Aligning Export Controls with National Security Priorities
James A. Lewis, Rachel S. Wolkowitz, Evelyn L. Remaley
September 2025
Executive Summary:
Rescinding the AI Diffusion rule provides a significant opportunity to strengthen U.S. leadership in the global AI market while protecting national security. Other nations around the world are developing their own AI capabilities and they will do so with or without the U.S. We argue that there is a strategic necessity to ensure that U.S. companies, rather than competitors from China, lead the global market for AI services and infrastructure.
We propose replacing the administratively intensive licensing requirements embodied in the AI Diffusion rule with a streamlined system based on transparency and “Know Your Customer” (KYC) and “due diligence” principles. This would allow American companies to rapidly deploy AI technology globally while maintaining robust oversight through reporting and monitoring systems.
The new framework emphasizes transparency and accountability over licensing processes and draws on successful precedents from export controls for encryption and weapons of mass destruction, and takes advantage of new technology. Exporters would provide monitoring data to the Bureau of Industry and Security (BIS) through digital dashboards that would track GPU deployments, their utilization and security status, and end-user/end use compliance.
The proposed rule would significantly tighten restrictions on China and other adversarial nations, using bans on advanced AI technology exports, enhanced foreign-direct product rules, and restrictions on exports of U.S. data center facilities in denied countries. It would extend controls beyond GPUs to include chipmaking technologies and access to sensitive cloud computing. We propose a new licensing category “D-6” for these destinations.
Our proposal is that exports would be allowed to any unproscribed destination without a license, subject to KYC and “is informed” rules and reporting and transparency requirements. Exports to proscribed destinations by any exporter would still require a case-by-case review, subject to a presumption of denial.
Our goal is to deny adversaries access to the latest and most critical AI capabilities while ensuring American companies can compete effectively in global markets. Market leadership will promote American influence over AI governance and international standards-setting while securing leadership in the global digital economy. National security requires building America’s technological advantage and export control must adjust to a different world where tech competition has become global. Leading global markets rather than trying to deny access is the way to do this.
Aligning Export Controls with National Security Priorities
The decision to rescind the AI Diffusion Rule removed an immense obstacle to U.S. leadership in AI and its ability to work with partners in building the global digital economy.[i] The next step is to replace the Diffusion Rule with a new regulatory procedure. The goal should be to develop policies and regulations that allow U.S. companies to lead in global markets for AI infrastructure and services. AI is developing around the world, and national security dictates that the U.S. ensure AI is built on an American tech stack.
Specifically, a new rule should allow for faster AI deployment to allies and safe destinations, achieving the twin goals of limiting access to advanced AI by adversaries and ensuring American companies will outcompete China on the global stage. The framework should take into account the successes and failures of the past, and have measurable objectives that can be monitored and enforced in real time. Outcompeting China is not a given, as the Huawei/5G story shows, and trying to remove an adversary’s technology after the fact is expensive. China built most of the world’s 5G telecom infrastructure, and we do not want something similar to happen with AI infrastructure because of American regulation.
A new regulatory framework for AI export regulation can further restrict China’s access to emerging and foundational technologies and expand restrictions on countries where there is a risk of diversion to China, without choking legitimate markets. Revised regulations would help deny our adversaries access to critical elements of AI technology, including advanced chips and infrastructure, as well as training, inferencing, and related AI technology development. New regulations must be clear and pragmatic to allow practitioners and policymakers to ensure implementation and compliance across the public and private sectors. Reducing complexity will increase compliance, while also providing U.S. firms the space needed to advance U.S. leadership in AI technologies globally.
Building the world’s AI infrastructure will ensure that U.S. firms drive the global AI economy, benefiting national security. It also means that the U.S. can work with partner countries to develop the policies and standards for governing AI use, and adversarial nations like China will not have the ability to use their AI market power and infrastructure control as a lever to influence business and security in their favor.
