Article V: Chip Consolidation

Each Party shall ensure that within their jurisdiction, all covered chip clusters (CCCs), as defined in Article II (i.e., a set of chips with capacity greater than 16 H100-equivalents) [note that 16 H100s collectively cost around $500,000 in 2025 and these are rarely owned by individuals], are located in facilities declared to the ISIA, and that these AI chips are subject to monitoring by the ISIA.
1. Parties shall aim to avoid co-locating AI chips with non-ancillary non-AI computer hardware in these declared facilities.
2. These facilities shall be accessible to physical inspection. This may include, for instance, that verification teams can reach any CCC from at least one airport with scheduled international service within 12 hours.
3. Parties shall not house AI chips in so many different locations that it is infeasible for the ISIA to monitor all locations. If requested by the ISIA, Parties must further consolidate their AI chips into fewer monitored facilities.

Unmonitored AI chips that are not part of a CCC (i.e., that have capacity less than 16 H100‑equivalents) may remain outside of ISIA‑declared facilities, provided that such stockpiles are not aggregated or networked to meet the CCC definition, are not rotated among sites to defeat monitoring, and are not used for prohibited training. Parties will make reasonable efforts to monitor the sale and aggregation of AI chips to ensure that any newly created CCCs are detected and monitored.
Within 120 days of the Treaty entering into force, each Party shall locate, inventory, and consolidate all CCCs into facilities declared to the ISIA. Parties shall not disaggregate, conceal, or otherwise reassign chips to evade this requirement or to cause a set of chips which would have been classified as a CCC to no longer be classified as a CCC.
The ISIA shall monitor the domestic consolidation process, including through on‑site inspections, document and inventory verification, accompaniment of domestic authorities during transfers and inspection, and information sharing with Parties under Article X. The ISIA may require chain‑of‑custody records for transfers and may conduct challenge inspections as described in Article X. Parties shall provide timely access to relevant facilities, transport hubs, and records. Whistleblower protections and incentives under Article X apply to the consolidation process, and the ISIA shall maintain protected reporting channels.
Within 120 days of the Treaty entering into force, Parties shall submit to the ISIA a register of their CCCs. The register must include the location, type, quantity, serial or other unique identifiers where available, and associated interconnects of all AI chips in the CCCs. Each Party shall provide the ISIA with an updated and accurate register no later than every 90 days.
Parties shall provide the ISIA with advance notice of any planned transfer of AI chips, whether domestic or international, no less than 14 days before the planned transfer. No transfer shall proceed unless the ISIA is afforded the opportunity to observe the transfer. For international transfers, both the sending and receiving Parties shall coordinate with the ISIA on routing, custody, and receipt. Emergency transfers undertaken for safety or security reasons shall be notified as soon as practicable, with post‑facto verification.
Broken, defective, surplus, or otherwise decommissioned AI chips shall continue to be treated as functional chips, until the ISIA certifies they are destroyed. Parties shall not destroy AI chips without ISIA oversight. Destruction or rendering permanently inoperable shall be conducted under ISIA oversight using ISIA‑approved methods and recorded in a destruction certificate [the details will need to be explained in an Annex]. Salvage or resale of components from such hardware is prohibited unless expressly authorized by the ISIA.

Precedent

Declaring assets of concern is often a first step in restrictive treaties. Parties to the 1922 Washington Naval Treaty provided inventories of capital ships and their tonnage, and committed to notify each other when replacing these vessels. The 1991 START I treaty included a classified Agreement on Exchange of Coordinates and Site Diagrams (in Article VIII), outlining the sharing of data on the location of all declared strategic arms. Article V, Paragraph 3 of our draft agreement requires parties to locate, inventory, and consolidate covered chip clusters within 120 days.

Consolidating assets to facilitate verification of compliance is often another step in restrictive treaties. Article III of START I forbade ICBMs from being co-located with space-launch facilities, easing monitoring. Paragraph 1.a of our Article V commits parties “to avoid co-locating AI chips with non-ancillary non-AI hardware” for the same reason.

History demonstrates that consolidation also limits breakout potential, by making it easier to strike offending asset concentrations in the event of a crisis of confidence. In the 2016 JCPOA^* (also known as the Iran nuclear deal), Iran agreed to keep its operational uranium enrichment centrifuges at just two designated sites (Natanz and Fordow), both of which were struck in June 2025 operations by Israel and the United States. This motivates a note accompanying our Article V in which we suggest parties locate their covered chip clusters (CCCs) away from population centers.

Monitoring and inspections are common components of prior treaties in limited-trust contexts; we have consequently drafted provisions for this where appropriate, in Paragraphs 1, 4, 6, and 7 of this article. Some specific precedent for this:

Verification of START I included hundreds of on-site inspections in the first few years.
The CWC requires the declaration and inspection of all Chemical Weapons Production Facilities — there have been 97 declared — and the majority of these have been verifiably destroyed. (In requiring the declaration of existing facilities, these agreements also prohibit certain activities from occurring outside declared facilities, analogous to this article’s prohibition on unmonitored CCCs.)
Over 700 declared nuclear facilities around the world are monitored by the IAEA as part of the NPT.

