Why Do Export Controls Matter for AI Companies?
AI technologies are increasingly subject to export controls that restrict international transfer, deployment, and collaboration. U.S. export control regimes, including the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR), now specifically address AI, machine learning, and related technologies due to national security concerns about military applications, economic competitiveness with strategic rivals, and dual-use technologies serving both civilian and military purposes.
Export controls affect AI companies in multiple ways, including restrictions on exporting AI chips and hardware, controls on sharing AI software and algorithms, limitations on technical collaboration with foreign nationals, and compliance requirements for international deployments. Violations can result in severe civil and criminal penalties, loss of export privileges, and reputational damage affecting business operations.
For AI companies operating globally, collaborating with international researchers, or deploying systems internationally, understanding export control obligations is essential for legal compliance and strategic planning.
Overview of U.S. Export Control Frameworks
Export Administration Regulations (EAR)
The EAR, administered by the Department of Commerce’s Bureau of Industry and Security (BIS), controls export of commercial and dual-use items. The EAR applies to items on the Commerce Control List (CCL), exports to certain countries and end users, and activities involving U.S.-origin items worldwide.
Recent updates specifically address AI and machine learning technologies.
International Traffic in Arms Regulations (ITAR)
ITAR, administered by the State Department’s Directorate of Defense Trade Controls, controls defense articles and services on the U.S. Munitions List (USML). While most commercial AI falls under EAR, AI for military applications or integrated into defense systems may trigger ITAR.
ITAR imposes strict licensing requirements and registration obligations for manufacturers and exporters.
Key Definitions: Export and Deemed Export
“Export” includes not just physical shipment abroad but also electronic transmission of controlled information, providing access to foreign nationals in the U.S. (“deemed exports”), and deploying systems in foreign countries.
Cloud-based AI services may constitute exports if foreign users access controlled technology.
AI-Specific Export Control Classifications
ECCN 3E001 – Neural Network Software
Export Control Classification Number (ECCN) 3E001 covers technology for development or production of items controlled under Category 3, including certain neural network and deep learning software.
This classification can apply to proprietary AI algorithms, custom neural network architectures, and specialized training methodologies.
ECCN 4A090 and 4D090 – Facial Recognition
Facial recognition technology is specifically controlled under ECCN 4A090 (systems) and 4D090 (software), with restrictions on exports to certain countries due to human rights concerns.
Semiconductor and Computing Hardware Controls
Advanced AI chips and high-performance computing systems face export restrictions. Recent rules restrict exports of chips exceeding certain performance thresholds to China and other countries of concern.
Companies like NVIDIA and AMD have created export-compliant chip variants meeting performance limitations.
Emerging and Foundational Technologies
BIS maintains authority to control “emerging and foundational technologies” essential to national security. AI technologies potentially subject to future controls include advanced machine learning algorithms, autonomous systems and robotics, AI for cybersecurity applications, and quantum computing for AI.
Country-Based Restrictions
Comprehensive Embargoes
Certain countries face comprehensive trade embargoes prohibiting most exports without specific authorization, including Cuba, Iran, North Korea, Syria, and Russia (with expanding restrictions).
AI companies generally cannot provide services or technology to these countries.
Entity List Restrictions
The Entity List identifies foreign parties subject to specific license requirements due to national security or foreign policy concerns. Chinese AI companies and research institutions appear prominently on recent Entity List additions.
Exports to Entity List parties require BIS licenses, which are often denied.
Military End-User (MEU) and Military Intelligence End-User (MIEU) Rules
Exports of certain items to military end users or military intelligence end users in China, Russia, and Venezuela require licenses regardless of item classification.
AI companies must screen customers to identify military connections.
Licensing Requirements and Exceptions
When Licenses Are Required
Export licenses are required when exporting controlled items to restricted countries or end users, transferring controlled technology to foreign nationals, or reexporting U.S.-origin items from third countries.
License Exceptions
BIS provides license exceptions allowing certain exports without individual licenses, including Technology and Software – Unrestricted (TSU) for publicly available technology; Encryption Commodities, Software, and Technology (ENC) for certain encryption items; and Authorized Cybersecurity Exports (ACE) for some cybersecurity technologies.
Evaluate whether exceptions apply before assuming licenses are required.
License Application Process
When required, license applications must describe the technology comprehensively, identify end users and end uses clearly, and explain why exports serve U.S. interests.
BIS reviews applications for proliferation, terrorism, and policy concerns.
Deemed Export Compliance
Foreign National Access in U.S.
Providing foreign nationals in the U.S. with access to controlled technology constitutes a “deemed export” to their countries of nationality.
This affects hiring foreign researchers, collaborating with international students, and sharing technical information with foreign-national employees.
Exemptions for Fundamental Research
The “fundamental research” exclusion exempts certain academic research from deemed export controls when research is published and shared openly, conducted by university faculty and students, and not subject to proprietary restrictions.
