When do export controls apply to artificial intelligence (AI) algorithms, training data and models? This question might have sounded foreign only 10 years ago but has become a central one at a time of geopolitical and geoeconomic competition for AI leadership. AI has become ubiquitous in business, science and everyday life. It is also increasingly finding applications in weapons systems, surveillance and intelligence tools, and other military and security systems. In this context, states and arms manufacturers are increasingly looking to ‘civilian’ software, data and technology to use in the development of military and security systems and for integration into complete systems.
With the growing role of AI in national and international security, states are increasingly exploring potential governance instruments to reduce security risks, gain or maintain military advantage, and protect the competitiveness of their own AI ecosystems. One type of instrument commonly deployed to govern transfers of AI and other data-intensive technologies is export controls.
However, the applicability of multilateral export control standards to AI algorithms, training data and models is open to interpretation and many states are not clear about how they should be applied at the national level. This also makes it challenging for exporters of AI systems to understand which software and technology is subject to controls and to comply with licensing obligations. Many AI models are multi-purpose and open source, but they are also increasingly in demand for use in data-intensive military and security systems.
This topical backgrounder discusses how export controls currently apply to AI algorithms, training data and models and how exporters can approach the task of classification. It then takes a step back to examine some of the challenges in implementation and enforcement of export controls and to reflect on the lack of conventions and norms on what constitutes misuse of AI in security applications. Finally, it suggests some steps that could be taken at national and international levels to make export controls more effective in governing the transfer of AI algorithms, data and models.
What are AI algorithms, training data and models?
The term ‘algorithm’ is often loosely applied to describe the computational procedures used by a machine to learn patterns, make predictions and take decisions based on input data, without explicit programming. One category of algorithm particularly relevant to AI is deep learning, based on neural networks, which plays a key role in enabling current machine learning and the large language models (LLMs) at the frontier of AI development. These algorithms are multi-purpose building blocks of virtually any AI system and are therefore usually open source and shared widely within the AI community.
Developing a fully trained AI model usually requires a process that, in one form or another, involves four stages. The first is defining the goals the model is intended to fulfil. The second involves acquiring and preparing the data sets that will be used to ‘train’ the model. The third involves choosing the machine-learning approach that will be used and the ‘classifiers’ (the algorithms the model will use to sort input data into different categories) it deploys. Fourth and finally, the model is trained on the prepared data to optimize its model weights (the strengths of the connections it adjusts in response to recognized errors; essentially the ‘knowledge’ of the model), creating an AI system that can then be integrated into software and deployed, for example, in military and security equipment.
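To make these stages concrete, the following minimal Python sketch uses the open-source scikit-learn library; the binary classification task, the synthetic data set and all parameter choices are hypothetical assumptions for illustration, not a description of any particular system.

```python
# A minimal sketch of the four model-development stages described above.
# The task, data set and parameters are hypothetical illustrations.
from sklearn.datasets import make_classification
from sklearn.model_selection import train_test_split
from sklearn.neural_network import MLPClassifier

# Stage 1: define the goal -- here, a binary classifier that sorts
# input feature vectors into two categories (hypothetical task).
# Stage 2: acquire and prepare a labelled training data set.
X, y = make_classification(n_samples=1000, n_features=20, random_state=0)
X_train, X_test, y_train, y_test = train_test_split(X, y, random_state=0)

# Stage 3: choose the machine-learning approach and classifier --
# here a small feed-forward neural network.
model = MLPClassifier(hidden_layer_sizes=(32, 16), max_iter=500, random_state=0)

# Stage 4: train the model, iteratively optimizing its weights
# (the 'knowledge' of the model) by reducing prediction error.
model.fit(X_train, y_train)
print(f"Held-out accuracy: {model.score(X_test, y_test):.2f}")
```

Each stage in this sketch corresponds to a point in the development process at which, as discussed below, indicators relevant to export control classification can accumulate.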
Applying export controls to AI
Export control lists identify dual-use and military items that—when they meet specific technical specifications—are subject to export licensing requirements. Export controls may also apply to non-listed items based on their end use or end user. AI models, and the algorithms and training data used to create them, may be controlled as ‘software’ or as ‘technology’. The structure of dual-use control list entries includes subcategories of software and technology for each controlled dual-use item. On control lists for military items, software and technology have their own entries (ML21 and ML22, respectively, in the Wassenaar Arrangement Munitions List).
Software may be controlled either if it is specifically listed and described using technical parameters or, more generally, if the software is ‘specially designed or modified’ for the ‘development, production or use’ of a controlled item. For example, this criterion applies if the software enables a specific function in, or the achievement of specific technical parameters by, a controlled item.
Determining whether software meets this criterion is not always straightforward—for exporters or for national authorities—and there are differences in the way states interpret and apply the concept, leading to a stricter or more lenient application of controls. It is also important to note that software that is generally available to the public through retail without restrictions or is ‘in the public domain’ is generally exempt from controls.
Technology is defined by the Wassenaar Arrangement as ‘specific information necessary for the development, production or use of a product’, and can take the form of either ‘technical data’ or ‘technical assistance’. Technical data ‘may take forms such as blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions’ and could thus conceivably include AI algorithms, training data and fully trained models.
Controls on technology are attached to a specific controlled item and apply only when the technology is ‘required’ ‘for achieving or exceeding the controlled performance levels, characteristics or functions’ of the item. Information that constitutes ‘basic scientific research’ and information ‘in the public domain’ are generally exempt from controls.
Finally, export controls may also apply to transfers of unlisted software and technology—via so-called catch-all controls—if they are destined for an end use in nuclear, chemical or biological weapons or their delivery systems, or a military end use in a destination that is under a United Nations arms embargo.
How exporters can approach the classification of AI algorithms, training data and models
Determining whether particular AI algorithms, training data or models are subject to export controls can be difficult. A particular challenge in this classification process is operationalizing the ‘specially designed or modified’ and ‘required’ criteria. One possible approach is to look for indicators at the different stages in the development of an AI system.
Basic machine-learning algorithms generally enable the training of an AI model, but they have such a broad range of applications that in most cases they would not meet the ‘required’ criterion even if the finished model that uses them would be controlled.
Training data is not inherently enabling, but to achieve outcomes of desirable quality, raw data needs to be structured, labelled, packaged, reduced and augmented (except in the case of unsupervised learning algorithms, which use large sets of unlabelled data). These processes mean there is often a growing degree of intentionality implicit in the data set, reflecting the goals and desired capabilities of the trained model, as the sketch below illustrates.
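The following minimal Python sketch (using NumPy) walks through structuring, labelling, reduction and augmentation of a raw data set; the ‘target’/‘clutter’ labelling scheme, the variance threshold and the augmentation choices are hypothetical assumptions made for illustration.

```python
# A sketch of typical data-preparation steps -- structuring, labelling,
# reduction and augmentation -- whose choices embed the goals of the
# final model. Labels and transforms are hypothetical illustrations.
import numpy as np

rng = np.random.default_rng(0)

# Raw, unstructured samples (e.g., sensor readings).
raw = rng.normal(size=(500, 16))

# Labelling: the chosen label scheme reflects the intended use of the
# trained model (here, a hypothetical 'target'/'clutter' split).
labels = (raw[:, 0] > 0).astype(int)  # 1 = 'target', 0 = 'clutter'

# Reduction: discard low-variance features judged irrelevant to the goal.
keep = raw.var(axis=0) > 0.8
structured = raw[:, keep]

# Augmentation: add noise-perturbed copies to improve robustness under
# the specific operating conditions the developer cares about.
noisy = structured + rng.normal(scale=0.1, size=structured.shape)
augmented = np.concatenate([structured, noisy])
aug_labels = np.concatenate([labels, labels])
print(augmented.shape, aug_labels.shape)
```

The more the labelling scheme and augmentation choices reflect a specific intended capability, the stronger the indicator of intentionality embedded in the data set.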
Adding classifiers to a machine-learning algorithm can improve performance and adjust the model weights, thus shaping the final model. The characteristics embedded through these processes can therefore be used to assess the degree to which specific training data or a trained model enables certain parameters or technical characteristics in the development, production or use of a controlled item. They can also help to determine whether the integration of the AI model into a system specifically enables it to perform tasks that have a high potential for misuse—for example, in ways that could violate human rights or international humanitarian law (IHL).
One factor that works in favour of the effectiveness of export controls is that many arms producers opt to acquire, label and curate their training data themselves or task someone to create a specific proprietary data set for them, making it easier to determine whether the data or model is required or the resulting software ‘specially designed’.
However, this approach to export control classification for AI algorithms, training data and models also has its limitations and does not replace a traditional assessment of the items to be exported. While some training data sets and models are highly specific to narrow use cases, others that are intentionally designed for a wide variety of applications and offered as off-the-shelf products might still be used in sensitive military and security systems. Export controls cannot cover all transfers of widely applicable training data and models without causing serious disruption to AI development and commercial trade.
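As a purely illustrative aid, the hypothetical Python sketch below organizes the development-stage indicators discussed in this section into a simple internal screening checklist of the kind an exporter’s compliance programme might use. The indicator names and the flagging rule are assumptions made for illustration; they are not legal criteria and do not replace a formal classification assessment.

```python
# A hypothetical internal-screening checklist organizing the
# development-stage indicators discussed above. Indicator names and
# the flagging rule are illustrative assumptions, not legal criteria.
from dataclasses import dataclass

@dataclass
class AIItemIndicators:
    data_curated_for_controlled_item: bool      # proprietary data set built for a listed item
    classifiers_tuned_to_controlled_specs: bool  # classifiers enable controlled parameters
    model_enables_controlled_function: bool      # trained model enables a controlled function
    broad_off_the_shelf_use: bool                # widely applicable, off-the-shelf product

def needs_classification_review(item: AIItemIndicators) -> bool:
    """Flag items for a formal export control assessment (illustrative only)."""
    specific = (item.data_curated_for_controlled_item
                or item.classifiers_tuned_to_controlled_specs
                or item.model_enables_controlled_function)
    # Broad applicability does not exempt an item, but specificity to a
    # controlled item is the strongest indicator of 'specially designed'
    # software or 'required' technology.
    return specific or not item.broad_off_the_shelf_use

# Example: a proprietary data set curated for a controlled system.
item = AIItemIndicators(True, False, False, False)
print(needs_classification_review(item))  # True -> refer for formal assessment
```

In practice, a flagged item would then be assessed against the actual control list entries and the ‘specially designed or modified’ and ‘required’ criteria discussed above.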
Practical challenges in controlling transfers of AI algorithms, training data and models
The implementation of export controls at the national level can be challenging because of the nature of transfers of software and technology. Even when it is clear how the definitions in export control regulations and the range of proscribed end uses apply to AI algorithms, training data and models, transfers of these items almost always take the form of intangible transfers of software or technology. Such intangible transfers are naturally much less visible to national export control authorities, meaning that enforcement of controls has to rely on specific investigative and other procedures, such as specialized audits using digital forensics to detect and prove violations.
Exporters’ ability to comply with applicable licensing requirements depends on awareness, proper data and access control management, and other procedures embedded in the exporters’ internal compliance programmes. Some companies and researchers might not even realize that they may be exporters or that the algorithms, training data or models they work with are captured by export control lists or catch-all controls.
Gaps in international frameworks providing the basis for export controls on AI
Zooming out from the implementation of controls, it is also important to consider whether current international frameworks provide sufficiently clear norms and standards on which uses of AI are particularly sensitive and should be subject to specific degrees of oversight and, potentially, restriction. Current non-proliferation and disarmament treaties and multilateral export control regimes provide a normative and legal framework that is implemented through national legislation. Export controls therefore already cover transfers of AI algorithms, training data and models destined for nuclear, chemical and biological weapon end uses and provide clear guidance on when to deny licences to prevent the proliferation of such weapons.
When it comes to conventional arms, the 2013 Arms Trade Treaty (ATT) sets certain standards for export controls and the Wassenaar Arrangement provides de facto international standards for the application of export controls to military items. All states further have obligations stemming from the Geneva Conventions to ‘respect and ensure respect for’ IHL, and the ATT lays out criteria for states to assess licence applications in order to minimize the risk of transfers contributing to grave violations of human rights and IHL.
However, even after many years of discussion there is no specific codification of which military and security applications of AI pose overriding risks and might warrant a particularly restrictive application of export controls, nor of when AI algorithms, training data and models should be treated like any other dual-use software and technology with possible military applications. For example, there is ongoing debate about the integration of AI to achieve increasing degrees of autonomy in weapon systems, in target selection (as seen in Israel’s Lavender) and in decision support. Nevertheless, there are still no conventions or clear norms that directly translate into export control obligations and operationalize common standards in this area.
Suggestions for strengthening export controls on AI algorithms, training data and models
If export controls on algorithms, training data and models are to play a useful role in preventing AI being diverted and misused, there needs to be greater clarity about what they cover and greater transparency about the way states interpret and apply them at the national level.
One way to do this could be for states to set out clearer positions on which types of end use of AI should trigger controls, including those that should be subject to particularly restrictive control. These might include, for example, integration into fully autonomous weapon systems.
Guidance clarifying states’ interpretation of when algorithms, training data and models meet the thresholds of ‘required’ technology or ‘specially designed or modified’ software could also help to improve compliance and to better harmonize controls.
Another possible step is to add new control list items in the Wassenaar Arrangement or at European Union level for specific sensitive AI technologies, for example facial recognition systems, and to include parameters in their software and technology controls that could help simplify classification of training data and models.
Finally, states could expand military end-use controls to cover certain high-risk destinations and end users where there is a risk that AI models could be misused or diverted, or even be used in committing systematic and grave violations of human rights and IHL.
Export controls are just one type of instrument—alongside responsible innovation frameworks, responsible procurement practices, research security and sanctions—that can help prevent diversion and misuse of AI algorithms, training data and models. They can be an effective tool but also have limitations. As AI becomes an ever more integral part of technology and everyday life, strengthening export controls will be increasingly important.
This paper forms part of SIPRI’s contribution to a project on the militarization of technology led by Privacy International with funding provided by Luminate.
ABOUT THE AUTHOR(S)
Kolja Brockmann is a Senior Researcher in the SIPRI Dual-Use and Arms Trade Control Programme.