Anthropic Moves to Close the Ant Group Loophole — and Rewrites the Rules of AI Access Control

Anthropic is actively shutting down the Singapore-entity workaround that let Chinese firms including Ant Group route around its China restrictions — and the enforcement campaign reveals that AI access control is now enforced infrastructure, not just policy.

The Permission Layer — Key Coordinates

Singapore

The grey-market routing node for mainland China Claude access, per FT reporting

3 Routes

Cloud providers, overseas subsidiaries, and corporate intranet tunnels — confirmed workaround channels

Claude Code

The specific Anthropic tool Ant Group employees accessed, per people familiar with the matter

July 2026

Anthropic moves to active enforcement — closing loopholes, not just writing policies

What Happened

The Financial Times reported this week that Anthropic is moving to shut down loopholes that have allowed Chinese companies to circumvent its strict restrictions on unauthorized use of its AI in China. According to people familiar with the matter cited by the FT, Chinese firms — including Ant Group, the fintech giant affiliated with Alibaba — accessed Anthropic tools such as Claude Code through a constellation of workarounds rather than direct, sanctioned channels.

The mechanism, as the FT reports it, was elegant in its simplicity: Ant provided employees with corporate Claude accounts that were accessed through the company’s intranet, itself connected to Ant’s Singapore-based entity. Singapore sits outside mainland China’s regulatory perimeter, making it a legally ambiguous but practically functional bridge. Cloud providers and other overseas subsidiaries served as additional conduits for different Chinese firms, according to the FT’s sources.

Anthropic’s response, per the FT’s reporting, is active enforcement — closing the gaps rather than simply tightening policy language. The company is reportedly working to identify and shut down the specific technical and corporate-structure pathways that have made these workarounds possible. The FT has not reported specific numbers on the scale of unauthorized usage, and Ant Group has not publicly confirmed the details.

The Arc: Permission Layer Enforcement Timeline

Earlier 2025–2026

Chinese developers begin routing Claude access through Singapore entities and cloud providers, establishing a grey market. Singapore emerges as the world’s top per-capita Claude node — a signal visible in token data before the corporate mechanism was confirmed.

Confirmed Mechanism

FT sources identify Ant Group’s specific route: corporate Claude accounts tunneled through the company intranet to its Singapore-registered entity, enabling mainland employees to access Claude Code. Cloud providers and overseas subsidiaries used by other Chinese firms.

July 2026 — Active Enforcement

Anthropic begins actively closing the loopholes, per the Financial Times. This marks a shift from policy-writing to infrastructure-level enforcement — the Permission Layer hardens into a technical barrier, not merely a contractual one.

What Comes Next

Cat-and-mouse escalation. Chinese developers are sophisticated; new routing architectures will emerge. The question is whether Anthropic’s enforcement capability can outpace adversarial corporate structuring — and whether US export-control frameworks will ultimately require it to.

The key insight: The Singapore routing story was always about corporate structure arbitrage, not technical hacking. Ant Group didn’t break Anthropic’s code — it used a Singapore subsidiary as a legal relay. That means Anthropic’s enforcement challenge isn’t a cybersecurity problem; it’s a know-your-customer and entity-verification problem at the account provisioning layer.

The Structural Read

The FT’s story looks like a compliance news item. It’s actually a milestone in the evolution of the Permission Layer — the tier of the AI stack where governments, regulators, and model builders decide which capabilities ship to which geographies and entities.

For most of the past two years, the Permission Layer operated on the honor system. Anthropic’s terms of service prohibited use in China. That prohibition was enforced at the contract level — a legal document, not a technical gate. The Singapore grey market exposed what happens when the legal gate is soft: sophisticated corporate actors route around it using the normal machinery of multinational business. A Singapore entity isn’t a fake company; it’s a real legal person with real contracts. Ant’s employees weren’t using VPNs to pirate access — they were using a company intranet connected to a legitimately registered overseas subsidiary.

Anthropic’s enforcement move signals that the company understands the distinction. Closing these loopholes requires something harder than updating a terms-of-service document — it requires building identity and entity verification into the provisioning infrastructure itself, flagging corporate accounts whose usage patterns or network origins suggest mainland China routing regardless of the registering entity’s domicile. That is genuinely difficult to do without creating friction for legitimate Singapore-based users.

