
Aerospace Engineering, CAD Files, and the Public AI Tool That Becomes an Export

By Basel Ismail, May 10, 2026

An engineer at a defense contractor is working late on a turbine blade geometry problem. The internal knowledge base is thin on this particular alloy behavior at high temperatures. So they open ChatGPT, paste in a portion of the CAD file metadata along with some thermal stress parameters, and ask for help optimizing the design. They get a useful answer. They move on with their night.

They have also, in all likelihood, just committed a violation of the International Traffic in Arms Regulations.

Why Pasting Technical Data into a Public AI Is a Deemed Export

ITAR, administered by the Directorate of Defense Trade Controls under the State Department, controls the export of defense articles and defense services. But it also controls technical data, which is defined broadly under 22 CFR 120.33 to include information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. That includes blueprints, drawings, photographs, plans, instructions, and documentation.

CAD file data, thermal performance specifications, and material composition details for controlled components all qualify as technical data when they relate to items on the United States Munitions List.

Here is where it gets interesting. Under 22 CFR 120.17 (now restructured under 22 CFR 120.54 following the 2020 ITAR rewrite), a "deemed export" occurs when technical data is disclosed to a foreign person, regardless of whether that disclosure happens inside the United States. The concept is straightforward: if a foreign national accesses controlled technical data, it is treated as an export to that person's country of nationality.

Now apply that to a public AI tool. When an engineer submits a prompt containing ITAR-controlled technical data to a cloud-based large language model, that data is transmitted to servers operated by a commercial entity. The engineer does not control where those servers are located. They do not control who has access to the infrastructure. They do not control whether the data is used for model training, stored in logs, or processed in a jurisdiction outside the United States. OpenAI, for instance, uses a global cloud infrastructure. Even if primary processing occurs domestically, the engineer has no contractual or technical guarantee that foreign persons are excluded from every layer of the data pipeline.

DDTC does not require proof that a foreign person actually accessed the data. The loss of control over the technical data is itself the problem. You have released controlled information into an environment where you cannot demonstrate that access is restricted to U.S. persons. That is sufficient to trigger a deemed export analysis, and without an applicable license or exemption, it is sufficient to constitute a violation.

The EAR Side of This

Not everything in aerospace falls under ITAR. Dual-use technologies, commercial satellite components, certain propulsion technologies, and many electronics are controlled under the Export Administration Regulations, administered by the Bureau of Industry and Security at the Commerce Department. The EAR has its own deemed export rule under 15 CFR 734.13(b), which similarly treats the release of controlled technology or source code to a foreign person in the United States as an export to that person's home country.

The analysis is the same. If an engineer submits EAR-controlled technology into a public AI system without knowing who processes or accesses that data, they have potentially made an unauthorized export. BIS has been increasingly active on enforcement. In fiscal year 2023, BIS secured $3.18 billion in penalties across its enforcement actions, a figure driven partly by semiconductor-related cases but reflective of a broader posture of aggressive enforcement across all controlled technology categories.

Real Consequences, Real Cases

If you think this is theoretical, consider the trajectory of enforcement. In 2023, DDTC reached a $200 million consent agreement with L3Harris Technologies for ITAR violations that included unauthorized exports of technical data and defense services. The violations involved, among other things, inadequate controls over who accessed controlled technical data. The specific mechanisms differed from the AI scenario, but the principle is identical: you must know where your controlled data goes and who can access it.

In 2022, DDTC settled with Raytheon for $20 million over unauthorized exports of technical data related to integrated air and missile defense systems. Again, the core issue was loss of control over technical data flows.

Individual liability is real too. ITAR violations can carry criminal penalties of up to $1 million per violation and 20 years imprisonment under the Arms Export Control Act, 22 U.S.C. 2778. EAR violations can reach $300,000 per violation or twice the transaction value, plus up to 20 years imprisonment under 50 U.S.C. 4819. These are not hypothetical maximums that never get imposed. DOJ has prosecuted individuals for deemed export violations.

The Practical Problem: Engineers Are Not Thinking About This

The core challenge is behavioral. Engineers use AI tools because they are genuinely useful. A well-crafted prompt to a large language model can accelerate problem-solving, surface relevant research, and help debug complex simulations. The productivity gain is real, and pretending otherwise does not help your compliance program.

But most engineers are not trained to think of a ChatGPT prompt as an export transaction. Their mental model of "export" involves shipping hardware overseas or emailing documents to a foreign partner. The idea that typing a question into a text box constitutes a potential ITAR violation is not intuitive, and most compliance training programs have not caught up to this reality.

Blanket bans on AI tools are one approach, and some defense contractors have implemented them. But blanket bans tend to drive usage underground. Engineers use personal devices, personal accounts, and workarounds. You end up with the same risk exposure plus zero visibility.

What a Reasonable Compliance Approach Looks Like

  • Classify before you prompt. Any AI acceptable use policy needs to start with data classification. Engineers need a fast, practical way to determine whether the data they are about to input is ITAR-controlled, EAR-controlled, or unrestricted. This cannot be a 45-minute process or it will not happen.
  • Provide a controlled alternative. If you want engineers to stop using public AI tools for controlled data, you need to give them something that works: an AI environment that processes data entirely within a U.S.-person-controlled infrastructure, with no data retention for training, and with access controls that satisfy ITAR and EAR requirements.
  • Implement technical controls, not just policies. Deploy DLP tools that can detect and block the submission of controlled technical data to unauthorized AI endpoints, and network-level controls that restrict access to public AI APIs from systems that handle controlled data. These are not optional extras; they are the baseline for demonstrating a reasonable compliance program.
  • Train specifically on AI-related export scenarios. Generic ITAR training is not sufficient. Engineers need concrete examples of how AI tool usage intersects with export controls. Use the actual tools they use. Show them what a violation looks like in practice.
  • Audit and monitor. Log AI tool usage. Review prompts submitted to approved internal tools for classification errors. Conduct periodic assessments of whether controlled data is leaking to unauthorized platforms.
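The technical-control and audit items above can be combined in a single pre-submission gate. The following is an added example, not FirmAdapt's code or any DLP product's API: the marking patterns, the host names (`ai.corp.example`, `public-llm.example`) and the `source_is_controlled` flag are assumptions chosen for illustration. It blocks marked text bound for an unapproved endpoint, blocks unmarked text when it originates from a system that handles controlled data, and writes an audit record that contains a digest of the prompt instead of the prompt.

```python
import hashlib
import json
import re
from urllib.parse import urlsplit

# Assumed marking patterns, illustrative only; use your own document legends.
MARKINGS = {
    "ITAR": re.compile(r"\bITAR\b|\b22\s*CFR\s*12\d\b|\bUSML\b", re.I),
    "EAR": re.compile(r"\bECCN\s*:?\s*\d[A-E]\d{3}\b", re.I),
}
# Hypothetical host: the one AI endpoint approved for controlled data.
APPROVED_HOSTS = {"ai.corp.example": {"ITAR", "EAR"}}


def classify(text):
    """Return the control regimes whose markings appear in the text."""
    return sorted(name for name, rx in MARKINGS.items() if rx.search(text))


def gate(prompt, url, source_is_controlled=False):
    """Decide whether a prompt may go to url and return the audit record."""
    host = (urlsplit(url).hostname or "").lower()
    labels = classify(prompt)
    approved = APPROVED_HOSTS.get(host)
    if approved is not None and set(labels) <= approved:
        action, reason = "allow", "approved endpoint"
    elif labels:
        action, reason = "block", "endpoint not approved for these markings"
    elif source_is_controlled:
        # Unmarked text from a system that handles controlled data is blocked
        # too: pasted CAD metadata rarely carries a legend.
        action, reason = "block", "controlled system, unapproved endpoint"
    else:
        action, reason = "allow", "no markings, uncontrolled source"
    return {
        "action": action, "reason": reason, "host": host, "labels": labels,
        # Log a digest rather than the prompt so the audit trail itself
        # holds no technical data.
        "prompt_sha256": hashlib.sha256(prompt.encode("utf-8")).hexdigest(),
    }


if __name__ == "__main__":
    # Constructed sample prompts and placeholder hosts.
    samples = [
        ("Drawing note: ITAR controlled. Optimize blade cooling.", "https://public-llm.example/v1/chat", False),
        ("Spec sheet marked ECCN 9E003, summarize.", "https://ai.corp.example/chat", False),
        ("Thermal stress values: 910, 940, 975", "https://public-llm.example/v1/chat", True),
    ]
    for prompt, url, controlled in samples:
        print(json.dumps(gate(prompt, url, controlled)))
```

Marking-based matching only catches data that carries a legend, which is why the source-system flag does most of the work for the pasted-metadata scenario described at the top of this article.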

How FirmAdapt Addresses This

FirmAdapt was built for exactly this kind of problem. The platform provides AI capabilities within a compliance-first architecture, meaning data classification, access controls, and jurisdictional constraints are built into the infrastructure rather than layered on after the fact. For ITAR and EAR-controlled environments, FirmAdapt ensures that technical data submitted to the AI never leaves a U.S.-person-controlled processing environment, is not retained for model training, and is subject to access controls that align with the specific regulatory requirements of the data being processed.

The goal is to give engineers a tool that is actually useful for their work while giving compliance and legal teams the audit trail and technical controls they need to demonstrate that controlled data is being handled appropriately. FirmAdapt does not require engineers to become export control experts; it builds the guardrails into the tool itself so that the compliant path is also the easiest path.
