Tags: AI compliance, regulatory, defense, ITAR, CMMC

Aerospace and Defense M&A Due Diligence: The AI Compliance Section

By Basel Ismail, May 12, 2026

Defense M&A deal volume hit roughly $45 billion in 2023, and the pace through 2024 stayed aggressive as primes continued rolling up mid-tier suppliers to consolidate supply chains. If you have been involved in any of these transactions on the buy side, your data room request list probably runs 200+ line items. Export controls, facility clearances, DD-254s, DCAA audit history, cybersecurity posture. All the usual suspects.

What most acquirer teams have not yet added, and urgently need to, is a dedicated AI compliance section. If the target company has deployed any AI or machine learning tools in its operations, engineering workflows, or business processes, you have a set of ITAR and CMMC exposure questions that traditional due diligence checklists simply do not cover.

Why AI Creates Unique Risk in Defense Targets

The core issue is straightforward. AI tools, especially large language models and cloud-based ML services, can create unauthorized exports of technical data under ITAR (22 CFR Parts 120-130) and can blow holes in the controlled unclassified information (CUI) protections required under CMMC. These are not theoretical risks. The State Department's Directorate of Defense Trade Controls (DDTC) has been increasingly clear that uploading ITAR-controlled technical data to a cloud service that processes it on foreign servers, or that is accessible by foreign persons, constitutes an export or deemed export under 22 CFR 120.17.

When a target company's engineer pastes a specification into ChatGPT to help draft a technical proposal, that is potentially an unauthorized export of defense articles. When a contracts team uses an AI summarization tool hosted on infrastructure outside the United States, the same analysis applies. And under the 2024 CMMC final rule (32 CFR Part 170, effective December 16, 2024), any AI tool touching CUI needs to satisfy the NIST SP 800-171 Rev 2 controls, which means you need to understand the data flows, access controls, and hosting architecture of every AI system in the target's environment.

The AI Questions That Should Be in Your Data Room Request

Here is what I would add to the diligence checklist, organized by risk category.

AI Tool Inventory and Authorization

  • Complete inventory of all AI and ML tools deployed across the organization, including commercial SaaS products, open-source models, internally developed systems, and any tools employees use informally (shadow AI). This includes tools like Copilot, ChatGPT, Grammarly, Jasper, and any domain-specific engineering AI.
  • Approval and vetting records for each tool. Was there a security review? Who approved deployment? Is there a written policy governing AI tool usage?
  • Data classification protocols specific to AI usage. Does the target have a policy that explicitly addresses whether ITAR-controlled data or CUI may be input into AI tools?

ITAR Export Control Exposure

  • Architecture documentation for every AI tool that touches or could touch technical data. Where are the servers? Who operates them? Are any foreign persons (as defined under 22 CFR 120.16) involved in development, maintenance, or administration of the AI systems?
  • Training data provenance. If the target has fine-tuned or trained any models internally, what data was used? If ITAR-controlled technical data was used to train a model, the model weights themselves may be controlled. This is an area where DDTC guidance is still evolving, but the conservative and correct position is to treat model weights trained on controlled data as controlled.
  • Voluntary disclosure history. Has the target filed any voluntary disclosures with DDTC (per 22 CFR 127.12) related to AI tool usage? If not, has anyone assessed whether disclosures should have been filed?
  • Technology Control Plan (TCP) coverage. Do existing TCPs address AI tools, or were they written before AI adoption and never updated?

CMMC and CUI Protection

  • System Security Plan (SSP) coverage of AI tools. Are AI tools included in the target's CUI boundary as documented in their SSP? If AI tools process CUI but sit outside the assessed boundary, you have a gap that could affect CMMC certification.
  • Access control and logging. For any AI system that handles CUI, can the target demonstrate compliance with NIST SP 800-171 controls, particularly AC-2 (account management), AC-3 (access enforcement), AU-2 (audit events), and SC-28 (protection of information at rest)?
  • Flow-down to AI vendors. If the target uses third-party AI services that process CUI, are those vendors subject to appropriate flow-down clauses under DFARS 252.204-7012? Do those vendors meet FedRAMP Moderate equivalent or higher?
  • Plan of Action and Milestones (POA&M). Are there any open POA&M items related to AI tools? Under the CMMC final rule, certain POA&M items are permissible at Levels 2 and 3 but must be closed within 180 days of certification assessment.

Organizational and Governance Risk

  • Acceptable use policies that specifically address generative AI. A generic IT acceptable use policy written in 2019 does not count.
  • Training records. Have employees with access to controlled data received training on the intersection of AI tools and export controls? When was the last training?
  • Incident history. Have there been any known instances of controlled data being input into unauthorized AI tools? How were they discovered, and what remediation occurred?
  • Empowered Official involvement. Has the target's Empowered Official (required under 22 CFR 120.25) been involved in AI governance decisions?

Valuation and Deal Structure Implications

These are not just compliance hygiene questions. They directly affect deal economics. An ITAR violation can result in civil penalties up to $500,000 per violation under the Arms Export Control Act (22 U.S.C. 2778), and criminal penalties up to $1 million and 20 years imprisonment. The Raytheon consent agreement in 2022 involved $200 million in penalties and remedial measures. While that case involved traditional export control failures rather than AI specifically, the legal framework applies identically to AI-enabled unauthorized exports.

On the CMMC side, a target that cannot achieve or maintain its required CMMC level risks losing contract eligibility. If the acquisition thesis depends on a specific contract pipeline, and the target's AI practices create CMMC gaps, you need to price remediation into the deal or restructure accordingly. Remediation timelines for AI-related CMMC gaps can run six to twelve months depending on how deeply embedded the tools are in workflows.

From a deal structure perspective, consider whether AI compliance representations and warranties need to be broken out separately from general regulatory compliance reps. A specific indemnity for pre-closing AI-related export control violations is worth discussing with deal counsel, particularly if the diligence reveals shadow AI usage that nobody at the target has fully mapped.

The Broader Trend

DoD is paying attention to this. The Department's Responsible AI Strategy and Implementation Pathway, updated in 2024, and the AI governance frameworks being developed by the Chief Digital and Artificial Intelligence Office (CDAO), signal that AI-specific compliance requirements for defense contractors are going to become more granular, not less. Acquirers who build AI compliance into their diligence process now will avoid painful surprises when those requirements formalize.

It is also worth watching the proposed updates to the National Industrial Security Program Operating Manual (NISPOM, 32 CFR Part 117) for any AI-specific provisions related to cleared contractor operations. Nothing has been finalized on that front yet, but the direction of travel is clear.

How FirmAdapt Addresses This

FirmAdapt was built for exactly this kind of problem. The platform's architecture keeps all data processing within controlled boundaries, with no data sent to third-party model providers and full auditability of every interaction. For defense companies subject to ITAR and CMMC, this means AI adoption that does not create the export control and CUI protection gaps described above. The access controls, logging, and data isolation are designed to satisfy NIST SP 800-171 requirements out of the box.

For acquirers running defense M&A diligence, a target that has deployed FirmAdapt rather than ad hoc commercial AI tools presents a fundamentally cleaner compliance profile. The audit trail exists, the data flows are documented, and the architecture was designed with ITAR and CMMC constraints as first-order requirements rather than afterthoughts. That is the difference between a target with a manageable AI compliance posture and one that needs six months of remediation before you can close.