AI Export Controls · Policy Explainer · Jun 27, 2026, 6:45 PM · 5 min read

US Congress Introduces Bipartisan Bill to Close Cloud Computing Loophole in AI Chip Export Controls

A new bipartisan proposal aims to prevent foreign entities from bypassing US hardware restrictions by renting advanced AI computing power through American cloud providers. The legislation would require cloud companies to verify foreign customers and restrict access for training large-scale artificial intelligence models.

By Factlen Editorial Team

National Security Advocates 40% · Cloud Industry Representatives 40% · Chinese Tech Sector 20%
National Security Advocates
Argue that hardware export bans are ineffective if adversaries can simply rent the same computing power from US data centers.
Cloud Industry Representatives
Warn that strict monitoring rules violate data privacy and will drive global customers to foreign cloud competitors.
Chinese Tech Sector
Views the legislation as an aggressive containment strategy, accelerating their push for total domestic silicon independence.

What's not represented

  • European Cloud Providers
  • Open-Source AI Developers

Why this matters

If passed, this legislation would fundamentally alter how global cloud providers operate, forcing companies like Amazon, Microsoft, and Google to implement strict 'know your customer' protocols for computing power and potentially reshaping the global AI development race.

Key points

  • A new bipartisan bill aims to close the 'cloud loophole' that allows foreign entities to bypass US AI chip export controls.
  • The legislation would force US cloud providers like AWS, Azure, and Google Cloud to implement 'Know Your Customer' verification.
  • The rules target massive AI training runs exceeding 10^26 FLOPs, exempting routine cloud computing tasks.
  • The cloud industry warns the rules could violate enterprise privacy and drive international clients to foreign competitors.

  • $30,000+: Estimated cost of a single restricted Nvidia H100 GPU
  • $2–$4/hour: Typical cost to rent equivalent GPU compute in the cloud
  • 10^26 FLOPs: Proposed computing threshold that triggers reporting requirements

US lawmakers have introduced a sweeping bipartisan bill designed to close a significant loophole in Washington’s technology containment strategy: the ability of foreign entities to rent advanced artificial intelligence computing power through American cloud providers. The proposed legislation, introduced Thursday, marks the most aggressive attempt yet to extend physical hardware export controls into the digital realm of Infrastructure-as-a-Service (IaaS). If passed, the bill would mandate that US-based cloud companies implement rigorous tracking and verification protocols for foreign clients training large-scale AI models.[1][2]

The legislation addresses a structural gap in the Commerce Department’s existing export control regime. Since October 2022, the US has strictly limited the sale of cutting-edge semiconductors—such as Nvidia’s H100 and AMD’s MI300X—to China and other nations deemed national security risks. However, those restrictions only apply to the physical transfer of hardware. A Chinese technology firm or research institute cannot legally purchase a server rack of restricted GPUs, but they can legally log into Amazon Web Services, Microsoft Azure, or Google Cloud and rent the exact same computing power by the hour.[3][6]

This dynamic has created what national security analysts call the "cloud compute loophole." Advanced AI development does not require physical possession of silicon; it only requires access to the processing power that silicon generates. By spinning up virtual machines hosted in US or allied data centers, foreign developers can train frontier AI models without ever importing a single restricted microchip. The new bipartisan bill aims to sever this digital supply chain by placing the compliance burden directly on the cloud providers themselves.[4][6]

How foreign entities bypass hardware export bans by renting Infrastructure-as-a-Service (IaaS).

At the heart of the proposed legislation is a "Know Your Customer" (KYC) mandate, a regulatory framework borrowed from the banking and financial sectors. Under the bill's provisions, US cloud providers would be required to verify the identity, location, and ultimate beneficial ownership of any foreign entity renting compute resources. Furthermore, providers would have to actively monitor and report instances where foreign clients are utilizing massive clusters of computing power to train dual-use foundation models that could have military or cyber-warfare applications.[3][7]

