Cyber Insurance Exclusions for AI-Related Incidents Are Showing Up Everywhere
If you haven't looked closely at your cyber insurance policy since your last renewal, now would be a good time. Carriers are quietly inserting exclusions, sublimits, and restrictive endorsements targeting AI-related incidents, and the language is broad enough to catch a lot of companies off guard. This is especially relevant if your organization handles trade secrets, proprietary models, or confidential data that touches any AI system, even indirectly.
What Is Actually Changing in the Policies
Starting in late 2023 and accelerating through 2024, several major cyber insurers began amending policy forms to address what they see as unquantifiable AI risk. Lloyd's of London was early here. Their Market Bulletin Y5381, issued in August 2023, required syndicates to explicitly address AI-related exposures in cyber policies. That guidance didn't mandate exclusions per se, but it created a framework where underwriters felt pressure to carve out or sublimit AI risk rather than price it in.
Since then, we've seen a few patterns emerge across carriers:
- Broad AI exclusion endorsements. Some policies now include endorsements that exclude coverage for any claim "arising out of, based upon, or attributable to" the use of artificial intelligence or machine learning systems. The phrase "arising out of" is doing enormous work in that sentence, and courts have historically interpreted it very broadly.
- Trade secret and IP sublimits. Even where AI isn't explicitly excluded, carriers are adding sublimits for intellectual property and trade secret losses connected to AI tools. We've seen sublimits as low as $250,000 on policies with $5 million aggregate limits. If an employee feeds proprietary formulas or client data into a third-party LLM and that data leaks, you may find your coverage is a fraction of your actual exposure.
- Failure-to-secure exclusions tied to AI governance. This one is newer. Some carriers are adding conditions that void coverage if the insured failed to implement "reasonable AI governance controls." The problem is that "reasonable" is undefined, and there's no universally accepted standard for AI governance yet. NIST AI RMF 1.0 is the closest thing we have, and carriers are starting to reference it, but compliance with a voluntary framework is a moving target.
- Exclusions for AI-generated output errors. If your AI system produces an output that causes harm, whether it's a flawed risk assessment, an incorrect legal summary, or a biased hiring recommendation, some policies now treat that as a technology errors and omissions issue and exclude it from cyber coverage entirely.
Why Trade Secrets Are the Pressure Point
The trade secret angle is where this gets particularly uncomfortable for regulated companies. Under the Defend Trade Secrets Act of 2016 (18 U.S.C. 1836), a trade secret loses its protected status if the owner fails to take "reasonable measures" to keep it secret. Courts have been consistent on this point; see Waymo LLC v. Uber Technologies, Inc. (N.D. Cal. 2017) for a high-profile example of how seriously courts take the "reasonable measures" requirement.
Now layer AI into that analysis. If employees are using generative AI tools, whether sanctioned or shadow IT, and proprietary information enters those systems, you have two problems at once. First, you may have compromised the trade secret status of that information under DTSA. Second, your cyber insurer may argue that the loss arose from AI use and is therefore excluded, or that you failed to implement reasonable AI governance and therefore breached a policy condition.
Samsung learned this the hard way in early 2023 when engineers reportedly entered proprietary source code into ChatGPT on at least three separate occasions. While the insurance implications of that specific incident aren't public, the scenario illustrates the risk perfectly. Confidential information entered into a third-party AI system is, from an insurer's perspective, a voluntary disclosure. Good luck arguing that's a covered "cyber incident."
What to Watch for at Renewal
Renewal season is where these changes land, and they often arrive in the form of endorsements attached to otherwise familiar policy language. Here's what to scrutinize:
- New definitions. Look for newly added definitions of "artificial intelligence," "machine learning," "automated decision system," or "generative AI." If these terms appear in the definitions section for the first time, something in the coverage has changed. Follow the defined term through the policy to find the exclusion or limitation.
- Endorsement stacking. Carriers sometimes add multiple endorsements that interact in ways that aren't obvious on first read. An AI exclusion endorsement combined with a revised intellectual property sublimit endorsement can effectively eliminate coverage for your most significant AI-related trade secret exposure.
- Warranty language around AI governance. If the policy includes warranties or conditions requiring you to maintain specific AI use policies, data classification protocols, or employee training programs, understand that a breach of warranty can void coverage entirely. This is not hypothetical; it's standard insurance contract law under most state frameworks.
- Retroactive date changes. Some carriers are resetting retroactive dates on claims-made policies specifically for AI-related claims. If your retroactive date moves forward, you lose coverage for incidents that occurred before the new date, even if the claim is made during the policy period.
- Consent-to-use clauses. A few carriers are now requiring insureds to obtain written consent before deploying new AI systems or materially changing existing ones. Missing this requirement could be treated as a material misrepresentation.
The Regulatory Backdrop Makes This Worse
The insurance market isn't operating in a vacuum. The EU AI Act, which entered into force in August 2024, creates compliance obligations that will ripple into insurance underwriting for any company with EU exposure. Colorado's SB 21-169, effective in 2025, specifically regulates AI in insurance underwriting and claims decisions, but it also signals a broader regulatory trend that insurers themselves are watching closely when they assess their own risk.
At the federal level, the FTC has been active. Their enforcement actions against companies like Rite Aid (December 2023, resulting in a five-year ban on facial recognition use) demonstrate that AI governance failures carry real regulatory consequences. Insurers see those enforcement actions and adjust their risk models accordingly.
For companies in healthcare, HIPAA's existing "minimum necessary" standard creates additional friction. If an AI system processes PHI in ways that exceed the minimum necessary standard, you potentially have both a HIPAA violation and an insurance coverage gap, since the AI-related exclusion may apply to the cyber claim while the HIPAA violation triggers regulatory penalties that the policy may also exclude.
Practical Steps Right Now
Before your next renewal, get your broker, your GC, and your CISO in the same room. Map every AI system in use across the organization, including shadow IT. Document your AI governance framework, even if it's basic, and align it to NIST AI RMF 1.0 so you have a defensible baseline. Classify which systems touch trade secrets, regulated data, or client confidential information. Then bring that inventory to the insurance negotiation and push back on overbroad exclusions with evidence of your controls.
If your carrier insists on AI exclusions, negotiate for explicit carve-backs that cover defensive AI uses like threat detection and incident response automation. These are risk-reducing technologies, and a blanket AI exclusion that penalizes you for using them is counterproductive. Some carriers will negotiate on this point if you can demonstrate mature governance.
How FirmAdapt Addresses This
FirmAdapt's architecture was built around the assumption that AI governance would become an insurance and compliance requirement, not just a best practice. The platform enforces data classification at the point of ingestion, maintains auditable logs of every interaction between AI systems and sensitive data, and applies policy-based access controls that align with frameworks like NIST AI RMF and HIPAA's minimum necessary standard. When an insurer asks whether you have "reasonable AI governance controls," FirmAdapt gives you documented, auditable evidence that you do.
For trade secret protection specifically, FirmAdapt's compliance-first design prevents proprietary information from being processed by external AI systems without explicit authorization and logging. This directly addresses the "reasonable measures" requirement under DTSA and gives your legal team a defensible record if coverage disputes arise. It also gives your broker concrete documentation to present at renewal, which is increasingly the difference between getting meaningful coverage and getting an exclusion-laden policy that covers very little.