Aerospace AI Governance Series · Article 3 of 5

ITAR in the Age of AI: The Export Control Time Bomb Inside Every Aerospace AI System

Monte Fisher

ITAR: The single most dangerous compliance exposure for a public SpaceX
$350B+: Valuation at risk from a single undocumented AI decision
3: Simultaneous regulators — DOJ, State Dept, SEC — in one ITAR violation
19 yrs: Shell multi-jurisdiction compliance experience behind this analysis

Most people think ITAR is a hardware problem. Missiles. Satellite components. Launch vehicle specifications. Physical items on the United States Munitions List that cannot be exported without State Department authorization. That understanding was accurate in 1976 when ITAR was codified. It is dangerously incomplete in 2026, when the most significant ITAR exposure for a company like SpaceX is not a physical component — it is an AI system making autonomous decisions about data that touches defense-related infrastructure.

I spent 19 years at Shell managing compliance across multiple jurisdictions, including export control environments where a single documentation failure could trigger regulatory consequences disproportionate to the underlying act. I have seen what happens when organizations moving fast treat compliance frameworks as post-growth problems. I have also seen what forensic rigor applied to data flows can do to identify and contain exposure before regulators find it first.

What I am about to describe is not hypothetical. Every element of this risk profile exists today, inside SpaceX's operational infrastructure, and will become dramatically more visible the moment the company files an S-1 and subjects itself to public market accountability.

What ITAR Actually Covers — And Why AI Changes Everything

The International Traffic in Arms Regulations control the export of defense articles, defense services, and related technical data. The United States Munitions List includes spacecraft systems, satellites, launch vehicles, guidance systems, and the technical data related to any of the above.

Technical data is the critical category. ITAR defines technical data as information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. That definition, applied to 2026 AI systems, covers an enormous and largely unmapped territory.

The AI ITAR gap: When a Starlink routing algorithm makes an autonomous decision about which ground station handles traffic from a conflict zone, that decision may involve technical data related to a defense article. When a launch sequencing AI processes telemetry from a payload with military applications, that processing may constitute a defense service. When an AI model trained on Starship trajectory data is accessed by a non-US employee, that access may constitute an unauthorized export. None of these scenarios require a physical component to cross a border. All of them can trigger ITAR scrutiny.

The traditional ITAR compliance framework was not designed to govern autonomous AI systems making thousands of decisions per second about data that may or may not touch defense-related infrastructure. The gap between what ITAR requires and what most aerospace AI governance programs actually document is the time bomb this article is about.

The Four AI ITAR Exposure Categories SpaceX Cannot Ignore

1. Starlink Routing Decisions in Conflict Zones

Starlink is active communications infrastructure in active conflict zones. Every time a Starlink AI system makes a routing decision that affects communications in a region with active US military operations or sanctions exposure, that decision potentially touches ITAR-controlled technical data.

The question is not whether the decision was correct. The question is whether it was documented. Whether the AI system's decision logic was recorded. Whether a compliance officer reviewed the parameters governing routing decisions in conflict-adjacent regions. Whether there is an audit trail demonstrating the decision was made within a documented ITAR compliance framework rather than autonomously, without human oversight.

If the answer to any of those questions is no — that is a material ITAR compliance gap that becomes a public company disclosure obligation the moment SpaceX files its S-1.

2. AI Models Trained on ITAR-Controlled Data

Every AI model trained on data related to launch vehicle performance, reentry trajectories, guidance system telemetry, or satellite constellation management is potentially trained on ITAR-controlled technical data. The model itself — the weights, the architecture, the inference outputs — may constitute a defense article or technical data under ITAR, regardless of whether the underlying training data was properly licensed.

The State Department has issued guidance making clear that AI models and software incorporating ITAR-controlled technical data inherit ITAR controls. Sharing those models with non-US persons — employees, contractors, partners, researchers — without appropriate authorization may constitute an unauthorized export.

3. Foreign National Access to AI Systems

ITAR's deemed export rule treats the transfer of technical data to a foreign national inside the United States as an export to that person's home country. A non-US engineer at SpaceX's Hawthorne facility accessing an AI system that processes ITAR-controlled technical data may require an export license — regardless of the fact that the access occurred on US soil.

Managing deemed export compliance for a workforce of SpaceX's size and technical complexity is already a significant undertaking for physical technical data. Extending that compliance framework to AI systems requires a governance layer that most aerospace companies have not built.

