Export Controls Added to Your Bucket in 2026?

Many in-house lawyers inherit export controls without warning. One day it is contracts or IP; the next day someone tells you engineering, HR, and IT are now an “export risk.” That is not an exaggeration. EAR and ITAR regulate who inside your company is legally allowed to know what.

Export controls are not mainly about shipping products. They are about information. Design drawings, source code, test data, manufacturing processes, and technical manuals can all become regulated exports if the wrong person gains access to them. Your job is to make sure controlled knowledge does not flow to unauthorized people, whether they are down the hall or on the other side of the world.

Most of this law exists because modern technology is rarely purely civilian or purely military. Much of what U.S. companies build is dual-use: it has perfectly legitimate commercial applications, but it can also be used for military, intelligence, or surveillance purposes. Advanced materials, sensors, navigation systems, encryption, AI models, and high-performance manufacturing processes are classic examples. They power everyday products, but they also power weapons systems and strategic infrastructure.

That is why export controls are counterintuitive. A product that looks completely commercial may still be regulated, not because of who buys it, but because of what the underlying technology enables.

What the new role looks like in practice

The first thing you need is a picture of what the company actually has that might be controlled. Engineers already know what would be dangerous in the wrong hands. You need to capture that in a way legal can govern. That usually means pulling together design files, software, and key process documents and identifying what really gives the company its technical edge.

Classification. Once you know what technology the company actually has, each meaningful item has to be given a legal status. That status is not based on how the product is marketed, but on what the underlying technology can do. The question is whether it is inherently military (ITAR), commercially available but strategically sensitive (EAR under a specific ECCN), or generally uncontrolled (EAR99). This classification is a legal judgment about technical capability, and it becomes the foundation for every downstream decision about access, storage, sharing, and licensing.

Marking. Once technology is classified, that status has to travel with the data. Files, drawings, source code, and test results should be labeled so their legal status is obvious—ITAR-controlled, EAR-controlled with an ECCN, or unrestricted. Those markings are what allow engineers, IT systems, and compliance tools to recognize what they are dealing with. Without marking, classification exists only in legal memos and spreadsheets and cannot be enforced.

People. Export controls are ultimately about who may see what. Access turns on whether someone is a U.S. person, their citizenship, and whether a license applies. This is where HR and onboarding become part of compliance. Every employee, contractor, and offshore team member must be mapped against the categories of data they are legally allowed to access.

Systems. The rules have to live in the company’s actual infrastructure. Controlled data cannot sit in open drives or unrestricted collaboration tools. Source-code repositories, document management systems, and cloud storage must enforce access based on the markings and the user’s status. Regulators look first at whether your systems prevent unauthorized access, not at how many policies you have written.

Licensing. Licenses are used only when the business genuinely needs a foreign national to work on controlled technology. A license creates a narrow, documented exception that specifies who may receive what data, for what purpose, and for how long. Everything outside that scope remains prohibited.

Training and auditing. Employees must be able to recognize controlled data and understand when to stop and ask. Legal and compliance then verify, through training records, access logs, and periodic audits, that the controls are actually working. This is what makes the program credible to regulators.

Why lawyers end up owning this

If you have done IP, trade secrets, or government contracts, you already understand this work. It is about defining protected information, controlling access to it, and documenting the legal boundaries around its use. EAR and ITAR simply add federal enforcement behind those boundaries.

In-house, export controls matter because the downside is existential. One mistake can mean criminal exposure, loss of defense work, and serious board-level consequences. The lawyer who understands how the technology, the people, and the systems fit together becomes one of the most important risk managers in the company.

You are not becoming a technical specialist. You are becoming the person who decides which knowledge is allowed to move—and which must stay put.