The threshold for what constitutes a "dual-use foundation model" aligns with previous executive orders, targeting training runs that exceed 10^26 floating-point operations (FLOPs). This astronomically high benchmark ensures that routine cloud computing tasks—such as hosting websites, running enterprise software, or training small-scale machine learning models—remain unaffected. The focus is strictly on the massive, resource-intensive training runs required to build systems comparable to OpenAI’s GPT-4 or Anthropic’s Claude 3, which require thousands of advanced GPUs running in tandem for months.[6][7]

Implementing KYC in the cloud, however, presents profound technical and privacy challenges. Unlike a bank tracking a wire transfer, a cloud provider tracking compute usage must navigate the complex layers of modern software infrastructure. Cloud companies argue that peering into a customer's virtual machine to determine exactly what kind of AI model they are training fundamentally violates data privacy and enterprise security agreements. The industry has historically operated on a "shared responsibility" model, where the provider secures the infrastructure, but the customer's data and workloads remain opaque and encrypted.[4]

Representatives from the US cloud industry have expressed deep reservations about the feasibility of the mandate. Beyond the technical hurdles of monitoring encrypted workloads, industry lobbyists warn that overly stringent KYC rules could severely damage the global competitiveness of American cloud giants. If foreign companies—even those in allied nations—fear that US cloud providers are monitoring their proprietary AI development, they may migrate their workloads to European, Middle Eastern, or domestic cloud alternatives that offer greater privacy guarantees.[2][4]

US cloud providers argue that monitoring customer workloads for AI training violates enterprise privacy agreements.

The geopolitical stakes of this migration are significant. The Middle East, particularly the United Arab Emirates and Saudi Arabia, has been aggressively investing in sovereign AI infrastructure, purchasing tens of thousands of advanced GPUs to build independent cloud hubs. If the US locks down its domestic cloud ecosystem too tightly, it risks accelerating the growth of these alternative compute hubs, potentially pushing global AI development outside the jurisdictional reach of US regulators entirely.[2][6]

From the perspective of Beijing, the proposed legislation is viewed as another escalation in Washington's broader technology containment strategy. Chinese state media and technology analysts have characterized the move as an attempt to stifle China's legitimate scientific and economic development. In response to the looming threat of cloud restrictions, Chinese technology giants like Alibaba, Tencent, and Baidu have been accelerating their investments in domestic cloud infrastructure and indigenous AI chips, such as Huawei's Ascend series, to insulate themselves from US policy shifts.[5]

Enforcement of the cloud loophole closure also faces the persistent challenge of shell companies and proxy networks. In the digital realm, masking one's true identity and location is relatively trivial. A Chinese entity could theoretically establish a shell company in Singapore or the European Union, use a virtual private network (VPN) to obscure its origin, and rent US cloud compute through that proxy. Security researchers note that while KYC rules raise the barrier to entry, determined state-backed actors will likely find ways to obfuscate their digital footprints.[3][6]

The economics of AI development have shifted heavily toward cloud-based rental models.

Despite these enforcement challenges, national security advocates argue that the legislation is a necessary step. They contend that export controls are not meant to be airtight blockades, but rather friction-inducing mechanisms designed to slow down adversaries and increase the cost of their AI development. By forcing foreign entities to rely on slower domestic chips or navigate complex proxy networks to access US cloud compute, the US can maintain its relative lead in the global AI race.[1][6]

The bill now heads to committee for markup, where it is expected to face intense lobbying from the technology sector. Lawmakers will have to carefully thread the needle between protecting national security and preserving the dominance of the US cloud computing industry. As artificial intelligence continues to blur the lines between commercial software and strategic military assets, the debate over how to regulate the digital ether of cloud computing is only just beginning.[1][3][7]

How we got here

  1. Oct 2022

    The US Commerce Department implements sweeping export controls on advanced AI semiconductors to China.

  2. Oct 2023

    Export controls are tightened to include more chips, but cloud computing access remains unrestricted.

  3. Jan 2024

    The Commerce Department proposes initial rules requiring cloud providers to track foreign AI developers.

  4. Jun 2026

    Lawmakers introduce a bipartisan bill to codify and enforce strict cloud computing export controls.

Viewpoints in depth

National Security Advocates

Argue that hardware export bans are ineffective if adversaries can simply rent the same computing power from US data centers.

