Tags: AI compliance, regulatory, trade secrets, IP, confidentiality, policy

Why Your AI Acceptable Use Policy Should Be Three Pages, Not Three Sentences

By Basel Ismail, May 23, 2026

I keep seeing the same thing when companies share their AI acceptable use policies. It is some variation of: "Employees may use approved AI tools for business purposes. Do not input confidential information. Use good judgment." That is the whole policy. Three sentences, maybe bolded in an employee handbook appendix, and everyone moves on.

If you are in a regulated industry, this is roughly equivalent to having a data classification policy that says "keep the important stuff safe." It technically exists. It will not survive first contact with a regulator, an incident, or a departing employee who spent six months feeding your proprietary methodology into ChatGPT.

The Trade Secret Problem Specifically

Let me get to the core issue for this audience. Under the Defend Trade Secrets Act (DTSA, 18 U.S.C. 1836), and under virtually every state's version of the Uniform Trade Secrets Act, you must demonstrate that you took "reasonable measures" to keep your trade secrets secret. Courts have been interpreting this requirement for decades, and the bar is not theoretical. In Compulife Software Inc. v. Newman (11th Cir. 2020), the court examined the specific protective measures the plaintiff had in place. In Epic Systems Corp. v. Tata Consultancy Services, a jury awarded $940 million (later reduced to $420 million) partly because Epic could demonstrate robust protections around its proprietary information.

A three-sentence AI policy creates a gap in your reasonable measures argument. If an employee pastes trade secret material into a generative AI tool, and your policy did not specifically prohibit that, you have weakened your own position. Opposing counsel will point to the policy, note its vagueness, and argue that you did not actually treat this information as secret in the context of AI tools. The fact that you had a general confidentiality agreement does not fully close that gap, because courts increasingly expect policies to address the specific risk vectors that exist at the time.

And generative AI is very much a specific risk vector that exists right now.

What a Complete AI AUP Actually Covers

A serious AI acceptable use policy for a regulated company should address at least the following areas. This is not exhaustive, but it is the floor.

1. Scope and Definitions

Define what counts as an "AI tool" under the policy. This includes public generative AI services, enterprise AI platforms, AI features embedded in existing software (Copilot in Microsoft 365, Gemini in Google Workspace, AI summarization in Zoom), and custom or fine-tuned models. Most three-sentence policies do not account for embedded AI features at all, which means employees are using AI without realizing the policy applies.

2. Data Classification Mapping

Your AI policy should explicitly map to your existing data classification scheme. If you classify data into tiers (public, internal, confidential, restricted), specify which tiers can interact with which categories of AI tools. For example: restricted data never enters any AI tool, including enterprise-licensed ones, without explicit approval from the CISO or data governance lead. Confidential data may only be used with tools that have a signed DPA and contractual commitments against training on customer inputs. Internal data may be used with approved enterprise tools. Public data is unrestricted.

If you do not have a data classification scheme, you need one before you write this policy. There is no shortcut here.

3. Approved Tools and Procurement

List the specific AI tools approved for use, the approved configurations, and the process for requesting new tools. Shadow AI is a real procurement and security problem. A 2024 survey by Salesforce found that more than half of generative AI users at work were using unapproved tools. Your policy needs to make clear that using an unapproved AI tool is a policy violation, full stop, and that there is a lightweight process for getting new tools evaluated and approved.

4. Prohibited Uses, with Specificity

Go beyond "do not input confidential information." Spell out the categories:

  • No input of trade secrets, proprietary algorithms, client lists, pricing models, or unpublished financial data
  • No input of protected health information (for HIPAA-covered entities)
  • No input of material nonpublic information (for SEC-regulated firms)
  • No input of CUI or classified information (for CMMC/DFARS-covered contractors)
  • No use of AI-generated output in regulatory filings, legal briefs, or client deliverables without human review and verification
  • No use of AI tools to make or inform employment decisions without HR and legal review

Specificity matters here because it demonstrates to a court or regulator that you actually thought about the risks. It also gives employees clear guidance instead of asking them to exercise "good judgment" about things they may not fully understand.

5. Output Review and Accountability

Require human review of AI-generated work product before it is used externally. This is not just good practice; it is increasingly a regulatory expectation. The SEC's 2024 marketing rule enforcement actions have flagged AI-generated content that was not adequately supervised. Colorado's SB 24-205, effective February 2026, will require deployers of high-risk AI systems to implement oversight and review processes. Your policy should establish who is responsible for reviewing AI outputs and what that review entails.

6. Logging, Monitoring, and Audit

State whether AI tool usage is logged and monitored. If you are subject to FINRA, OCC, or FDIC oversight, you likely need to retain records of AI-assisted communications and decisions. If you are a defense contractor, NIST SP 800-171 Rev. 3 controls around system use notification (AC-8) and audit logging (AU-2) apply to AI tools just as they apply to any other information system. Your policy should make employees aware that their AI usage may be monitored and retained.

7. Training and Acknowledgment

Require employees to complete training on the policy before accessing AI tools, and require annual acknowledgment. This is basic, but it matters for enforcement. If you ever need to terminate someone for a policy violation, or if you need to demonstrate reasonable measures in a trade secret case, you want a signed acknowledgment on file.

8. Incident Response

Define what constitutes an AI-related incident (e.g., accidental input of restricted data into a public AI tool) and require reporting through your existing incident response process. Include specific steps: who to notify, what to document, and how to assess whether a breach notification obligation has been triggered under HIPAA, state breach notification laws, or contractual commitments.

The Cost of Vagueness

Samsung learned this the hard way in early 2023 when engineers pasted proprietary source code into ChatGPT on at least three separate occasions within a single month. Samsung's response was to ban generative AI tools entirely, then walk that back, then develop internal tools. The reputational and operational cost of that cycle was significant, and it stemmed from not having a clear, detailed policy before the tools became ubiquitous.

For companies holding trade secrets, the risk is not just operational embarrassment. It is the potential loss of trade secret protection itself. Once information is disclosed without reasonable protective measures, it may no longer qualify as a trade secret. That is a permanent loss, not a recoverable one.

How FirmAdapt Addresses This

FirmAdapt's architecture is built around the principle that AI interactions in regulated environments need guardrails at the platform level, not just the policy level. The platform enforces data classification rules programmatically, so restricted information categories are blocked from AI processing before a human can make a mistake. Audit logging, access controls, and retention policies are built into the workflow rather than bolted on after the fact.

This does not replace the need for a written AUP. You still need the policy document for legal defensibility and employee accountability. But FirmAdapt gives you the technical enforcement layer that makes the policy more than words on a page, which is exactly what "reasonable measures" looks like when a court or regulator comes asking.
