
Keeper CEO pushes access controls into AI export licensing

The useful claim is operational: chip restrictions fail when compromised credentials can still administer licensed systems remotely.


TL;DR

Keeper Security CEO Darren Guccione argues in a MeriTalk op-ed that AI export controls should cover identity governance, zero-trust architecture, privileged access management, logging and audits across installation, maintenance, remote administration and decommissioning. The affected group would include manufacturers, exporters, integrators, cloud operators, data centers and maintenance providers. No agency adopted those requirements here; the piece is a vendor-backed architecture argument, strongest where it turns export compliance into access evidence.

MeriTalk published a bylined argument from Keeper Security CEO Darren Guccione urging the government to treat AI export controls as an operational access-control problem. The shift he wants is from destination to administration: who can install, configure, maintain, remotely manage and decommission covered AI hardware, under what privileges, from what locations and with what logs.

That is the strongest version of the argument. Export controls aimed at advanced chips can be evaded through credential compromise, insider misuse or unauthorized administrator access if the licensed system remains reachable under weak controls. Guccione's proposed proof layer includes identity governance, zero-trust architecture, privileged access management, encryption, annual audits, independent validation and retained session records. He also points to FedRAMP, the [NIST AI Risk Management Framework](https://www.deepfathom.ai/glossary#nist-ai-rmf), FIPS 140-3, ISO 27001/27017/27018 and SOC 2 Type 2 as verification frameworks, with quantum-resistant cryptography added for long-lived export data.

The affected perimeter would be bigger than exporters. It would include manufacturers, integrators, cloud operators, data center administrators, maintenance providers and any remote-management personnel with operational control over licensed systems. MeriTalk is publishing a vendor CEO's policy argument, not reporting that an agency has added these conditions to export licenses. For practitioners, the takeaway is conditional: if licenses start absorbing cybersecurity terms, teams will need access rosters, privileged-session logs, admin-location evidence, audit attestations and encryption validation ready for review.


Published · Deep Fathom