Know-Your-Customer Rules for AI Compute

If you sell cloud GPUs, the US government may soon require you to verify who your customers are. Know-your-customer rules from finance are being ported into AI infrastructure.

36 min · Reviewed 2026

The Proposed Rules

In January 2024, the US Department of Commerce released a notice of proposed rulemaking requiring US Infrastructure-as-a-Service providers — AWS, Google Cloud, Microsoft Azure, Lambda, CoreWeave, and others — to verify foreign customers' identities and report large AI training runs. The rule was finalized in January 2025 as the IaaS rule.

What it requires

Verify identity of foreign customers opening new accounts (name, address, ID documents)
Retain records for five years
Report to Commerce when foreign customers train models above specific compute thresholds
Report transactions that could enable cyberattacks
Certify CIP (Customer Identification Program) annually

Why this is contested

Compliance cost falls hardest on small cloud providers
Definition of 'training run' is technical and can be circumvented with chunked jobs
Enforcement relies on providers knowing what customers are doing with the compute
Privacy and civil liberties concerns from international customers
Coordinated action needed with EU, UK, Singapore to avoid arbitrage

If you can buy unlimited compute anonymously, no frontier model regulation is enforceable.
— Common argument in export-control policy circles

The big idea: governments are treating compute like a strategic resource on par with uranium or semiconductors. Expect the rules to keep tightening and keep changing.

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-safety2-kyc-ai-labs-creators

Under the IaaS rule, what specific information must foreign customers provide to verify their identity when opening new accounts?
1. Name, address, and identity documents such as passports or national IDs
2. Credit history and financial statements
3. Social media profiles and online activity logs
4. Programming certifications and employment verification
For how long must IaaS providers retain customer records under the finalized rule?
1. Five years
2. One year
3. Ten years
4. Two years
What does the acronym CIP stand for in the context of the IaaS rule?
1. Customer Identification Program
2. Computational Infrastructure Protocol
3. Cyber Incident Prevention
4. Certified Identity Provider
Which entity issued the proposed rule that eventually became the IaaS rule?
1. US Department of Commerce
2. Department of Defense
3. Federal Communications Commission
4. Securities and Exchange Commission
When was the IaaS rule officially finalized?
1. January 2025
2. January 2024
3. December 2024
4. March 2024
What is a primary criticism of the IaaS rule raised by opponents?
1. The rule allows anonymous GPU purchases legally
2. The rule applies only to domestic customers
3. Small cloud providers bear disproportionate compliance costs
4. The rule has no enforcement mechanisms
How could a customer potentially circumvent reporting requirements under the rule?
1. By training models on personal hardware
2. By using only domestic cloud providers
3. By paying in cryptocurrency
4. By splitting a large training run into smaller chunked jobs
The IaaS rule ports an existing framework from which industry to AI compute?
1. Automotive manufacturing
2. Pharmaceuticals
3. Banking and financial services
4. Telecommunications and cable
What is the stated rationale for treating compute as a regulated resource?
1. Compute is cheaper than traditional export controls
2. Compute is the new strategic resource enabling frontier AI models
3. Compute is the primary cause of climate change
4. Compute is the only resource China lacks
Which of the following is explicitly required to be reported under the IaaS rule?
1. All customers' electricity usage
2. Foreign customers training models above specific compute thresholds
3. Employees' personal computer specifications
4. Domestic customers' model architectures
The lesson draws an analogy comparing compute to what traditional strategic resource?
1. Oil and gas
2. Gold and silver
3. Water and timber
4. Uranium or semiconductors
Which hardware components are specifically restricted under the broader US export control regime mentioned in the lesson?
1. Networking equipment and cables
2. CPU processors and hard drives
3. H100 and H200 GPUs and HBM memory
4. RAM modules and motherboards
What concern do privacy and civil liberties advocates raise about the IaaS rule?
1. The rule will make AI too expensive
2. The rule does not go far enough to prevent AI harm
3. International customers may have their data monitored by US authorities
4. The rule applies only to US citizens
The quote 'If you can buy unlimited compute anonymously, no frontier model regulation is enforceable' emphasizes what point?
1. Without identity verification, export controls on AI models can be bypassed
2. Compute purchases cannot be monitored
3. Anonymous computing is a fundamental right
4. Frontier models should not be regulated
What is required annually under the IaaS rule?
1. Payment of a compliance fee
2. Certification of the Customer Identification Program
3. Renewal of all customer accounts
4. Submission of customer genetic data

← Back to interactive lesson

Tendril · Creators · Ethics & Society

Know-Your-Customer Rules for AI Compute

If you sell cloud GPUs, the US government may soon require you to verify who your customers are. Know-your-customer rules from finance are being ported into AI infrastructure.