Similar to Paragraph 3 of this article, numerous arms control agreements require that parties not interfere with each other’s NTM in the context of treaty verification. Examples include SALT I,^† ABM,^‡ INF,^§ and START I.

Precedent for parties restricting their domestic private sector industries to meet treaty commitments (as would need to be the case with AI) can be seen in U.S. legislation following its ratification of the CWC: The Chemical Weapons Convention Implementation Act of 1998 and Department of Commerce regulations ensured U.S. entities were in compliance. Similarly, the U.S. Congress amended the Clean Air Act following ratification of the Montreal Protocol to ban ozone-depleting substances.

Approaches to implementing chip centralization in the U.S. might run through the Fifth Amendment’s Takings Clause, in which the government can use its power of eminent domain to seize private property for public purposes, so long as it pays appropriate compensation.

Notes

Article V aims to centralize, into monitored facilities, all AI chip clusters (i.e., sets of interconnected chips above a small size) and the vast majority of AI chips. Monitoring itself is covered in Article VI, and prevention of proliferation is covered in Article VII.

Our draft specifies international verification of this centralization process so that all parties can confirm that all other parties have also centralized their chips. Verification of this type is likely to be straightforward for large AI datacenters, as intelligence agencies are likely to already know where these are. For smaller datacenters, the ISIA can provide oversight of domestic centralization processes as a confidence-building measure.

Chip centralization is an important first step to restricting the development of artificial superintelligence. Centralizing chips in declared facilities enables further monitoring for how these chips are being used, or verification that they are powered off (if they are not safe to use). Centralization would also make it easier for parties to destroy these chips, as might become necessary under Article XII, if a Party persists in violating the treaty.

We avoid recommending, in the treaty text, that CCCs be located away from population centers, despite their capacity for danger. We avoid this restriction both because (in the case of treaty violations) datacenters can likely be shut down without much collateral damage, and because modern datacenters are already regularly located near cities. That said, alternative treaties might prefer to proscribe treating AI datacenters as military facilities, given their potential to pose grave security threats.

Verifying Centralization

Most parties would not and should not blindly trust other parties to follow the rules, and would need some way to verify compliance. The centralization of AI chips into declared facilities makes it possible for ISIA inspections and monitoring to confirm the presence and activity of the chips.

Centralization might not be strictly necessary if there are other ways to monitor AI chips. Unfortunately, we think this is currently the only feasible option short of physically destroying all existing stockpiles of AI chips, given the limited security mechanisms in current chips today.

In the future, hardware-enabled governance mechanisms could be developed to enable remote governance of AI chips, so that chips don’t need to be centralized to declared locations. Aarne et al. (2024) provide estimates for the implementation time of some of these on-chip governance mechanisms. Their estimates cover the timeline to develop mechanisms that are robust against different adversaries. For concision, we will use their estimates for security in a covertly adversarial context where competent state actors may try to break the governance mechanisms but would face major consequences if caught. They estimate a development time of two to five years for ideal solutions, with less secure but potentially workable options available in just months.

Even though that report is over a year old, we are not aware of significant progress toward these mechanisms, and we think two to five additional years is the most relevant estimate from Aarne et al. Which is to say that, possibly, after a few years of research and development into chip security measures, it would be possible to confidently monitor chips without centralizing them, after some further lag time for new securely-monitorable chips to be produced, and/or for old chips to be retrofitted. Aarne et al. estimate that the first of these options might take four years, but we are optimistic that retrofitting could be done in one to two years if chips are already being tracked.

While centralization as discussed in Article V entails the physical concentration of covered chip clusters, it does not require that governments take ownership of chips. For large datacenters, the treaty permits the datacenter and its chips to remain where they are, under private ownership, so long as they receive monitoring and oversight from the domestic government and the ISIA. This monitoring would ensure that datacenters are engaged only in non-AI activities or permitted AI activities like running old models. For smaller chip aggregations, it may be necessary to physically move them into a larger datacenter, with their owner continuing to access the chips remotely; we do not consider this an overly onerous restriction given that it is already common in cloud computing arrangements.

Feasibility

It looks feasible to verifiably consolidate the majority of AI chips. The very largest AI datacenters, such as those with more than 100,000 H100-equivalents, are hard to hide. They are detectable from their physical footprint and power draw, and many of them are publicly reported on. In fact, it’s probably possible for intelligence services to track and locate datacenters as small as around 10,000 H100-equivalents. Locating smaller datacenters would involve domestic authorities using various powers in cooperation with ISIA inspectors.

States have a range of tools available for tracking down chips owned domestically. They can legally require reporting of all chip clusters larger than 16 H100s; they can use sales records and other financial information from chip distributors; they can interview technicians with expertise in datacenter construction; etc. If they suspect smuggling, obfuscation, or concealment of chips, they can employ law enforcement to investigate further. This process of domestic centralization would be overseen by ISIA inspectors to ensure thorough compliance.