However, industry-sponsored research with publication restrictions may not qualify.
Technology Control Plans
Companies can implement Technology Control Plans limiting foreign national access to controlled technologies, segregating controlled and non-controlled work, and maintaining documentation of access restrictions.
Cloud and SaaS Export Considerations
When Cloud Services Are Exports
Providing cloud-based AI services to foreign users may constitute exports if services involve controlled technology, users access source code or algorithms, or services enable prohibited end uses.
Encryption and Cloud Services
AI services using encryption face additional considerations under ENC controls. Many cloud encryption implementations qualify for exceptions, but companies should verify classifications.
Geographic Service Restrictions
Many AI SaaS providers geofence services, blocking access from embargoed countries and Entity List parties.
Open Source AI and Publication
Public Domain Exclusion
Information in the “public domain” through publication or unrestricted availability is generally excluded from export controls. However, simply posting code online doesn’t automatically qualify as public domain for export purposes.
BIS requires that publicly available technology be made available to the public through fundamental research, be published in certain formats, or arise during undergraduate teaching.
Risks of Open-Source AI Models
Open-sourcing AI models can implicate export controls if models incorporate controlled technology, were developed with export-controlled information, or have military or intelligence applications.
Consult export counsel before open-sourcing potentially controlled AI.
Academic Publication Review
Universities and research institutions often require prepublication export control reviews for research potentially involving controlled technology, collaboration with foreign nationals, or sponsor restrictions on publication.
International Collaboration and Research
Screening Foreign Collaborators
Before collaborating with foreign researchers or institutions, screen for Entity List designation, military or intelligence affiliations, locations in restricted countries, and histories of export violations.
Structuring Compliant Collaborations
Structure research to avoid transferring controlled information, limit foreign national access to sensitive technology, document that research qualifies as fundamental research, and obtain necessary licenses for controlled transfers.
Visiting Researchers and Students
Universities and companies hosting foreign visiting researchers must assess deemed export implications, implement access controls for controlled areas, and maintain records of technology access.
Due Diligence and Compliance Programs
Know Your Customer Screening
Implement screening processes for customers and partners against the Entity List, the Denied Persons List, the Specially Designated Nationals List, and the Military End-User List.
Automated screening tools can facilitate compliance.
End-Use and End-User Certifications
Obtain certifications from customers about intended uses, end-user identities, and commitments not to retransfer without authorization.
Recordkeeping Requirements
Maintain records of export classifications, license applications and determinations, customer screening results, and compliance training, and retain them for five years.
Red Flags and Enhanced Due Diligence
Warning Signs
Red flags warranting enhanced due diligence include customers unwilling to provide end-use information, delivery addresses that are freight forwarders, purchases inconsistent with the customer’s business, and involvement of countries of concern.
Responding to Red Flags
When red flags arise, conduct additional investigation, request clarifying information, consult export counsel, and file Voluntary Self-Disclosures if violations are discovered.
Recent Regulatory Developments
Advanced Computing Chips Controls
BIS implemented controls on advanced semiconductors for AI in 2022, expanded controls in 2023 to address performance thresholds, and continues updating rules to address circumvention.
Outbound Investment Restrictions
The U.S. is developing outbound investment screening for AI and other sensitive technologies in countries of concern, potentially restricting U.S. investment in Chinese AI companies.
Allied Export Control Coordination
The U.S. coordinates with allies through mechanisms like the Wassenaar Arrangement to harmonize controls on AI and emerging technologies.
Penalties for Violations
Civil Penalties
Export control violations can result in fines up to the greater of $300,000 or twice the transaction value, denial of export privileges, and exclusion from government contracting.
Criminal Penalties
Willful violations can result in criminal prosecution with fines up to $1 million per violation and imprisonment up to 20 years for individuals.
Voluntary Self-Disclosure
Companies discovering violations should consider Voluntary Self-Disclosure (VSD) to BIS, which can result in reduced penalties, settlement opportunities, and demonstration of compliance culture.
Conclusion: Navigating Complex Export Compliance
Export controls for AI technologies are complex and rapidly evolving. Companies must classify AI products and technologies correctly, screen customers and end users comprehensively, implement robust compliance programs, monitor regulatory developments, and consult specialized counsel for complex transactions.
Proactive compliance prevents costly violations and positions companies to navigate geopolitical technology competition successfully.
Contact Rock LAW PLLC for Export Control Compliance
At Rock LAW PLLC, we help AI companies navigate export control requirements.
We assist with:
- Export control classification analysis
- License application preparation and strategy
- Compliance program development
- Customer screening procedures
- Deemed export planning
- Voluntary Self-Disclosure representation
Contact us to ensure your international AI activities comply with U.S. export control regulations.
Rock LAW PLLC
Business Focused. Intellectual Property Driven.
www.rock.law/