Branchoria AI Doom AI Doom

Clear, balanced answers on advanced AI, loss of control and existential risk.

Within Cloud Oversight

Should AI clouds know their customers?

AI compute KYC would make cloud providers verify who is buying major AI infrastructure and report high-risk training activity.

On this page

  • What AI compute KYC would require
  • How reporting thresholds could trigger oversight
  • Why identity checks raise privacy and confidentiality concerns
Preview for Should AI clouds know their customers?

Introduction

Know Your Customer (KYC) rules for AI compute are a proposal to require major cloud providers to verify who is using large amounts of computing power and to report especially significant AI training activity to regulators. The idea is borrowed from banking, where financial institutions must identify customers to help prevent money laundering and other illicit activity.

Compute KYC illustration 1 Within debates about AI doom and existential risk, compute KYC is attractive because frontier AI development is unusually dependent on large-scale computing infrastructure. If governments are worried that a highly capable and potentially dangerous AI system could be developed without oversight, cloud providers may be one of the few places where such activity can be observed. Supporters argue that identity verification and reporting requirements could make advanced AI development more visible. Critics argue that the approach may be intrusive, difficult to implement globally, and only partially effective against determined actors. [governance.ai]governance.aiw-Your-Customer (KYC) schemes…

What AI compute KYC would require

Most proposals do not envision cloud providers inspecting every computation or monitoring ordinary users. Instead, KYC obligations would apply primarily to customers undertaking unusually large AI projects.

A typical compute KYC regime would require cloud providers to:

  • Verify the identity of customers renting substantial AI infrastructure.
  • Identify the beneficial owners of companies purchasing large quantities of compute.
  • Maintain records of high-end compute usage.
  • Monitor whether activity exceeds defined regulatory thresholds.
  • Report specified high-risk activities to government authorities.
  • Retain information that would allow later investigation if a serious incident occurred. [cdn.governance.ai]cdn.governance.aiOversight for Frontier AI through a Know-Your-CustomerOctober 23, 2023 — by J Egan · 2023 · Cited by 19 — with compute providers, KYC requirements for advanced AI cloud compute might include…Published: October 23, 2023

Researchers who have developed detailed proposals often compare the system to anti-money-laundering controls in finance. The goal is not to judge every customer individually but to ensure that regulators can connect major AI development efforts to identifiable organisations and responsible individuals. [governance.ai]governance.aiw-Your-Customer (KYC) schemes…

One frequently discussed motivation is attribution. If a dangerous model were later involved in a catastrophic incident, authorities would be better able to determine who trained it, where the training occurred, and what infrastructure was used. Supporters argue that this visibility could discourage reckless behaviour and improve accountability. [robots.ox.ac.uk]robots.ox.ac.ukHeim et al. 2024 Governing Through the Cloud The Intermediary RoleTHE INTERMEDIARY ROLE OF COMPUTE PROVIDERS…26 Mar 2024 — Increases visibility into AI development, links customers and their usage to…

How reporting thresholds could trigger oversight

The most important design question is usually not identity verification itself but the threshold that determines when additional oversight begins.

Most compute governance proposals assume that only a small fraction of AI projects would cross the relevant threshold. Regulators would define a level of compute consumption associated with frontier or potentially high-risk development. Crossing that level could trigger reporting obligations, audits, evaluations, or other scrutiny. [Institute for Law & AI]law-ai.orgInstitute for Law & AIThe Role of Compute Thresholds for AI GovernanceFebruary 20, 2025 — This article discusses the role of training compute thresholds, which use training compute to determine which potenti…Published: February 20, 2025

The logic is straightforward. Training compute is not a perfect measure of risk, but it is one of the few measurable indicators that tends to correlate with the capabilities of advanced AI systems. As models become larger and more capable, they generally require greater quantities of specialised computing resources. Regulators therefore use compute thresholds as an initial filter rather than as proof that a system is dangerous. [Institute for Law & AI]law-ai.orgInstitute for Law & AIThe Role of Compute Thresholds for AI GovernanceFebruary 20, 2025 — This article discusses the role of training compute thresholds, which use training compute to determine which potenti…Published: February 20, 2025