Defense analysts and foreign policy hawks argue that the current export control regime is fundamentally flawed because it treats physical hardware and digital compute as separate entities. They point out that modern AI development is entirely cloud-native; an adversary does not need to own a server farm to train a cyber-warfare model, they only need a credit card and an internet connection. By implementing KYC rules, advocates believe the US can introduce necessary friction, forcing foreign actors to rely on slower, less efficient domestic hardware rather than leveraging America's state-of-the-art data centers.

US Cloud Providers

Warn that strict monitoring rules violate data privacy and will drive global customers to foreign cloud competitors.

The technology sector views the proposed legislation as a fundamental misunderstanding of how cloud infrastructure operates. Providers argue that peering into a customer's virtual machine to determine if they are training a 10^26 FLOP AI model violates the core tenets of enterprise data encryption and privacy. Furthermore, industry lobbyists warn of severe economic blowback: if international clients—even those in allied nations—believe US cloud providers are acting as surveillance arms of the US government, they will migrate their lucrative workloads to emerging sovereign cloud hubs in Europe or the Middle East.

Chinese Tech Sector

Views the legislation as an aggressive containment strategy, accelerating their push for total domestic silicon independence.

Within China, the move to close the cloud loophole is seen as inevitable, confirming Beijing's long-held belief that reliance on Western technology infrastructure is a critical vulnerability. Rather than capitulating, Chinese technology giants and state-backed research institutes are using the threat of cloud restrictions to justify massive investments in indigenous AI ecosystems. By accelerating the development of domestic chips like Huawei's Ascend series and building out local cloud infrastructure, China aims to completely decouple its AI development pipeline from US jurisdictional reach.

What we don't know

  • How cloud providers will technically monitor encrypted workloads to determine if an AI model exceeds the 10^26 FLOP threshold without violating privacy agreements.
  • Whether foreign entities will successfully use shell companies and VPNs to bypass the proposed 'Know Your Customer' verifications.
  • If the legislation will inadvertently accelerate the growth of rival cloud computing hubs in the Middle East and Europe.

Key terms

Infrastructure-as-a-Service (IaaS)
A cloud computing model where providers offer virtualized computing resources over the internet, allowing users to rent servers rather than buying physical hardware.
Know Your Customer (KYC)
A set of standards used in the financial industry to verify the identity of clients, now being proposed for the cloud computing sector to track who is renting AI servers.
FLOPs (Floating-Point Operations)
A measure of computer performance. The US government uses a threshold of 10^26 FLOPs to define massive, dual-use AI models that require regulatory oversight.
Dual-Use Technology
Technology that can be used for both peaceful commercial purposes and military applications.

Frequently asked

What exactly is the cloud compute loophole?

It is the ability of foreign companies to rent access to advanced AI chips (like Nvidia H100s) through US cloud providers, bypassing laws that prevent them from physically buying and importing those same chips.

Will this affect regular cloud users or small businesses?

No. The bill targets massive computing thresholds (10^26 FLOPs) used exclusively for training frontier AI models, leaving routine web hosting and standard enterprise software unaffected.

How will cloud providers enforce this?

The bill proposes 'Know Your Customer' (KYC) rules, requiring cloud companies to verify the identity and location of foreign users, though the industry argues this is technically difficult to do without violating data privacy.

Sources

Source coverage

7 outlets

3 viewpoints surfaced

  1. [1] Reuters (National Security Advocates): US lawmakers introduce bill to block China from accessing AI via cloud
  2. [2] Bloomberg (Cloud Industry Representatives): Congress Targets Cloud Loophole in Latest AI Export Control Push
  3. [3] The Wall Street Journal (Cloud Industry Representatives): Bipartisan Bill Would Require 'Know Your Customer' Rules for Cloud Providers
  4. [4] TechCrunch (Cloud Industry Representatives): What the new cloud computing export control bill means for AWS and Azure
  5. [5] South China Morning Post (Chinese Tech Sector): US moves to cut off Chinese access to American cloud computing for AI
  6. [6] Center for Strategic and International Studies (National Security Advocates): Closing the Cloud Compute Loophole in US Export Controls
  7. [7] Congress.gov (National Security Advocates): H.R. 8842 - Cloud Computing National Security Act of 2026