FirmAdapt is an AI-powered business diagnostics platform that audits companies to expose operational inefficiencies and broken processes. We then deploy custom AI agents, robotic process automation, and engineered solutions to fix the problems we find. Our diagnostic tools include company audits, website audits, competitive intelligence, and faith-based compliance screening.

Does FirmAdapt have a free API?

Yes, FirmAdapt offers free open API endpoints that require no authentication. AI agents and developers can make up to 10 requests per week without signing up. The API supports company profile lookups, faith-based compliance screening, and stock searches across 12 global markets.

What is faith-based stock screening?

Faith-based stock screening analyzes a company's financial ratios and business activities to determine compliance with religious investment guidelines. FirmAdapt supports 9 frameworks including Shariah (AAOIFI, S&P), Christian (BRI), Catholic (USCCB), Jewish (Halakhic), LDS/Mormon, ESG Religious, and Evangelical standards.

Can AI agents use FirmAdapt?

Yes, FirmAdapt is designed for native AI agent integration. It provides an MCP (Model Context Protocol) server for Claude Desktop, Cursor, and other AI tools. AI agents can access company profiles, run faith-based compliance screens, and search stocks across 12 global markets using free open endpoints with no API key required.

What markets does FirmAdapt support?

FirmAdapt supports 12 global markets: US (NYSE/NASDAQ), UK (London Stock Exchange), Germany (XETRA), France (Euronext Paris), Japan (Tokyo Stock Exchange), India (NSE/BSE), Saudi Arabia (Tadawul), UAE (Dubai/Abu Dhabi), Malaysia (Bursa), Indonesia (IDX), Canada (TSX), and Australia (ASX).

Back to Blog

AI complianceregulatorytrade secretsIPconfidentialityDLP

Data Loss Prevention in the AI Era: Why DLP Tools From 2019 Cannot Help You

By Basel IsmailMay 24, 2026

Data Loss Prevention in the AI Era: Why DLP Tools From 2019 Cannot Help You

Your DLP system is probably very good at catching someone emailing a spreadsheet full of Social Security numbers to a Gmail address. It can flag credit card numbers in outbound messages using regex patterns. It might even catch someone uploading a file marked "Confidential" to Dropbox. And for about fifteen years, that was enough.

Then your employees started pasting proprietary source code, client strategy documents, and M&A deal terms into ChatGPT. And your DLP tool saw absolutely nothing wrong with it.

The Pattern Matching Problem

Traditional DLP operates on a straightforward principle: scan data in motion, data at rest, and data in use for patterns that match known sensitive formats. Credit card numbers follow predictable structures (Luhn algorithm validation). Social Security numbers are nine digits in a specific format. HIPAA identifiers map to an enumerated list of 18 data types. The tooling got good at catching these because the targets are structurally consistent.

AI prompts break this model completely. When a product manager pastes a competitive analysis into Claude and asks "how should we position against this," there is no regex pattern that flags it. When outside counsel drops a draft merger agreement into an AI tool to "clean up the language," the text looks like any other legal document. When an engineer asks an AI assistant to optimize a function and includes the function itself, the DLP system sees plaintext code with no classification markers.

The Samsung incident in early 2023 made this concrete. Engineers used ChatGPT for code review and debugging, inadvertently exposing proprietary semiconductor source code. Samsung's response was to ban generative AI tools entirely, at least temporarily. That response tells you something important about how unprepared existing security infrastructure was.

Why This Is a Trade Secrets Problem, Specifically

Under the Defend Trade Secrets Act of 2016 (18 U.S.C. 1836), maintaining trade secret protection requires that the owner take "reasonable measures" to keep the information secret. Courts have been interpreting this requirement with increasing specificity. In Compulife Software Inc. v. Newman (11th Cir. 2020), the court scrutinized whether the plaintiff's security measures were adequate to sustain trade secret status. In Epic Systems Corp. v. Tata Consultancy Services, a jury awarded $940 million (later reduced to $420 million) partly based on evidence about how trade secrets were accessed and exfiltrated.

Here is the problem for AI-era trade secret protection: if your employees are routinely inputting proprietary information into third-party AI systems, and your DLP infrastructure cannot detect or prevent it, you may be failing the "reasonable measures" test. A 2024 Cyberhaven report found that 27.4% of data employees put into AI tools is sensitive. If opposing counsel in a trade secrets case can show that your organization had no mechanism to prevent proprietary data from flowing into AI platforms, your trade secret claim gets significantly harder to sustain.

