Bipartisan Bill Targets AI Security Gap in Cloud Computing

A bipartisan pair of lawmakers is introducing legislation designed to address a significant vulnerability in current AI security measures: foreign actors accessing advanced computing capabilities through U.S. cloud providers.

Representatives Josh Gottheimer (D-N.J.) and John Moolenaar (R-Mich.) have drafted the Cloud Security Act, which would create a legal pathway for American cloud computing companies to notify the Commerce Department when they suspect foreign entities are using their services to develop advanced AI models, according to details first reported by Axios.

Why it matters

Current chip export controls restrict the sale of advanced semiconductors to certain countries, but those restrictions can be circumvented when foreign users simply rent computing power from U.S. cloud providers. This legislative proposal reflects growing congressional recognition that AI security requires more than hardware controls—it demands visibility into how computing resources are actually being used.

Closing the cloud loophole

The proposed legislation targets what lawmakers view as a critical gap in existing export control frameworks. While the U.S. government has implemented restrictions on exporting cutting-edge AI chips to adversarial nations, those controls become ineffective when the same computational power can be accessed remotely through cloud services.

The bill would amend the Stored Communications Act, which currently prevents cloud providers from voluntarily sharing customer communication contents with government agencies. Under the new framework, providers could flag suspicious activity without violating existing privacy protections.

Broader legislative context

The Cloud Security Act arrives as Congress pursues multiple targeted AI policy initiatives rather than comprehensive omnibus legislation. Current efforts span several domains: combating synthetic media and deepfakes, protecting children from chatbot-related risks, analyzing AI's economic impact, and strengthening export controls.

This focused approach reflects the complexity of AI governance and the difficulty of crafting broad regulatory frameworks while the technology continues to evolve rapidly. As the Trump administration develops its own AI policy positions, lawmakers are moving forward with specific measures that address concrete security and safety concerns.

Implementation questions

The legislation leaves several practical questions for future rulemaking. Cloud providers would need clear guidance on what constitutes suspicious activity warranting notification, how to balance security concerns with legitimate international business operations, and what protections exist for companies that report in good faith.

The Commerce Department would also need to establish processes for receiving, evaluating, and acting on reports from cloud providers—a significant operational undertaking that would require coordination across multiple government agencies.

Details of the Cloud Security Act were first reported by Axios.