I think ITAR is mostly just to stop the outright sale of controlled items to foreign entities, not necessarily to prevent IP theft or corporate espionage.
I worked on an ITAR-controlled camera once and it was drilled into me than even allowing a non-US person to view the output images of the camera constituted an ITAR violation.
Right, which is all well and good if you're a benevolent actor, but ITAR really doesn't do anything at all to stop you from intentionally committing (corporate or actual) espionage if you want to. There should still be controls to prevent you from violating ITAR either accidentally or on purpose.
The controls are you go to jail if you get caught. At least this is what one is told in the mandatory ITAR compliance trainings. That seems to be how the law works for most crimes.
It's an incentive but it's certainly not a control. Controls stop something from happening, they don't respond to it after the fact. Controls would be things like security checkpoints, network monitoring, random searches, that sort of thing.
"You will go to jail if you kill someone" isn't a control against murder.
