Artificial intelligence and sanctions

Briefing
28 October 2024
2 AUTHORS

Introduction

The implementation of sanctions measures continues to be the mechanism of choice for the UK, and its global counterparts, against targeted jurisdictions and regimes to accomplish foreign policy and national security aims. While these comprise restrictive measures on individuals and entities, such as asset freezes, they also include economic and trade sanctions, and export control regulations concerning the provision of specified goods and services. Such restrictions can extend to the provision of Artificial Intelligence (AI) software and technology which, in the rapidly evolving technological landscape, is becoming integral to a variety of sectors. It is therefore crucial for stakeholders to understand the sanctions risks regarding AI development and deployment.

Regulatory Landscape

AI software, and indeed software generally, is not easily classifiable under sanctions and export control regulations. Unlike physical goods, software lacks a clear and consistent classification system as it can be easily modified, digitally distributed and used in a multitude of applications, some of which may not have been anticipated by the original developers. This flexibility and adaptability make it challenging to apply conventional sanctions and export control processes to AI software, as those processes were largely designed with tangible goods in mind. As such, AI can be particularly high-risk from a sanctions perspective as it can be exploited in ways that circumvent existing regulations, thus increasing the risk of sanctions violations.

The UK, EU and US each aim to work in lock-step to ensure that the sanctions measures they implement against particular regimes, including Russia, are broadly consistent. Nonetheless, the various sanctions and export control regulations are complex and dynamic and there will naturally be nuances in the applicability, interpretation and implementation of these measures.

It is critical that providers of AI software and services consider the scope and capabilities of their AI platforms and, if necessary, obtain legal advice to ensure sanctions compliance and mitigate the risks of regulatory and reputational consequences of non-compliance.

Sanctions on AI Software

Typically, sanctions and export control regulations use commodity/harmonised system (HS) codes, which are internationally standardised numerical codes used to classify traded products, to identify products that are subject to restrictions.

However, AI software (as well as software that is provided by download or licence) does not readily fall within the scope of HS taxonomy. Instead, to identify whether a particular type of AI software is subject to restrictions, a careful review of the technical specifications and description of the technology against the list of restricted goods and/or technology is required. This review should include elements such as the functionality of the software, its algorithms, data processing capabilities and potential applications in sensitive sectors.

There are also various sanctions and export control regulations imposed by the EU, UK and US which restrict the provision of AI products depending on the specification and functionality of such products if they are (i) being provided to/used by designated entities and/or individuals; or (ii) being provided in jurisdictions subject to comprehensive and/or sectoral sanctions, including restrictions on certain types of software.  

This is particularly the case where the AI software has specific characteristics that align with controlled “dual-use” goods or technology, under the relevant dual-use regulations, such as advanced data analytic tools, machine learning processes and cybersecurity software (i.e. items that can have both civilian and military application).

Additional consideration should be given to AI software users in circumstances where inadvertent access may be provided to sanctioned entities or individuals. Even where the user is not subject to sanctions, there is a risk that AI tools could be used in ways that directly or indirectly support activities that contravene sanctions regulations.

Recommended Mitigation Steps and Best Practice

An overall due diligence framework should be implemented by providers of AI products to ensure that there is a level of consideration of (i) the applicability of sanctions and export restrictions to relevant products; (ii) where and to whom their products are being marketed; (iii) who the end-users of the products are; and (iv) the intended end-use of the AI software.

To the extent possible, organisations should:

  1. seek to ensure that users are not individuals or entities that are directly or indirectly (by reason of ownership or control) subject to sanctions;
  2. restrict access to users within high-risk jurisdictions that are subject to comprehensive and/or sectoral sanctions; and
  3. ensure that processes are in place to verify that their AI products are not being used to support sectors/industries, or underlying trade, that may be subject to sanctions restrictions.

Practical steps can take the form of regular screening of users during onboarding and periodically thereafter, reviewing terms and conditions to incorporate contractual statements, requiring warranties and indemnities from consumers, or implementing geo-blocking technologies to restrict the functionality of the technology in locations that are considered to be high-risk from a sanctions perspective.

Additionally, providers should consider implementing periodic training programmes for their staff, conducting horizon scanning to stay ahead of regulatory changes, and engaging with counterparties, such as banks and financiers, to ensure comprehensive compliance and minimise bottlenecks.

Conclusion

The growth of advanced technologies and investment in AI products will continue at pace and, inevitably, so will the sanctions and export control risks associated with the provision of such products. While the sanctions regulatory landscape generally lags behind the advancement of technology, and AI in a sanctions context is still a novel area, it remains essential to adhere to the overarching expectations regarding sanctions aims and compliance.

Technology, alternative, and otherwise ‘disruptive’ industries cannot simply rely on this lag between reality and law to triage opportunities. Organisations will need to consider the general (and specific) mitigation strategies that they can employ to minimise the risk of sanctions breaches and wider reputational concerns.

HFW is experienced in advising on the application of sanctions to specific technologies and working with clients to recommend tailored mitigation measures to minimise the risk of sanctions exposure.