Vetting Foreign AI Talent: Security Without Exclusion #AI


Two recent Trump Administration actions have sent mixed messages about whether foreign-person employees can keep contributing to frontier AI development at U.S. companies.

On June 12, 2026, the Commerce Department’s Bureau of Industry and Security (BIS) informed Anthropic that a license would be required to export, reexport, or transfer its Claude Mythos 5 and Fable 5 models to all destinations worldwide and all foreign persons, wherever located, including the release of the model to a foreign person in the United States. Unable to screen its users by nationality, Anthropic suspended global access to both models, including preventing its own foreign-person employees from accessing the models. On June 30, after two weeks of negotiation, the Commerce Department lifted the controls, and Anthropic began restoring access. But the resolution was specific to those models. The threat of similar action against future models, from any lab, remains.

The Information reported that the June 12 letter revived industry-wide concern over a crackdown on foreign AI talent, and that administration officials had earlier floated barring foreign employees at U.S. labs from frontier-model access before industry pushback kept the idea out of the June executive order. 

A week before the Anthropic letter, however, National Security Presidential Memorandum 11 directed the Pentagon, the Department of Energy, and the intelligence community to build partnerships with willing AI companies to secure the most advanced models, and it listed “assisting with personnel vetting” among the forms that assistance may take. Vetting assistance would be particularly valuable for ensuring that foreign-person employees can continue contributing to AI development efforts at U.S. frontier labs. 

In previous research, we have shown that frontier-model outputs can, in some cases, constitute export-controlled technology or technical data on a transaction-by-transaction basis. This risk is heightened for foreign-person employees in sensitive roles who have access to powerful unreleased models, model weights, source code, and evaluation workflows. For example, a pre-deployment chemical, biological, radiological, and nuclear (CBRN) or cyber evaluation could release controlled information to whoever runs it. Thus, even if the model itself is not controlled, access to the model raises export control compliance questions. To the extent that the administration decides to control mere access to models, independent of particular outputs, access by foreign-person employees becomes even more central.

The right response is neither to wave the problem away nor to bar foreign talent. U.S. labs can keep recruiting the world’s best researchers while safeguarding national security. For decades, firms that handle export-controlled technology in other sectors have managed foreign-person access through technology control plans (TCPs), and frontier labs can adapt that template. 

Personnel vetting is a key element of a TCP for ensuring that foreign-person employees can continue to do their jobs. Robust implementation of the administration’s pledge to provide the private sector with assistance in vetting employees would help ease the challenges of conducting it confidentially. This article describes the guidance BIS and DDTC already provide on personnel vetting, the employment and privacy constraints that complicate it, and a calibrated approach to address the national security risks. With TCPs anchored in risk-based personnel vetting, labs can manage such risks while competing for the world’s best AI talent.

Foreign Talent Built America’s AI Lead

The United States leads in AI partly because it attracts the people who build the best models, and many of them come from abroad. The Center for Security and Emerging Technology determined that, as of July 2023, roughly 70 percent of leading U.S.-based AI researchers were foreign-born or foreign-educated. Company-level figures are not public, but Anthropic, OpenAI, and other labs have all recruited heavily from this pool. MacroPolo’s Global AI Talent Tracker found that 38 percent of researchers who published at NeurIPS 2024 and other leading AI conferences received their undergraduate education in China, up from 29 percent five years earlier, and that 72 percent of China-educated AI researchers now work at U.S. institutions. 

The competition for these researchers is global, and China is the principal alternative destination. Beijing recruits actively through programs such as Qiming and has targeted top international researchers with no ties to China. President Xi Jinping has declared a national goal of achieving “competitive advantages in talent competition” by 2035, and China’s targets likely include defense-relevant fields like AI. Policies that make U.S. labs unwilling to hire foreign persons, or that signal to prospective researchers that their work here will be hemmed in, will push talent abroad. A vetting regime that treats every foreign national as a presumptive risk would undercut the advantage it was meant to protect.

Deemed-Export Risk Is Not a New Problem

Releasing controlled technology or source code to a foreign person inside the United States is itself an export under the U.S. government’s Export Administration Regulations (EAR), treated as an export to that person’s country of nationality. Defense contractors, semiconductor manufacturers, aerospace firms, and research universities have lived with this deemed-export rule for decades. To employ foreign persons while reducing the risk of uncontrolled technology transfer and insider threats, they use TCPs, documented procedures governing who may access controlled technology and under what conditions.

BIS’s deemed-export guidance lists the elements it looks for in a TCP: management commitment, physical security, information security, personnel screening, training, and self-evaluation. Done well, a TCP gives most employees the access their work requires while isolating the narrow cases that require a license or other control.

We have argued that frontier labs can and should use TCPs to manage their internal deemed-export risks. At times, these risks may look somewhat different than in other contexts. For example, a foreign-person employee working with an internal AI model—typically more capable and less constrained than the public version—could elicit outputs that themselves qualify as controlled technical data or technology. Information security must therefore adapt. In other industries, access logs track who reached stored files. Because internal models can generate controlled information on demand, AI labs should instead log model inputs and outputs. Logging deters misuse, helps detect violations, and creates the records needed for any voluntary disclosures. Yet most employees will never need to access or generate controlled information. 

