FirmAdapt is an AI-powered business diagnostics platform that audits companies to expose operational inefficiencies and broken processes. We then deploy custom AI agents, robotic process automation, and engineered solutions to fix the problems we find. Our diagnostic tools include company audits, website audits, competitive intelligence, and faith-based compliance screening.

Does FirmAdapt have a free API?

Yes, FirmAdapt offers free open API endpoints that require no authentication. AI agents and developers can make up to 10 requests per week without signing up. The API supports company profile lookups, faith-based compliance screening, and stock searches across 12 global markets.

What is faith-based stock screening?

Faith-based stock screening analyzes a company's financial ratios and business activities to determine compliance with religious investment guidelines. FirmAdapt supports 9 frameworks including Shariah (AAOIFI, S&P), Christian (BRI), Catholic (USCCB), Jewish (Halakhic), LDS/Mormon, ESG Religious, and Evangelical standards.

Can AI agents use FirmAdapt?

Yes, FirmAdapt is designed for native AI agent integration. It provides an MCP (Model Context Protocol) server for Claude Desktop, Cursor, and other AI tools. AI agents can access company profiles, run faith-based compliance screens, and search stocks across 12 global markets using free open endpoints with no API key required.

What markets does FirmAdapt support?

FirmAdapt supports 12 global markets: US (NYSE/NASDAQ), UK (London Stock Exchange), Germany (XETRA), France (Euronext Paris), Japan (Tokyo Stock Exchange), India (NSE/BSE), Saudi Arabia (Tadawul), UAE (Dubai/Abu Dhabi), Malaysia (Bursa), Indonesia (IDX), Canada (TSX), and Australia (ASX).

Back to Blog

AI complianceregulatorydefenseITARCMMCEAR

EAR vs ITAR for AI Workloads: Knowing Which Regime Applies

By Basel IsmailMay 11, 2026

EAR vs ITAR for AI Workloads: Knowing Which Regime Applies

If you are running AI workloads that touch anything related to defense, aerospace, or dual-use technology, the classification question between EAR and ITAR is not academic. It determines which agency has jurisdiction over your data, which countries and persons you can share it with, which cloud infrastructure you can use, and what happens to you if you get it wrong. The penalties under ITAR can reach $1.3 million per violation (civil) or $1 million and 20 years imprisonment per violation (criminal) under 22 U.S.C. 2778. EAR violations under ECRA (50 U.S.C. 4819) can hit $330,947 per violation or twice the transaction value, whichever is greater. These numbers were updated in 2024 for inflation adjustments. Getting the classification wrong is expensive.

Two Regimes, Two Agencies, Two Lists

The International Traffic in Arms Regulations (ITAR), administered by the State Department's Directorate of Defense Trade Controls (DDTC), covers defense articles and services on the United States Munitions List (USML). The Export Administration Regulations (EAR), administered by the Commerce Department's Bureau of Industry and Security (BIS), cover dual-use and commercial items on the Commerce Control List (CCL), plus EAR99 items that are subject to EAR but not specifically listed on the CCL.

The key distinction: USML items are inherently military. CCL items have both civilian and military applications, or are controlled for reasons like national security, anti-terrorism, or regional stability. If your AI system is processing, training on, or generating outputs derived from USML-controlled technical data, you are in ITAR territory. If it involves CCL-listed technology or software, you are under EAR. And if your data touches both, congratulations, you have a classification problem that requires careful commodity jurisdiction analysis.

Commodity Jurisdiction: Where the Confusion Lives

When it is unclear whether an item falls under USML or CCL, you can submit a Commodity Jurisdiction (CJ) request to DDTC under 22 CFR 120.4. DDTC consults with BIS and the Department of Defense, and they make the call. This process can take 60 days or more. During that time, the conservative approach is to treat the item as ITAR-controlled, because ITAR is the more restrictive regime.

There has been meaningful movement on this boundary over the past decade. The Export Control Reform (ECR) initiative, which ran from roughly 2011 to 2020, moved significant categories of items from the USML to the CCL. For example, certain military vehicles, vessels, and related components shifted from USML Categories VII and VI to CCL categories under the "600 series" ECCNs. The 600 series items are still controlled more tightly than typical dual-use items on the CCL, but they benefit from license exceptions that ITAR simply does not offer.

For AI workloads, the practical question is usually about technical data and software, not hardware. And here the distinction matters enormously.