I. Building AI Leadership
Data centers are the backbone of artificial intelligence. They provide the infrastructure and connectivity required to develop, train, deploy, and run AI applications. Data centers house thousands (if not tens of thousands) of specialized processors called graphical processing units (GPUs) designed to handle computationally intensive tasks more efficiently than conventional processors. GPUs are often grouped into large clusters within a data center, allowing for significantly better performance. U.S. national security and economic growth are best served by building data centers and providing the commodities and services needed for the AI infrastructure the world will demand.[ii]
Other countries will build AI and data infrastructures with or without the U.S., and the U.S. cannot use control of its GPU exports to manage this global buildout. The Diffusion Rule mistakenly assumed a U.S. monopoly on advanced chips and that access to those chips is the only relevant mechanism for limiting China’s AI advancements. The AI products and services[iii] of foreign suppliers like China may not be as good as those of American companies, but they are good enough to meet demand if American technology is unavailable or encumbered with regulatory obstacles. This is where the AI Diffusion Rule failed. It undercut U.S. leadership in the global digital economy by weakening the country’s role in building the world’s AI capacity. The longer the Diffusion Rule remains in effect without revision, even if not enforced, the more it risks eroding U.S. leadership while incentivizing other nations to buy alternatives.
One precedent for understanding why leading the AI and data center infrastructure boom is essential comes from the 19th century, when Britain built the global infrastructure for telecommunications.[iv] This provided it with strategic advantage and helped grow both Britain’s economy and that of other trading nations.[v] The world is more complicated now than in 1900 and AI is a much more complex tool than telegraphy, but being the infrastructure builder remains a compelling source of national power. Note that Britain relied on innovation and exports, not export controls, for its success. Applying the lessons of British dominance in telecommunications infrastructure of a century ago and the experience of export controls[vi] over the past thirty years creates a roadmap for U.S. leadership. But to allow U.S. companies to capture global markets, as Britain did in telegraphy, the Administration must rethink export controls.
The heyday of case-by-case licensing for export controls was in the 1980s, focused on military uses;[vii] since 2000, the U.S. has increasingly relied on alternatives to requiring individual licenses for technologies that affect security.[viii] National security risk is now much more complex and connected to economic security, requiring a more sophisticated approach to our control regime.
A more efficient alternative relied on transparency and accountability rather than on filling out paper licensing forms. The best example is the very successful rule developed for encryption in the late 1990s that required exporters to notify BIS of exports and provide technical details on the software being exported.[ix] The rule used self-reporting by exporters for licenses for encryption products (except for recipients on a proscribed list or when BIS decided a proposed export deserved additional scrutiny) instead of licensing.[x] This flexible, license-free approach removed a major impediment to U.S. companies seeking to compete in the rapidly emerging global market for internet software and locked in the dominance of American tech companies while still protecting national security.
The encryption rule was based on an approach developed earlier for items related to the production of weapons of mass destruction (WMD).[xi] Many otherwise harmless technologies can contribute to WMD if exported to dangerous end-users. Requiring a license for all such exports would be substantially burdening legitimate trade and overwhelming the U.S. government’s review capabilities. Another example is the foundry due diligence rule, which creates a rebuttable presumption of AI chip capability by using public lists of vetted chip designers and outsourced semiconductor test and analysis companies. These rules show that BIS can streamline regulatory processes to increase American competitiveness without putting national security at risk.
Know Your Customer Innovations
The alternative approach replaces licensing[xii] and uses “know your customer” (KYC) requirements for exports and “know or is informed” authorities that allow BIS to require a license when it is believed a proposed export was problematic.[xiii] KYC has been used successfully for years to prevent exports to the wrong end-users or uses.[xiv] KYC rules ensure that American technologies are not used in ways that threaten national security and cuts the risk of diversion. KYC requires that exporters become knowledgeable about their customers, transactions, and potential risks of misuse before making an export.[xv] A license is required when an exporter knows or has reason to believe that an export will be used for prohibited purposes, or if the exporter has been informed by the Department of Commerce that an export would present an unacceptable risk.[xvi] In making this decision, BIS actions are guided by open source and intelligence information to identify problematic transactions and address national security concerns. To aid their compliance efforts, the private sector created supporting advisory and private intelligence firms to help companies identify and avoid risky transactions.