In practice, a reporting system might work like this:

Sean Neville, Catena Labs | theCUBE + NYSE Wired: Mixture of Experts AI AGENT Conference 2026

Channel: SiliconANGLE theCUBE · Views: 5.7K · Uploaded: May 2026 · Length: 15 minutes

Open on YouTube

  1. A customer reserves a very large cluster of AI accelerators.
  2. The provider verifies the customer’s identity and ownership structure.
  3. The training run exceeds a legally defined threshold.
  4. The provider files a report containing specified information.

Amazon book picks

Further Reading

Books and field guides related to Should AI clouds know their customers?. Use these as the next step if you want deeper reading beyond the article.

Browse more on Amazon: Human Compatible The Oxford of AI Governance books The Age of Surveillance Capitalism

As an Amazon Associate I earn from qualifying purchases.

eBay marketplace picks

Marketplace Samples

Example marketplace items related to this page. Use the search link to explore similar finds on eBay.

Using USA
Browse more on eBay.com

Example items shown for inspiration; availability and pricing can change. Branchoria may earn a commission if you purchase through outbound eBay links.

Browse more on eBay.co.uk

Example items shown for inspiration; availability and pricing can change. Branchoria may earn a commission if you purchase through outbound eBay links.

  1. Regulators decide whether further evaluation or monitoring is required. [Bureau of Industry and Security]bis.govBureau of Industry and SecurityCommerce Proposes Reporting Requirements for Frontier…9 Sept 2024 — Proposed rule would help Department…

For AI doom advocates, the value of such a system is that warning signs could become visible before a powerful model is publicly deployed. Rather than discovering a frontier capability only after release, governments might receive advance notice that a major training effort is underway. [arXiv]arxiv.orgSource details in endnotes.

Why some researchers see compute KYC as an existential-risk measure

Arguments for compute KYC are closely tied to concerns about loss of control, dangerous autonomy, and rapid capability advances.

Many AI-risk researchers believe that if transformative or potentially catastrophic AI systems emerge, they are likely to require enormous computing resources during development. If that assumption is correct, then cloud providers become natural monitoring points. A relatively small number of companies supply much of the world’s frontier AI infrastructure, making oversight more feasible than attempting to monitor every developer directly. [robots.ox.ac.uk]robots.ox.ac.ukHeim et al. 2024 Governing Through the Cloud The Intermediary RoleTHE INTERMEDIARY ROLE OF COMPUTE PROVIDERS…26 Mar 2024 — Increases visibility into AI development, links customers and their usage to…

Supporters commonly make four claims:

  • Visibility: large frontier training runs are easier to detect than software development alone.
  • Early warning: governments may receive notice before highly capable systems are deployed.
  • Accountability: developers cannot as easily hide behind shell companies or anonymous accounts.
  • Targeted intervention: regulators can focus on a small number of high-risk activities rather than imposing broad restrictions on all AI development. [robots.ox.ac.uk]robots.ox.ac.ukHeim et al. 2024 Governing Through the Cloud The Intermediary RoleTHE INTERMEDIARY ROLE OF COMPUTE PROVIDERS…26 Mar 2024 — Increases visibility into AI development, links customers and their usage to… [Blog - Lennart Heim]blog.heim.xyzLennart HeimThe Intermediary Role of Compute Providers in AI Regulation13 Mar 2024 — Using AI Executive Order 14110 as a case study, we o…

Importantly, advocates generally do not argue that KYC by itself solves AI doom. Instead, it is usually presented as supporting infrastructure for other measures such as capability evaluations, incident reporting, licensing schemes, export controls, and model governance. [arXiv]arxiv.orgSource details in endnotes.

Compute KYC illustration 2

Why identity checks raise privacy and confidentiality concerns

The strongest objections to compute KYC are often not technical but political and legal.

