* [Blog](https://www.paloaltonetworks.com/blog) * [SASE](https://www.paloaltonetworks.com/blog/sase/) * [Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/) * A New Approach to Export ... # A New Approach to Export Control Compliance in a Borderless World [](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsase%2Fa-new-approach-to-export-control-compliance-in-a-borderless-world%2F) [](https://twitter.com/share?text=A+New+Approach+to+Export+Control+Compliance+in+a+Borderless+World&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsase%2Fa-new-approach-to-export-control-compliance-in-a-borderless-world%2F) [](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsase%2Fa-new-approach-to-export-control-compliance-in-a-borderless-world%2F&title=A+New+Approach+to+Export+Control+Compliance+in+a+Borderless+World&summary=&source=) [](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/sase/a-new-approach-to-export-control-compliance-in-a-borderless-world/&ts=markdown) \[\](mailto:?subject=A New Approach to Export Control Compliance in a Borderless World) Link copied By [Cristian Raducanu](https://www.paloaltonetworks.com/blog/author/cristian-raducanu/?ts=markdown "Posts by Cristian Raducanu"), [Roopesh Pavithran](https://www.paloaltonetworks.com/blog/author/roopesh-pavithran/?ts=markdown "Posts by Roopesh Pavithran"), [Vinit Adkar](https://www.paloaltonetworks.com/blog/author/vinit-adkar/?ts=markdown "Posts by Vinit Adkar") and [Isabel Jiang](https://www.paloaltonetworks.com/blog/author/ijiang/?ts=markdown "Posts by Isabel Jiang") Jul 07, 2026 7 minutes [Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/?ts=markdown) [Zero Trust Security](https://www.paloaltonetworks.com/blog/network-security/category/zero-trust-security/?ts=markdown) [Prisma Access](https://www.paloaltonetworks.com/blog/tag/prisma-access/?ts=markdown) [Prisma SASE](https://www.paloaltonetworks.com/blog/tag/prisma-sase/?ts=markdown) [SASE](https://www.paloaltonetworks.com/blog/tag/sase/?ts=markdown) [Zero Trust](https://www.paloaltonetworks.com/blog/tag/zero-trust/?ts=markdown) ## **Introduction** In the modern IT environment, an "export" is triggered not only by physical shipment but also by the electronic transmission of controlled data across territorial boundaries. Some regulations impose limitations on how some technologies and data are accessed based on user location and nationality. As workforces become increasingly mobile and applications move to the cloud, compliance with these regulations has become significantly more complex. To achieve export compliance, organizations must understand the entire lifecycle of data access. The challenge extends beyond where the application is hosted---it requires visibility into every location where data may be exposed or accessed. In any standard cloud architecture, data is exposed in three critical places: * **On the User Device:** Where users view, download and interact with information. * **Within the SASE Gateway:** Where traffic is decrypted for security inspection and policy enforcement. * **At the Application Layer:** Where the data is hosted, processed, and stored. For organizations subject to export control and data residency requirements, all three elements may need to remain within a specific jurisdiction. If controlled data is exposed outside the approved geographic boundary at any point along this path, the organization risks a compliance violation. As a result, enforcing export compliance requires a comprehensive approach that considers the entire data access lifecycle---not just the application itself. ## **Dynamic and continuous compliance challenges:** ### **Granular Access Segmentation Complexity** Modern enterprises must provide secure access to a diverse ecosystem of employees, contractors, partners, and third parties, each requiring different levels of access to applications and sensitive data. Ensuring that users can access only the resources appropriate to their role is increasingly challenging as organizations adopt cloud services and distributed work models. Enforcing least-privilege access across these groups is no longer solely an identity challenge- it requires precise, context-driven network enforcement. This not only increases the risk of compliance violations but also introduces significant operational overhead, as teams attempt to manage segmentation through fragmented tools and manual policies. ### **Mobile Traveler Compliance Challenge** In a globally mobile workforce, compliance risk is no longer static---it moves with the user. An employee who is fully compliant while accessing controlled data from within the U.S. can instantly fall out of compliance when traveling abroad. The moment that same user connects from a different country, access to controlled data may constitute an export violation. To address these challenges, organizations often rely on fragmented controls including VPN concentrators, firewalls, Virtual Routing and Forwarding (VRFs), and IP Network Access Control Lists (IP NACLs)---resulting in