Anthropic is actively shutting down the Singapore-entity workaround that let Chinese firms including Ant Group route around its China restrictions — and the enforcement campaign reveals that AI access control is now enforced infrastructure, not just policy.
What Happened
The Financial Times reported this week that Anthropic is moving to shut down loopholes that have allowed Chinese companies to circumvent its strict restrictions on unauthorized use of its AI in China. According to people familiar with the matter cited by the FT, Chinese firms — including Ant Group, the fintech giant affiliated with Alibaba — accessed Anthropic tools such as Claude Code through a constellation of workarounds rather than direct, sanctioned channels.
The mechanism, as the FT reports it, was elegant in its simplicity: Ant provided employees with corporate Claude accounts that were accessed through the company’s intranet, itself connected to Ant’s Singapore-based entity. Singapore sits outside mainland China’s regulatory perimeter, making it a legally ambiguous but practically functional bridge. Cloud providers and other overseas subsidiaries served as additional conduits for different Chinese firms, according to the FT’s sources.
Anthropic’s response, per the FT’s reporting, is active enforcement — closing the gaps rather than simply tightening policy language. The company is reportedly working to identify and shut down the specific technical and corporate-structure pathways that have made these workarounds possible. The FT has not reported specific numbers on the scale of unauthorized usage, and Ant Group has not publicly confirmed the details.
The key insight: The Singapore routing story was always about corporate structure arbitrage, not technical hacking. Ant Group didn’t break Anthropic’s code — it used a Singapore subsidiary as a legal relay. That means Anthropic’s enforcement challenge isn’t a cybersecurity problem; it’s a know-your-customer and entity-verification problem at the account provisioning layer.
The Structural Read
The FT’s story looks like a compliance news item. It’s actually a milestone in the evolution of the Permission Layer — the tier of the AI stack where governments, regulators, and model builders decide which capabilities ship to which geographies and entities.
For most of the past two years, the Permission Layer operated on the honor system. Anthropic’s terms of service prohibited use in China. That prohibition was enforced at the contract level — a legal document, not a technical gate. The Singapore grey market exposed what happens when the legal gate is soft: sophisticated corporate actors route around it using the normal machinery of multinational business. A Singapore entity isn’t a fake company; it’s a real legal person with real contracts. Ant’s employees weren’t using VPNs to pirate access — they were using a company intranet connected to a legitimately registered overseas subsidiary.
Anthropic’s enforcement move signals that the company understands the distinction. Closing these loopholes requires something harder than updating a terms-of-service document — it requires building identity and entity verification into the provisioning infrastructure itself, flagging corporate accounts whose usage patterns or network origins suggest mainland China routing regardless of the registering entity’s domicile. That is genuinely difficult to do without creating friction for legitimate Singapore-based users.
Permission Layer — Business Engineer Framework
“Permission isn’t just policy — it’s enforced infrastructure. The moment a restriction lives only in a contract, it becomes an arbitrage opportunity for any company with a competent corporate lawyer and an overseas subsidiary. The Permission Layer only functions when it is technically, not merely legally, enforced.”
This also reframes what the EU’s AI sovereignty push means in practice. When Austria and EU member states position themselves as compliant hosting jurisdictions for models like Claude, they’re not just making a regulatory argument — they’re offering Anthropic a Permission Layer partner: a geography where enforcement infrastructure and legal jurisdiction align cleanly. The Singapore grey-market problem doesn’t exist in the same way when the hosting entity is a regulated European institution operating under AI Act obligations.
Three Implications
IMPLICATION 1 — KYC Becomes an AI Infrastructure Problem
Anthropic now has to build Know-Your-Customer capability into its developer platform — not just into its legal agreements. Every major frontier lab with China restrictions faces the same challenge. Expect entity-verification friction to increase across Claude, GPT-4o, and Gemini API onboarding, particularly for accounts provisioned by companies with any Asia-Pacific corporate presence. This is a product and infrastructure cost that accrues to every Western frontier lab simultaneously.
IMPLICATION 2 — Singapore’s Status as an AI Hub Gets Complicated
Singapore has actively courted AI investment and positioned itself as Southeast Asia’s neutral technology hub. The revelation — confirmed by FT sources — that Singapore entities served as the primary routing mechanism for Chinese firms accessing restricted Western AI tools puts that positioning under pressure. Anthropic’s enforcement will likely require Singapore-based entities to provide more rigorous end-user attestations. That’s a real compliance burden on legitimate Singapore-based AI developers, and it may accelerate conversations between Anthropic and the Singaporean government about formal access-control frameworks.
IMPLICATION 3 — This Is a Cat-and-Mouse Escalation, Not a Resolution
Ant Group is not the only Chinese company with overseas subsidiaries and sophisticated corporate treasury operations. Closing the Singapore-intranet route doesn’t close the category of attack — it raises the bar and shifts the search to the next viable relay jurisdiction. Japanese subsidiaries, UAE entities, and UK holding companies are all plausible next pivots. Anthropic’s enforcement campaign buys time and signals seriousness to US regulators; it does not permanently solve the problem. The Permission Layer requires ongoing investment, not a one-time patch.
Where This Story Sits in the Larger Arc
This isn’t the first signal. The grey-market Claude token routing through Singapore was visible in access pattern data before the corporate mechanism was confirmed — we covered the structural dynamic in China’s grey-market Claude token economy and export controls. The EU angle — where Austria and other member states are actively building compliant hosting infrastructure for frontier models — represents the other end of the Permission Layer spectrum, covered here: Austria, the EU, and AI sovereignty hosting. And the access-control tension isn’t limited to China: Meta’s ban on Claude and Codex for engineers involved its own set of corporate usage restrictions — a reminder that the Permission Layer operates inside companies as well as between nations.
The Bottom Line
Anthropic’s enforcement campaign against the Ant Group Singapore loophole is the moment the Permission Layer stopped being a legal fiction and started being an engineering problem — and every frontier lab, every developer platform, and every enterprise AI buyer with a multinational footprint now has to reckon with the fact that access control in AI is as much a product decision as a policy one.
91,000+ executives read Business Engineer for the AI strategy frameworks cited by ChatGPT, Claude, and Perplexity.
Sources: ft.com