Locating large datacenters could happen quickly, in days or weeks. Actually centralizing chips could take longer, as it might be necessary to build further datacenter capacity in the facilities that would become CCCs.

One significant challenge is providing justified confidence that one Party is not doing a secret AI project with non-declared AI chips. ISIA verification of domestic chip centralization provides some assurance, but it may not be sufficient if some country could purposefully undermine domestic centralization efforts. For further assurances against illegal AI projects, see the intelligence gathering and challenge inspections discussed in Article X.

On the Definition of CCCs

Our definition of CCC draws a line at 16 H100-equivalents. This threshold aims to meet a few criteria:

Monitoring chip clusters larger than 16 H100s works well with the training FLOP thresholds in Article IV. Training with 16 H100s (FP8 precision, 50 percent utilization — realistic but optimistic parameters) would take 7.3 days to get to 1e22 FLOP, and 2 years to get to 1e24 FLOP. Therefore, it would be feasible for people to use undeclared chips to reach the bottom threshold, but it would be somewhat impractical for them to get to the prohibited training threshold.
This threshold is plausibly sufficient for preventing the advancement of AI capabilities, when combined with bans on AI research in Article VIII. Article IV lays out training restrictions where large-scale training is prohibited and medium-scale training is allowed but subject to oversight. It is probably acceptable — that is, it probably poses minimal risk — to allow small-scale training, such as the amount that can be done on 16 H100s in a realistic time frame.
This threshold has limited impact on hobbyists and consumers. Very few individuals own more than 16 H100s. In mid-2025, a set of 16 H100 chips costs around $500,000. This isn’t a threshold one would accidentally cross by having a few old gaming consoles laying around.
Consolidating AI chips gets harder as the allowable quantity shrinks. Finding datacenters with 100,000 chips is easy; finding those with 10,000 is likely also relatively easy; with 1,000 it’s unclear; and below 100, it may start to become quite difficult. The 16 H100 threshold is likely to be challenging, and is picked partially due to the increasing infeasibility of still lower thresholds.
Despite potential enforcement challenges, it is possible that this definition would need to be revised and the threshold brought lower (e.g., 8 H100-equivalents). In our treaty, the ISIA would be tasked with assessing this definition and changing it as needed.

Other Considerations

This article calls for parties to avoid co-locating AI chips with non-ancillary non-AI chips. This is suggested because co-location might make verification of chip use (Article VII) more difficult. However, this is not strictly necessary, and it may not be desired. AI chips are currently often colocated with non-AI chips, and the inconvenience of changing this could outweigh the inconvenience of monitoring and verifying the AI chips in a datacenter that mixes AI chips with non-AI chips.

There is some risk that private citizens could construct an unmonitored CCC from “loose” H100-equivalent chips. To combat this, the treaty holds that parties shall make “reasonable effort” to monitor chip sales (in excess of 1 H100-equivalent) and detect the formation of new CCCs. More stringent measures could be taken, such as requiring all such chips and sales to be formally registered and tracked. Our draft does not go to that length, both because we do not expect all that many “loose” H100-equivalent chips to be unaccounted-for after all chips in CCCs are cataloged, and because other mechanisms (such as the whistleblower protections in Article X) help with the detection of newly-formed CCCs.

Rather than immediately requiring small clusters (e.g., 100 H100s) to be centralized, the treaty could instead implement a staged approach. For example: In the first 10 days all datacenters with more than 100,000 H100-equivalent chips must be centralized and declared, then in the next 30 days all datacenters with more than 10,000 H100-equivalent chips must be centralized and declared, etc. A tiered approach might better track international verification capacity as intelligence services ramp up their detection efforts.

One downside of a staged approach is that it might provide more opportunities for states to hide chips and establish secret datacenters. This approach nevertheless parallels how some previous international agreements have worked within the constraints of their verification and enforcement options. For instance, the 1963 Partial Test Ban Treaty did not ban underground testing of nuclear weapons, due to the difficulty in detecting such tests.

* The Joint Comprehensive Plan of Action was finalized in 2015 between the five permanent members of the United Nations Security Council, Germany, the European Union, and Iran. When it took effect in January of 2016, Iran gained sanctions relief and other provisions in exchange for accepting restrictions on its nuclear program.

† The Strategic Arms Limitation Talks (SALT) commenced in 1969 between the U.S. and USSR, producing the SALT I treaty, signed in 1972, which froze the number of strategic ballistic missile launchers and regulated the addition of new submarine-launched ballistic missiles, among other restrictions.

‡ The 1972 Anti-Ballistic Missile Treaty (ABM) grew out of the original SALT talks, and limited each party to two anti-ballistic complexes each (later, just one) with restrictions on their armament and tracking capabilities.

§ With the 1987 Intermediate-Range Nuclear Forces Treaty (INF), the U.S. and USSR agreed to ban most nuclear delivery systems with ranges in between those of battlefield and intercontinental systems. (Given the short warning time strikes from such systems would afford, they were seen more as destabilizing offensive systems than as defensive assets.)

Article VI: AI Chip Production Monitoring

→