U.S. Sanctions and AI: A Practitioner's Guide.
This content is provided for educational and informational purposes only and is not intended and should not be construed as legal advice.
U.S. sanctions administered by the Treasury Department's Office of Foreign Assets Control (OFAC) are the second trade-control regime an AI company has to manage, alongside BIS export controls. They work differently. Export controls are item-based and destination-based licensing requirements. Sanctions are prohibitions on dealing with blocked persons and with comprehensively sanctioned jurisdictions. OFAC does not license most AI activity. It prohibits providing anything of value to a blocked person or a sanctioned jurisdiction, with general or specific licenses as the exception rather than the route. This guide covers when OFAC reaches an AI business, the programs that matter, and what to do.
When OFAC reaches your business
OFAC jurisdiction runs to U.S. persons, meaning citizens, permanent residents, entities organized under U.S. law, and anyone physically in the United States. A U.S. person may not provide anything of value, including model access, hosted inference, API keys, compute, or technical support, to a blocked person. Jurisdiction also attaches through a U.S. nexus even where no U.S. person is a party: transactions in U.S. dollars cleared through the U.S. financial system, the involvement of U.S.-origin goods, software, or services, or the participation of U.S. persons, can pull activity that occurs entirely abroad into OFAC's reach. Unlike export controls, there is generally no license to apply for. The transaction is simply prohibited unless a general or specific license authorizes it.
The programs that matter for AI
| Program | What it restricts | Relevance to AI |
|---|---|---|
| SDN List and the 50 Percent Rule | No provision of anything of value to persons on the Specially Designated Nationals List, or to entities owned 50 percent or more in aggregate by them | An SDN, or a 50-percent-owned affiliate, obtaining API access, hosted inference, or model downloads |
| Comprehensive jurisdiction programs | Broad prohibition on providing services to Cuba, Iran, North Korea, and the Crimea, Donetsk, and Luhansk regions of Ukraine (the comprehensive Syria program was terminated in 2025) | Users or IP addresses from these jurisdictions reaching hosted endpoints |
| Russia program (E.O. 14024) | Extensive SDN blocking of Russian persons and entities, plus financing restrictions (Directive 3 on new debt and equity of listed entities; Directive 2 on correspondent and payable-through accounts) | Providing to blocked Russian parties; financing and payment dealings |
| Cyber and surveillance designations | SDN designations of malicious cyber actors and firms that enable surveillance or repression | AI tools or access used by a designated cyber or surveillance actor |
| CMIC investment prohibition (E.O. 13959, as amended by E.O. 14032) | U.S. persons may not transact in publicly traded securities of listed Chinese Military-Industrial Complex Companies. This is an investment restriction, not a services prohibition, and the 50 Percent Rule does not apply to it | Cap-table, fund, and investment exposure, not model provision |
| Secondary sanctions (e.g., CAATSA Section 231) | Non-U.S. persons can themselves be sanctioned for significant transactions with Russia's defense or intelligence sectors, and under other authorities for dealings with sanctioned parties | A foreign cloud or compute provider routing U.S.-origin model access to a sanctioned end user |
The 50 Percent Rule
Under OFAC's August 2014 guidance, an entity owned 50 percent or more, directly or indirectly, in the aggregate, by one or more blocked persons is itself blocked, whether or not it appears on the SDN List. The rule is self-executing, so screening the named list alone is not enough. A company has to run beneficial-ownership analysis to identify entities that are blocked by operation of the rule. The threshold is ownership rather than control, though since 2025 OFAC has signaled that control by blocked persons can also create exposure, so an entity controlled but not majority-owned by an SDN should be treated as a serious risk even if the rule does not automatically reach it.
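The aggregation the rule requires can be run over an ownership graph. The sketch below is an added example, not OFAC's or this guide's own tooling; the entity names and percentages are constructed, and it assumes that a stake held through an entity that is itself blocked counts in full toward the entities below it. Minority stakes held by blocked persons are returned separately for manual review rather than treated as blocked.

```python
from collections import defaultdict

THRESHOLD = 50.0  # percent, aggregate ownership by blocked persons

# Constructed sample data: names on the list and direct holdings.
LISTED = {"Person X", "Person Y"}
STAKES = [  # (owner, entity, percent held directly)
    ("Person X", "Alpha Holdings", 50),      # at threshold
    ("Alpha Holdings", "Beta Cloud", 40),    # indirect, via a blocked entity
    ("Person Y", "Beta Cloud", 10),          # 40 + 10 in aggregate
    ("Person X", "Gamma Labs", 25),          # minority stake
    ("Gamma Labs", "Delta AI", 60),          # owner is not blocked
    ("Person X", "Epsilon Compute", 30),
    ("Person Y", "Epsilon Compute", 19.5),   # 49.5 in aggregate
]

def screen_ownership(listed, stakes):
    """Return (blocked_by_rule, review).

    blocked_by_rule: entity -> sorted blocked owners that trigger the rule.
    review: entity -> aggregate percent held by blocked owners, below threshold.
    """
    owners = defaultdict(lambda: defaultdict(float))
    for owner, entity, pct in stakes:
        owners[entity][owner] += pct

    blocked = set(listed)
    blocked_by_rule = {}
    changed = True
    while changed:  # repeat until no new entity becomes blocked
        changed = False
        for entity, held in owners.items():
            if entity in blocked:
                continue
            # Assumption: only owners that are themselves blocked count,
            # and their direct stake counts in full.
            via = {o: p for o, p in held.items() if o in blocked}
            if sum(via.values()) >= THRESHOLD:
                blocked.add(entity)
                blocked_by_rule[entity] = sorted(via)
                changed = True

    review = {}
    for entity, held in owners.items():
        total = sum(p for o, p in held.items() if o in blocked)
        if entity not in blocked and total > 0:
            review[entity] = total  # escalate: ownership short of 50 percent
    return blocked_by_rule, review
```

Neither "Alpha Holdings" nor "Beta Cloud" appears in `LISTED`, which is the gap that name-only screening leaves.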
Model access, hosted inference, and open weights
OFAC does not control AI models the way BIS controls items. The exposure arises when your technology benefits a blocked person, a prohibited jurisdiction, or a prohibited end use. Public release of open-weight models is the lower-risk case, because making weights publicly available is not the provision of something of value to a specific blocked person. Hosted inference, API access, paid compute, custom fine-tuning, and technical support are the higher-risk cases, because each is a provision of value to a counterparty whose status you are responsible for knowing. Providing model access to a person located in a comprehensively sanctioned jurisdiction is prohibited regardless of intent, which is why location and access controls matter as much as name screening.
Enforcement in practice
Three OFAC actions show how these prohibitions reach technology and AI-adjacent conduct. The first is a settlement with a U.S. company, the kind of exposure an AI provider faces directly. The other two are designations of technology firms, which cut off any U.S.-nexus dealing with the named party the moment they are listed.
| Date | Party | Conduct | Outcome |
|---|---|---|---|
| Apr. 6, 2023 | Microsoft Corporation | Over a roughly seven-year period, more than $12 million of software and services were exported from the United States through Microsoft systems and servers to SDNs, blocked persons, and sanctioned jurisdictions, across the Cuba, Iran, Syria, and Ukraine/Russia programs. Voluntarily self-disclosed and treated as non-egregious | About $3 million OFAC civil penalty (1,339 apparent violations), part of a combined $3.3 million resolution with BIS |
| Mar. 5 and Sep. 16, 2024 | Intellexa Consortium (Predator commercial spyware) and associated persons | Developing, operating, and distributing commercial spyware used to target Americans, designated under the cyber sanctions authority, building on the consortium's initial July 2023 listing | SDN designations of multiple individuals and entities. In December 2025 OFAC removed three of the designated individuals from the SDN List, while other parties remain designated |
| Jan. 3, 2025 | Integrity Technology Group (Beijing) | Provided infrastructure used by the Flax Typhoon state-sponsored group in intrusions against U.S. critical infrastructure, designated under E.O. 13694 as amended by E.O. 13757 | SDN designation. All U.S. property blocked, and the 50 Percent Rule reaches majority-owned affiliates |
What a company should do
| Step | What to do |
|---|---|
| Screen | Run real-time screening of signups, API keys, downloads, and payments against the SDN List and other applicable lists, with beneficial-ownership analysis to catch entities blocked under the 50 Percent Rule. |
| Geofence | Block access from comprehensively sanctioned jurisdictions (Cuba, Iran, North Korea, and the Crimea, Donetsk, and Luhansk regions), and require location verification for higher-risk access. |
| End-use diligence | Ask what the model or compute will be used for. Treat military, intelligence, surveillance, and evasive answers as red flags. |
| Contract | Include sanctions representations, audit rights, and termination clauses in terms of service and enterprise agreements. |
| Block on a hit | No access, no downloads, and no payments to a blocked party until the match is resolved. |
| Disclose | Investigate a suspected breach promptly and assess whether a voluntary self-disclosure to OFAC is warranted. A voluntary disclosure earns significant mitigation. |
Bottom line
OFAC sits alongside export controls and is easy to underweight, because it has no license process to walk through and no list of approved transactions. The exposure is strict liability and runs to any provision of value to a blocked person or a sanctioned jurisdiction, including through hosted inference and API access. The controls that most often catch AI companies are the SDN List with the 50 Percent Rule, the comprehensive jurisdiction programs, and gaps in screening at self-serve signup and payment. Confirm a counterparty's status before providing access, not after.
Authorities
- OFAC, Revised Guidance on Entities Owned by Persons Whose Property and Interests in Property Are Blocked, the 50 Percent Rule (Aug. 13, 2014); see OFAC FAQ 399.
- Executive Order 14024 (Apr. 15, 2021), and Directive 3 thereunder, Prohibitions Related to New Debt and Equity of Certain Russia-related Entities (Feb. 24, 2022).
- Executive Order 13959 (Nov. 12, 2020), as amended by Executive Order 14032 (June 3, 2021); Chinese Military-Industrial Complex Companies; NS-CMIC List; 31 CFR Part 586.
- Countering America's Adversaries Through Sanctions Act, Section 231 (Pub. L. 115-44, Aug. 2, 2017).
- Executive Order 14312 (June 30, 2025), 90 FR 29395 (July 3, 2025), revoking the comprehensive Syria sanctions program; Syrian Sanctions Regulations, 31 CFR Part 542, removed.
- OFAC-administered comprehensive programs for Cuba, Iran, and North Korea, and the Crimea, Donetsk, and Luhansk region restrictions.
- OFAC Enforcement Release, Microsoft Corporation Settlement (Apr. 6, 2023); approximately $3 million OFAC civil penalty, part of a combined $3.3 million resolution with BIS.
- OFAC, Treasury Sanctions Members and Enablers of the Intellexa Commercial Spyware Consortium (Mar. 5, 2024 and Sep. 16, 2024); partial delistings (Dec. 2025).
- OFAC, Treasury Sanctions Technology Company for Support to Malicious Cyber Group, Integrity Technology Group (Jan. 3, 2025), under E.O. 13694 as amended by E.O. 13757.

