Dual-Use Edge AI and Export Control: ITAR Basics for Hardware Startups

We made the decision to operate under ITAR constraints before we had a product. That's not a common choice for a bootstrapped hardware startup — ITAR registration, compliance infrastructure, and the restrictions on who you can hire and what you can share add real cost and operational friction. But for a company building edge-AI inference hardware explicitly intended for defense ISR platforms, operating outside ITAR was never a realistic option. This article covers the basics of how ITAR and EAR apply to dual-use edge-AI hardware companies, where the classification lines fall, and what early-stage companies need to get right before they have a customer conversation.

ITAR and EAR: The Two Regulatory Frameworks

Export controls on defense-relevant technology in the United States operate under two primary frameworks:

• ITAR (International Traffic in Arms Regulations) — administered by the State Department's Directorate of Defense Trade Controls (DDTC). Governs items on the United States Munitions List (USML). ITAR controls are strict: export requires a license from State, and the controls follow the technology regardless of where it goes or who handles it.
• EAR (Export Administration Regulations) — administered by the Commerce Department's Bureau of Industry and Security (BIS). Governs dual-use items on the Commerce Control List (CCL) under Export Control Classification Numbers (ECCNs). EAR controls are generally less restrictive than ITAR, with license requirements that vary by destination country and end use.

The critical question for any hardware company is which list their technology falls on — and that question is not always easy to answer. ITAR's USML is organized into 21 categories. EAR's CCL has 10 categories with subcategories. Many technologies fall on neither list and are classified as EAR99 — the lowest control level, with no license required for most destinations. But hardware developed with defense end-use in mind often falls somewhere in the controlled space, and assuming EAR99 without a formal classification analysis is a compliance risk.

USML Categories Relevant to Edge-AI ISR Hardware

For ISR-related edge-AI hardware, three USML categories are most relevant:

• Category XI — Military Electronics — Covers electronic equipment "specifically designed or modified" for military application, including navigation, fire control, and signal processing systems. Embedded processors and inference modules designed for integration into military platforms are frequently classifiable under Category XI if they were designed specifically for that end use — not merely adaptable to it.
• Category XII — Fire Control, Range Finder, Optical and Guidance and Control Equipment — Covers electro-optical sensors, FLIR systems, targeting systems, and associated equipment. An EO/IR gimbal payload designed for airborne ISR may fall here, and an inference module that is specifically designed to process output from such a system could be considered a component thereof.
• Category XV — Spacecraft Systems and Associated Equipment — Less commonly applicable for Group-2 UAV payloads, but relevant for companies whose technology extends to higher-altitude platforms or space-based ISR sensors.

The operative phrase in most USML categories is "specifically designed or modified." This is the demarcation between an ITAR-controlled item and a dual-use item that might fall under EAR instead. A general-purpose NPU evaluation board that can run inference workloads is almost certainly not ITAR-controlled on its own. An NPU module that was designed with MIL-STD-1553 interfaces, MIL-DTL-38999 connectors, a secure boot chain designed for defense supply chains, and form factor optimized for ISR payload bays — that's an item where a "specifically designed" argument becomes credible.

EAR ECCN Classification for AI Hardware

If a technology isn't ITAR-controlled, it may still require EAR licensing for export to certain destinations. The relevant ECCNs for AI inference hardware include:

• ECCN 3A001.z — Added to the CCL in 2022 to cover advanced computing integrated circuits with neural network acceleration capability, subject to certain processing performance thresholds. Specific parameters include peak performance values measured in Weighted TeraOPS (WTOPS); current thresholds are subject to BIS updates.
• ECCN 4A003 — Digital computers and related equipment with various performance parameters. An edge-AI module with significant compute capability may fall here if it doesn't meet a more specific ECCN.
• ECCN 9A515 — Unmanned aerial vehicles and associated equipment. An ISR payload module specifically designed for UAV integration could fall under 9A515.x for items not elsewhere specified on the CCL.

Companies that determine their product falls under EAR rather than ITAR have meaningfully more flexibility — EAR licenses are easier to obtain, there are more license exceptions available (notably License Exception ENC for encryption and License Exception STA for strategic trade), and the compliance infrastructure requirements are less burdensome. But EAR is not uncontrolled. License requirements vary by destination and end user, and the EAR's deemed export rules apply: sharing controlled technology with a foreign national in the United States requires an export license if that national is a citizen or resident of a country where export would require a license.

The Deemed Export Rule and Hiring

The deemed export rule is the compliance issue that catches early-stage defense hardware companies most by surprise. Under EAR (15 CFR §734.2(b)(2)(ii)) and ITAR (22 CFR §120.17), sharing controlled technology with a foreign national inside the United States is treated as an export to that person's country of origin. For ITAR-controlled technology, this means that employing a foreign national — even a US permanent resident — in a role where they would access controlled technical data requires either a license from State (a Technical Assistance Agreement or TAA) or a Controlled Technology qualification exception.

For a small team where engineers share technical information freely, this creates real constraints. You cannot have a foreign national engineer working on ITAR-controlled design documentation, source code for firmware that controls ITAR-controlled hardware, or manufacturing specifications for ITAR-controlled components without the proper authorization in place. The penalty for violations — even unintentional ones — includes civil fines up to $1.3 million per violation and potential criminal exposure.

Practical implication: if you're building toward ITAR registration, work with export counsel before making hiring decisions, not after. The cost of a TAA application is manageable. The cost of an ITAR violation is not.

ITAR Registration and Compliance Infrastructure

Any company that manufactures, exports, or brokers defense articles on the USML must register with DDTC under ITAR Part 122. Registration is not a license — it's a prerequisite for applying for licenses. The registration fee is $2,750 per year for manufacturers. Registration takes 60-90 days and requires a statement of the categories of defense articles the company intends to manufacture or export.

Beyond registration, a credible ITAR compliance program requires:

• An Empowered Official — a US Person (citizen or green card holder) with authority to sign export license applications, designated in writing and formally notified to DDTC
• A Technology Control Plan (TCP) — a written document describing the physical and procedural controls the company uses to prevent unauthorized access to ITAR-controlled technical data
• Export classification determination for every product — documented, defensible, and updated when products change
• Training records for all personnel with access to controlled technical data

The Technology Control Plan is particularly important for companies that work with external partners — contract manufacturers, test laboratories, integration partners. Any facility that accesses ITAR-controlled technical data on your behalf needs to be covered by your TCP or by a separate agreement (a Technical Assistance Agreement or Manufacturing License Agreement).

When to Engage Export Counsel

The right time to engage export counsel is before you determine whether your product is ITAR-controlled, not after you've already made that determination internally. Self-classification is permitted, but it carries risk. An incorrect classification in the wrong direction — treating an ITAR item as EAR or EAR99 — is a compliance violation regardless of intent.

For a company at the pre-seed or seed stage building hardware for defense ISR applications, the minimum viable compliance infrastructure is: export counsel on retainer for classification questions, ITAR registration if there's any plausible USML nexus, an Empowered Official designated before the first government customer conversation, and a written TCP before any contract manufacturer or integration partner accesses controlled design documentation.

None of this is optional for companies in this space. And in our experience, government program offices and prime integrators specifically ask about ITAR compliance posture early in the evaluation process. Coming to that conversation without registration and a TCP in place is a significant red flag that can disqualify you from opportunities regardless of the technical merit of your product.

We built our compliance infrastructure before we needed it, and that discipline has made every customer conversation simpler. The up-front cost is real. The alternative — building it reactively under program pressure — costs more and carries more risk.