Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Governing Through the Cloud: The Intermediary Role of Compute Providers in AI Regulation

Lennart Heim, Tim Fist, Janet Egan, Sihao Huang, Stephen Zekany, Robert Trager, Michael A Osborne, Noa Zilberman

TL;DR

The paper tackles how frontier AI risks can be mitigated by treating compute providers as regulatory intermediaries who secure infrastructure, keep records, verify compliance, and enforce rules. It analyzes four governance capacities, demonstrates technical feasibility with privacy-preserving approaches, and uses the US AI Executive Order 14110 as a case study to illustrate potential implementation steps and next actions. The authors argue that international coordination and careful privacy design are essential to prevent regulatory evasion and to ensure scalable, global oversight without stifling innovation. If realized, this intermediary- regulation model could provide targeted, verifiable, and enforceable oversight of high-risk AI development and deployment at scale.

Abstract

As jurisdictions around the world take their first steps toward regulating the most powerful AI systems, such as the EU AI Act and the US Executive Order 14110, there is a growing need for effective enforcement mechanisms that can verify compliance and respond to violations. We argue that compute providers should have legal obligations and ethical responsibilities associated with AI development and deployment, both to provide secure infrastructure and to serve as intermediaries for AI regulation. Compute providers can play an essential role in a regulatory ecosystem via four key capacities: as securers, safeguarding AI systems and critical infrastructure; as record keepers, enhancing visibility for policymakers; as verifiers of customer activities, ensuring oversight; and as enforcers, taking actions against rule violations. We analyze the technical feasibility of performing these functions in a targeted and privacy-conscious manner and present a range of technical instruments. In particular, we describe how non-confidential information, to which compute providers largely already have access, can provide two key governance-relevant properties of a computational workload: its type-e.g., large-scale training or inference-and the amount of compute it has consumed. Using AI Executive Order 14110 as a case study, we outline how the US is beginning to implement record keeping requirements for compute providers. We also explore how verification and enforcement roles could be added to establish a comprehensive AI compute oversight scheme. We argue that internationalization will be key to effective implementation, and highlight the critical challenge of balancing confidentiality and privacy with risk mitigation as the role of compute providers in AI regulation expands.

Governing Through the Cloud: The Intermediary Role of Compute Providers in AI Regulation

TL;DR

The paper tackles how frontier AI risks can be mitigated by treating compute providers as regulatory intermediaries who secure infrastructure, keep records, verify compliance, and enforce rules. It analyzes four governance capacities, demonstrates technical feasibility with privacy-preserving approaches, and uses the US AI Executive Order 14110 as a case study to illustrate potential implementation steps and next actions. The authors argue that international coordination and careful privacy design are essential to prevent regulatory evasion and to ensure scalable, global oversight without stifling innovation. If realized, this intermediary- regulation model could provide targeted, verifiable, and enforceable oversight of high-risk AI development and deployment at scale.

Abstract

As jurisdictions around the world take their first steps toward regulating the most powerful AI systems, such as the EU AI Act and the US Executive Order 14110, there is a growing need for effective enforcement mechanisms that can verify compliance and respond to violations. We argue that compute providers should have legal obligations and ethical responsibilities associated with AI development and deployment, both to provide secure infrastructure and to serve as intermediaries for AI regulation. Compute providers can play an essential role in a regulatory ecosystem via four key capacities: as securers, safeguarding AI systems and critical infrastructure; as record keepers, enhancing visibility for policymakers; as verifiers of customer activities, ensuring oversight; and as enforcers, taking actions against rule violations. We analyze the technical feasibility of performing these functions in a targeted and privacy-conscious manner and present a range of technical instruments. In particular, we describe how non-confidential information, to which compute providers largely already have access, can provide two key governance-relevant properties of a computational workload: its type-e.g., large-scale training or inference-and the amount of compute it has consumed. Using AI Executive Order 14110 as a case study, we outline how the US is beginning to implement record keeping requirements for compute providers. We also explore how verification and enforcement roles could be added to establish a comprehensive AI compute oversight scheme. We argue that internationalization will be key to effective implementation, and highlight the critical challenge of balancing confidentiality and privacy with risk mitigation as the role of compute providers in AI regulation expands.
Paper Structure (35 sections, 15 figures, 4 tables)

This paper contains 35 sections, 15 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Compute Providers' Intermediary Role
  3. Regulatory Intermediaries
  4. Focus on Frontier AI
  5. Overview of our Contributions
  6. Limitations and Future Research Directions
  7. Governance Capacities of Compute Providers
  8. Compute Providers in the AI Compute Supply Chain
  9. Governance Capacities
  10. I. Security
  11. II. Record Keeping
  12. III. Verification
  13. IV. Enforcement
  14. Technical Feasibility of Compute Providers' Governance Role
  15. Security
  16. ...and 20 more sections

Figures (15)

  • Figure 1: The intermediary role of compute providers in relation to AI companies and regulators.
  • Figure 2: Additional measures, implemented by the Department of Commerce, would strengthen the intermediary role of compute providers and enable a compute oversight scheme.
  • Figure 3: The compute supply chain including compute providers in the middle. Like the production of state-of-the-art AI chips, compute providers' market shares are concentrated. (Figure from sastryComputingPowerGovernance2024.)
  • Figure 4: Overview of the different governance capacities and how they relate to three actors: customers (the AI developers and deployers), compute providers, and regulators.
  • Figure 5: The security measures implemented by compute providers to help protect AI company's models, intellectual property, and confidential data.
  • ...and 10 more figures