Require U.S. IaaS providers to implement Customer Identification Programs (CIP) for foreign customers to prevent malicious use of AI models. Report AI training activities that could aid harmful cyber operations. Impose penalties for non-compliance or false reporting.
Analysis summaries, actor details, and coverage mappings were LLM-classified and may contain errors.
This is a binding federal regulation issued by the Department of Commerce with explicit enforcement mechanisms, civil and criminal penalties, and mandatory compliance requirements for U.S. IaaS providers.
The document has good coverage of approximately 6-8 subdomains, with strong focus on malicious actors (4.1, 4.2, 4.3), AI system security (2.2), competitive dynamics (6.4), and AI safety failures (7.2, 7.3). Coverage is concentrated in security, misuse prevention, and governance domains related to preventing malicious use of AI infrastructure.
The document primarily governs the Information sector, specifically Infrastructure as a Service (IaaS) providers that offer computing infrastructure. It also has implications for National Security through its focus on preventing malicious cyber-enabled activities by foreign actors.
The document primarily focuses on the Build and Use Model stage (training of large AI models) and the Operate and Monitor stage (ongoing verification and monitoring of IaaS accounts). It does not substantially cover planning, data collection, verification/validation, or deployment stages.
The document explicitly mentions AI models, AI systems, dual-use foundation models, and generative AI. It establishes compute thresholds through reference to interpretive rules and addresses training of large AI models. It does not explicitly mention general purpose AI, task-specific AI, predictive AI, or open-weight models.
Department of Commerce, Bureau of Industry and Security
The document is a Federal Register notice issued by the Department of Commerce establishing regulatory requirements. The Under Secretary of Commerce for Industry and Security, Alan F. Estevez, is listed as the issuing authority.
Department of Commerce, Bureau of Industry and Security (BIS), U.S. district courts
The Department of Commerce has explicit authority to conduct compliance assessments, impose special measures, request information, and impose civil penalties. Criminal enforcement occurs through U.S. district courts.
Department of Commerce, Bureau of Industry and Security, Secretary of Defense, Attorney General, Secretary of Homeland Security, Director of National Intelligence
The Department of Commerce conducts ongoing compliance assessments and reviews submitted certifications. Other agencies are consulted for special measures and exemption determinations, providing oversight and monitoring functions.
U.S. Infrastructure as a Service (IaaS) providers, foreign resellers of U.S. IaaS products
The regulation explicitly targets U.S. IaaS providers and their foreign resellers, requiring them to implement Customer Identification Programs and report on AI training activities. The document defines these entities and establishes comprehensive obligations for them.
7 subdomains (3 Good, 4 Minimal)