A cloud provider that knows exactly who is training major AI systems will inevitably hold sensitive information about research programmes, commercial strategy, and intellectual property. Companies may worry that mandatory reporting exposes confidential projects to regulators or creates new cybersecurity risks if records are compromised. [robots.ox.ac.uk]robots.ox.ac.ukHeim et al. 2024 Governing Through the Cloud The Intermediary RoleTHE INTERMEDIARY ROLE OF COMPUTE PROVIDERS…26 Mar 2024 — Increases visibility into AI development, links customers and their usage to…

Privacy advocates raise a related concern. KYC systems work by reducing anonymity. While this may help identify dangerous actors, it also increases the amount of information collected about legitimate users. Critics worry that systems introduced for frontier AI governance could gradually expand beyond their original purpose. [Default]Lawfareknow your customer is coming for the cloud the stakes are highDefaultKnow-Your-Customer Is Coming for the Cloud—The…29 Apr 2024 — The new cloud KYC rules will build on these initiatives by requiri…

There is also a practical question about proportionality. If thresholds are set too low, many ordinary research and commercial activities could be swept into a reporting regime. If thresholds are set too high, genuinely significant frontier projects might escape attention. Determining the correct threshold is therefore one of the most contested aspects of compute governance. [Institute for Law & AI]law-ai.orgInstitute for Law & AIThe Role of Compute Thresholds for AI GovernanceFebruary 20, 2025 — This article discusses the role of training compute thresholds, which use training compute to determine which potenti…Published: February 20, 2025

Could determined actors evade the system?

A recurring criticism is that KYC works best against visible and law-abiding organisations, not against actors actively attempting to conceal their activities.

Potential evasion routes include:

  • Distributing training across multiple providers.
  • Using intermediaries and resellers.
  • Training on privately owned hardware rather than public cloud infrastructure.
  • Operating in jurisdictions that do not adopt comparable rules.
  • Exploiting loopholes in compute-threshold definitions. [arXiv]arxiv.orgSource details in endnotes. ChinaTalk Researchers have highlighted a related problem known as [chinatalk.media]chinatalk.mediaChina Talk Can BIS Control the Cloud?Can BIS Control the Cloud? - by Nicholas Welch31 Jan 2024 — This regulation makes it possible for cloud providers to implement “Know Your…“compute structuring”, analogous to financial structuring. Just as financial transactions can be divided into smaller pieces to avoid reporting requirements, AI developers could potentially spread workloads across systems to remain below regulatory thresholds. Whether such behaviour can be reliably detected remains an active research question. [arXiv]arxiv.orgSource details in endnotes.

Because of these limitations, even supporters usually describe compute KYC as a risk-reduction measure rather than a complete solution. The goal is to make frontier AI development harder to hide, not to guarantee perfect visibility. [arXiv]arxiv.orgSource details in endnotes.

Trust is Now Infrastructure: Governing Cloud and AI Under Pressure (CloudFest 2026)

Channel: CloudFest · Views: 27 · Uploaded: April 2026 · Length: 30 minutes

Open on YouTube

What real-world policy efforts look like

Although comprehensive AI-compute KYC systems do not yet exist at global scale, the concept is no longer purely theoretical.

The United States has already developed cloud customer-identification rules in the context of malicious cyber activity and foreign use of Infrastructure-as-a-Service (IaaS) platforms. Proposed and developing regulations have required cloud providers to verify customer identities and report certain high-risk AI training activities involving foreign actors. These efforts are not identical to broader AI-doom-oriented compute governance proposals, but they demonstrate that cloud-based KYC mechanisms are technically and legally plausible. [Reuters]reuters.comThe 'ICTS' rules: Technology supply chain regulation has arrived The U.SDepartment of Commerce has significantly increased regulatory actions under its Information and Communications Technology and Services (I… [Federal Register]federalregister.govFederal RegisterProposed Rule29 Jan 2024 — Foreign malicious cyber actors have utilized U.S. IaaS products to commit intellectual propert… [Bureau of]bis.govBureau of Industry and SecurityCommerce Proposes Reporting Requirements for Frontier…9 Sept 2024 — Proposed rule would help Department… Industry and Security

