is the critical and contested variable. Defining what "dangerous" capability means for AI is harder than defining performance parameters for weapons systems. A model might be capable of accelerating biological weapons design and also capable of accelerating drug discovery — the same capability, different application.

Who Is Pushing These Proposals and Who Opposes Them

Supporters of weight controls / compute passports:

• National security community in the US (NSA, certain DoD offices, Congressional AI caucus members)
• UK AI Safety Institute (which has advocated for international coordination on frontier AI governance)
• Some academic AI safety researchers (Stuart Russell, Paul Christiano and affiliated researchers)
• Certain EU policymakers who see weight controls as complementing the AI Act's systemic risk provisions

Opponents:

• Open-source AI community (Meta, Mistral, EleutherAI, Hugging Face): argue that weight controls would cede the open-source AI ecosystem to closed US providers and to Chinese developers who would not comply with US restrictions
• Civil liberties organisations: argue compute passports are surveillance infrastructure for AI development
• AI researchers: argue that capability thresholds are technically impossible to define coherently
• Economic arguments: weight controls would disadvantage US AI companies in global markets where foreign competitors operate without equivalent restrictions

The Open vs Closed AI Model Question

The weight control debate crystallises a fundamental tension in AI policy: open-weight model releases have massively democratised access to frontier AI capability. They have also made it impossible to restrict access to that capability once a model is released.

Meta's Llama 3 (405B parameter version) is more capable than GPT-4 on many benchmarks and is freely downloadable. DeepSeek V3 (685B parameter model, MoE architecture) is more capable than older closed models and is freely downloadable. Once these models exist and their weights are public, no subsequent export control can put them back in the bottle.

The policy question this creates: do governments impose weight controls pre-release (requiring approval before any open-weight release), or accept that the open-weight ecosystem is ungovernable and focus controls only on future frontier training?

Pre-release controls would effectively end open-weight releases of frontier models, concentrating AI capability in a small number of licensed commercial providers. This would significantly change the developer ecosystem — no more fine-tuning on open weights, no more running models locally, no more Hugging Face ecosystem for frontier-class models.

The Current Status (March 2026)

No country has implemented weight controls or compute passport requirements as of March 2026. The EU AI Act's GPAI provisions (requiring documentation and copyright compliance for foundation models) are the closest to regulatory framework for frontier models, but they do not restrict who can train or release models.

The Biden administration's October 2023 AI Executive Order included a reporting requirement for large training runs (the "dual-use foundation model" reporting requirement to the Department of Commerce). The Trump administration's January 2025 executive order rescinded this requirement.

The current US position is de-regulation of AI development domestically, combined with increasing restriction on chip and equipment exports to strategic competitors. This is an internally consistent strategy — accelerate US AI development while restricting foreign access to the inputs.

The UK AI Safety Institute is actively developing technical standards for evaluating frontier model capability that could underpin a future compute passport regime. Work is at the research stage.

What Developers Need to Know

There are no current weight restrictions on frontier models. You can download DeepSeek V3, Llama 3 405B, Mistral Large, and other frontier-class models freely. This will likely remain true in 2026.

Monitor EU GPAI enforcement. The EU AI Act's requirements for systemic risk GPAI models (adversarial testing, incident reporting, transparency) are the most likely path to de facto weight controls in the near term — not through explicit restriction but through compliance costs that limit who can afford to release open-weight frontier models.

Understand the geopolitical sensitivity of model provenance. Using DeepSeek models (Chinese origin) in government, defence, or critical infrastructure applications is increasingly subject to scrutiny. Several US states have banned DeepSeek from government devices. Compliance teams should assess model provenance as part of AI system governance.

The open-weight ecosystem faces existential policy pressure. If geopolitical AI competition intensifies to the point where weight controls become politically viable, the developer ecosystem built on Llama, Mistral, and DeepSeek open weights would be fundamentally disrupted. Maintain awareness of this tail risk in architectural decisions.