Skip to content
Longterm Wiki
Back

Department of Commerce's proposed rule

web
dwt.com·dwt.com/blogs/artificial-intelligence-law-advisor/2024/02...

Legal blog analysis of a U.S. regulatory proposal to require cloud providers to vet foreign AI compute customers, relevant to compute governance and efforts to limit unauthorized access to frontier AI training resources.

Metadata

Importance: 52/100blog postanalysis

Summary

The U.S. Department of Commerce proposed a rule requiring Infrastructure-as-a-Service (IaaS) providers to implement Know Your Customer (KYC) verification for foreign users accessing cloud computing resources above certain thresholds. The rule aims to prevent adversarial actors from using U.S. cloud infrastructure to train advanced AI models. This legal analysis covers the regulatory implications for cloud providers and the AI industry.

Key Points

  • Proposed rule mandates IaaS providers verify identities of foreign customers using cloud compute above defined thresholds to prevent misuse
  • Targets national security concerns around foreign adversaries using U.S. cloud infrastructure to train frontier AI models
  • Establishes compliance obligations for major cloud providers (AWS, Azure, GCP) similar to financial sector KYC requirements
  • Compute thresholds define which transactions trigger reporting/verification requirements, linking to broader AI governance frameworks
  • Legal analysis highlights implementation challenges, jurisdictional questions, and potential burden on cloud service providers

Cited by 2 pages

PageTypeQuality
Compute MonitoringApproach69.0
US Executive Order on Safe, Secure, and Trustworthy AIPolicy91.0

Cached Content Preview

HTTP 200Fetched Apr 9, 202613 KB
Commerce Department Proposes Cybersecurity/AI Reporting and "KYC" Requirements for Certain Cloud Providers | Davis Wright Tremaine 
 
 
 
 


 
 
 
 

 

 
 
 
 

 

 
 

 

 


 

 

 


 
 



 
 
 
 
 
 
 

 
 
 

 
 
 
 
 


 
 
 Skip to content 
 
 
 
 
 
 
 
 
 People
 
 
 
 
 Services
 
 
 
 
 Insights
 
 
 
 
 
 
 About
 
 
 
 
 Offices
 
 
 
 
 Careers
 
 
 
 
 
 
 Menu Search 
 
 Search 
 
 
 
 
 Perform Search 
 
 
 
 
 
 
 
 
 
 
 

 
 
 
 
 
 
 
Insights 
 
 
 Communications
 
 
 
 
 
 Commerce Department Proposes Cybersecurity/AI Reporting and "KYC" Requirements for Certain Cloud Providers 
 


 
 
 IaaS providers would need to verify foreign users' identities (aka "know your customer") and report certain AI model training activities under the proposed rules 
 
 
 

 By Robert Stankey , K.C. Halm , Michael T. Borgia , Andrew M. Lewis , and Assaf Ariely 
 
 
 02.14.24
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 Share 
 
 
 
 
 
 
 
 
 Print this page
 
 
 
 
 
 
 
 
 The U.S. Department of Commerce's ("Commerce") Bureau of Industry and Security ("BIS") has issued a proposed rule (the "Proposed Rule") that would impose significant diligence, reporting, and recordkeeping requirements on U.S. providers of Infrastructure as a Service (IaaS) and their foreign resellers. IaaS is generally considered to be a cloud computing model that provides users with remote access to servers, storage, networking, and virtualization. 

 The Proposed Rule would require U.S. IaaS providers to: 

 
 Implement and maintain a "Customer Identification Program" (CIP), which must include detailed know-your-customer (KYC) procedures for identifying and reporting foreign customers to Commerce; and 

 Report transactions involving foreign persons that "could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity."

 
 BIS has requested public comment on "all aspects of the proposed rule" and specifically has requested comments on various topics. Comments are due by April 29, 2024, and may be submitted via the Federal eRulemaking Portal . 

 The Proposed Rule implements mandates from two Executive Orders: E.O. 13984, "Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities ," ("E.O. 13984"), and E.O. 14110, "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence " ("E.O. 14110" or the "AI E.O."). The Proposed Rule also echoes a broader initiative by the Biden-Harris Administration to bring about "fundamental changes to the underlying dynamics of the digital ecosystem" as outlined in the Administration's National Cybersecurity Strategy ("NCS") released in Spring 2023 (for additional information on the NCS, see DWT's coverage here .). Among o

... (truncated, 13 KB total)
Resource ID: dc9c71640f5c01b3 | Stable ID: sid_KVBVzeNBYt