KYC reduces administrative burdens without increasing technology transfer risk. Exporters must maintain accurate and complete records of their transactions, including customer information, end-use statements, and screening results. Exporters who fail to adequately exercise KYC face, as is the case with nonproliferation, the loss of export privileges in addition to substantial monetary penalties—a severe punishment. The threat of this is enough to ensure compliance.
New rules based on KYC and transparency would let the U.S. retain insight in global AI and the ability to deny essential post-export services that are critically important for data centers to keep running, whether they are owned and operated by the exporter, collocated in a third-party facility, or utilize cloud services. Post-export connectivity, since data centers and GPUs are usually digitally connected to the exporter or even managed by them, and require updates and patches on a regular basis—also provides a strong safeguard for U.S. national security.
Preventing Diversion
Diversion is not a new problem. The U.S. has dealt with diversion successfully in the past by imposing transparency and reporting requirements, establishing end-use and end-user restrictions, and providing additional export enforcement resources to ensure these restrictions are observed. Managing diversion risk requires regular reporting from exporters to BIS on exports (on destination and quantity). It also requires ensuring BIS has access to robust global trade data and analytical tools, and the staff to monitor the reported data and related dashboards, issue “is informed” letters, and otherwise implement the framework. The precedent for managing diversion comes from export controls designed for non-proliferation, where diversion (of missile parts, for example), was brought under control using a combination of diplomatic pressure, law enforcement, intelligence, and regulatory tools. A similar approach can minimize GPU diversion to prevent risks to national security.
Concerns that China or others will use foreign data centers to run sensitive military or intelligence applications reflect a lack of real-world experience. Few nations, and certainly not the U.S. or China, will allow sensitive applications like weapons design to be performed outside their national territory or on infrastructure located in another country. This would violate the most basic tenets of counterintelligence, and the Chinese are even more paranoid than most on such matters. Chinese commercial enterprises will use foreign data centers and AI services for business purposes, but unless the goal is to attempt to stifle the Chinese economy, commercial use does not pose a threat to national security. A few analysts fear China is using foreign data centers and AI resources – perhaps through proxies – to gain access to high powered chips and train AI models for use in China. There is limited evidence to support this charge, but it is a near term problem given China’s indigenous capabilities. Importantly, it is best addressed by creating KYC and “is informed” rules for AI.
As with WMD proliferation, active monitoring can prevent diversion. If diversion occurs (due to either criminal intent or lax corporate compliance), it should be punished, but rules to prevent diversion cannot be written to also prevent America from working closely with allies and partners to create a new global infrastructure. The robust application and enforcement of KYC and “is informed” rules, combined with a continued ban on exports of the most advanced chips to China and Chinese entities, minimizes risk. This is because, with or without licensing, China will find ways to access AI, and trying to prevent Chinese access to widely available technology is not a recipe for success. The best approach to diversion is to support U.S. market leadership using transparency and accountability for U.S. vendors.
U.S. companies provide AI in other countries using a variety of business models, often determined by the AI services being offered, the target market, and the regulatory landscape. Cloud services are one approach. Cloud providers offer AI tools that allow companies to obtain GPU capacity and ensure reliable access. Cloud-based services like Software-as-a-Service (SaaS) or Platform-as-a-Service (PaaS) are perhaps the most common methods.
Some companies license their AI software to be deployed directly on the customer’s own servers in their country. Others will offer partnerships and joint ventures, collaborating with local companies and governments. Larger U.S. AI companies may establish a direct presence in key markets. It is in America’s best interest to encourage this diversity, since it helps make American companies the centerpiece of the global digital economy and establishes U.S. companies as the AI infrastructure providers and operators. New regulations should be written to strengthen digital economic activity and interdependence to support U.S. national interests.
