How research institutions deploy AI for federally funded research while meeting EAR and ITAR export control requirements, IRB approvals, and federal grant compliance obligations.
Research institutions sit at the intersection of two competing imperatives: the open exchange of scientific knowledge, which has driven American innovation for decades, and national security concerns that restrict the international sharing of certain technologies and data. When research institutions adopt AI systems — particularly cloud-based AI services — they may inadvertently trigger export control violations by transferring controlled technical data across borders without appropriate licenses.
The problem is particularly acute in research environments where:
Federal export control regulations are complex, heavily enforced, and carry severe penalties for non-compliance. Violations can result in civil penalties up to $300,000 or twice the value of the violation per violation, criminal penalties including imprisonment, debarment from federal contracts, and reputational damage that can destroy institutional research programs.
The Export Administration Regulations (EAR), administered by the Bureau of Industry and Security (BIS), control the export of "dual-use" items — commercial products and technologies that have both civilian and military applications. Most AI-related exports fall under the EAR rather than ITAR.
| EAR Concept | Definition | AI Research Implication |
|---|---|---|
| Export | Physical shipment abroad, or release of technology/source code to foreign nationals within the US. | Loading controlled AI code onto a cloud server in another country = export. A Chinese graduate student accessing controlled AI tools in your lab = export to China. |
| ECCN (Export Control Classification Number) | A five-character alphanumeric code that identifies the reason for control (national security, anti-terrorism, etc.). | Many AI algorithms, encryption tools, and cybersecurity tools have ECCNs. Determine the classification before deploying any AI system. |
| Deemed Export Rule | A foreign national's access to controlled technology in the US is "deemed" an export to their home country. | Foreign students, postdocs, and visiting scholars must be screened before accessing controlled AI systems. Training is often required before access is granted. |
| License Requirement | Some exports require a license from BIS based on the ECCN, destination country, end use, and end user. | Exporting AI software with ECCN 5A992 (advanced encryption) to China likely requires a license. Publicly available fundamental research generally does not. |
| Public Domain Exclusion | Technology that is published or otherwise publicly available is excluded from EAR controls. | If your AI research is published openly (papers, preprints, GitHub repos), it may be considered public domain and exempt from EAR controls. But this excludes collaborative work with industry partners or government funding. |
| University Technical Assistance Agreement (UTAA) | A mechanism for providing technical assistance to foreign entities without requiring individual licenses. | If your institution provides AI training or technical assistance to foreign entities under a government contract, a UTAA may be required instead of individual licenses. |
The EAR imposes near-total embargo on exports to Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine. Exports to China, Russia, Venezuela, and Myanmar face significant licensing requirements. Using cloud AI systems that operate in these jurisdictions may constitute illegal exports.
The International Traffic in Arms Regulations (ITAR), administered by the Directorate of Defense Trade Controls (DDTC), controls the export of defense articles and services listed on the United States Munitions List (USML). While most AI falls under EAR, defense-related AI systems fall under ITAR and are subject to stricter controls.
| Defense Article Category (USML) | Examples | AI Application |
|---|---|---|
| Category XI — Guidance and Control Systems | Guidance systems for missiles, rockets, drones | Autonomous navigation AI for unmanned systems, target tracking algorithms, missile guidance machine learning models. |
| Category XII — Military Electronics | Radar, electronic warfare systems, communications jamming | Cybersecurity AI for classified networks, adversary detection systems, electronic warfare signal processing AI. |
| XIII — Cyber Technologies | Cyber tools designed to attack computer systems | Offensive cyber AI, vulnerability discovery automation, exploit generation AI systems. |
| XIV — Unmanned Systems | UAVs, UUVs, and related systems | Autonomous drone AI, swarm coordination algorithms, autonomous mission planning systems. |
| XV — Space Systems | Satellites, launch vehicles, space-based weapons | Orbital trajectory AI, satellite autonomy, space situational awareness systems. |
Dual-use research refers to biological, chemical, physical, or computational research that could be used for beneficial civilian purposes but also could be misused to cause harm. The Biden administration has issued guidance on managing dual-use research of concern (DURC), and AI amplifies the dual-use nature of many research projects.
Federal funding agencies have increasingly specific requirements for AI-related research, extending beyond standard human subjects and data protection protocols.
| Requirement | Details |
|---|---|
| Data Management Plans (DMP) | Describe how data will be collected, stored, shared, and protected. For AI projects, describe data sources, preprocessing, and potential biases. |
| AI-specific guidelines | NSF's AI for Science initiative emphasizes responsible AI practices, including fairness, transparency, and societal impact assessments. |
| Computing infrastructure disclosure | Describe computing resources used for AI training, including whether cloud services were employed and their geographic location. |
| Human subjects protection | If AI uses human-generated data (text, images, sensor data), ensure proper consent and IRB coverage. |
Before deploying any AI system in a research environment, you must determine whether it requires export control review. The classification process involves identifying the technology, determining applicable controls, and documenting the analysis.
| Classification Step | Action Required | Typical Timeline |
|---|---|---|
| Is it EAR or ITAR? | Determine if the technology is on the US Munitions List (ITAR) or has commercial/dual-use applications (EAR). | 1 day — Review USML and CCL classifications. |
| Identify the ECCN | For EAR items, find the appropriate Export Control Classification Number in the Commerce Control List. | 1-3 days — May require consultation with vendor or BIS resources. |
| Check License Requirements | Determine if the ECCN + destination country combination requires a license. Use the BIS Country Chart. | 1 hour — Use online licensing tool if ECCN is known. |
| Apply License Exceptions | If a license is required, check if any license exceptions apply (e.g., ENC, TSR, TMP for temporary imports). | 1-2 hours — Documentation of exception justification needed. |
| File if Required | Submit License Exception Report (LBR) or formal license application to BIS or DDTC. | LBR: Immediate; Formal license: 30-90 days minimum. |
On-premise AI deployment provides research institutions with the control and flexibility needed to navigate complex export control regimes while maintaining research productivity.
Export control compliance is not optional in research environments — violations carry severe civil and criminal penalties. Begin by engaging your institutional export control office, classifying your AI systems, and implementing controls that satisfy EAR, ITAR, and grant requirements.
BPI helps research institutions deploy AI that satisfies export control requirements from day one. Our Privacy-First AI engagements include export control analysis and compliant architecture design. Learn more about our education and research AI services. Book a consultation to discuss your specific regulatory requirements.
Privacy-first AI for universities and research institutions. Federally-funded research support, compliance-first architecture.
Learn More →Compliant infrastructure design for export control, CMMC, and other regulatory frameworks.
Explore Service →Talk to our team about your export control requirements and AI use cases.
Get Started →Book a free 30-minute consultation. We'll discuss your funding sources, export control obligations, and how on-premise AI enables compliant research. No pressure. No pitch deck.
Book a Free ConsultationNo commitment. No sales pitch. Just a conversation. We respond within 24 hours.