AI Sanctions Compliance Analyst Interview Questions
50 expert questions covering beginner fundamentals to advanced AI workflow scenarios. Each answer includes a hint for structured responses.
Beginner
5 questions
A great answer identifies OFAC (US Treasury), EU Restrictive Measures (European Council), and UN Security Council sanctions, explaining the primary authority and scope of each.
Should cover that the SDN list identifies blocked persons/entities, that US persons cannot transact with them, and that AI models/technology are considered 'property' subject to blocking.
Answer should explain Export Control Classification Numbers, the Commerce Control List structure, and reference ECCNs like 3A090 for advanced integrated circuits or 4A090 for computers with AI capabilities.
A strong answer distinguishes shipping goods from the US (export), shipping US-origin items between foreign countries (re-export), and sharing controlled technology with foreign nationals (deemed export).
Should address that model weights may encode restricted data, that training data provenance must be verified, and that inference from such models could facilitate sanctions evasion.
Intermediate
10 questions
A great answer covers ECCN classification, license exception eligibility, end-use and end-user screening, and the license review policy for the destination country.
Should explain that entities 50% or more owned by SDN-listed persons are themselves treated as blocked, even if not explicitly named on the list.
Covers fuzzy matching algorithms, false positive management, escalation workflows, audit logging, and integration with tools like Dow Jones or World-Check APIs.
Should address geo-fencing, data residency requirements, cloud provider shared responsibility models, and jurisdictional export control triggers.
Strong answer covers that sharing controlled technical data with foreign nationals constitutes an export to their home country, requiring classification and potentially a license.
Should describe modeling entities as nodes and relationships as edges, identifying shell company chains, shared directors, and indirect ownership paths to sanctioned parties.
Covers restrictions on advanced chips to China, the 'performance density' thresholds, end-use controls, and the Entity List additions affecting major Chinese AI firms.
Should explain that model weights may constitute 'technology' under EAR Part 774 and that their classification determines licensing requirements for transfers.
Covers end-user certificates, restricted party screening, end-use statements, red flag indicators, and ongoing monitoring commitments.
Should explain CFIUS reviews of foreign investment in US AI companies, mandatory filings for critical technology, and overlap with sanctions screening of investors.
Advanced
10 questions
Covers open-source license obligations vs. sanctions law, the BIS 'publicly available' exception limitations, potential secondary sanctions exposure, and practical enforcement challenges.
Should cover IP geolocation services, VPN detection, WAF rules, latency-based location verification, override procedures for false positives, and audit trail requirements.
Covers data residency mapping, model weight export classification at each node, deemed export analysis for foreign national researchers, and coordination with local counsel.
Covers data provenance tracing, model weight 'contamination' analysis, potential blocking obligations, legal analysis of whether the model constitutes SDN-derived property, and voluntary self-disclosure considerations.
Should discuss the policy debate around open-source AI, BIS proposed rules on frontier model weights, the Wassenaar Arrangement, and practical risk-based frameworks for compliance.
Covers the anti-circumvention provisions, the 'knowledge' standard, aggregation analysis for multiple shipments, and end-use verification requirements.
Covers RAG architecture with verified regulatory sources, confidence scoring, mandatory human review for determinations, citation requirements, and guardrails against hallucinated case law or regulations.
Covers the deemed export rule, the 'release' definition under EAR §734.15, technical access controls, and the distinction between cloud computing and traditional exports.
Should address continuous screening, adverse media monitoring, transaction pattern analysis, re-screening triggers (list updates, corporate changes), and tiered escalation procedures.
Covers the EU AI Act's transparency and risk management obligations, how they interact with EU Restrictive Measures, dual compliance requirements, and enforcement coordination between authorities.
Scenario-Based
10 questions
Should walk through beneficial ownership analysis, the 50 Percent Rule, enhanced due diligence, document requests, legal consultation, and potential contract termination if risk is unacceptable.
Covers immediate data access restriction, deemed export analysis, incident documentation, access control remediation, and potential voluntary self-disclosure evaluation.
Covers OFAC Russia sanctions analysis, deemed export review, contributor screening, repository access restriction, legal consultation, and assessment of prior code contributions.
Should cover CFIUS filing analysis, technology provenance tracing, EAR classification of acquired IP, Entity List screening of the Chinese subsidiary's contacts, and integration risk assessment.
Covers IP intelligence analysis, additional identity verification steps, temporary account restriction, legal risk assessment, and escalation criteria for account termination.
Covers data provenance investigation, assessment of whether model weights constitute SDN-derived property, risk of continued use, potential model retraining, and voluntary self-disclosure analysis.
Covers EU and US sanctions list screening, sectoral sanctions analysis, end-use verification, end-user certificate requirements, defense article classification, and dual-use screening.
Covers transaction analysis, blocking report filing obligations, OFAC compliance framework review, automated trading system safeguards, and remediation timeline.
Covers enhanced due diligence, end-use statement requirements, government agency screening, red flag analysis for transshipment risks, and business risk vs. compliance risk assessment.
Covers understanding that sanctions apply regardless of delivery method, analysis of whether the exemption claim has legal basis, competitive pressure vs. compliance integrity, and whether a tip to OFAC is warranted.
AI Workflow & Tools
10 questions
Should cover document ingestion from regulatory sources, chunking strategy, embedding model selection, retrieval configuration, citation generation, and hallucination prevention guardrails.
Covers fine-tuning a BERT-based NER model on annotated sanctions documents, training data creation, evaluation metrics (precision/recall for compliance), and deployment via API.
Should describe node/relationship modeling, Cypher queries for path traversal, shortest-path algorithms, degree-of-separation thresholds, and visualization for compliance reporting.
Covers pre-commit hooks, secret scanning customization, pattern matching for controlled technical specifications, automated pull request blocking, and alert routing to the compliance team.
Covers data source integration (Dow Jones, corporate registries, news APIs), scoring methodology design, weighting factors, threshold-based escalation, and dashboard visualization in Tableau/Looker.
Covers custom entity recognition training, document classification model design, integration with ticketing systems, and feedback loop for model improvement.
Should cover API gateway configuration (Kong, AWS API Gateway), IP geolocation integration, risk-based throttling, request/response logging, and compliance reporting endpoints.
Covers NLP pipeline design, custom entity patterns for sanctions-specific red flags (front companies, transshipment hubs), rule-based + ML hybrid approach, and output formatting for analyst review.
Covers schema design for compliance data, ETL pipelines from screening tools, incremental refresh strategies, role-based access controls, and analytical views for regulatory reporting.
Covers function definition for screening APIs, multi-tool orchestration, result synthesis, conversation memory for context, and disclaimers about AI-assisted vs. human compliance decisions.
Behavioral
5 questions
Should demonstrate assertiveness with diplomacy, data-driven risk presentation, escalation judgment, and ultimately prioritizing compliance over revenue pressure.
Shows attention to detail, proactive problem-solving, ability to articulate risk to leadership, and follow-through on remediation.
Should reference specific sources (OFAC updates, Federal Register, BIS notices), professional networks, and a concrete example of applying new knowledge to a real situation.
Covers ability to translate legal jargon into actionable engineering requirements, use of examples/analogies, documentation skills, and follow-up verification.
Should demonstrate risk-based thinking, appropriate escalation, documentation of reasoning, and willingness to be conservative when uncertainty is high.