Reps. Josh Gottheimer (D-N.J.) and John Moolenaar (R-Mich.) introduced the Cloud Security Act on June 26, 2026. The measure lets U.S. cloud providers flag suspected foreign misuse of advanced AI computing power to the Commerce Department. Axios first reported the exclusive details from a bill draft.
Adversaries no longer need to buy restricted chips. They rent time on them through American platforms. Providers such as Amazon Web Services, Microsoft Azure, and Google Cloud host the hardware. Foreign customers gain equivalent training capacity without taking physical possession.
Current rules block direct chip sales to countries of concern. They leave cloud access largely untouched. The Stored Communications Act adds another barrier. It generally bars voluntary disclosure of customer records or content to the government. Companies face legal exposure if they report suspicious activity anyway.
The new bill amends that statute. It creates a safe harbor for voluntary reports tied to U.S. adversaries. Providers can notify Commerce when patterns suggest misuse for advanced AI model development. The change removes the chilling effect that has kept firms silent.
Gottheimer and Moolenaar framed the effort around national security and competitiveness.
“We can’t let our adversaries — especially China — dodge our export controls by simply renting what they can’t buy,” Gottheimer said in a statement released by his office. “This bill gives American companies the legal clarity they need to do the right thing and report when bad actors are trying to use our own cloud infrastructure to threaten our national security.” Gottheimer.house.gov
Moolenaar, chairman of the House Select Committee on the China, added: “In the AI race, China will buy what it can and steal the rest, which is why it is actively trying to get backdoor access to U.S. data centers and train its AI models via cloud computing. U.S. cloud platforms have a role to play in stopping China’s AI buildup, which fuels its military and surveillance ambitions. This bipartisan commonsense legislation will require them to protect their products and American national security by simply verifying the identity of their users.” Select Committee on the CCP
The proposal arrives amid broader export-control modernization. Earlier this year the House passed the Remote Access Security Act. That measure expands Commerce authority to cover remote access to controlled items through networks or cloud services. Congress.gov It addresses the same underlying gap but focuses on licensing requirements rather than provider reporting.
Industry observers note the timing. Frontier AI models demand enormous compute clusters. Export controls on physical chips have tightened steadily since 2022. Cloud access offers a workaround that regulators now aim to close. The Cloud Security Act stays narrow. It creates an optional reporting channel rather than new mandates or licensing regimes.
Questions remain about implementation. Commerce would receive the tips. Follow-up investigations could involve other agencies. Providers would still need robust customer screening and monitoring programs to spot red flags. False positives could strain relationships with legitimate international clients.
Related efforts continue on Capitol Hill. A separate bipartisan bill from last year directs the NSA to produce an AI security playbook. That measure targets data-center vulnerabilities and foreign tech theft. Nextgov The White House issued an executive order in early June on advanced AI innovation and security, emphasizing voluntary industry-government collaboration on cyber defenses. Whitehouse.gov
Cloud providers have not issued public reactions yet. Many already maintain know-your-customer processes for high-risk workloads. The legislation would reduce legal friction around sharing certain indicators with authorities. It stops short of compelling reports or expanding surveillance obligations.
Enactment would mark another incremental step in adapting export controls to cloud-era realities. Physical shipments dominated earlier regimes. Compute access now happens over networks. Lawmakers from both parties see the need to align rules with that shift.
Supporters argue the measure strengthens deterrence without broad new regulation. Critics may question whether voluntary reporting will generate enough actionable intelligence or whether it invites selective enforcement. The bill text has not been formally introduced in legislative form as of the announcement, leaving room for refinements during the committee process.
Gottheimer and Moolenaar have collaborated before on China-related technology issues. Their joint effort signals continued bipartisan focus on AI supply-chain security. The Cloud Security Act targets one specific workaround. It fits into a wider pattern of tightening controls while preserving U.S. leadership in cloud infrastructure and model development.
WebProNews is an iEntry Publication