Why This Gets Complicated for AI

AI systems interact with controlled data in ways that traditional export control frameworks were not designed to anticipate. Consider a few scenarios:

Training data. If you fine-tune a model on ITAR-controlled technical data (say, specifications for a missile guidance subsystem listed under USML Category IV), the resulting model weights may themselves constitute ITAR-controlled technical data. DDTC has not issued definitive guidance on this, but the definition of "technical data" under 22 CFR 120.33 is broad enough to encompass information "required for the design, development, production, manufacture" of defense articles. A model that has internalized those parameters arguably qualifies.
Inference outputs. If an AI system generates outputs that reveal controlled technical data, the output itself may be controlled. This applies under both regimes. Under EAR, "technology" is defined in 15 CFR 772.1 as information necessary for development, production, or use of items on the CCL.
Cloud processing. Running AI workloads on cloud infrastructure located outside the United States, or accessible by non-U.S. persons, can constitute an export or deemed export under both ITAR (22 CFR 120.50, 120.52) and EAR (15 CFR 734.13, 734.14). This includes situations where a foreign national employee at your company accesses the data domestically.

The Deemed Export Problem

Deemed exports are where organizations most frequently stumble with AI workloads. Under both ITAR and EAR, releasing controlled technology to a foreign person in the United States is treated as an export to that person's home country. If your AI engineering team includes foreign nationals, and they have access to controlled technical data or controlled source code, you need either a license or a valid exemption/exception.

Under EAR, the Fundamental Research Exclusion (15 CFR 734.8) can help if the work qualifies, but it has limits. It applies to basic and applied research at accredited institutions, not to proprietary commercial development. Under ITAR, the fundamental research exclusion is narrower still, codified at 22 CFR 120.34(a)(8), and it does not apply to research that has been restricted by the sponsor or that results in information subject to access or dissemination controls.

For commercial AI development in the defense sector, these exclusions rarely apply. You are almost certainly going to need a Technology Control Plan (TCP) and possibly individual licenses.

Practical Steps for Classification

Here is a reasonable framework for determining which regime applies to your AI workloads:

Start with the USML. Review all 21 categories. If the underlying data, the end-use application, or the system being supported is specifically enumerated on the USML, you are under ITAR. Do not skip this step and assume EAR applies because your item feels "dual-use."
Check for 600 series ECCNs. If the item was transitioned from USML to CCL under ECR, it likely sits in a 600 series ECCN. These carry "Significant Military Equipment" designations and have more restrictive licensing policies than standard CCL items, but they do allow some license exceptions (such as STA under 15 CFR 740.20).
Evaluate derived data. If your AI model was trained on or processes controlled data, assess whether the model itself, its weights, or its outputs constitute controlled technology or technical data under the relevant definitions.
Map your personnel. Identify every person with access to the workload, their citizenship and permanent residency status, and determine whether deemed export licenses are needed.
Assess your infrastructure. Confirm that cloud providers, data storage locations, and processing environments meet the requirements of the applicable regime. For ITAR, this often means U.S.-only data centers with access restricted to U.S. persons.

If there is genuine ambiguity after this analysis, file a CJ request. Do not guess. The cost of a wrong assumption is measured in seven figures and potential debarment.

Recent Enforcement Context

BIS has been increasingly active. In FY2023, BIS reported 832 investigations initiated and secured significant penalties, including the $300 million settlement with Seagate Technology in April 2023 for shipping hard drives to Huawei in violation of Entity List restrictions. On the ITAR side, DDTC's consent agreements have included cases like the $13 million settlement with Honeywell in May 2023 for unauthorized exports of engineering drawings related to defense articles. Neither case involved AI specifically, but both underscore that technical data violations are a priority for enforcement.

As AI becomes more central to defense applications, expect enforcement attention to follow. The October 2023 BIS semiconductor export controls update (which restricted advanced AI chips to China) signals that AI-specific export control enforcement is accelerating, not slowing down.

How FirmAdapt Addresses This

FirmAdapt's architecture was built with these classification boundaries in mind. The platform enforces access controls that align with both ITAR and EAR requirements, including person-level access restrictions based on citizenship and authorization status, data residency controls that keep workloads within compliant infrastructure, and audit logging that supports the recordkeeping requirements of both 22 CFR 122.5 (ITAR) and 15 CFR 762 (EAR). Classification metadata travels with the data, so controls follow the content rather than relying on users to remember which regime applies.

For organizations that handle both USML and CCL-controlled data, FirmAdapt provides workload segregation that prevents commingling and maintains separate compliance postures for each regime. This is particularly relevant for AI workloads where training data, model artifacts, and inference outputs may each carry different classification requirements. The platform does not make the classification decision for you, but once you have made it, FirmAdapt enforces it consistently across your AI operations.

Ready to uncover operational inefficiencies and learn how to fix them with AI?

Try FirmAdapt free with 10 analysis credits. No credit card required.

Get Started Free