Why and How to Regulate Cloud Computing

If you view the AI supply chain as a stack – (1) applications, (2) models, (3) cloud computing, (4) chips – you realize that the AI policy debates have focused on the top and bottom layers. For example, lawmakers have prohibited deepfake nudes (application layer) and infused the semiconductor market with $52 billion (chips layer). The middle of the AI tech stack, including the cloud computing industry, has received comparatively little policy attention. This oversight is a serious mistake because cloud computing is rife with market failures and national security risks.

Government regulators in North America, Europe, and Asia have separately investigated how the cloud market is uncompetitive. First is market concentration: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud make up two-thirds of the $600 billion cloud computing market. Second are switching costs – while it’s free to move data into a cloud; it can cost thousands to move your data out.

Third is vertical integration. Each hyperscaler designs chips, sells access to their own models, and controls applications where AI is used. These companies are simultaneously suppliers, customers, competitors, and investors of their cloud customers, creating unavoidable conflicts of interest. Hyperscalers further vertically integrate through investments, acquisitions, and other acquisition-like partnerships. While OpenAI and Anthropic once seemed like promising challengers to Big Tech, each now has a Big Tech company as one of its largest investors.

Here’s how these problems play out. Let’s say you’re developing an AI application. If you have investment from a prominent VC, you likely got “cloud credits”– effectively a free trial – to AWS. You built your software on AWS, using their custom tooling, and moved in relevant datasets. You notice that only Anthropic’s models are available as natively integrated in Bedrock, the AWS service that allows developers to deploy AI models. This limits you since you want your customers to have access to Anthropic’s Claude, OpenAI’s GPT-5, and Google Gemini. You consider moving to Azure but AWS charges an “egress fee” to move your data out of (but not into) its cloud services, so you’re locked in. These features are common across AWS, Azure, and Google Cloud. Perhaps worse, you may not know it as a developer, the FTC has even found hyperscalers prioritizing access to scarce chip supply for large companies in which they invested over the needs of smaller startups .

Market concentration is also a national security issue because businesses, government agencies – including the Defense Department) – and critical infrastructure providers all depend on cloud providers, and because the cloud is a necessary input to developing AI, which is central to the U.S. geopolitical competition with China.

Venture capitalists openly talk about the cloud market as an “oligopoly,” and even nonpartisan analysts recognize the industry as “analogous” to “electricity, water, and other utilities.” Throughout American history, when large oligopolistic utility-like markets take hold, policymakers apply sectoral regulations. In a paper released today, I detail a legislative approach to regulate cloud computing using the tried and tested policy tools we’ve used to regulate utilities:

1. Structural separation

2. Neutrality requirements

3. Data portability and interoperability requirements

4. Designating cloud as a critical infrastructure sector

5. Restricting foreign adversary ownership or control of U.S. providers, and

6. Instituting “know-your-customer” requirements.

Combined, these policies will shape the market to be healthier, more competitive, and better aligned to American national security goals.