Create Real-Time Awareness With Dashboards
A new generation of export controls can take advantage of the immense increases in connectivity and processing power now available to create a new way to manage risk by using “dashboards” to track and manage exports. A dashboard is a visual representation of searchable and sortable data on key performance indicators and data (like use and location) that provides an overview of GPU performance, leveraging modern-day connectivity. Sharing the kind of information visible in a dashboard is a common practice for sectors like telecom, energy, aviation, and robotic manufacturing. Vendors already retain a high degree of connectivity with customers and products, who provide information to ensure reliable operations, provide maintenance and updates, and detect problems early on.
An AI export dashboard could consolidate data submitted by different exporters into a single, accessible location (best located in the Department of Commerce). Companies would provide export data on a regular basis to create continuous monitoring and enable intervention. BIS would aggregate and review exporter data to provide the U.S. with insights and control it does not currently have. Unauthorized use would be detectable, and the ability to deny updates would provide control. This would provide visibility to the end-user and intended end-use, expose diversion risk in ways that licensing cannot, and create an ability to intervene in a way that license requirements do not.
Exports Do Not Create Shortages
AI exports are in America’s best interest, but some worry that expanding the market could lead to shortages. While recent years have seen occasional periods of high demand and tight supply for GPUs, a widespread shortage of AI-capable GPUs is unlikely, especially one created by exports. Chipmakers are spending billions of dollars to expand their production capabilities, including in the U.S. These investments are aimed at meeting the soaring demand for AI chips and strengthening the supply chain. While a few companies currently dominate the AI chip market, their competitors are investing heavily and developing their own AI-optimized chips.
Technologies that aim to reduce computing costs and maximize GPU utilization while reducing the number of chips needed also help eliminate the risk of shortages. Tools for software optimization can enable efficient use of GPU resources, effectively doing more with fewer chips. Companies are aggressively scaling up to meet demand. This investment, diversification, and optimization collectively make a shortage of GPUs for AI improbable. Increasing competition and diversification of hardware makers reduces the risk of shortages. The U.S. is best placed to take advantage of larger markets that provide AI leadership. AI is reshaping the digital economy, and, with this, U.S. strategy and regulation must also change if it is to ensure leadership in building the global infrastructure for the 21st-century economy. The metrics for success are market share, revenue, presence, and partnerships, and export regulations should be judged by how they affect these metrics.
II. A New Rule Can Enable U.S. Firms to Compete Globally
The President’s Executive Order 14179, Removing Barriers to American Leadership in Artificial Intelligence, declared that it is U.S. policy “to sustain and enhance America’s global AI dominance in order to promote human flourishing, economic competitiveness, and national security.”[xvii] Subsequently, the America First Investment Policy sets out a policy for “fast-tracking” technology investments involving “allied and partner sources” based on their “verifiable distance and independence from the predatory investment and technology-acquisition practices of the PRC and other foreign adversaries or threat actors.”[xviii] Together, these two policies create a foundation for a new AI export control regime that fast-tracks deployment to trusted partners with transparency and KYC requirements, while placing greater scrutiny and controls on known adversaries and their partners.
Building on the principles described in the previous section, a new rule would allow the export of AI compute, GPUs, etc. (but not certain means of production) with advance notification to BIS, provided the export was not to an identified country of concern or a denied end user. The exporter would be required to notify BIS 30 days in advance of export. If BIS did not notify the exporter of an objection within 30 days, the export would be permitted. If BIS required more time to consider the export, it would inform the exporter of this within the thirty-day period. Exports to either a Denial Country or a denied end user would require a license, with a presumption of denial.
Bans on Entities and Countries That Pose Unacceptable Risks
A new rule would impose more restrictions than the AI Diffusion Rule on access to advanced AI technology by a group of countries that either are considered adversaries or represent a substantial risk of diversion to adversaries (Denial Countries). BIS would identify Denial Countries in a new Country Group, a new “D6 – AI Control,” when foreign nations pose specific risks with respect to AI. As the AI risk goes beyond weapons systems to include technology dominance, critical infrastructure disablement, and economic disruption, creating a new control class will ensure that BIS controls are neither overly broad nor under-inclusive, but instead targeted at countries that present specific AI risk.
