The Hormuz risk question has changed and compliance frameworks haven't caught up

The question everyone has been asking about the Strait of Hormuz is the wrong one.

Can vessels pass? For most of the past three months, the answer has technically been yes. But that binary framing — open or closed — is now the least useful way to think about Hormuz risk. And the organisations still building their assessments around it are already behind.

The 2026 Hormuz crisis has produced something more complex and more durable than a blockade. It has produced a passage environment where vessels may move but their movements cannot always be trusted, verified or defended. Where insurance coverage technically exists but its commercial terms may make transit economically irrational. Where sanctions exposure can begin before a payment is made or a contract is signed. And where the most important risk indicators are not what diplomatic channels are saying, but how vessels are actually behaving.

‍

What changed, and when

The contrast with the June 2025 Twelve-Day War is instructive. During that conflict, Iran did not close the Strait. Vessel crossings dipped briefly and rebounded quickly. The market absorbed it. Risk teams logged it as a volatility event and moved on.

The 2026 crisis is structurally different. After Operation Epic Fury — the US-led campaign against Iranian military and IRGC infrastructure that opened on 28 February — visible crossings fell from 147 the day before the campaign to 78 on Day 0, 33 on Day 1, 13 on Day 2 and just 6 by Day 3. Across the first twelve days, Kpler recorded 189 crossings. During the equivalent period of the June 2025 conflict, there had been 2,310. That is a decline of around 92%.

‍

‍

The disruption has since hardened rather than eased. On 12 April, a US-led naval cordon began enforcing tighter restrictions on Strait transit, opening a blockade phase that has redefined the operating environment. At the time of publishing, around 500 vessels remain trapped within the Middle East Gulf.

This is not a brief interruption. It is a structural shift in what Hormuz passage means — commercially, legally and operationally.

‍

The risk that travels with the voyage

Here is what that shift looks like in practice.

A vessel may be able to transit the Strait. But if its movement cannot be reliably observed, because GNSS spoofing has degraded or manipulated its positioning data, then its voyage record is compromised. Port-call verification fails. Exposure mapping breaks down. Voyage reconstruction becomes contested.

That matters because the downstream consequences do not stay at the waterway. They follow the cargo into sanctions screening. They appear in insurance claim disputes. They surface in charterparty arguments about whether a deviation was commercially justified or operationally necessary. They generate questions from banks and counterparties about what the vessel was actually doing and where.

The evidentiary burden has increased for every party in the chain. Risk and compliance teams are no longer only asking whether a vessel transited Hormuz. They are asking whether that transit can be documented, explained and defended — in real time, and after the fact.

Why "open" is no longer enough

The language of open and closed has always been a simplification. Chokepoints do not switch cleanly between states. But the 2026 crisis has made that simplification actively dangerous for risk professionals.

The Strait is not closed. But consider what characterises the vessels continuing to operate through it. More than half are aged 20 years or older. The majority are outside International Group P&I cover. Nearly half operate without IACS classification. More than a quarter have unidentifiable ISM manager information. Sanctioned vessels, shadow fleet traffic and lower-risk commercial tonnage are increasingly moving through the same corridors, often via the same routing patterns.

In that environment, "open" tells you almost nothing. The relevant questions are who is crossing, when they are crossing, under what risk profile, and whether that profile creates exposure for the parties connected to the voyage — owner, charterer, insurer, bank, cargo counterparty.

‍

The compliance framework problem

Most maritime risk and compliance processes were not built for this environment. They were built for a world where:

• Physical access to a waterway is the primary risk variable
• AIS data is broadly reliable as a record of vessel movement
• The TSS provides a clear behavioural benchmark
• Insurance availability is a reasonable proxy for insurability
• Sanctions risk begins when a sanctioned party receives payment

None of those assumptions hold consistently in Hormuz right now.

Kpler data shows that GNSS spoofing at scale means AIS records can reflect manipulated positions, peaking at over 3,000 vessels affected in a single day in early March. The IMO Traffic Separation Scheme has become a theoretical reference point: between 1 March and 19 May, only 6.4% of observed vessel crossings used the IMO-designated route. And sanctions risk under the OFAC 1 May 2026 advisory can crystallise at the point of coordination with Iranian authorities — sharing ship details, requesting clearance, accepting an escort — not just when payment is made.

Compliance frameworks that check the list of sanctioned parties, confirm insurance coverage and verify AIS continuity are doing the minimum. In the current Hormuz environment, the minimum is not enough.

‍

What forward-looking risk assessment looks like

The organisations managing Hormuz exposure most effectively right now have shifted from reactive incident monitoring to forward-looking passage assessment. That means treating vessel behaviour as the primary signal, not political or diplomatic announcements.

The most reliable early-warning indicators are operational. Are vessels waiting longer than expected before entering the Strait? Are they moving outside expected lanes? Are there AIS or GNSS anomalies in their recent history? Are they clustering around what appear to be escort windows? Are they changing behaviour near the Strait ahead of any official announcement of restrictions?

These signals are available in AIS data. They are visible before incidents happen, before official notifications are issued, and before the commercial consequences are locked in. But they require the analytical infrastructure to detect and interpret them, and the compliance process to act on them.

That is the gap the 2026 crisis has exposed. Not a gap in vessel tracking technology, but a gap between the data that is available and the frameworks organisations have built to use it.