One ITAR Violation Starts With One Query to the Wrong AI

One ITAR Violation Starts With One Query to the Wrong AI

Defense and ITAR-Compliant AI Architecture

An engineer finishes a defense proposal at 11 PM. Before sending it to their manager, they paste the executive summary into an AI writing tool for a final grammar pass. Forty seconds later, controlled technical data about a guidance system component sits on commercial cloud infrastructure accessible to foreign nationals in 14 countries. The engineer didn't break a rule they understood—the compliance program didn't cover the tool they used.

This scenario has stopped being hypothetical. Defense contractors are discovering inadvertent ITAR violations through AI every month now. The pattern is always the same: the tool works, the violation is real, and nobody's compliance team had accounted for it. Unlike traditional data loss vectors that require intent, ITAR violations need only the transfer of controlled technical data to infrastructure where foreign nationals can access it. Under 22 CFR Part 120—the Code of Federal Regulations section governing ITAR enforcement—transmitting controlled technical data to a location where it can be accessed by foreign employees counts as export. No actual foreign recipient needs to request it. No knowledge of the violation is required.

The cost of discovery ranges from hidden to catastrophic. Boeing paid $17 million in ITAR fines in 2006 for 165 violations—an average of $103,000 per violation—all stemming from transferring data to foreign employees inside Boeing's own U.S. facilities. Raytheon Technologies settled a $8 million ITAR case in 2013 covering 595 violations, averaging $13,445 per count. Harris Corporation (now L3Harris) paid $13 million for 49 violations. DRS Technologies paid $13 million for 92 violations. None of these companies demonstrated intent to violate export controls. None of the executives involved needed to be hostile actors. They simply used infrastructure their compliance teams hadn't classified as a controlled-data risk.

What changed in the past 18 months is velocity. Employees now have access to AI tools they can query instantly, without download, without review, and without visibility to compliance teams. Microsoft Copilot is the leading example—already licensed in Microsoft 365, already reading every document in SharePoint, already summarizing content. A compliance officer doesn't need to approve Copilot's presence because it shipped inside the productivity suite. A security team didn't need to flag it during procurement because Microsoft 365 was already approved. The engineer using Copilot on a document marked CONTROLLED/TECHNICAL DATA has no warning light, no prompt, no friction.

Grammarly operates on the same principle. It's a browser extension. It processes text through servers accessible to a global workforce. A defense engineer using Grammarly to check spelling on an ITAR document while that document sits in a private SharePoint folder has, under DDTC interpretation, begun the export process. The document never left the company network. The engineer had no hostile intent. Grammarly has no direct connection to foreign governments. And yet, the transfer of controlled technical data to third-party infrastructure where foreign nationals can be positioned represents, by statute, an export violation.

DDTC audits have begun asking AI-specific questions. Late 2025 onward, audits now include items like: "Which AI tools have access to your controlled documents? How do you prevent queries to those tools from containing technical data?" Most defense contractors operate on a 2-3 year audit cycle. The next cycle for many firms is already visible on a calendar somewhere. The window to detect and fix AI-driven control failures is measured in months, not years.

The technical data in question isn't always a weapons schematic. ITAR reaches further than most compliance officers initially assume. A defense contractor's internal presentation analyzing test tolerances for a controlled component qualifies as technical data. A vendor performance scorecard that includes specifications for a sonar array qualifies. A design review meeting note documenting why a particular manufacturing approach was rejected qualifies. The scope is broad. The definition of "controlled technical data" in 22 CFR Part 120 includes any data, document, or communication containing information about the development, production, or use of a controlled item—which, for defense contractors, encompasses items manufactured under ITAR license, items on the U.S. Munitions List, or items designed to perform functions related to defense. That's most of what a defense business makes.

Samsung experienced a public warning in this space. Samsung employees uploaded confidential data to ChatGPT in 2023, assuming commercial AI services were isolated from external access. Samsung lost control of trade secrets. For a defense contractor, the identical action crosses the line into federal criminal liability. Officers can face up to 20 years in prison per violation under 22 U.S.C. § 2778. DDTC civil penalties have no statutory cap. Debarment from federal contracting can be imposed before any finding of guilt—simply during the investigation phase, which can last years.

The compliance failure isn't usually negligence. It's architecture. A security awareness program can't reliably prevent an inadvertent ITAR violation to a commercial AI because most employees cannot identify whether a given document is ITAR-controlled. Training works for employees who understand the rule. It fails for employees who face ambiguity. A document titled "Q3 Supplier Performance Review" sitting in a shared folder doesn't announce itself as ITAR-controlled technical data—even though a column titled "Dimensional Tolerance" and another called "Flight Test Results" make it exactly that.

Netskope reported in January 2026 that companies across all sectors experience an average of 223 sensitive data incidents per month. For a defense contractor, every incident involving controlled data triggers federal notification and investigation requirements. Every incident creates DDTC reporting obligation. The math is grim: a company with 2,000 engineers using 8-10 AI tools each, across 40 different software subscriptions, creates 223 × 40 = roughly 9,000 potential exposure points per month. Most organizations lack the instrumentation to measure this. All of them face liability for what they can't see.