operational complexity, inconsistent enforcement, and significant compliance gaps. ### **A Unified, Policy-driven Approach by Palo Alto Networks** Organizations have long relied on existing security investments such as firewalls and Network Access Control (NAC) solutions to protect applications hosted in on-premises and cloud environments. As governments worldwide adopt stronger data localization mandates and export control policies in response to evolving geopolitical dynamics, regulatory requirements are becoming increasingly stringent. As a result, organizations now need more granular Policy Enforcement to meet modern export control standards. To support this shift, Palo Alto Networks is introducing **Context-Driven IP Address Manager** in Prisma Access. This new capability enables organizations to enforce fine-grained, policy-driven access controls by dynamically assigning IP addresses to end users based on the combination of **following three real-time factors** : * **User's Geo-Location:** The real-time physical location of the user's device. * **Prisma Access Location:** The specific Prisma Access gateway (e.g., US-East, US-West) the user connects through. * **User/Usergroup Membership:** The user's authenticated identity and role within the organization. This multi-faceted approach enables highly specific, context-driven policy enforcement that aligns directly with the strictest export control requirements, eliminating trade-off between compliance and workforce productivity. ## **Use Case 1: User or User Group Based allocation** In many modern organizations, high-value data for various departments often coexists within the same physical or cloud based data centers. To maintain zero-trust principles and meet compliance mandates, organizations must ensure that users are strictly limited to the specific applications required for their roles. Without granular control, it is difficult to ensure that a user's access is confined solely to their departmental resources. ![Use Case 1](https://www.paloaltonetworks.com/blog/wp-content/uploads/2026/06/CIAM-1-Group-Based-IP-Assignment.png) * **The Scenario:** A company hosts its Finance applications in subnet 10.1.10.0/24 and its Engineering environments in subnet 10.4.10.0/24. Corporate policy dictates that these two groups must remain strictly isolated. * **The Implementation:** Using the Context-Aware IP Address Manager, the network administrator configures a Client IP Pool Profile where users authenticated as "Group: Finance" are dynamically assigned a tunnel IP from the 10.1.10.0/24 pool. Simultaneously, those in "Group: Developer" receive IPs from the 10.4.10.0/24 pool. * **The Result:** Because the backend Firewall/Network Access Control (NAC) only allows traffic from specific IP ranges to reach their respective applications, the two groups are physically segmented at the network layer. A developer cannot even "see" the finance subnet, ensuring internal data integrity and preventing unauthorized access. ## **Use Case 2: Prisma Access Gateway Based allocation** Global organizations often use multiple Prisma Access Gateways to connect to their network. However, export control laws may mandate that controlled data only be accessed through Prisma Access Gateways in specific countries. ![Use Case 2](https://www.paloaltonetworks.com/blog/wp-content/uploads/2026/06/CIAM2-Geolocation-Based-IP-Assignment.png) * **The Scenario:** A U.S. based organization requires that all access to sensitive financial records be routed through U.S.-based gateways. * **The Implementation:** The network administrator configures Client IP Pool profile where users from "Group: Finance" connecting via the **"US East"** Prisma Access Gateway are granted a compliant IP address from the 10.1.10.0/24 subnet. If a user from "Group: Finance" connects via the **"Canada Central"** gateway, they are automatically assigned a non-privileged IP from a different pool (e.g., 10.2.10.0/24). * **The Result:** Even if a Finance employee has the correct credentials, their access is denied if they use a non-U.S. gateway. The data center firewall recognizes the IP from 10.2.10.0/24 subnet and triggers an immediate block, ensuring that sensitive data never traverses an unauthorized path. ## **Use Case 3: Prisma Access Geo location Based allocation** The most difficult challenge in export control is managing the "Mobile Traveler." A user who is compliant while sitting in an office in Virginia may become a compliance risk the moment they cross an international border. ![Use Case3](https://www.paloaltonetworks.com/blog/wp-content/uploads/2026/06/CIAM3-Gateway-Based-IP-Assignment.png) * **The Scenario:** To prevent "temporary exports" of controlled technology, an organization mandates that Finance applications are only accessible if the user is **physically located** within the United States. * **The Implementation:** The administrator configures a Client IP Pool profile where users from "Group: Finance" and "Geo-Location: US" are granted IP addresses from the dedicated IP