Permission Layer — Business Engineer Framework

“Permission isn’t just policy — it’s enforced infrastructure. The moment a restriction lives only in a contract, it becomes an arbitrage opportunity for any company with a competent corporate lawyer and an overseas subsidiary. The Permission Layer only functions when it is technically, not merely legally, enforced.”

This also reframes what the EU’s AI sovereignty push means in practice. When Austria and EU member states position themselves as compliant hosting jurisdictions for models like Claude, they’re not just making a regulatory argument — they’re offering Anthropic a Permission Layer partner: a geography where enforcement infrastructure and legal jurisdiction align cleanly. The Singapore grey-market problem doesn’t exist in the same way when the hosting entity is a regulated European institution operating under AI Act obligations.

Three Implications

IMPLICATION 1 — KYC Becomes an AI Infrastructure Problem

Anthropic now has to build Know-Your-Customer capability into its developer platform — not just into its legal agreements. Every major frontier lab with China restrictions faces the same challenge. Expect entity-verification friction to increase across Claude, GPT-4o, and Gemini API onboarding, particularly for accounts provisioned by companies with any Asia-Pacific corporate presence. This is a product and infrastructure cost that accrues to every Western frontier lab simultaneously.

IMPLICATION 2 — Singapore’s Status as an AI Hub Gets Complicated

Singapore has actively courted AI investment and positioned itself as Southeast Asia’s neutral technology hub. The revelation — confirmed by FT sources — that Singapore entities served as the primary routing mechanism for Chinese firms accessing restricted Western AI tools puts that positioning under pressure. Anthropic’s enforcement will likely require Singapore-based entities to provide more rigorous end-user attestations. That’s a real compliance burden on legitimate Singapore-based AI developers, and it may accelerate conversations between Anthropic and the Singaporean government about formal access-control frameworks.

IMPLICATION 3 — This Is a Cat-and-Mouse Escalation, Not a Resolution

Ant Group is not the only Chinese company with overseas subsidiaries and sophisticated corporate treasury operations. Closing the Singapore-intranet route doesn’t close the category of attack — it raises the bar and shifts the search to the next viable relay jurisdiction. Japanese subsidiaries, UAE entities, and UK holding companies are all plausible next pivots. Anthropic’s enforcement campaign buys time and signals seriousness to US regulators; it does not permanently solve the problem. The Permission Layer requires ongoing investment, not a one-time patch.

Business Engineer Framework

The Permission Layer — Where AI Policy Becomes Infrastructure

The Anthropic–Ant Group story is a live case study in how the Permission Layer evolves from contractual language into enforced technical architecture. The Business Engineer Map of AI maps all nine layers of the AI stack — including the Permission Layer — and shows exactly where Anthropic, its enterprise customers, and geopolitical actors sit relative to each other. If you’re building or investing in AI infrastructure, understanding which layer you operate in determines your exposure to this kind of enforcement escalation.

Explore the Map of AI →

Where This Story Sits in the Larger Arc

This isn’t the first signal. The grey-market Claude token routing through Singapore was visible in access pattern data before the corporate mechanism was confirmed — we covered the structural dynamic in China’s grey-market Claude token economy and export controls. The EU angle — where Austria and other member states are actively building compliant hosting infrastructure for frontier models — represents the other end of the Permission Layer spectrum, covered here: Austria, the EU, and AI sovereignty hosting. And the access-control tension isn’t limited to China: Meta’s ban on Claude and Codex for engineers involved its own set of corporate usage restrictions — a reminder that the Permission Layer operates inside companies as well as between nations.

The Bottom Line

Anthropic’s enforcement campaign against the Ant Group Singapore loophole is the moment the Permission Layer stopped being a legal fiction and started being an engineering problem — and every frontier lab, every developer platform, and every enterprise AI buyer with a multinational footprint now has to reckon with the fact that access control in AI is as much a product decision as a policy one.


91,000+ executives read Business Engineer for the AI strategy frameworks cited by ChatGPT, Claude, and Perplexity.

Sources: ft.com

Scroll to Top

Discover more from FourWeekMBA

Subscribe now to keep reading and get access to the full archive.

Continue reading

FourWeekMBA