Expansive Reporting Requirements on AI Technologies: Understanding the Requirements and Potential Export Controls Implications
President Biden’s executive order (EO) on artificial intelligence (AI) directs the Secretary of Commerce to impose, within 90 days, expansive reporting requirements on dual-use foundation models and large scale computing clusters, as well as U.S. Infrastructure as a Service (IaaS) transactions involving foreign persons. These reporting requirements are extremely broad and would require, for example, companies to report on (1) not only ongoing but also planned activities related to training, developing, or producing dual-use foundation models; (2) ownership and possession of the model weights; (3) the results of the model’s performance in AI red-team testing; and (4) any acquisition, development, or possession of a potential large-scale computing cluster. U.S. IaaS providers would also be required to report on its transactions with foreign persons for training a large AI model with potential capabilities for use in malicious cyber-enabled activity. In addition, the EO also flows down the identity verification requirement to foreign resellers of U.S. IaaS products, taking one step further than Executive Order 13984 issued in January 2021.1
While the EO directs the Secretary of Commerce to define the technical conditions that would trigger the applicable reporting requirements, the EO also provides technical conditions that apply in the interim. The interim technical conditions utilize processing speed metrics in defining the scope of the requirements, in line with the U.S. government’s recent approach to controlling advanced computing chips with AI capabilities and supercomputers as reflected in the recently announced export control measures on semiconductor items. (Please refer to our Advisory for the discussion of the export control measures on semiconductor items announced in October 2023.) Importantly, while the EO does not require that the Secretary of Commerce promulgate any specific export control measures on AI, the reports that the U.S. government would receive under the EO implementing regulations would likely inform the Department of Commerce in refining or adding export control measures that may impact the AI sector.
President Biden invoked the Defense Production Act (DPA) for the reporting requirements on dual-use foundation models and large scale computing clusters, while relying on the International Emergency Economic Powers Act (IEEPA) with respect to the U.S. IaaS-related requirements that are intended to address malicious cyber-enabled activities. Reliance on the IEEPA to address malicious cyber-enabled activities is not new, as other presidents have similarly relied on the IEEPA and issued executive orders seeking to address malicious cyber-enabled activities.2 The DPA, on the other hand, was originally enacted to facilitate the production of goods and services necessary for national security in response to the Korean War. In recent years, the Executive Branch has invoked the DPA to provide funds for technological innovation, combat cyberespionage, produce ventilators and other products for combating the COVID-19 pandemic, and accelerate domestic production of green energy. The EO follows these more recent uses of the DPA, which some have criticized as being beyond the original intent of the DPA.3
© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
Executive Order 13984 required the Secretary of Commerce to propose regulations that would require U.S. IaaS providers to verify the identity of a foreign person obtaining an IaaS account, but did not specifically address the foreign reseller’s identity verification obligation.
See John Villasenor, Brookings Institution, Good for Growing an AI Workforce, but a Concerning Expansion of the Defense Production Act (Nov. 2, 2023).