Managing Export Controls Compliance Across Advanced Technology Sectors

For manufacturing and technology companies, navigating U.S. export controls has become a strategic imperative. The U.S. Commerce Department’s Bureau of Industry and Security (BIS) has continued to expand the reach of the Export Administration Regulations (EAR) across a growing range of advanced and dual-use technologies — with new licensing obligations emerging around artificial intelligence, semiconductors, and quantum computing. These measures reflect a broader U.S. strategy to protect sensitive capabilities from adversary acquisition, reshaping compliance obligations for global technology companies across sectors.

Companies that design, manufacture, or supply dual-use goods face added complexity. As AI chips and quantum processors increasingly serve both civilian and military applications, determining whether a transaction requires a license has become a defining compliance challenge — one driven not by the apparent purpose of a sale, but by the specific end-use, end-user, and destination controls that govern each transaction under the EAR.

Effective export controls compliance extends beyond checking just your direct buyers, since third-party distributors or front companies may be used to mask the final destination of sensitive technologies. Diversion risks can arise from transshipment networks, resellers, and entities with undisclosed military affiliations.

The Evolving Landscape Around Export Controls

In a concerted effort to safeguard national security, BIS has introduced a series of updates to its export controls framework in recent years. These changes directly affect compliance leads, legal teams, and product security officers at companies building or exporting advanced chips, AI models, cloud services, or computing infrastructure.

In September 2024, BIS issued an interim final rule extending controls to quantum computing items and Gate-All-Around Field-Effect Transistor (GAAFET) technology, meaning organizations must assess whether their products fall under a broader range of technology controls. Under the "Implemented Export Controls" (IEC) framework, BIS introduced new classifications — such as ECCN 4A906 for quantum computers and ECCN 3E905 for GAAFET production technology — to harmonize controls with key international partners.

A January 2025 BIS interim final rule imposed controls on AI “model weights,” the numerical parameters that determine how advanced AI models function, with the new classification ECCN 4E091. These items now require licenses for exports worldwide, with only narrow exceptions for close U.S. allies. The rule also applies a new Foreign Direct Product Rule (FDPR), subjecting even foreign-produced AI model weights trained on U.S. technology to U.S. jurisdiction. This marks a significant step in U.S. AI export control efforts to prevent adversaries from accessing frontier models. In the interim final rule, BIS also established a worldwide license requirement for integrated circuits and computers containing integrated circuits controlled under ECCNs 3A090 and 4A090.

Alongside these updates, BIS has continued to expand its Entity List to include firms involved in advanced chip design, foundry operations, and AI development. Due to the “presumption of denial” license review policy for most listed parties, these listings effectively cut off access to critical technologies unless a license is granted.

This risk is further complicated by the BIS Affiliates Rule. Although enforcement of this rule is currently paused until late 2026, it signals a fundamental shift in regulatory expectations. Once fully implemented, the rule will mirror OFAC's 50 Percent Rule, automatically extending licensing restrictions to unlisted foreign parties that are majority-owned by parties on the BIS Entity List or Military End-User (MEU) List, or by Specially Designated Nationals (SDNs) designated under specific programs. Despite the pause, many organizations are currently using this window to gain visibility into ownership structures, as diversion involving non-listed affiliates remains a primary tactic for evasion.

For leaders at chipmakers, AI firms, quantum research labs, cloud providers, and beyond, the result is a regulatory regime with global reach, strict presumptions of denial, and heightened due diligence expectations. The expanding scope of BIS controls has added considerable complexity to longstanding compliance obligations to monitor evolving rules, identify reseller diversion risks, and scrutinize parties such as freight forwarders, logistics companies, and other service providers involved in transshipment networks.

AI, Semiconductor, and Quantum Export Controls Compliance Challenges

Technology companies today face a complex compliance environment shaped by both regulatory expansion and the increasing sophistication of evasion networks.
While many organizations are proficient at screening against obvious risks, they may fail to detect when buyers in traditionally "low risk" jurisdictions act as resellers. U.S. authorities have identified cases where entities in certain third countries are used as diversion points, reselling restricted advanced technology components to prohibited end-users. These evasion networks exploit global distribution relationships, often using intermediary or front companies to procure U.S.-origin technology through complex transshipment routes that obscure the ultimate destination.

The Technical Classification Burden

Organizations also struggle with the extreme technical granularity of the new controls. Determining whether a product requires a license is not a simple checkbox exercise; it may require deep technical or engineering input.

• For AI (ECCN 4E091): Classifying "model weights" requires knowing if the model was trained using more than 1026 computational operations.
• For semiconductors (ECCN 3E905): Exporters must identify technology specific to GAAFET structures.

For quantum (ECCN 4A906): Teams must assess whether systems exceed specific qubit counts and gate error rate thresholds. 

