Export Controls in the Age of “Good Enough” AI and Drones

Interagency friction, industrial reality, and the hard craft of “securely guided proliferation”

by ChatGPT-5.2

The RAND report on export controls for artificial intelligence (AI) and uncrewed aircraft systems (UAS) is ultimately a study in strategic humility. It starts from an uncomfortable premise: the United States is no longer regulating from a position of overwhelming technological monopoly in either AI or drones, and that changes everything about how export controls work—what they can plausibly achieve, what they might break, and how quickly they can backfire. The authors frame this as a “balanced system” problem: controls must protect national security while not undermining domestic competitiveness, not accelerating foreign substitution, and not creating perverse security externalities (including allies turning to competitors for capability).

What makes the report valuable is that it refuses the simplistic fantasy of export controls as a neat “chokepoint switch.” Instead, it treats controls as a dynamic system with feedback loops—capable of either reinforcing a lead or triggering a regulatory “death spiral” that erodes the very industrial base the policy is meant to protect.

The key issues RAND highlights

1) The “technology edge” assumption is weaker than policymakers often admit

A core finding is that the United States defense industrial base lacks a significanttechnology edge over adversaries’ industrial bases in AI and UAS, and that while the U.S. retains leadership in important areas, it is no longer operating from the pre-2018 “monopolistic” position. This matters because the stricter you make controls, the more you gamble that your lead is big enough—and durable enough—to survive the collateral damage.

My view: I agree with this framing, and I think it is the necessary starting point for any serious export control regime in 2026+. When capabilities diffuse quickly and “good enough” systems proliferate, the marginal benefit of blocking the top tier can be real—but the marginal cost of pushing competitors and third parties into rapid substitution can be larger than expected. RAND’s emphasis on feedback loops is the right mental model.

2) Overregulation can weaken you—economically and strategically

RAND argues that overregulation risks dampening domestic competitiveness, accelerating advances abroad, and creating security risks—particularly if restrictive policies cause allies and partners to procure from competitors (including China) or if targeted states retaliate through resource access, market restrictions, or punitive industrial policies.

The report also grounds this in private-sector effects: export controls can cut into revenue, threaten market share, and incentivize reconfiguration of supply chains, offshoring, or “design-out” of U.S. technology. The authors cite examples and industry concerns consistent with that pattern—loss of sales, reduced forecasts, and strategic repositioning.

My view: I agree with the core risk, but would sharpen it further: export controls are not merely “constraints,” they are industrial policy instruments—and if you don’t pair them with domestic capacity-building, you risk turning your own controls into an accelerant for foreign ecosystems. RAND gestures at this through the innovation-leadership and resourcing recommendations; I think that pairing is not optional.

3) Interagency governance is a bottleneck—and a strategic vulnerability

One of the report’s most concrete contributions is its diagnosis of interagency friction across U.S. Department of Commerce (via Bureau of Industry and Security), U.S. Department of Defense (including Defense Technology Security Administration), and U.S. Department of State (including the ITAR ecosystem). Disputes can delay licensing; roles and responsibilities can be blurry; and implementation details can create de facto policy.

RAND also emphasizes a mismatch between policy timelines and technology timelines: regulation is “playing catch-up,” and the system lacks the flexibility to adjust at the speed demanded by AI and fast-evolving UAS markets.

My view: Strong agreement. This is one of those “unglamorous” findings that is actually strategic. If your adversary can iterate faster than your licensing and classification process, then your system becomes predictable, gameable, and easily circumvented. Interagency dysfunction is not just inefficiency—it becomes a national-security surface area.

4) Resourcing and expertise are not “nice to have”—they are the regime

RAND repeatedly returns to a practical constraint: BIS (and the broader system) is understaffed and underfunded relative to the scale, complexity, and pace of the challenge, and the gap is likely to grow as diversion/circumvention methods improve and as AI-enabled UAS adds new regulatory dimensions. That includes expertise gaps: DTSA needs deeper understanding of the AI industry’s infrastructure and ecosystem; BIS would need new competence if it ever tries to regulate training data or model-related artifacts.

My view: Agree—and this point generalizes to other countries even more strongly. Many governments want “U.S.-style” export control outcomes without U.S.-scale institutional machinery. RAND is essentially saying: you cannot buy strategic control on the cheap.

5) The most interesting frontier: “military training data” and model-derived controls

A standout theme is data regulation for autonomous UAS. RAND argues that while hardware controls (chips, compute thresholds) may miss many autonomy use cases—because autonomy often runs on hardware below current thresholds—there might be leverage in controlling specialized training data and potentially models derived from such data. The report is careful that this is speculative and future-oriented, but it identifies why it’s appealing: genuinely military-relevant training data (e.g., for GPS-denied operations, dodging fire, adversarial maneuvering) has fewer legitimate commercial dual uses and may be less available through normal markets.

The problem, RAND notes, is definitional and operational: governments would need criteria for what counts as “military training data,” methods to identify it, and ways to distinguish resulting models from other operational data/models—plus expertise and sustained engagement with developers.

My view: I agree with the direction (data/model governance is where some of the future leverage is), but I think it’s even harder than the report implies for three reasons:

1. Commingling and derivative ambiguity: training runs mix sources; provenance can be partial; and model capability is rarely attributable to a single dataset.

2. Replication and leakage: once data is observed, captured, or re-collected, the control point moves.

3. Enforcement practicality: even if you define a category, auditing and proving violations is nontrivial without intrusive compliance mechanisms.

That said, RAND’s underlying point stands: if you can’t credibly control “autonomy hardware,” you will eventually look for other control surfaces—data, models, and integration pathways.