4. Third-Party AI Vendors in the Supply Chain

Every third-party AI vendor integrated into SpaceX's operational infrastructure is a potential ITAR exposure vector. A cloud AI provider processing telemetry data. A machine learning platform used to optimize launch parameters. Any of these vendors may be routing data through infrastructure in jurisdictions that create ITAR exposure — and most vendor contracts do not contain adequate ITAR compliance representations.

At Shell, vendor due diligence for operations touching export control environments was forensic — not a checkbox. Every vendor touching sensitive data was evaluated for data residency, access controls, employee nationality screening, and export compliance certifications. That same standard applied to AI vendors in aerospace is what ITAR compliance at AI scale actually requires.

Why the Boeing Precedent Should Keep Every SpaceX Board Member Awake

Boeing's governance failures are instructive not because of what they did — but because of how the institutional response scaled relative to the underlying violation. The 737 MAX software governance failure was, at its core, a documentation and oversight failure. When the failure became undeniable, the institutional response was not proportional. It was existential — simultaneous FAA, DOJ, and congressional scrutiny, criminal charges, $20B+ in losses, and permanent reputational damage.

"When governance gaps intersect with national security or safety exposure, regulators do not apply proportional responses. They apply existential ones. The time to understand that is before the first incident — not during the congressional testimony that follows it."

An ITAR violation at SpaceX would trigger a response that makes the Boeing 737 MAX investigation look contained. Simultaneous DOJ, State Department, and SEC scrutiny — all at the moment the company is trying to manage its first public earnings call and demonstrate governance maturity to institutional investors.

That scenario is preventable. It requires building ITAR-aware AI governance infrastructure before it is needed, not retrofitting it after the first violation is discovered.

What ITAR-Aware AI Governance Actually Looks Like

01. AI system ITAR classification inventory

Every AI system in operational use classified by its ITAR exposure profile — what data it processes, whether that data includes or derives from ITAR-controlled technical data, which jurisdictions it operates in, and which users have access. This inventory does not exist at most aerospace companies. It needs to exist before the S-1 is filed.

02. Automated data classification for AI inputs and outputs

A governance layer classifying AI-generated outputs by ITAR sensitivity in real time — flagging outputs that contain or derive from controlled technical data before they are transmitted, shared, or accessed by users whose nationality creates deemed export exposure.

03. Deemed export compliance framework for AI access

A documented framework governing which AI systems foreign national employees can access, under what authorization, with what monitoring, and documented in what compliance record. This needs to be built before the IPO workforce disclosure requirements create a public record of the gap.

04. Vendor ITAR due diligence for AI supply chain

Every third-party AI vendor evaluated for ITAR compliance before integration — data residency, access controls, employee nationality screening, export compliance certifications, and contractual ITAR representations. Not a checkbox. A forensic review with documented findings and ongoing monitoring.

05. ITAR audit trail for AI decision points

Every significant AI decision in ITAR-adjacent systems documented with the data inputs, the model version, the output, the user who triggered the decision, and the compliance review record. The CFE evidentiary standard applied to export control compliance rather than financial fraud.

Training data ITAR inheritance: AI models trained on ITAR-controlled data may inherit those controls — making the model itself a controlled item requiring export authorization before sharing with non-US persons.

Autonomous routing decisions: AI systems making routing or allocation decisions involving conflict zone infrastructure may be making ITAR-relevant decisions without human oversight or documented compliance review.

Deemed export at AI scale: Foreign national employee access to AI systems processing ITAR-controlled data may constitute unauthorized deemed exports — multiplied across thousands of access events per day.

Vendor data residency gaps: Third-party AI infrastructure routing SpaceX data through non-US data centers may create unauthorized technical data exports with no visibility in the current compliance framework.

The forensic CPA perspective: I have spent my career tracing financial exposures through complex organizational structures and documenting findings that can survive adversarial review. The ITAR AI compliance gap at most aerospace companies is not a technical problem. It is a documentation problem — the same category of problem that destroyed Enron, crippled Boeing, and ended FTX. The exposure exists. The question is whether it gets documented and remediated before a regulator documents it first.

Disclaimer: This article is for educational and informational purposes only and represents the independent professional opinion of Monte Fisher, CPA (Retired), CFE. It does not constitute legal, financial, or investment advice, and is not legal advice on ITAR or export control compliance. References to SpaceX, Boeing, Shell, and other organizations are for analytical and illustrative purposes only. Monte Fisher has no financial relationship with any company referenced and has no non-public information about any of these organizations. Always consult qualified legal, export control, compliance, and financial professionals before making governance or compliance decisions.