Emerging Risk: Export Controls Compliance in New Technologies

Companies on the vanguard of artificial intelligence, semiconductors and large-scale data infrastructure are confronted with a growing responsibility to protect innovation and keep their products out of adversarial hands. Export controls face a new frontier in emerging technologies and are increasingly being used to protect national security. Companies that traditionally were not subjected to export controls are now in the crosshairs of regulators, requiring an acknowledgement of this new reality and developing appropriate risk management 1

Staying constant, though, is the practice of governments effectively deputizing companies to police the control of sensitive goods and information in support of their national security efforts. At their core, export controls aim to achieve the objective of advancing foreign policy and national security interests by restricting sensitive exports that could be misused by nation-states and threat actors. Controls extend well beyond hardware to include technical data, software, services and other intellectual property.

The evolving regulatory landscape presents challenges for companies to keep pace. Regulations are changing, some may not be consistently enforced and some may not seem applicable, but that could all change in an instant. With limited time, resources and control over the situation, companies must develop an agile and adaptable playbook for responding to new risks and new obligations.

New Threats and Compliance Challenges

Emerging technologies flagged by regulators as bearing dual-use or strategic potential are especially sensitive.2 Similarly, adversaries — or even countries with tepid relations — are constantly seeking ways to gain a competitive edge. A breakthrough chip or AI model can be like a high-octane engine: capable of extraordinary performance, but dangerous if used improperly. Companies cannot afford to cut a corner short on risk and compliance. This is especially true regarding diversion risks, which occur when exports are rerouted to an unauthorized user, violating certain regulations or export controls. Without proper due diligence and compliance programs that account for diversion risks, exporters face damaging financial, reputational and legal implications.

Internal access can be as risky as international shipment. Deemed export violations can occur when a foreign adversary or bad actor gains insight of controlled technology inside the company, making personnel a potential release valve along a high-pressure pipeline. Businesses must relentlessly enforce access controls, vet employees and their roles and document approvals. Insider threats, whether by design or accident, can quickly turn small lapses into huge leaks. Essential lines of defense include marrying export control considerations with cybersecurity programs and holding regular audits.

The obligation, however, doesn’t stop with the primary company; responsibility extends downstream in the supply chain. Partners, distributors and resellers are all on the hook, too — and the absence of contractual safeguards, strong vetting and other due diligence can spell disaster. Companies should regularly invoke their right to audit clauses in their customer or partner agreements to test their third parties’ compliance controls and use their leverage to drive compliance enhancements that reduce risk exposure. Regulators no longer allow original equipment manufacturers (“OEMs”) and hyperscalers to simply blame their partners or suppliers for compliance violations. It is critical to understand and control the risk your counterparties are putting on your company.

Beyond internal controls, companies are also confronted with the escalating threat of diversion networks, which are increasingly sophisticated, often state-sponsored channels that can redirect controlled products and sensitive technology across jurisdictions to foreign adversaries and other unauthorized end users. Such networks might rely on shell companies or dubious third-party brokers in an attempt to circumvent controls. Troublingly, compliant or otherwise well-intentioned shipments can still run off course. For companies working with data centers, semiconductors or AI, diversion networks may be particularly insidious given how quickly they can be replicated or applied in a manner that’s tough to trace.

Enhancing Compliance

Export compliance in what used to be a nascent space is now non-negotiable. In a fractured regulatory landscape with overlapping, yet sometimes competing policies emerging from the United States, European Union, UK and other jurisdictions, a sound, risk-based export controls compliance program can serve as a company’s GPS tool. This is doubly true for new terrain like emerging tech.

Developing a compliance risk management framework requires a risk assessment first. Identify what risks exist, including those that are most critical, what regulatory threats are applicable, and then build a plan to mitigate those risks accordingly. This process can be aided by mapping which products, software and technical data are controlled, and then implementing controls and allocating resources like people, governance processes, analytics, training and auditing where exposure risk is highest. Advanced AI algorithms, chip designs, high-end computing components and sensitive cloud infrastructure require the greatest scrutiny.

Regulators expect proactive risk spotting, efficient mitigation and nonstop tracking of technology transfers — which can’t happen without sponsorship from leaders and a broader culture of compliance buy-in. Companies that implement and maintain flexible, risk-based programs, control internal access points and responsibly oversee their supply chains, are better positioned to protect both their own interests and potentially even national security objectives. Properly managing export controls becomes a differentiator because these compliance frameworks provide guidance for how a company should respond to a specific incident and offer a solid foundation for enterprise-wide risk management.

What’s Next

Determining what a government is truly focused on can be achieved by analyzing the common themes of related regulation — chief among those in the United States is preventing adversaries from obtaining certain goods, services and technologies. This is the premise behind the design of export controls. Knowing that the ultimate objective is keeping advanced U.S. technology from reaching prohibited end users, companies should therefore build compliance programs with that end goal in mind. How each company chooses to do that depends on their risk tolerance, but the foundational tools of export controls and sanctions compliance provide a proven playbook.

While simple in theory, the best way to prevent controlled products and technology from ending up in the wrong hands is to know who you are doing business with, who the ultimate end user of your product or service is and what they are using it for. Confidently answering those questions and clearly articulating the steps taken to reach that conclusion can help mitigate risk. In today’s business environment characterized by complexity and heightened geopolitical risk, operating without a modern export controls compliance program is like flying blind through zero visibility and without the instruments needed to navigate risk safely.

Footnotes:

1. Bureau of Industry and Security, U.S. Department of Commerce, “Emerging Technology Division

2. Ibid.

Related Insights

Published

January 06, 2026

temp Key Contacts

Breck Heidlberg

Managing Director

Most Popular Insights

  1. Navigating Tariffs: 10 Strategies to Protect the Bottom Line
  2. The Hidden Risk for Data Centers That No One is Talking About
  3. It’s La La Land Again in Financial Markets
  4. Geopolitical Risk Management: No Longer Just a “Nice to Have”, But a Corporate Imperative
  5. Corporate Sustainability Report

Sign up to get access to FTI Consulting Insights

Subscribe