Interview Prep
AI Export Control Compliance Analyst Interview Questions
50 expert questions covering beginner fundamentals to advanced AI workflow scenarios. Each answer includes a hint for structured responses.
Beginner
5 questions
A strong answer covers BIS's role, the EAR's scope over dual-use items, and its distinction from ITAR.
Answer should define deemed exports under EAR §734.13 and give a concrete AI-company example.
Cover the Commerce Control List structure, the self-classification process, and when a formal CCATS request is needed.
Should mention at least OFAC SDN, BIS Entity List, and Unverified List with distinct purposes.
Explain its multilateral nature, control list structure, and how member states implement its commitments domestically.
Intermediate
10 questions
Great answer discusses model weights as technology, parameter thresholds, ECCN 3E001/4E001 considerations, and the BIS interim final rule on advanced AI models.
Should cover the shift from performance-only thresholds to combined parameters, the addition of the AIA/AIM license exceptions, and country-tiering.
Cover know-your-customer red flags, screening, end-use statements, and how cloud/SaaS models complicate the analysis.
Should discuss TSR (technology and software under restriction), publicly available information exclusion, and recent BIS guidance on open-source AI.
Answer should cover physical and logical access controls, visitor protocols, data compartmentalization, and monitoring.
Should clarify that EAR99 items can still be controlled based on end-use, end-user, or destination (military/intelligence end-use rules).
Cover BIS vs. Treasury/OFAC jurisdiction, license requirements vs. prohibitions, and the different scope of transactions affected.
Discuss deemed exports, the concept of 'release' of technology, cloud-specific BIS guidance, and IP-based geolocation limitations.
Should mention regulatory tracking tools, BIS Federal Register notifications, industry associations, and networking with compliance peers.
Cover the VSD process, its mitigating effect in enforcement, and give an example scenario involving an AI technology transfer.
Advanced
10 questions
Should address the tension between the publicly available information exclusion and recent BIS rulemaking on advanced AI models, including the 'weights-as-technology' debate.
Strong answer covers whether model weights are controlled technology, the distinction between training and inference hardware requirements, deemed re-export considerations, and applicable license exceptions.
Cover red flag indicators from BIS guidance, the obligation not to proceed with 'knowledge' of prohibited end-use, escalation procedures, and VSD considerations.
Should discuss the Entity List FDPR, the Footnote 1/4 FDPR for semiconductor items, and practical implications for AI chip supply chains.
Cover harmonization vs. jurisdiction-specific requirements, local compliance officers, training cadences, audit programs, and escalation hierarchies.
Should address whether synthetic data derived from controlled original data remains controlled, the 'direct product' analog for data, and ethical compliance boundaries.
Compare catch-all clauses, autonomous sanctions regimes, the EU Cyber Surveillance Regulation, and divergences in AI model weight controls.
Discuss 'mixed' provenance analysis, the role of the primary training jurisdiction, technology 'contamination' doctrine, and practical documentation approaches.
Cover defense services vs. dual-use technology, advisory vs. tangible technology transfers, and the 'technical assistance' provision under EAR.
Should discuss IP geolocation, usage pattern analysis, integration with denied party screening APIs, tiered escalation logic, and false positive management.
Scenario-Based
10 questions
Assess deemed export risk, evaluate whether the technology is publicly available (fundamental research exclusion), determine if specific controlled parameters are disclosed, and coordinate with the researcher and legal team.
Apply BIS red flag guidance, conduct enhanced due diligence, request additional end-use documentation, and escalate to management and legal before proceeding.
Immediate quarantine of technology, legal assessment, VSD preparation to BIS, remediation plan, and root cause analysis for process improvement.
Analyze the source of funding as a potential 'knowledge' indicator of prohibited end-use, examine whether compute credits constitute controlled technology, and assess military/intelligence end-use restrictions.
Explain that EAR defines 'technology' broadly, that BIS has explicitly considered AI model weights as potentially controlled, and provide the regulatory basis for classification.
Apply the aggregate Advanced Computing Chips performance thresholds from ECCN 3A090, explain the 'aggregate adjusted peak performance' calculation, and determine if the chip exceeds the threshold.
Consider U.S. EAR controls, Japan's Foreign Exchange and Foreign Trade Act, end-use restrictions, the U.S.-Japan defense relationship, and whether license exceptions apply.
Cover immediate takedown assessment (publicly available information analysis), VSD evaluation, engineer interview, access control review, and updated training program.
Address service vs. export distinction, customer screening, data classification requirements, technology transfer to the platform, and monitoring for prohibited end-uses.
Balance government contract obligations against export control restrictions, explore redacted or summarized disclosures, involve legal counsel, and consider whether a license is required for the disclosure.
AI Workflow & Tools
10 questions
Describe RAG architecture: document chunking of regulatory PDFs, embedding with a suitable model, retrieval pipeline, prompt engineering for compliance-specific answers, and guardrails for hallucination.
Cover named entity recognition with HuggingFace models, custom fine-tuning on trade regulation corpora, and structured output for integration with a compliance database.
Discuss API integration with Visual Compliance or similar, pandas for data normalization, async processing for volume, exception handling, and audit logging.
Describe nodes (suppliers, components, jurisdictions, end-users) and edges (supply relationships, re-export paths, licensing dependencies), with queries to identify high-risk pathways.
Cover custom entity recognizer training, classification model for inquiry routing, integration with ticketing systems, and continuous model improvement from analyst feedback.
Mention data sources (screening results, license status, shipment logs, regulatory change feeds), risk heat maps by country/product, trend analysis, and automated alert thresholds.
Discuss structured prompting with CCL context, retrieval augmentation with internal classification precedents, human-in-the-loop review, confidence scoring, and the critical importance of not relying solely on LLM output for regulatory decisions.
Cover web scraping / RSS for regulatory feeds, NLP change detection, mapping changes to internal product/ECCN matrices, and automated briefing generation for the compliance team.
Discuss GitHub repositories for policies, branch-per-jurisdiction strategy, pull request review workflows for policy changes, automated linting for required sections, and CI/CD for policy distribution.
Cover the formula from the October 2023 rule, parameter inputs (TOPS, interconnect bandwidth, bit-length), threshold comparison logic, and output formatting for classification records.
Behavioral
5 questions
Look for empathy, clear communication of regulatory rationale, alternative solution orientation, and relationship preservation.
Should demonstrate intellectual rigor, courage to escalate, constructive framing, and evidence of systemic remediation rather than blame.
Look for risk-based prioritization frameworks, stakeholder communication, time management skills, and knowing when to escalate for additional resources.
Strong answers include self-directed learning, engagement with technical communities, hands-on experimentation with AI tools, and applying technical knowledge to compliance decisions.
Seek evidence of respectful advocacy, data-driven argumentation, willingness to document dissent, and ultimate alignment with the decision-making hierarchy while maintaining professional integrity.