AI Vendor Compliance Risk Explained

Meta’s US$2 billion acquisition of AI agent startup Manus has become every enterprise CTO’s cross-border compliance risk lesson. China’s Ministry of Commerce announced on January 9 that it would assess whether the deal violated export controls, technology transfer rules, and overseas investment regulations, despite Manus relocating from Beijing to Singapore in 2025.

The investigation exposes an uncomfortable reality for enterprise AI buyers: your vendor’s corporate domicile tells you nothing about their regulatory exposure.

“The AI agent developed by Manus was definitely something that Chinese regulators could subject to export controls,” Dai Menghao, Shanghai-based partner at King & Wood Mallesons specialising in export controls and sanctions, told the South China Morning Post. The technology, not the corporate registration, determines jurisdiction.

When relocation doesn’t equal regulatory freedom

Manus appeared to check every box for regulatory independence. The company relocated its 105-person team from Beijing to Singapore in summer 2025, laid off 80 mainland employees, established operations in Singapore, Tokyo, and San Francisco, and secured US$75 million in US funding from Benchmark.

Meta insisted in December that “there will be no continuing Chinese ownership interests in Manus AI following the transaction, and Manus AI will discontinue its services and operations in China.”

Yet Ministry of Commerce spokesperson He Yadong made clear that corporate structure alone won’t determine compliance. “The Chinese government consistently supports enterprises in conducting mutually beneficial transnational operations and international technological cooperation in accordance with laws and regulations,” he said at a January 9 press briefing.

“But it should be noted that the external investment, technology exports, data exports and cross-border acquisitions by companies must comply with Chinese laws and regulations and go through due process.”

The investigation will examine when, how, and which technologies Manus transferred abroad from its China-based entities, according to Cui Fan, professor at the University of International Business and Economics and chief expert at the China Society for World Trade Organisation Studies.

If regulators determine that Manus should have obtained export licenses before transferring technology or talent, the company’s founders could face criminal charges under Chinese law.

The regulatory framework that enterprise buyers must understand

China updated its technology export control rules in 2020, expanding coverage to include certain algorithms – changes widely interpreted as giving Beijing stronger legal grounds to intervene in deals involving strategic technology.

The updates gained prominence after the US pressured ByteDance to divest TikTok’s US operations, prompting China to assert authority over outbound tech transfers. The framework covers three important areas that enterprise AI buyers should understand when evaluating vendor risk:

Export controls: Advanced AI agents, models, and related intellectual property qualify as strategic assets subject to licensing requirements. Beijing maintains jurisdiction over technology developed in China, regardless of where companies later incorporate.

Data security rules: Cross-border data transfers require regulatory approval, particularly for datasets used to train or fine-tune AI models. The location where training occurred matters more than where inference happens.

Overseas investment regulations: When Chinese nationals transfer technology assets abroad, even through legitimate corporate restructuring, authorities assess whether the transfer requires government clearance.

Wang Yiming, partner at Beijing Xinzheng law firm, estimates the Manus review could take up to six months – matching the timeline for similar technology transfer assessments. “This could become a high-profile test case for China’s equivalent of the Committee on Foreign Investment in the United States,” Winston Ma, adjunct professor at New York University School of Law who focuses on AI and the digital economy, told SCMP.

What this means for AI vendor due diligence

The Manus case exposes gaps in how enterprise buyers assess AI vendor regulatory risk. Standard procurement processes focus on data residency, service level agreements, and contractual liability.

Few evaluate whether their vendor’s technology development history creates ongoing compliance exposure in multiple jurisdictions.

Enterprise buyers should now ask AI service providers:

Technology origin questions:

• Where was the core AI model or agent developed?
• Which jurisdictions’ export control regimes might claim authority?
• Were any team members involved in the development of Chinese nationals?

Transfer compliance:

• If the company relocated, what regulatory approvals were obtained?
• Can the vendor demonstrate export license compliance for technology transfers?
• What contingency exists if regulators challenge past transfers?

Operational continuity:

• How would a regulatory investigation impact service delivery?
• What customer notification obligations exist during review periods?
• Does the vendor maintain insurance or reserves for regulatory risk?

“The most likely outcome I see is a lengthier approval process and potential conditions around how Manus technology developed in China can be used, rather than an outright block,” Nick Patience, AI lead at The Futurum Group, told CNBC. “But the threat of stricter action gives Beijing bargaining power in a high-profile, US-led acquisition.”

The precedent risk for enterprise AI strategy

The investigation matters beyond Meta’s specific deal. If Beijing determines it can effectively assert jurisdiction over Chinese-origin AI technology regardless of corporate restructuring, it establishes precedent for ongoing regulatory reach into enterprise AI supply chains.

Enterprise buyers using AI agents for market research, coding assistance, or data analysis – precisely what Manus offered before Meta’s acquisition – now face questions about provider stability during geopolitical disputes. The company reached US$100 million in annual recurring revenue in eight months of launch, demonstrating both rapid enterprise adoption and how quickly mission-important dependencies can form.

Winston Ma noted that smooth approval could “create a new path for young AI startups in China” – physical relocation paired with foreign acquisitions to bypass technology transfer restrictions.

Conversely, regulatory intervention signals that Beijing will pursue Chinese-origin AI companies even after they relocate, potentially closing what appeared to be an escape route for startups navigating US-China tensions.

For enterprise AI buyers, the lesson is about recognising that AI vendor compliance risk extends beyond contractual terms into murky jurisdictional questions about where and by whom technology was originally developed. That’s a due diligence requirement most procurement teams haven’t yet built the capacity to assess.

See also: Manus AI agent: breakthrough in China’s agentic AI

Want to learn more about AI and big data from industry leaders? Check out AI & Big Data Expo taking place in Amsterdam, California, and London. This comprehensive event is part of TechEx and co-located with other leading technology events. Click here for more information.

AI News is powered by TechForge Media. Explore other upcoming enterprise technology events and webinars here.