As the goal is to increase U.S. market share in AI technologies, it will be necessary to tailor the controls to active threats. The new rule would expand the list of items not permitted for export to the Denial Countries related to the development and use of AI technology. In addition, sales and exports to those identified on the BIS Entities List would also be prohibited, including by imposing the foreign-direct product rule (as advanced AI chips are manufactured outside the U.S.). In both cases, the provision of services, sales, and exports would be available via individual license with a presumption of denial. These controls would act as a much-needed brake to slow China’s technology advances.
The new rule should replace the current benchmarks that use metrics like Total Processing Power (TPP), the 1026 closed model operations weights, and TPP allocation/country cap restrictions. Revised export controls can include other enabling technologies such as chip making technologies, aggregations of lower capacity chips used to train AI models (e.g., those more sophisticated than H20 chips), cloud computing, and SaaS, to prevent access to or easy assembly of large quantities of and lower performance AI-enabling technology. For example, the replacement would build on existing controls on U.S. chipmaking technology. Equipment most critical for advanced chips and all U.S. equipment for Chinese fabs seeking to produce advanced AI chips is already controlled. It should also reinforce allies’ controls on comparable foreign technology and ensure that current rules adequately cover controlled GPUs (meaning integrated circuits, electronic assemblies, and servers with ECCN 3A090.a), advanced CPUs, and data center compute services.
With respect to chipmaking technology, the new Rule would continue to restrict the export and reexport of lithography and other machines used to create advanced chips. BIS would continue to work with key suppliers in other countries to mirror these controls, such as Japanese, Dutch, and German firms that produce key components of the chip production supply chain. To the extent key suppliers cannot fully mirror U.S. controls, BIS should extend the foreign-direct product rule[xix] to restrict additional foreign-made tools to ensure effectiveness. The regulation would apply to controlled GPUs above a certain threshold. These new controls would complement recent rules—such as the Department of Justice’s Bulk Sensitive Data Rule—focused on placing controls on the flow of U.S. sensitive data to entities with a nexus to a foreign adversary. Finally, this would prohibit U.S. firms from building, operating, or offering data center services in Denial Countries.
American companies already operate data centers in China. This is actually beneficial for the U.S. global market share. These pose minimal risk when accompanied by restrictions on end-use and end-users, and by the use of dashboards to provide transparency for BIS. American companies operating data centers in China should be among the first to implement real-time dashboard monitoring. Exports of new or additional GPUs to these American companies would be allowed under individual licensing.
Real-Time Reporting and Awareness for BIS
To mitigate the key BIS concern of the diversion of sophisticated AI capabilities to adversaries, all exporters would report the export and deployment of AI capabilities above a certain threshold, such as energy consumption over 2500 KW, on a quarterly basis to permit real-time awareness. To streamline this requirement, BIS should create a government dashboard and portal where companies will report to BIS.
Until the government dashboard is operational, companies and exporters could create their own dashboards and either provide access to BIS or supply information to BIS, so that the creation and deployment of a BIS dashboard does not delay the implementation of the new rule. It is critical that this new process move at the speed of business. The dashboard would provide real-time status of AI-related exports, including data centers, GPUs, customers, and workload type (e.g., training, inferencing, etc.) to BIS. The Controlled GPU Dashboard’s design will allow a human to read and understand the status in addition to having organization and data for sufficient machine readability. A Security Dashboard could demonstrate continuous compliance based on NIST 800-53 “Security and Privacy Controls for Information Systems and Organizations.”
