DepChain
Home · Guides
Deemed export & AI tools

Can you put ITAR drawings in the cloud — or run them through ChatGPT?

Short answer: often no — and it's the kind of mistake that doesn't feel like exporting anything. Here's the plain-English version for a shop that doesn't have a compliance department.

Updated June 2026~6 min readDecision support, not legal advice

You've got a print stamped ITAR on your bench. You also have a normal modern shop: files in Google Drive, a Dropbox you share with a vendor, maybe you've started pasting tricky things into ChatGPT to save time. Reasonable question nobody warns you about: is any of that a problem?

It can be — and it's worth understanding why, because the rule that makes it risky doesn't look anything like "exporting."

The one rule that makes this dangerous: "deemed export"

Under ITAR, letting a foreign person access controlled technical data counts as an export — a "deemed export" — even if nobody leaves the building and nothing ever ships overseas. No border crossing required. Access is the export.

"Foreign person" is broader than people assume. It's anyone who isn't a U.S. citizen, a green-card holder, or a protected person (asylee/refugee). Someone here on a work or student visa is a foreign person for ITAR purposes. And — this is the part that catches shops — it isn't only your employees. It's anyone who could get to the data, including the people running the services you store it on.

Why the cloud is the trap
A controlled drawing sitting in consumer Google Drive, Dropbox, or OneDrive lives on servers maintained by staff who aren't all U.S. persons, often spread across multiple countries. The moment a non-U.S. person on the provider's side could access it, that can count as an unauthorized export. Note the word: could, not did. You don't have to prove anyone looked.

Why AI tools are the sharper version of the same problem

Pasting a controlled drawing, spec, or model into ChatGPT, Microsoft Copilot, or the cloud features of a CAD tool sends that data off to servers you don't control, processed by infrastructure and people who were never vetted as U.S. persons. Same deemed-export problem as the cloud — plus the tool may keep the data, train on it, or hand it to subprocessors.

Two things make this worse than it feels. There's no "I didn't mean to" defense — intent isn't required for the underlying violation. And there's no minimum size — one paste of one controlled drawing can be the whole violation.

"But it says ITAR-compliant…"

Some platforms genuinely are built for this — they keep your data inside a U.S. boundary, accessible only by U.S. persons, usually on something like FedRAMP High or a GovCloud region. That's a real thing and it's fine. But a marketing badge on a consumer tool is not that, and "we're ITAR-compliant" on a website doesn't automatically mean your use of it is. The shop owners who get this right treat consumer cloud and general AI tools as off-limits for controlled data until proven otherwise — which is why you'll see machinists say flatly that cloud CAD is a no-go for ITAR work.

What actually keeps a small shop clear

You don't need to go back to paper and an air-gapped PC for everything. You need to fence the controlled stuff and work normally with the rest. Four steps:

  1. Know what's actually controlled. Half the prints that come in stamped ITAR aren't really on the Munitions List — the prime blanket-marks everything to cover itself. Sort out what's genuinely controlled before you lock down your whole shop. (Our classification guide walks the USML vs EAR vs EAR99 call; the registration guide covers what you owe once a part is ITAR.)
  2. Keep controlled files off consumer cloud and general AI tools. No controlled drawings in regular Drive/Dropbox/OneDrive, and don't paste them into ChatGPT, Copilot, or a CAD tool's cloud. Segregate them somewhere local or U.S.-person-controlled.
  3. U.S. persons only on the controlled data. Physical and digital. Mind who's around a shared or home shop, too.
  4. Keep a dead-simple log. Who has copies of which controlled files, plus a one-page Technology Control Plan. The record is what proves you took it seriously.
The stakes, briefly
The maximum ITAR civil penalty is $1,271,078 per violation (2025), with criminal exposure on top, no minimum-size exception, and no intent requirement. The point isn't to scare you — it's that the cheap insurance (know what's controlled, keep it off consumer cloud/AI, log it) handles most of the real risk without a five-figure consultant.
Built for shops like yours

Stop guessing which files are controlled — and where they're allowed to go.

DepChain reads your drawings and BOMs, tells you which export rules apply to each part with the reasoning shown and the regulation cited, and flags the moment controlled data lands somewhere it shouldn't — a foreign-person login, a non-US service, or a general AI tool. Join the waitlist for early access.

Bay Area shops get early access first. No spam, ever. Or email [email protected].

This guide is general information to help you ask the right questions — it is not legal advice and isn't a substitute for qualified export-control counsel. Regulations change; verify specifics against primary sources (DDTC for ITAR, BIS for EAR) or your customer's requirements before you act.