Why Defense Contractors Should Treat AI Procurement Like They Treat ITAR Compliance
Defense contractors already know how to buy things carefully. If you are procuring a component that touches ITAR-controlled technical data, you do not just grab whatever is cheapest on the market. You vet the supplier. You check their export licenses. You verify country of origin. You document everything. You build a compliance trail that can survive a DDTC audit or, worse, a voluntary disclosure that lands on the State Department's desk alongside a potential civil penalty under 22 U.S.C. § 2778(e), whose statutory figure of $500,000 per violation is adjusted annually for inflation and now exceeds $1 million per violation.
So why are some of the same companies treating AI tool procurement like they are buying office supplies?
The Procurement Discipline You Already Have
ITAR compliance, governed by the Arms Export Control Act and implemented through 22 CFR Parts 120 through 130, forces a level of procurement rigor that most industries would find exhausting. Before a defense contractor can share technical data with a foreign person, or even a domestic subcontractor who might have foreign persons on staff, they need to work through a structured set of questions. Is this technical data on the United States Munitions List? Does the recipient have proper clearances? Is there a Technical Assistance Agreement or Manufacturing License Agreement in place? Are we logging access?
This discipline extends deep into supply chain management. Prime contractors routinely flow down ITAR obligations to sub-tier suppliers through contract clauses. They maintain approved supplier lists. They conduct periodic audits. When RTX (formerly Raytheon) entered a $200 million consent agreement with DDTC in 2024 over ITAR violations, it reinforced something the industry already knew: the compliance infrastructure around procurement is not optional, and gaps in your supply chain are your problem.
The muscle memory is there. The processes exist. The question is whether companies are applying the same rigor when the thing being procured is a software tool that uses machine learning to process, summarize, or analyze data that may include controlled technical information.
Where AI Procurement Creates ITAR Risk
Consider a common scenario. An engineering team at a defense contractor adopts a commercially available AI tool to help with document summarization or code generation. The tool is cloud-based. The vendor's terms of service allow them to use input data for model training. The servers might be located overseas, or the vendor might employ engineers in countries that are restricted under ITAR.
You can see where this goes. If an engineer pastes a snippet of ITAR-controlled technical data into that tool, and the tool processes it on a server outside the United States, or a foreign person employed by the vendor can access that data, you may have just committed an unauthorized export. ITAR defines an export to include releasing technical data to a foreign person, regardless of whether that release happens inside the United States. This is the "deemed export" concept, now codified at 22 CFR § 120.50 (it was § 120.17 before the 2022 reorganization of Part 120), and "release" covers visual or other access, not just handing over a file. It applies just as much to AI platforms as it does to handing someone a physical document.
The penalties are real. The State Department's consent agreements over the past few years have ranged from the $13 million Honeywell settlement in 2021, for unauthorized exports of technical drawings related to multiple defense platforms, to the $200 million RTX consent agreement in 2024. These cases did not involve AI specifically, but the underlying violation, access to controlled data by unauthorized parties, maps directly onto the risks created by careless AI procurement.
The Specific Gaps
- Data residency and routing. Most commercial AI vendors do not guarantee that data stays within the United States, let alone within environments that meet ITAR requirements. Even vendors that offer U.S.-based hosting may route data through global CDNs or use third-party sub-processors in other jurisdictions. The ITAR carve-out for end-to-end encrypted data in transit and at rest (22 CFR § 120.54(a)(5)) does not rescue you here: an AI service has to decrypt your input to process it, so processing in a foreign jurisdiction is an export no matter how the bytes traveled.
- Model training on input data. If a vendor retains the right to use your inputs for model improvement, controlled technical data could end up embedded in model weights accessible to the vendor's global workforce. This is a novel vector for deemed exports that most ITAR compliance programs have not yet addressed.
- Foreign person access at the vendor. ITAR restricts disclosure to foreign persons. If the AI vendor employs foreign nationals who can access your data, even for debugging or system maintenance, you have a potential violation. Your standard ITAR screening processes for subcontractors need to extend to SaaS vendors.
- Lack of audit trails. ITAR compliance depends on documentation. Many AI tools do not provide the kind of granular access logs and data handling records that a DDTC investigation would require.
Extending Your Existing Framework
The good news is that you do not need to invent a new compliance framework from scratch. You need to extend the one you already use for ITAR-controlled procurements to cover AI tools. Here is what that looks like in practice.
Treat AI Vendors Like ITAR Sub-Tier Suppliers
Add AI tool vendors to your approved supplier evaluation process. Before onboarding any AI tool that might touch controlled data, run the same due diligence you would for a supplier manufacturing a component for a defense article. Where are they incorporated? Where are their servers? Who has access to customer data? Do they employ foreign persons in roles that could access your inputs? Get this in writing, not just in a terms of service document that the vendor can change unilaterally.
Flow Down ITAR Obligations Contractually
Your contracts with AI vendors should include the same ITAR flow-down clauses you use with other suppliers. The vendor should acknowledge that they may receive ITAR-controlled data, agree not to export it, agree to restrict access to U.S. persons (or to foreign persons covered by a specific DDTC authorization), and name every sub-processor that can touch your data. If the vendor will not sign those terms, that tells you something important about whether they can safely handle your data.
Implement Technical Controls, Not Just Policy Controls
Policy alone does not prevent an engineer from pasting controlled data into a chatbot. You need technical guardrails: network-level restrictions on which AI tools can be accessed from systems that handle ITAR data, DLP rules that flag controlled markings before data leaves the environment, and approved AI tools deployed within your controlled infrastructure rather than accessed via public endpoints.
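To make the two guardrails above concrete, here is an added example, not from the original post and not FirmAdapt code, of an egress check that combines a destination allowlist with marking-based DLP. The approved hostname, the marking patterns and the sample inputs are all constructed for illustration; a real ruleset would mirror your own marking scheme.

```python
import re
from dataclasses import dataclass, field

# Hypothetical allowlist of AI tool hostnames approved in the TCP for use from
# systems that handle ITAR data. Anything else is denied at the egress boundary.
APPROVED_AI_HOSTS = {"ai.internal.example.com"}

# Illustrative marking patterns. A production ruleset would mirror the
# organization's own marking scheme and be tuned against false positives.
MARKING_PATTERNS = {
    "itar_keyword": re.compile(r"\bITAR\b"),
    "export_controlled": re.compile(r"\bEXPORT[- ]CONTROLLED\b", re.IGNORECASE),
    "aeca_warning": re.compile(r"Arms Export Control Act", re.IGNORECASE),
    "usml_category": re.compile(r"\bUSML\s+Category\s+[IVX]+\b", re.IGNORECASE),
    "distribution_stmt": re.compile(r"\bDistribution Statement [B-F]\b", re.IGNORECASE),
    # EAR-style ECCN such as 9A610; 600-series ECCNs cover items moved off the USML
    "eccn": re.compile(r"\b[0-9][A-E][0-9]{3}\b"),
}

@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)

def scan_markings(text: str) -> list:
    """Return 'name:match' for every marking pattern found in the text."""
    hits = []
    for name, pattern in MARKING_PATTERNS.items():
        match = pattern.search(text)
        if match:
            hits.append(f"{name}:{match.group(0)}")
    return hits

def evaluate_outbound(text: str, destination_host: str) -> Decision:
    """Decide whether `text` may be sent to `destination_host`.

    The allowlist is the primary control: unapproved hosts are denied whether
    or not markings are found, because unmarked snippets are common. Marking
    hits are recorded either way so the audit trail shows what was attempted.
    """
    host = destination_host.lower().split(":")[0]  # strip any :port suffix
    hits = scan_markings(text)
    reasons = []
    if host not in APPROVED_AI_HOSTS:
        reasons.append(f"destination {host!r} is not an approved AI tool")
        if hits:
            reasons.append("controlled markings present: " + ", ".join(hits))
        return Decision(allow=False, reasons=reasons)
    if hits:
        reasons.append("controlled markings present, audit-logged: " + ", ".join(hits))
    return Decision(allow=True, reasons=reasons)

# Constructed sample inputs for the example, not real documents.
SAMPLE_CONTROLLED = (
    "Distribution Statement D: Distribution authorized to DoD and DoD contractors only.\n"
    "WARNING - This document contains technical data whose export is restricted by the\n"
    "Arms Export Control Act (Title 22, U.S.C., Sec 2751, et seq.).\n"
    "Actuator torque spec for a USML Category VIII component, see drawing 9A610.x."
)
SAMPLE_BENIGN = "Please summarize the Q3 all-hands meeting notes and list the action items."

if __name__ == "__main__":
    for text, host in [
        (SAMPLE_CONTROLLED, "chat.public-ai.example"),
        (SAMPLE_CONTROLLED, "ai.internal.example.com:443"),
        (SAMPLE_BENIGN, "chat.public-ai.example"),
    ]:
        decision = evaluate_outbound(text, host)
        print(host, "ALLOW" if decision.allow else "BLOCK", decision.reasons)
```

The design point is the ordering: marking detection only catches data that someone marked, and a pasted code fragment or a bare parameter table carries no banner, so the allowlist is the gate and the marking scan enriches the audit record rather than deciding on its own. Running the block shows the public host blocked for both samples and the approved host allowed, with the markings logged on the controlled one.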
Update Your Technology Control Plans
Most defense contractors maintain Technology Control Plans (TCPs) that govern how ITAR data is stored, accessed, and transmitted within their facilities. These plans need to be updated to address AI tools explicitly. Which AI tools are approved for use with controlled data? What classification of data can be input into which tools? Who approves exceptions? If your TCP was last updated before your teams started using generative AI, it has a gap.
Build an AI Procurement Review Board
Some contractors have started adding AI tool evaluations to their existing export control review processes. This makes sense. Your Empowered Official or export compliance team should have visibility into any AI tool procurement that could involve controlled data. Pair them with your CISO's team to evaluate the technical security posture of the vendor alongside the regulatory risk.
The CMMC Angle
It is worth noting that CMMC 2.0, which the DoD finalized in October 2024 with the 32 CFR Part 170 rule, adds another layer. Contractors handling CUI under DFARS 252.204-7012 need to ensure that AI tools processing that data meet the security requirements of NIST SP 800-171 Rev. 2, the 110 requirements a CMMC Level 2 assessment checks. DFARS 252.204-7012 also requires that any external cloud service provider that stores, processes, or transmits CUI meet the FedRAMP Moderate baseline or equivalent. An AI vendor that cannot demonstrate both is a liability for your ITAR posture and your CMMC certification alike, so the procurement evaluation should address them together.
How FirmAdapt Addresses This
FirmAdapt was built for exactly this kind of regulated environment. The platform's architecture keeps data within controlled boundaries, provides granular audit logging for every interaction, and does not use customer data for model training. For defense contractors, this means you can deploy AI capabilities without creating the data residency, foreign person access, or training data risks that make commercial AI tools problematic under ITAR.
FirmAdapt also supports the documentation and access control requirements that ITAR and CMMC demand. Rather than trying to retrofit a consumer AI product into a compliance framework it was never designed for, defense contractors can procure FirmAdapt the same way they procure any other controlled-environment tool, with confidence that the vendor's architecture was designed around the regulatory constraints from the start.