36 min · Reviewed 2026

The Proposed Rules

What it requires

Verify identity of foreign customers opening new accounts (name, address, ID documents)
Retain records for five years
Report to Commerce when foreign customers train models above specific compute thresholds
Report transactions that could enable cyberattacks
Certify CIP (Customer Identification Program) annually

Why this is contested

Compliance cost falls hardest on small cloud providers
Definition of 'training run' is technical and can be circumvented with chunked jobs
Enforcement relies on providers knowing what customers are doing with the compute
Privacy and civil liberties concerns from international customers
Coordinated action needed with EU, UK, Singapore to avoid arbitrage

If you can buy unlimited compute anonymously, no frontier model regulation is enforceable.
— Common argument in export-control policy circles

The big idea: governments are treating compute like a strategic resource on par with uranium or semiconductors. Expect the rules to keep tightening and keep changing.

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-safety2-kyc-ai-labs-creators

Under the IaaS rule, what specific information must foreign customers provide to verify their identity when opening new accounts?
1. Name, address, and identity documents such as passports or national IDs
2. Credit history and financial statements
3. Social media profiles and online activity logs
4. Programming certifications and employment verification
For how long must IaaS providers retain customer records under the finalized rule?
1. Five years
2. One year
3. Ten years
4. Two years
What does the acronym CIP stand for in the context of the IaaS rule?
1. Customer Identification Program
2. Computational Infrastructure Protocol
3. Cyber Incident Prevention
4. Certified Identity Provider
Which entity issued the proposed rule that eventually became the IaaS rule?
1. US Department of Commerce
2. Department of Defense
3. Federal Communications Commission
4. Securities and Exchange Commission
When was the IaaS rule officially finalized?
1. January 2025
2. January 2024
3. December 2024
4. March 2024
What is a primary criticism of the IaaS rule raised by opponents?
1. The rule allows anonymous GPU purchases legally
2. The rule applies only to domestic customers
3. Small cloud providers bear disproportionate compliance costs
4. The rule has no enforcement mechanisms
How could a customer potentially circumvent reporting requirements under the rule?
1. By training models on personal hardware
2. By using only domestic cloud providers
3. By paying in cryptocurrency
4. By splitting a large training run into smaller chunked jobs
The IaaS rule ports an existing framework from which industry to AI compute?
1. Automotive manufacturing
2. Pharmaceuticals
3. Banking and financial services
4. Telecommunications and cable
What is the stated rationale for treating compute as a regulated resource?
1. Compute is cheaper than traditional export controls
2. Compute is the new strategic resource enabling frontier AI models
3. Compute is the primary cause of climate change
4. Compute is the only resource China lacks
Which of the following is explicitly required to be reported under the IaaS rule?
1. All customers' electricity usage
2. Foreign customers training models above specific compute thresholds
3. Employees' personal computer specifications
4. Domestic customers' model architectures
The lesson draws an analogy comparing compute to what traditional strategic resource?
1. Oil and gas
2. Gold and silver
3. Water and timber
4. Uranium or semiconductors
Which hardware components are specifically restricted under the broader US export control regime mentioned in the lesson?
1. Networking equipment and cables
2. CPU processors and hard drives
3. H100 and H200 GPUs and HBM memory
4. RAM modules and motherboards
What concern do privacy and civil liberties advocates raise about the IaaS rule?
1. The rule will make AI too expensive
2. The rule does not go far enough to prevent AI harm
3. International customers may have their data monitored by US authorities
4. The rule applies only to US citizens
The quote 'If you can buy unlimited compute anonymously, no frontier model regulation is enforceable' emphasizes what point?
1. Without identity verification, export controls on AI models can be bypassed
2. Compute purchases cannot be monitored
3. Anonymous computing is a fundamental right
4. Frontier models should not be regulated
What is required annually under the IaaS rule?
1. Payment of a compliance fee
2. Certification of the Customer Identification Program
3. Renewal of all customer accounts
4. Submission of customer genetic data

← Back to interactive lesson