pool (10.1.10.0/24). Similarly another client IP Pool profile is configured where users from Group: Finance and "Geo-Location: Mexico" gets assigned IP address from other pool (10.30.10.0/24) * **The Result:** Upon detecting the Mexico geo-location, Prisma Access dynamically allocates IP addresses to the user from a "Non-Compliant" IP pool (10.30.10.0/24). While those travelling users can still access general tools like corporate email, the sensitive Finance applications remain strictly off-limits. This provides a digital safety net that prevents accidental regulatory violations during international travel. ## **Prisma Access Enabling Export Compliance in a borderless world** **Context-Driven IP Address Manager** in Prisma Access extends the power of Prisma SASE security by enabling dynamic, context driven IP address assignment based on user identity, location, and policy. Designed to integrate seamlessly with existing security investments including firewalls and Network Access Control (NAC) solutions. This capability provides organizations with the granular control needed to enforce security and compliance requirements across distributed users and applications in today's mobile and regulated environments. If you are ready to discuss how [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) can solve the unique challenges of your environment, please [reach out to a sales representative](https://start.paloaltonetworks.com/sase-contact-us.html) today to begin the conversation. *** ** * ** *** ## Related Blogs ### [Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/sase/category/use-cases/?ts=markdown), [Zero Trust Security](https://www.paloaltonetworks.com/blog/network-security/category/zero-trust-security/?ts=markdown) [#### Introducing Secure Agentless Access (SAA): A New Zero Trust Access Method for Any User on Any Device](https://www.paloaltonetworks.com/blog/sase/introducing-secure-agentless-access-saa-a-new-zero-trust-access-method-for-any-user-on-any-device/) ### [Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown) [#### Bringing Zero Trust SASE to Your Doorstep with SASE Private Location](https://www.paloaltonetworks.com/blog/sase/bringing-zero-trust-sase-to-your-doorstep-with-sase-private-location/) ### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [SD-WAN](https://www.paloaltonetworks.com/blog/sase/category/sd-wan/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/sase/category/use-cases/?ts=markdown) [#### Introducing the Industry's First SD-WAN with Integrated IoT](https://www.paloaltonetworks.com/blog/sase/introducing-the-industrys-first-sd-wan-with-integrated-iot/) ### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown) [#### Extending Our SASE Leadership with Next-Gen CASB Innovations](https://www.paloaltonetworks.com/blog/2022/08/sase-leadership-with-next-gen-casb-innovations/) ### [Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown) [#### SASE Solution: Why A Single Vendor Approach Needs a Next-Gen SD-WAN](https://www.paloaltonetworks.com/blog/sase/a-successful-sase-initiative-begins-with-a-next-generation-sd-wan/) ### [Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown) [#### Accelerate Mean Time to Resolution with ADEM Segment Wise Insights](https://www.paloaltonetworks.com/blog/sase/accelerate-mean-time-to-resolution-with-adem-segment-wise-insights/) ### Subscribe to Sase Blogs! Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more. ![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up Please enter a valid email. By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder. This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply. {#footer} {#footer} Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/ai-security?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Next-Generation Identity Security](https://www.paloaltonetworks.com/idira?ts=markdown) * [Privileged Access Management](https://www.paloaltonetworks.com/idira/human/privileged-access-management?ts=markdown) * [Identity and Access Management](https://www.paloaltonetworks.com/idira/human/identity-and-access-management?ts=markdown) * [Endpoint Privilege Manager](https://www.paloaltonetworks.com/idira/human/endpoint-privilege-manager?ts=markdown) * [Identity Governance](https://www.paloaltonetworks.com/idira/human/identity-governance?ts=markdown) * [Workforce Password Management](https://www.paloaltonetworks.com/idira/human/workforce-password-management?ts=markdown) * [Agentic Identities](https://www.paloaltonetworks.com/idira/agentic?ts=markdown) * [Secrets Management](https://www.paloaltonetworks.com/idira/machine/secrets-management?ts=markdown) * [Unified Secrets Governance](https://www.paloaltonetworks.com/idira/machine/unified-secrets-governance?ts=markdown) * [Application Credentials Delivery](https://www.paloaltonetworks.com/idira/machine/application-credentials-delivery?ts=markdown) * [Vendor Privileged Access](https://www.paloaltonetworks.com/idira/human/vendor-privileged-access?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language