Meanwhile, frontier AI governance discussions increasingly connect cloud-provider reporting requirements with compute thresholds and model-risk oversight. Proposed reporting regimes would allow regulators to receive information about exceptionally large training runs while avoiding direct supervision of most AI development. [Bureau of Industry and Security]bis.govBureau of Industry and SecurityCommerce Proposes Reporting Requirements for Frontier…9 Sept 2024 — Proposed rule would help Department… 2arXiv

Scaling Trusted AI Infrastructure

Channel: Open Compute Project · Views: 111 · Uploaded: May 2026 · Length: 11 minutes

Open on YouTube

The central debate

The debate over compute KYC ultimately reflects a broader disagreement about how seriously society should treat the possibility of advanced AI causing catastrophic harm.

People concerned about AI doom often see cloud providers as one of the few realistic governance choke points available before highly capable systems are deployed. From this perspective, requiring providers to know who is training frontier models is a modest and potentially valuable precaution. If warning signs of dangerous capability development emerge, governments would at least have some visibility into who is conducting the work. [arXiv]arxiv.orgSource details in endnotes. [2robots.ox.ac.uk]robots.ox.ac.ukHeim et al. 2024 Governing Through the Cloud The Intermediary RoleTHE INTERMEDIARY ROLE OF COMPUTE PROVIDERS…26 Mar 2024 — Increases visibility into AI development, links customers and their usage to…

Sceptics accept that visibility may be useful but question whether the benefits justify the costs. They worry about privacy, commercial secrecy, international competitiveness, regulatory overreach, and the possibility that sophisticated actors will simply evade the rules. They also note that knowing who trained a model does not by itself solve the deeper problems of alignment, control, or misuse. [Default]Lawfareknow your customer is coming for the cloud the stakes are highDefaultKnow-Your-Customer Is Coming for the Cloud—The…29 Apr 2024 — The new cloud KYC rules will build on these initiatives by requiri… [Sidley Austin]sidley.comnew know your customer and reporting rules proposed for cloud providersSidley AustinNew Know-Your-Customer and Reporting Rules Proposed…Feb 8, 2024 — The IaaS Rule seeks to strengthen the US government's a…

As a result, compute KYC is best understood not as a complete answer to existential AI risk, but as a proposal for making frontier AI development less invisible. Whether that visibility would materially reduce p(doom) remains uncertain, but it is one of the most concrete and actively discussed governance mechanisms within the broader effort to monitor and govern advanced AI systems. [arXiv]arxiv.orgSource details in endnotes. [2robots.ox.ac.uk]robots.ox.ac.ukHeim et al. 2024 Governing Through the Cloud The Intermediary RoleTHE INTERMEDIARY ROLE OF COMPUTE PROVIDERS…26 Mar 2024 — Increases visibility into AI development, links customers and their usage to…

Compute KYC illustration 3

Endnotes

  1. Source: governance.ai
    Link: https://www.governance.ai/research-paper/oversight-for-frontier-ai-through-kyc-scheme-for-compute-providers
    Source snippet

    w-Your-Customer (KYC) schemes...

  2. Source: arxiv.org
    Link: https://arxiv.org/abs/2310.13625

  3. Source: robots.ox.ac.uk
    Title: Heim et al. 2024 Governing Through the Cloud The Intermediary Role
    Link: https://www.robots.ox.ac.uk/~mosb/public/pdf/3343/Heim%20et%20al.%20-%202024%20-%20Governing%20Through%20the%20Cloud%20The%20Intermediary%20Role.pdf
    Source snippet

    THE INTERMEDIARY ROLE OF COMPUTE PROVIDERS...26 Mar 2024 — Increases visibility into AI development, links customers and their usage to...

  4. Source: cdn.governance.ai
    Title: Oversight for Frontier AI through a Know-Your-Customer
    Link: https://cdn.governance.ai/Oversight_for_Frontier_AI_through_a_KYC_Scheme_for_Compute_Providers.pdf
    Source snippet

    October 23, 2023 — by J Egan · 2023 · Cited by 19 — with compute providers, KYC requirements for advanced AI cloud compute might include...