Due Diligence and Know Your Customer (KYC) processes
All exporters would be prohibited from exporting to any entities designated for export control on the Consolidated Control List, and they would require contractors to attest to compliance requirements. A brightline list of prohibited and authorized entities provides the most assurance for exporters to avoid high-risk transactions. BIS would also work with its partners in the Intelligence Community to improve information sharing between the Intelligence Community and vendors and to assist industry in detecting and avoiding sophisticated diversion networks that rely on investment strategies and complex corporate structures to defeat commercial KYC efforts.
Enabling Smaller Transactions
The new rule would provide a general authorization for controlled GPUs. Companies could export controlled GPUs up to 2500 KW of energy consumption while reporting those exports to BIS without the quarterly reporting and dashboard requirements discussed above. Server-class GPUs would be permitted with reporting irrespective of energy consumption. BIS would permit exports provided (i) the export was not to a Denial Country, (ii) the export notified BIS 30 days ahead of the export, and (iii) BIS did not object. If BIS objects and requires more time to review the export, BIS must adhere to a timeline for further examination, such as an additional 60 days for review.
Advisory Opinions and Compliance
As a key component of the new rule, AI technology exporters could request an advisory opinion from BIS in advance if questions arise regarding the regulatory risks of a transaction. BIS would provide guidance to industry so that companies have a sense of (i) entities or countries that have been banned, (ii) who presents risk based on assessment of policy/data to date, and (iii) who BIS has approved for licenses/transactions. This transparency can create a market for services to aid planning, compliance, and the identification of risk. BIS would periodically reexamine the thresholds and appropriately increase the levels consistent with the evolution of AI technology.
Revising Export Requirements
The new framework streamlines the needlessly burdensome reporting and third-party audit requirements of the AI Diffusion Framework. This will create an expedited path for AI technology vendors and strengthen export controls against China and other prohibited end users and end uses, prevent diversion of controlled AI technology, and permit the government to have real-time information on AI deployments around the world. Data center location is based on many elements, including electric power, bandwidth, supply chains, tariffs, and governance. American companies should be able to rapidly deploy AI data centers based on market conditions. Each vendor would need to report regularly and certify annually that they have met certain requirements, such as having physical, cybersecurity, and supply chain risk mitigation plans, and avoidance of transactions with consolidated screening list entities. A revised program would allow U.S. firms to ship designated items under a general authorization instead of individual export licenses. BIS will schedule and update a list of classes of entities and specific entities that fall under the general authorization in the Federal Register, similar to BIS’s approach to the foundry due diligence rule. This would better guide BIS as well as industry resources to adopt holistic compliance rather than cumbersome, one-off, case-by-case
[i] Press Release, Bureau of Industry & Security, Department of Commerce Announces Rescission of Biden-Era Artificial Intelligence Diffusion Rule, Strengthens Chip-Related Export Controls (May 13, 2025), bis.gov/press-release/department-commerce-announces-recission-biden-era-artificial-intelligence-diffusion-rule-strengthens-chip.
[ii] In addition to export control rules, factors such as access to energy, land, connectivity, ease of the permitting/regulatory environment, cost of labor, etc. will also affect the locations and disbursement of data center development across the globe, making it essential for U.S. players to partner early with allied nations and suppliers to ensure security is baked in from the outset and U.S. origin technology prevails.
[iii] BIS created a new EAR section 744.6(b)(5) in 2021 to implement ECRA authorities. The EAR now prohibits U.S. persons, wherever located, from “supporting” without a license a “military-intelligence end use” or a “military-intelligence end user.” BIS also expanded the scope of the EAR’s end-use controls; activity is now controlled when a U.S. person “knows that its activities will support a covered military-intelligence application.” (The previous standard was “will directly assist”). ECRA section 4813(d)(1)(B) authorized BIS to implement controls on “activities that may support covered applications” and has been interpreting the new definition of “support” to include services.
[iv] See Elizabeth Bruton, British cable telegraphy in World War One: The All-Red Line and secure communications, University of Leeds & Oxford Museum of the History of Science: Innovating in Combat: Telecommunications and Intellectual Property in the First World War (Aug. 19, 2014), https://blogs.mhs.ox.ac.uk/innovatingincombat/british-cable-telegraphy-world-war-one-red-line-secure-communications/index.html.