The Uniform Trade Secrets Act, adopted in some form by 48 states, has a similar "reasonable efforts" requirement. So does the EU Trade Secrets Directive (2016/943). This is not a jurisdictional edge case. It is the baseline expectation everywhere.

What Modern DLP Actually Needs to Do

Effective DLP for AI interactions requires a fundamentally different approach from pattern matching on structured data. Several capabilities matter:

Context-aware content classification. The system needs to understand that a block of text is proprietary strategy, not just that it contains or lacks specific data patterns. This requires semantic analysis, not regex. A prompt containing "our Q3 pricing model for the Northeast region assumes a 12% margin on the enterprise tier" is clearly sensitive, but no traditional DLP rule would catch it.
Prompt-level inspection. DLP needs to operate at the point of AI interaction, inspecting what goes into the model, not just what comes out. This means integration with or mediation of AI tool access, whether that is a browser extension, an API gateway, or a managed AI interface.
Policy granularity beyond binary allow/block. Blocking all AI use is the Samsung approach, and it does not hold. People route around blanket bans. Effective controls let you permit AI use for general productivity while preventing specific categories of sensitive content from reaching external models. A developer should be able to ask an AI to explain a Python library without triggering the same controls that should prevent them from pasting proprietary algorithms.
Audit trails that satisfy legal requirements. If you ever need to demonstrate "reasonable measures" in court, you need logs showing what was submitted, what was blocked, what policies were in effect, and when those policies were last updated. The DTSA reasonable measures analysis is fact-intensive, and judges want to see specifics.
Classification of unstructured data in real time. Most trade secrets live in unstructured formats: strategy decks, engineering specs, legal memoranda, financial models. A 2023 Gartner estimate suggested that by 2025, organizations using AI without proper data governance guardrails would face 25% more data breaches. The unstructured data problem is central to that risk.

The Regulatory Trajectory

Regulators are catching up. The SEC's cybersecurity disclosure rules (effective December 2023) require public companies to disclose material cybersecurity incidents and describe their risk management processes. If AI-related data exposure constitutes a material incident, you are on the hook for disclosure. The NYDFS Cybersecurity Regulation (23 NYCRR 500), amended in November 2023, now requires covered entities to implement enhanced access controls and monitoring, which logically extends to AI tool access. NIST's AI Risk Management Framework (AI RMF 1.0, January 2023) explicitly addresses data integrity and confidentiality in AI contexts.

In healthcare, the HHS Office for Civil Rights issued guidance in December 2023 warning that HIPAA-regulated entities using AI tools must ensure PHI is not improperly disclosed through AI interactions. Financial services firms operating under GLBA, SOX, or sector-specific requirements face analogous obligations. The common thread across all of these frameworks is that regulators expect you to control data flows into AI systems with the same rigor you apply to email and cloud storage.

The Gap Is Organizational, Not Just Technical

One underappreciated dimension: most organizations have no AI-specific data handling policies. A 2024 ISACA survey found that only 28% of organizations had formal policies governing employee use of generative AI. Without a policy, there is nothing for DLP to enforce. The technical controls and the governance framework have to develop together. A DLP tool that can inspect AI prompts is useless if the organization has not defined what constitutes sensitive content in the AI context. And a beautifully written AI acceptable use policy is useless if nothing enforces it at the point of interaction.

This is where the compliance function and the security function need to be in the same room. The compliance team understands what data categories carry regulatory or legal risk. The security team understands what is technically enforceable. Neither can solve this alone.

How FirmAdapt Addresses This

FirmAdapt's architecture routes AI interactions through a compliance layer that applies organization-specific policies before data reaches any model. This means sensitive content, whether it is structured PII or unstructured trade secret material, is evaluated in context and either permitted, redacted, or blocked according to rules the compliance team defines. The system maintains detailed audit logs of every interaction, providing the documentation necessary to demonstrate reasonable measures under the DTSA, HIPAA, GLBA, and other applicable frameworks.

Because FirmAdapt is designed for regulated industries from the ground up, these controls are not bolted onto a general-purpose AI tool. They are the foundation. Organizations get the productivity benefits of AI without creating the evidentiary gaps that undermine trade secret protection or trigger regulatory exposure.

Ready to uncover operational inefficiencies and learn how to fix them with AI?

Try FirmAdapt free with 10 analysis credits. No credit card required.

Get Started Free