The standard response—policy strengthening—creates the illusion of control without changing the underlying risk. Adding a line to the security handbook that reads "Do not input ITAR documents into third-party AI tools" is accurate. It's also insufficient. Employees cannot reliably distinguish ITAR documents from non-ITAR documents because the company hasn't implemented the classification infrastructure to tell them. Asking employees to follow a rule they lack the tools to verify has a well-documented failure rate. It's how 165 Boeing employees violated ITAR in their own facilities. It's how Raytheon's 595 violations accumulated. The policy existed. Compliance awareness existed. Architecture did not.

A different approach starts with the assumption that architecture is the only thing that makes ITAR compliance automatic. Policy makes it aspirational.

This means treating AI-driven data exposure as a network security problem, not a training problem. It means segregating controlled-data workflows from commercial AI infrastructure at the routing layer, not at the user's decision point.

One model uses Symmetric Intelligence Architecture (SIA) Level 2 deployment. The architecture operates as follows: when a user submits a query to any AI tool, the query is first processed by an on-premises inference classifier—a small, specialized language model trained to recognize ITAR markers, controlled keywords, specification formats, and technical data signatures. This classifier never sends the query to the cloud. It evaluates the query locally. If the query is tagged as potentially containing controlled data, the router blocks the path to commercial cloud AI and instead directs the query to a locally-deployed or government-approved inference endpoint. If the query is tagged as non-controlled, the router permits transmission to the employee's preferred commercial AI tool. A recorder logs every interaction—query, classification decision, and routing destination—creating the audit trail that DDTC now requires.

This architecture has several properties that policy cannot achieve. First, the decision happens automatically, with zero user discretion—an employee cannot override the control. Second, the control operates upstream of the user interface, preventing queries from ever reaching commercial infrastructure. Third, the technology is transparent to the employee; the routing happens in the background, and the employee sees results regardless of destination. Fourth, the audit trail is complete and forensic-grade, showing exactly when a query might have contained controlled data and where it was routed. Fifth, the system can evolve: as new AI tools are adopted or new signature patterns emerge, the classifier can be updated without retraining employees or revising policy.

Defense contractors implementing this model report several outcomes. First, they identify employees using commercial AI on documents they didn't realize were ITAR-controlled—visibility that policy-only approaches never achieved. Second, they quantify the scale: some organizations discover they have 40-60 instances per week of controlled-data queries hitting commercial AI before control was in place. Third, they demonstrate to auditors that they have a technical control, not a behavioral one. Fourth, they reduce investigation costs: when DDTC asks about exposure, the contractor can pull logs and show exactly which queries were blocked, what their content was, and where they were routed instead.

The cost of implementation is lower than most compliance teams assume. A Level 2 SIA deployment typically costs $150K-$300K in initial engineering and $40K-$60K annually in maintenance for a company with 1,000-3,000 technical employees. The cost of a single ITAR violation investigation runs into six figures immediately. Debarment from federal contracting—which can be temporary or permanent—can eliminate tens of millions in revenue. The financial justification is straightforward. The organizational justification is clearer: DDTC is now asking these questions. Contractors without architecture to answer them are beginning their audit cycle with a visible control gap.

Deployment steps are sequential. First: map the set of AI tools employees can access without IT approval—Copilot inside 365, Grammarly, ChatGPT, Claude, Gemini, and the 20-30 others now available as browser extensions. Second: audit which of these tools are already touching controlled data—this requires query logging at the network gateway and analysis of what was sent. Third: identify the classification signals that distinguish controlled data from ordinary business communication; most contractors can map these in 2-4 weeks by reviewing their own document library and controlled-item specifications. Fourth: procure or build the inference router. Fifth: deploy the router as a proxy between employee machines and cloud AI services. Sixth: validate in a pilot—typically a single office or business unit—before rolling out company-wide.

Technical barriers are not the barrier. Adoption obstacles are not the barrier. Organizational visibility is the real barrier. Most compliance officers don't have a full list of which AI tools are deployed or how often employees query them. Most CISOs haven't been asked by their compliance peers what data is transiting to cloud AI services. Most CIOs haven't been tasked with building the instrumentation to show this. The first step is not deployment. It's asking the question: right now, today, which controlled-data queries are hitting commercial AI infrastructure that the organization hasn't authorized?

For many contractors, the answer is: they don't know. That unknown is the real control failure.

DDTC has signaled that the next audit cycle will test this. The question won't be "Do you have a policy against sending ITAR documents to cloud AI?" Everyone has that. The question will be "Show me your technical control. Show me the logs. Show me how an employee's query to an AI tool was classified, blocked or routed, and recorded."

Contractors who can answer that question in the next 12 months will be the ones who prevent a Boeing-scale violation, maintain their DDTC authorization without interruption, and avoid the debarment risk that comes with investigation. Contractors without that answer will discover it during the audit, at the moment when DDTC's team is reviewing four years of access logs.

In the next audit cycle, DDTC will ask whether the organization's AI interacted with controlled technical data. What will you show them?