Risk-Based Personnel Vetting

Personnel vetting is a standard TCP element that determines which employees can be given access to sensitive information. Using risk-based vetting should let U.S. labs preserve their ability to employ top talent while managing the risk that the most sensitive access can be misused.

As with other elements of TCPs, decades of export-control practice provide useful models for what personnel vetting should cover, focusing on questions of access and diversion risk. The International Traffic in Arms Regulations (ITAR) section 126.18, for example, provides that nationality alone does not prohibit access to defense articles, including technical data. Instead, it permits certain transfers only where the entity uses a host-government clearance or screens employees for “substantive contacts” with certain countries: regular travel to those countries, continuing contact with their agents or nationals, ongoing business or financial ties, or other conduct signaling a diversion risk. DDTC’s compliance guidelines likewise advise organizations that possess technical data to screen any foreign-person employees involved in ITAR-controlled activities.

How much vetting is needed for a particular individual depends on the harm that could be caused by that person’s access. The government’s own personnel vetting already works this way, grading positions by potential damage and scaling investigations to match. Labs can use this same approach, scaling vetting to the sensitivity of an employee’s access. Most need no more than status and list screening; those who query unreleased models or run CBRN or cyber evaluations warrant a deeper substantive-contacts review; and the few who could move raw model weights or disable a model’s safeguards warrant even more rigorous scrutiny. For the most sensitive roles, labs can adapt the government’s SEAD-4 adjudicative guidelines, weighing factors such as foreign influence, foreign preference, and financial vulnerability, backed by a detailed questionnaire and continuous vetting. The Security Level 5 (SL5) Task Force’s SL5 Standard for AI Security similarly proposes graduated vetting, monitoring, and access controls.

The Employment Law Hurdle, and How to Overcome It

State employment law can complicate security vetting. Tensions arise because employment-screening rules are focused on ordinary positions, not those with national security implications. Employers face a patchwork of state privacy, consumer-reporting, and automated-decision rules. Because most frontier labs have their headquarters in California, the state’s Investigative Consumer Reporting Agencies Act (ICRAA) is especially relevant. If an employer uses a third-party “investigative consumer report” for employment purposes, ICRAA requires the employer to provide written disclosure of the nature and scope of the inquiry, obtain written authorization, and provide the right to request a copy of the report. Tom Lyons of the 2430 Group, a nonpartisan organization focused on countering economic espionage, testified to the Senate Judiciary Committee that ICRAA’s requirements can prevent companies from conducting foreign-influence checks, as “a counterintelligence assessment is not something that should be shared with the employment candidate.”

If NSPM-11 results in the federal government assisting AI companies with personnel vetting, such assistance could help reduce the friction with state procedural requirements. Counterintelligence-sensitive information could remain with the government, with the labs receiving recommendations regarding access. Congress could also enact narrow preemption of ICRAA and analogous laws, focused on the relevant state procedural requirements for defined sensitive AI roles and leaving those protections otherwise untouched. 

When a License Is Still Required

Personnel vetting will not resolve every case. Some roles reach controlled material, and a deemed-export license may be required. Existing license exceptions under the EAR allow release of certain controlled technology to nationals of partner countries without a license. But no comparable exception covers nationals of China, the largest source of foreign-trained elite AI researchers. Those hard cases will require license applications. Each application covers a single foreign person and includes a resume assessed for diversion risk, and approvals can be conditioned on TCP safeguards. The process takes time and resources, and while an application is pending, the employee must be kept from the controlled work. But a risk-based TCP confines that cost to a small set of roles.

The ITAR raises a harder problem. A lab cannot always know in advance whether an output will be EAR technology or ITAR technical data, and for Chinese nationals, the ITAR has a licensing policy of denial. Labs may need to wall off certain employees from the risk entirely. In practice, that would likely mean excluding them from work designed to elicit weapons-related outputs, such as certain CBRN evaluations, rather than from model access generally. A TCP’s access tiers and logging can help manage any residual risk. 

For everything else, agencies should allow an individual’s contacts and conduct to drive the outcome. That is far preferable to a policy that effectively bars foreign persons from frontier-model access outright. 

Match the Burden to the Risk

The risk created by sensitive foreign-person access to controlled or potentially controlled technology is not new. The standard tool to manage that risk is a TCP that includes risk-based personnel vetting. Every frontier lab with foreign-person employees who might access controlled or potentially controlled AI information should have one. Vetting should be graduated, scaling with the sensitivity of an employee’s access, so the burden on any given hire tracks the risk of that person reaching a given asset. 

The Anthropic letter showed that foreign-person access to models can become an export-control problem overnight. The U.S. government should not leave labs to infer from company-specific directives alone when that access requires a license. Nor should it respond by shutting foreign talent out of American AI, which would push the field’s best researchers toward foreign competitors. The better course is to publish a clear, risk-based framework for vetting sensitive foreign-person access, built on the TCP template the agencies already use and the partnerships between the government and industry that NSPM-11 envisions.

FEATURED IMAGE: The Herbert C. Hoover Federal Building which houses the U. S. Department of Commerce is seen from the Washington Monument on June 3, 2025 in Washington, DC. (Photo by Kevin Carter/Getty Images)



Click Here For The Original Source.

——————————————————–

..........

.

.

National Cyber Security

FREE
VIEW