    Published: October 23, 2023

  5. Source: blog.heim.xyz
    Link: https://blog.heim.xyz/governing-through-the-cloud/
    Source snippet

    Lennart HeimThe Intermediary Role of Compute Providers in AI Regulation13 Mar 2024 — Using AI Executive Order 14110 as a case study, we o...

  6. Source: law-ai.org
    Title: Institute for Law & AIThe Role of Compute Thresholds for AI Governance
    Link: https://law-ai.org/the-role-of-compute-thresholds-for-ai-governance/
    Source snippet

    February 20, 2025 — This article discusses the role of training compute thresholds, which use training compute to determine which potenti...

    Published: February 20, 2025

  7. Source: arxiv.org
    Title: arXiv Training Compute Thresholds: Features and Functions in AI Regulation
    Link: https://arxiv.org/abs/2405.10799

  8. Source: arxiv.org
    Link: https://arxiv.org/html/2604.04712v1
    Source snippet

    arXivHardware-Level Governance of AI Compute: A Feasibility...6 Apr 2026 — US Executive Order 14110 (October 2023) imposed reporting req...

    Published: October 2023

  9. Source: sidley.com
    Title: new know your customer and reporting rules proposed for cloud providers
    Link: https://www.sidley.com/en/insights/newsupdates/2024/02/new-know-your-customer-and-reporting-rules-proposed-for-cloud-providers
    Source snippet

    Sidley AustinNew Know-Your-Customer and Reporting Rules Proposed...Feb 8, 2024 — The IaaS Rule seeks to strengthen the US government's a...

  10. Source: arxiv.org
    Title: arXiv Defending Compute Thresholds Against Legal Loopholes
    Link: https://arxiv.org/abs/2502.00003

  11. Source: chinatalk.media
    Title: China Talk Can BIS Control the Cloud?
    Link: https://www.chinatalk.media/p/can-bis-control-the-cloud
    Source snippet

    Can BIS Control the Cloud? - by Nicholas Welch31 Jan 2024 — This regulation makes it possible for cloud providers to implement “Know Your...

  12. Source: reuters.com
    Title: The ‘ICTS’ rules: Technology supply chain regulation has arrived The U.S
    Link: https://www.reuters.com/legal/legalindustry/icts-rules-technology-supply-chain-regulation-has-arrived-2024-10-30/
    Source snippet

    Department of Commerce has significantly increased regulatory actions under its Information and Communications Technology and Services (I...

  13. Source: datamatters.sidley.com
    Link: https://datamatters.sidley.com/2024/02/09/new-know-your-customer-and-reporting-rules-proposed-for-cloud-providers-five-key-takeaways/
    Source snippet

    Know-Your-Customer and Reporting Rules Proposed for...9 Feb 2024 — The IaaS Rule seeks to strengthen the US government's ability to trac...

  14. Source: bis.gov
    Link: https://www.bis.gov/press-release/commerce-proposes-reporting-requirements-frontier-ai-developers-compute-providers
    Source snippet

    Bureau of Industry and SecurityCommerce Proposes Reporting Requirements for Frontier...9 Sept 2024 — Proposed rule would help Department...

  15. Source: Lawfare
    Title: know your customer is coming for the cloud the stakes are high
    Link: https://www.lawfaremedia.org/article/know-your-customer-is-coming-for-the-cloud-the-stakes-are-high
    Source snippet

    DefaultKnow-Your-Customer Is Coming for the Cloud—The...29 Apr 2024 — The new cloud KYC rules will build on these initiatives by requiri...

  16. Source: federalregister.gov
    Link: https://www.federalregister.gov/documents/2024/01/29/2024-01580/taking-additional-steps-to-address-the-national-emergency-with-respect-to-significant-malicious
    Source snippet

    Federal RegisterProposed Rule29 Jan 2024 — Foreign malicious cyber actors have utilized U.S. IaaS products to commit intellectual propert...