RAND’s recommendations (and why they matter)

RAND’s recommendations cluster into a coherent program rather than a grab bag:

1. Invest to lead (not merely to restrict): DoD should strengthen innovation leadership through R&D in AI and UAS, including deeper relationships with smaller/nontraditional firms.

2. Increase industry engagement (especially on AI infrastructure/ecosystems):DTSA should engage more deeply with the AI industry to understand how systems are built, trained, deployed, and integrated.

3. Shift from reactive to proactive governance: DTSA and DOC should do forecasting and forward-looking risk analysis (3–10 years) to anticipate dual-use inflection points before they become crises.

4. Create an adaptive regulatory framework: improve the ability of DOC/DoD/DOS to adjust controls rapidly as conditions change; reduce time from threat identification to implementation.

5. Resource the regime: expand BIS resources for expertise, engagement, and compliance capacity.

6. Codify roles and process: publish clearer doctrine and responsibilities to reduce ambiguity and “blurred lines.”

7. Measure outcomes, not just activity: DOC should lead methods to track effectsand perceived effectiveness across agencies; create a more systematic evaluation loop.

8. Break stovepipes: expand interagency technology assessments and forecasting that explicitly consider intersections (AI + UAS) rather than regulating them in isolation.

A compact way to view this is RAND’s road map table (using a DOTmLPF lens): doctrine and organization reforms (adaptive framework + codified roles + measurement), personnel and capacity (BIS resourcing), and materiel/analysis (forecasting + cross-technology assessment).

My view: Broadly agree. The strongest idea in practice is the pivot from “rules as static text” to “regulation as an adaptive capability.” In fast-moving domains, a control regime that cannot learn quickly will either (a) become symbolic, or (b) become destructively overbroad because it tries to compensate for uncertainty with blanket restrictions.

What I think is missing (or underweighted)

Even a strong report can leave gaps—often because the missing pieces are politically thorny or analytically under-instrumented.

1) A clearer theory of victory: what is export control success supposed to look like?

RAND discusses balancing, tradeoffs, and feedback loops, but there’s room for a more explicit “success metric stack.” For example: Are controls meant to delay, to degrade, to deter transfer, to shape ally markets, to create bargaining leverage, or to force substitution costs? Different goals imply different designs and evaluation metrics. Without that clarity, “measure effectiveness” risks devolving into counting licenses and denials.

2) Enforcement realism: detection, auditability, and the compliance perimeter

The report emphasizes resources and expertise (rightly), but it could go further on enforcement mechanics: how you detect diversion at scale, how you audit supply chains, what the minimum viable compliance program looks like for exporters, and what data-sharing infrastructure is needed across agencies and with trusted allies.

3) The multilateral layer as a first-class design constraint

RAND notes multilateral considerations, but the deeper problem is structural: if allies do not align, controls leak; if allies align unevenly, burdens concentrate; if competitors offer turnkey alternatives, allies may defect. For AI + UAS, the multilateral design challenge is arguably the main event, not a supporting chapter.

4) The “services” and “integration” vector (beyond goods)

Modern capability transfer often happens through services: model fine-tuning, MLOps pipelines, sensor fusion integration, and training/maintenance. A tighter treatment of “defense services” analogues in AI-enabled systems—especially when capabilities can be delivered as updates—would strengthen the operational picture.

My recommendations for other countries facing similar challenges

If other governments are looking at the same tensions—security vs competitiveness, tech diffusion vs proliferation risk, unilateral controls vs alliance cohesion—RAND’s lessons generalize well, but with some practical adaptations:

1. Build an adaptive export-control capability, not just a rulebook.
   Treat export controls as a living system: rapid update pathways, scenario-based triggers, and a standing “controls engineering” function that can iterate as the technology changes.

2. Start with institutional design: clarify ownership, roles, and escalation paths.
   Avoid fragmented authority where disputes become de facto vetoes. Publish clear responsibilities across commerce/economy, defense, foreign affairs, and intelligence functions.

3. Resource the “center”: expertise, data, and enforcement capacity.
   If you can’t staff technical assessors and compliance analysts, your regime will either (a) become porous, or (b) become overly blunt and economically damaging.

4. Measure outcomes and second-order effects—not just compliance throughput.
   Track: substitution abroad, market-share shifts, R&D relocation incentives, ally procurement substitution, retaliatory regimes, and the downstream security externalities.

5. Prioritize multilateral alignment early, even if imperfect.
   For many mid-sized economies, unilateral controls without trusted-partner coordination are largely symbolic—especially in AI supply chains and UAS component ecosystems.

6. Differentiate control surfaces: hardware, data, models, integration, and services.
   Don’t assume chips are the only lever. But be honest about enforceability and proof standards when you move into data/model territory.

7. Pair restrictions with domestic industrial capacity-building.
   Export controls without a competitiveness strategy can become self-harm. If you restrict outbound transfer, you should simultaneously invest in domestic ecosystems—talent, R&D, manufacturing resilience, and secure supply chains.

8. Adopt “securely guided proliferation” as a policy posture, not a slogan.
   Many countries will need to export and collaborate while managing risk. That implies tiered partner frameworks, end-use monitoring, and incentives for compliant ecosystems—rather than pretending you can freeze diffusion.

Closing thought

RAND’s message is bracing: export controls for AI and UAS are no longer about guarding a single crown jewel. They are about managing an evolving, contested ecosystem—where your own industrial health is part of national security, and where regulatory agility is as important as regulatory strictness. In that world, the real differentiator is not who writes the toughest rules; it’s who can run the most adaptive, well-resourced, and internationally coordinated control regime—without accidentally subsidizing the competitor’s next leap.