AI Governance Institute

Practical Governance for Enterprise AI

SCT-005 · High effort · Agent-relevant

National Security and Dual-Use AI Risk Assessment

Establish a risk assessment process for AI systems and AI research activities that could constitute dual-use technology — with applications in both commercial and national security or weapons contexts — addressing BIS export control obligations, ITAR compliance for defense applications, dual-use research of concern protocols, and foreign adversarial misuse monitoring.

Objective

Prevent inadvertent export control violations, ITAR non-compliance, and foreign adversarial exploitation of AI capabilities developed or operated by the organization, by identifying AI systems and research with dual-use potential and applying appropriate controls before dissemination, licensing, or commercial deployment.

Maturity Levels

Level 1: Initial

The organization does not systematically assess AI systems or AI research outputs for dual-use potential. Export control compliance for AI is handled under general technology export control procedures not specifically designed for AI capabilities.

Level 2: Developing

The legal or compliance team reviews AI exports and foreign national access to AI systems when flagged, but there is no systematic dual-use screening process for AI development activities or research publications involving AI capabilities.

Level 3: Defined

A dual-use AI risk assessment process screens all AI systems and research outputs against BIS export control classification criteria (specifically the ECCN categories relevant to AI), ITAR applicability for defense applications, and dual-use research of concern criteria. AI systems with military, surveillance, CBRN-applicable, or critical infrastructure attack potential are assessed before commercial deployment, licensing, or publication.

Level 4: Managed

Export control jurisdiction and classification determination is documented for each AI system in the portfolio. Foreign national access controls are implemented for AI research and systems with export-controlled components. AI capability monitoring assesses whether model capability advances trigger new export control classification requirements. Government contractor AI governance requirements (DFARS, CMMC) are tracked for applicability.

Level 5: Optimizing

The organization engages with BIS on emerging AI export control policy and maintains relationships with legal counsel specializing in AI export controls. Dual-use assessments are updated when AI capabilities materially advance (capability jumps that could change ECCN classification). Foreign adversarial AI misuse monitoring is conducted using OSINT and CISA threat intelligence to identify whether organizational AI products or research outputs are being misused.

Evidence Requirements

What an auditor or assessor would expect to see for this control.

  • Dual-use screening process documentation covering criteria for identifying AI systems and research with dual-use potential.
  • Export control jurisdiction and ECCN classification determinations for AI systems in the portfolio, with legal counsel review for any with dual-use potential.
  • ITAR applicability determination for AI systems with any defense application, documented by qualified ITAR counsel.
  • Foreign national access control records for AI research and systems with export-controlled components.
  • Documentation of any government notification or voluntary pre-release consultation conducted for high-capability model releases.

Implementation Notes

The dual-use AI regulatory landscape

AI capabilities have characteristics that make them uniquely challenging for export control frameworks designed for physical technologies. A physical weapon has a fixed capability; an AI model's capability depends on the computational infrastructure running it, the data it is trained on, and the prompting and fine-tuning applied to it. The same base model that functions as a customer service assistant can, with appropriate infrastructure and prompting, assist in tasks with national security implications.

Bureau of Industry and Security (BIS) — Export Administration Regulations (EAR):

BIS controls exports of dual-use items under the Export Administration Regulations. AI-specific controls have evolved significantly:

  • ECCN 4E091 (software for the "development" of AI systems with specified characteristics) may apply to AI training frameworks
  • ECCN 4D090 and related categories may apply to AI model weights with certain capabilities
  • ECCN 3A090 / 3B090 apply to advanced computing chips used to train AI systems — the October 2023 and subsequent BIS chip export rules directly affect AI compute exports
  • Foundational model weights may require EAR classification analysis if they meet certain capability thresholds

The practical implication: organizations developing or deploying powerful AI models need export control jurisdiction and classification determinations, even for commercial software products.

International Traffic in Arms Regulations (ITAR):

ITAR controls defense articles and defense services, including software with direct military application. AI systems developed or modified for use in defense applications, or that constitute a significant component of a defense system, may be ITAR-controlled. This is particularly relevant for:

  • AI systems used in autonomous weapons or weapons targeting
  • AI systems for military C2 (command and control)
  • AI systems for military intelligence, surveillance, and reconnaissance
  • AI systems for cybersecurity in defense applications

ITAR violations carry severe criminal penalties. Organizations with any defense application AI must obtain a definitive ITAR jurisdiction and classification determination from the State Department before dissemination.

Dual-use research of concern (DURC):

AI research that could be misused to create biological, chemical, nuclear, or radiological threats (CBRN) is subject to dual-use research of concern policies if the organization receives federal funding. This includes AI research that could significantly advance the ability to:

  • Synthesize, acquire, or enhance the dangerous properties of CBRN agents
  • Disrupt immune defenses or degrade medical countermeasure effectiveness
  • Increase transmissibility or other pandemic properties of biological agents

Foreign adversarial misuse monitoring

Beyond export controls, organizations should monitor whether their AI capabilities are being exploited by foreign adversaries. This is particularly relevant for:

Frontier model providers: AI models with broad capabilities may be accessed by foreign state-affiliated actors through commercial APIs. Terms of service prohibitions do not by themselves prevent misuse; monitoring usage patterns for indicators of misuse is an active security function.

Open-weight model releases: Organizations that release AI model weights publicly cannot control subsequent use. Before releasing model weights, organizations should assess what misuse is enabled by the release and document their dual-use risk assessment.

Research publication: AI research publications that describe capability advances may enable foreign actors to replicate those capabilities. Pre-publication dual-use review is standard practice at organizations receiving federal research funding and should be adopted more broadly.

Practical assessment process

For each AI system or significant research output, the dual-use assessment should answer:

  1. Does this AI system or research output have capabilities that could be applied to: weapons development, military systems, surveillance of populations, attacks on critical infrastructure, or CBRN threat enhancement?

  2. Is there a foreign national access risk? Who can access this AI system, its model weights, or its training infrastructure? Are there foreign nationals involved in development or deployment?

  3. Does this activity involve defense applications that could bring it within ITAR jurisdiction?

  4. What is the EAR classification of this AI system, model weights, or underlying training compute?

  5. If released commercially or as open weight: what is the plausible misuse scenario, and does it reach the threshold for government notification or voluntary commitment?

Example Implementation

Dual-Use AI Risk Assessment — Product Pre-Launch Checklist

Product: [AI system name] | Assessment date: [Date] | Assessed by: Legal / Compliance

Step 1: Capability characterization

Capability area | System capability? | Dual-use potential?
Biological synthesis assistance | No | N/A
Chemical process optimization | No | N/A
Cyberattack tool generation (code, exploit) | Limited — general code generation | Moderate — requires assessment
Military targeting or surveillance | No | N/A
Critical infrastructure control | No | N/A
Autonomous weapons | No | N/A
General language / reasoning | Yes | Low — widely available capability

Step 2: Export control classification

EAR jurisdiction: Subject to EAR (US-origin software). ECCN determination: EAR99 (below threshold for 4D090/4E091 controls based on capability assessment). Rationale: [summarize]. Legal counsel confirmation: [name, date].

ITAR applicability: Not applicable — no defense system integration; no military application in product scope.

Step 3: Foreign national access

Development team: 3 foreign national employees with access to model training code. Citizenship: [countries]. EAR release review: EAR99 classification does not restrict access. No deemed export license required.

Commercial API access: Available globally. Terms of service prohibit: [list prohibited uses]. Monitoring: API usage monitoring in place; anomaly alerts to security team.

Step 4: Pre-launch determination

[ ] Government notification required (voluntary commitment program) — NOT APPLICABLE for this system at current capability level.
[x] No export license required — EAR99 classification confirmed.
[x] Terms of service prohibitions adequate — confirmed by legal review.
[x] Monitoring plan in place — API usage monitoring confirmed.

Sign-off: Legal: [name] | Compliance: [name] | Date: [date]
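The five questions of the practical assessment process and the filled-in pre-launch checklist above, expressed as a small screening rule engine. This is an added Python example, not tooling from the AI Governance Institute; the field names, the choice to treat a "High" dual-use rating as a blocking item, and both sample records are assumptions constructed for illustration. The rules only reproduce the logic the page states (any defense application needs an ITAR determination, EAR99 does not restrict foreign national access, an open-weight release needs a documented misuse assessment, an API release needs prohibited-use terms and usage monitoring); counsel still makes the actual jurisdiction and classification calls.

```python
"""Dual-use AI pre-launch screening as a rule engine (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Capability areas from the Step 1 characterization table.
CAPABILITY_AREAS = (
    "Biological synthesis assistance",
    "Chemical process optimization",
    "Cyberattack tool generation",
    "Military targeting or surveillance",
    "Critical infrastructure control",
    "Autonomous weapons",
    "General language / reasoning",
)

# Dual-use potential labels ordered from least to most concern (assumption).
POTENTIAL_ORDER = {"N/A": 0, "Low": 1, "Moderate": 2, "High": 3}


@dataclass
class Assessment:
    product: str
    potential: Dict[str, str]      # capability area -> dual-use potential label
    eccn: str                      # "EAR99" or a specific ECCN such as "4D090"
    defense_application: bool      # any military / defense-system use (question 3)
    foreign_national_access: bool  # foreign nationals can reach weights, code or compute (question 2)
    release_mode: str              # "api", "open-weights" or "internal" (question 5)
    tos_prohibitions: bool         # prohibited-use terms in place for API access
    usage_monitoring: bool         # API usage monitoring with alerts to security
    counsel_confirmed: bool        # ECCN determination confirmed by legal counsel


def screen(a: Assessment) -> Dict[str, object]:
    """Return blocking items, follow-up actions and whether launch can proceed."""
    blocking: List[str] = []
    actions: List[str] = []

    unknown = set(a.potential) - set(CAPABILITY_AREAS)
    if unknown:
        raise ValueError(f"unknown capability areas: {sorted(unknown)}")

    # Question 1: Moderate potential needs a documented assessment;
    # High is treated as blocking until counsel signs off (assumed threshold).
    for area, label in a.potential.items():
        level = POTENTIAL_ORDER[label]
        if level >= POTENTIAL_ORDER["High"]:
            blocking.append(f"dual-use assessment and counsel sign-off required: {area}")
        elif level >= POTENTIAL_ORDER["Moderate"]:
            actions.append(f"document dual-use assessment: {area}")

    # Question 3: any defense application needs a definitive ITAR determination.
    if a.defense_application:
        blocking.append("ITAR jurisdiction and classification determination required")

    # Question 4: ECCN must be confirmed by counsel; non-EAR99 needs license analysis.
    if not a.counsel_confirmed:
        blocking.append("ECCN determination not yet confirmed by legal counsel")
    controlled = a.eccn.upper() != "EAR99"
    if controlled:
        blocking.append(f"export license analysis required for ECCN {a.eccn}")

    # Question 2: foreign national access to a controlled item is a deemed
    # export question; EAR99 does not restrict access.
    if controlled and a.foreign_national_access:
        blocking.append("deemed export review required for foreign national access")

    # Question 5: controls depend on how the system is released.
    if a.release_mode == "open-weights":
        actions.append("document misuse scenarios enabled by public weight release")
    elif a.release_mode == "api":
        if not a.tos_prohibitions:
            blocking.append("terms of service must define prohibited uses")
        if not a.usage_monitoring:
            blocking.append("API usage monitoring with security alerting not in place")

    return {"product": a.product, "blocking": blocking,
            "actions": actions, "ready": not blocking}


# Constructed record mirroring the filled-in checklist on this page.
CHECKLIST_EXAMPLE = Assessment(
    product="example-assistant",
    potential={"Cyberattack tool generation": "Moderate",
               "General language / reasoning": "Low"},
    eccn="EAR99", defense_application=False, foreign_national_access=True,
    release_mode="api", tos_prohibitions=True, usage_monitoring=True,
    counsel_confirmed=True,
)

# Constructed contrasting record: defense use, controlled ECCN, open weights.
DEFENSE_EXAMPLE = Assessment(
    product="targeting-model",
    potential={"Military targeting or surveillance": "High"},
    eccn="4D090", defense_application=True, foreign_national_access=True,
    release_mode="open-weights", tos_prohibitions=False, usage_monitoring=False,
    counsel_confirmed=True,
)

if __name__ == "__main__":
    for record in (CHECKLIST_EXAMPLE, DEFENSE_EXAMPLE):
        print(screen(record))
```

The first record reproduces the page's Step 4 outcome (no blocking items, one follow-up to document the code-generation assessment), while the second shows how a defense application with a controlled ECCN and foreign national access accumulates ITAR, license and deemed-export items that must be resolved before dissemination.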