Another major obstacle lies in uncovering complex ownership structures, where subsidiaries may be used for procurement purposes. This challenge is compounded by the upcoming implementation of the BIS Affiliates Rule. Even during the current enforcement pause, the inability to map these subsidiaries represents a significant dormant risk. Forward-looking companies are collecting data on these ownership links before the rule fully activates in late 2026, recognizing that the existing BIS “knowledge” standard creates an affirmative obligation to identify diversion risks, rather than ignoring or wilfully avoiding relevant information.

Finally, the rapidly shifting rule landscape adds to the complexity. Frequent updates from BIS necessitate agile businesses that can adjust their screening and due diligence practices as regulations change.

What Recent Enforcement Actions Reveal About Hidden Risk

While physical diversion grabs headlines, recent enforcement actions reveal that the most difficult-to-detect risks often lie in intangible technology transfers and rapid corporate restructuring.

Intangible Transfers and Deemed Exports
A July 2025 BIS settlement involving Cadence Design Systems Inc. serves as a critical warning for the software and semiconductor design sectors. The company paid over $140 million to resolve violations for allowing a restricted Chinese military university to access its chip design software. This case highlights a pervasive blind spot: even well-established firms can overlook red flags when the "export" is not a physical good, but a software license or server access granted to entities with military affiliations.

The "Whac-A-Mole" of Subsidiary Evasion
Simultaneously, corporate structures can shift rapidly. As Kharon analysis revealed, Chinese firms like Shanghai Biren Technology Co., Ltd. have demonstrated a pattern of responding to Entity List designations by rapidly spinning up new, unlisted subsidiaries to sidestep controls. By the time regulators identify and list these new entities, critical technology has often already changed hands.

These evasive maneuvers illustrate why static list screening is no longer sufficient. Businesses must now track evolving ownership structures in real time, anticipating that a new counterparty may be a recently incorporated affiliate of a restricted parent entity.

AI, Semiconductor, and Quantum Export Controls Best Practices

To effectively manage an increasingly complex and expanding export controls landscape, technology companies should adopt a comprehensive, intelligence-driven compliance approach. The regulatory dynamics driving controls on advanced computing, AI, and quantum technologies reflect broader enforcement trends that apply across dual-use sectors — and the best practices below are designed with that wider scope in mind.

• Maintain an up-to-date compliance program: Regularly review and update your internal controls to reflect the latest BIS rule changes and listings.
  
  
• Conduct proactive end-use/end-user checks: Go beyond transactional screening to perform in-depth due diligence on all potential customers, including reseller risks. Kharon’s platform provides the insights you need to identify and manage these risks.
  
  
• Move past list-based screening: Rely on network and ownership analysis to reveal the true parties behind a transaction. Diversion risk extends well beyond unlisted subsidiaries of designated entities — it runs through front companies, general trading companies, and intermediaries operating in jurisdictions that have become established conduits for controlled technology. Kharon’s BIS Affiliates Rule data provides the ownership and network insights needed to surface these risks before a transaction is completed.
  
  
• Conduct regular training: Educate your teams not just on the rules, but on the reality of evasion. Training should cover the latest red flags related to transshipment (e.g., freight forwarders in known circumvention hubs) and the specific definitions of controlled items under the EAR.
  
  
• Leverage advanced data and screening solutions: In the fields of AI, semiconductor development, and quantum, the line between civilian and defense applications is often blurred. Utilize specialized MEU data to detect hidden affiliations.

How Kharon Helps Technology Companies Navigate Compliance

Kharon’s advanced risk analytics platform addresses the complexities of modern export controls compliance. By going beyond conventional watchlist screening and entity verification, Kharon reveals the true risk behind a transaction by connecting the dots that traditional due diligence may miss.
Kharon helps technology companies by:

• Uncovering hidden military affiliations: We provide deep insights into the commercial networks of technology buyers to reveal links to military end-users — including opaque "civilian" research institutes often used to acquire advanced technologies, including quantum, semiconductor, and AI capabilities.
  
  
• Flagging evasive procurement strategies: Kharon’s platform surfaces parties involved in export controls circumvention, including through corporate and trade networks.
  
  
• Incorporating continuous risk enrichment: Kharon continuously updates the commercial intelligence surrounding both new and legacy BIS listings. By tracking changes in ownership, leadership, and operational behavior, we ensure that your screening captures the full scope of risk — not just the names published by regulators.
  
  
• Supporting enhanced due diligence: Our platform provides visibility beyond direct buyers, allowing you to evaluate the risk of diversion to potential military end-users before a transaction occurs.

By leveraging Kharon’s investigative tool, ClearView, and Kharon’s export controls data, companies can confidently move from a reactive to a proactive compliance posture.

Export Controls Compliance with Kharon

The evolving landscape of export controls related to AI, semiconductors, and quantum presents a significant challenge, but it is a challenge that can be navigated with the right tools and intelligence. As regulators sharpen their focus on sensitive industries, restrictions on the export of emerging technologies have become central to compliance planning.

By combining advanced data science and AI with expert analysis, Kharon provides the deeper, network-based insights required to surface hidden risks—from military affiliations to transshipment networks—and gives your organization the confidence it needs to operate in this complex geopolitical environment.

Request a demo to stay ahead of the curve »