  17. Source: bis.gov
    Link: https://www.bis.gov/press-release/commerce-proposes-rule-advance-u.s.-national-security-interests-implement-biden-harris-administrations-ai
    Source snippet

    Commerce Proposes Rule to Advance US National...29 Jan 2024 — The NPRM outlines proposed requirements to address the risk of foreign mal...

Additional References

  1. Source: trumpwhitehouse.archives.gov
    Link: https://trumpwhitehouse.archives.gov/presidential-actions/executive-order-taking-additional-steps-address-national-emergency-respect-significant-malicious-cyber-enabled-activities/
    Source snippet

    Order on Taking Additional Steps to Address the...19 Jan 2021 — (A) evidence that foreign malicious cyber actors have obtained United St...

  2. Source: cybereason.com
    Link: https://www.cybereason.com/blog/last-hurrah-executive-order-to-protect-iaas-platforms-from-malicious-actors
    Source snippet

    Last Hurrah: Executive Order to Protect IaaS Platforms from...President Donald Trump signed an executive order to prevent foreign malici...

  3. Source: steptoe.com
    Link: https://www.steptoe.com/en/news-publications/international-compliance-blog/us-infrastructure-as-a-service-providers-iaas-new-know-your-customer-requirements.html
    Source snippet

    US Infrastructure as a Service Providers (IaaS)1 Feb 2021 — The EO identifies a number of factors to be applied in deciding whether a for...

  4. Source: longtermwiki.com
    Title: U S Executive Order on Safe, Secure, and Trustworthy AICloud Compute Governance
    Link: https://www.longtermwiki.com/wiki/E366
    Source snippet

    The order introduced "Know Your Customer" (KYC) requirements for Infrastructure-as-a-Service (IaaS) providers, mandating that cloud...

  5. Source: visualcompliance.com
    Title: u s proposes kyc rules for cloud infrastructure providers
    Link: https://www.visualcompliance.com/blog/u-s-proposes-kyc-rules-for-cloud-infrastructure-providers/
    Source snippet

    Proposes KYC Rules for Cloud Infrastructure ProvidersFeb 7, 2024 — The U.S. is requiring cloud infrastructure providers to use KYC rules...

  6. Source: kelleydrye.com
    Link: https://www.kelleydrye.com/viewpoints/blogs/trade-and-manufacturing-monitor/bis-proposes-kyc-and-other-cybersecurity-requirements-on-cloud-services-and-ai-training
    Source snippet

    critical infrastructure or national security posed by malicious, cyber-enabled...Read more...

  7. Source: futureoflife.org
    Title: bis rule for establishment of reporting requirements
    Link: https://futureoflife.org/document/bis-rule-for-establishment-of-reporting-requirements/
    Source snippet

    Input on Federal AI Reporting Requirements11 Oct 2024 — There is precedent for implementing KYC requirements for foreign purchasers of hi...

  8. Source: researchgate.net
    Title: (PDF) Oversight for Frontier AI through a Know-Your
    Link: https://www.researchgate.net/publication/375393992_Oversight_for_Frontier_AI_through_a_Know-Your-Customer_Scheme_for_Compute_Providers
    Source snippet

    training runs above a certain (very high) threshold. 3. Requiring compute providers to have “Know Your Customer (KYC)” processes. 4. Faci...

  9. Source: home.treasury.gov
    Title: outbound investment program
    Link: https://home.treasury.gov/policy-issues/international/outbound-investment-program
    Source snippet

    Investment Security ProgramOn October 28, 2024, the Treasury Department issued a final rule (the Outbound Rules) implementing the Outboun...

    Published: October 28, 2024

  10. Source: govinfo.gov
    Title: Administration of Donald J
    Link: https://www.govinfo.gov/link/cpd/executiveorder/13984
    Source snippet

    Trump, 2021 Executive Order...19 Jan 2021 — Foreign malicious cyber actors aim to harm the United States economy through the theft of in...

Topic Tree

Follow this branch

Parent topic

Cloud Oversight Can Cloud Providers Police Frontier AI Training?

Related pages 2