[v] Id.
[vi] James Lewis, Comments on BIS-2025-0001: Framework for Artificial Intelligence Diffusion, Project on Technology and National Security (May 6, 2025), https://www.technologyandsecurity.org/framework-for-artificial-intelligence-diffusion/
[vii] See Christopher A. Casey & Paul K. Kerr, The U.S. Export Control System and the Export Control Reform Act of 2018, Congressional Research Service (June 7, 2021), https://www.congress.gov/crs-product/R46814 (providing a brief history of export controls) (CRS, The U.S. Export Control System and the Export Control Reform Act of 2018).
[viii] Id. at 4 (“A long-standing concern with export controls has been their effect on U.S. competitiveness when a comparable good is available abroad. In such situations the U.S. export control both fails to achieve its ends while also limiting the ability of U.S. firms to compete in the controlled market.”)
[ix] See Export Administration Regulation; Simplification of Export Administration Regulations, 61 Fed. Reg. 12714 (Mar. 25, 1996); Executive Order 13026, Administration of Export Controls on Encryption Products, 61 Fed. Reg. 58767 (Nov. 15, 1996); Encryption Items Transferred From the U.S. Munitions List to the Commerce Control List, Interim Rule, 61 Fed. Reg. 68573 (Dec. 30, 1996) (collectively, the “1996 Encryption Rule”).
[x] 1996 Encryption Rule; Encryption and Export Administration Regulations (EAR), Bureau of Industry and Security, U.S. Department of Commerce, https://www.bis.doc.gov/index.php/policy-guidance/encryption (last visited Sept. 29, 2025) (BIS Encryption Guidance).
[xi] See generally CRS, The U.S. Export Control System and the Export Control Reform Act of 2018; BIS Encryption Guidance.
[xii] BIS Encryption Guidance; Guidance on end-user and end-use controls and U.S. person controls, Bureau of Industry and Security, U.S. Department of Commerce, https://www.bis.gov/licensing/guidance-on-end-user-and-end-use-controls-and-us-person-controls (last visited Sept. 29, 2025) (BIS, Guidance on end-user and end-use controls and U.S. person controls).
[xiii] See generally 1996 Encryption Rule.
[xiv] Supplement No. 3 to Part 732 – BIS’s “Know Your Customer” Guidance and Red Flags, Bureau of Industry and Security, U.S. Department of Commerce, https://www.bis.gov/node/1533 (last visited Sept. 29, 2025); BIS, Guidance on end-user and end-use controls and U.S. person controls.
[xv] For example, exporters screen customers against various government lists, including the Denied Persons List of individuals and companies barred from export privileges, the Entity List of parties posing a risk of diverting items to prohibited activities, the Unverified List, parties BIS has been unable to conduct end-use checks, and the Specially Designated Nationals and Blocked Persons List. See Consolidated Screening List, International Trade Administration, https://www.trade.gov/consolidated-screening-list (last visited Sept. 29, 2025) (providing the public with a list of parties for which the United States Government maintains restrictions on certain exports, reexports, or transfers of items).
[xvi] See 15 C.F.R. 772.1 (defining “knowledge” for the purposes of the Export Administration Regulations).
[xvii] Executive Order 11179, Removing Barriers to American Leadership in Artificial Intelligence, 90 Fed. Reg. 8741 (Jan. 23, 2025).
[xviii] Memorandum on America First Investment Policy (Feb. 21, 2025), https://www.govinfo.gov/content/pkg/DCPD-202500292/pdf/DCPD-202500292.pdf.
[xix] The Foreign Direct Product Rule (FDPR) extends the reach of the Export Administration Regulations to foreign-produced items if they are the direct product of certain controlled U.S. technology or software. The U.S. has used the FDPR to restrict foreign companies from supplying certain advanced chips to specific Chinese entities by prohibiting the use of US-origin design software or manufacturing equipment without a license.