
Foreign Ownership, Control, or Influence (FOCI) and the AI Vendor Question

By Basel Ismail, May 13, 2026


If your company holds or is pursuing a facility security clearance (FCL), you already know that FOCI determinations can make or break your ability to perform on classified contracts. What gets less attention is how FOCI mitigation agreements interact with AI vendor selection, particularly as the Defense Counterintelligence and Security Agency (DCSA) sharpens its focus on supply chain risk in the software layer.

The short version: your FOCI mitigation agreement likely imposes constraints on your AI tooling that nobody in your procurement chain is thinking about carefully enough.

A Quick Refresher on FOCI Mechanics

Under the National Industrial Security Program Operating Manual (NISPOM, 32 CFR Part 117, effective February 24, 2021), any company seeking or maintaining an FCL must disclose foreign ownership, control, or influence. DCSA evaluates the disclosure on a spectrum. If the foreign interest is benign and minimal, you might get away with a Board Resolution or a simple annual certification. If the foreign interest is more substantial, you're looking at one of the heavier mitigation instruments: a Special Security Agreement (SSA), a Security Control Agreement (SCA), a Voting Trust Agreement (VTA), or a Proxy Agreement (PA).

Each of these instruments comes with specific governance requirements. SSAs and SCAs, for example, require a Government Security Committee (GSC) of cleared officers and directors (including cleared outside directors under an SSA) who oversee the company's security practices. VTAs and PAs go further, transferring the foreign owner's voting rights to cleared trustees or proxy holders and effectively severing the owner's ability to influence business decisions related to classified work. Note that the NISPOM's definition of FOCI is not limited to equity and board seats: it turns on whether a foreign interest has the power, direct or indirect, exercised or not, to direct or decide matters affecting the company's management or operations in a way that could result in unauthorized access to classified information or adversely affect classified contract performance. Contracts, indebtedness and other dependencies are therefore in scope, and technology dependencies are an increasingly common line of inquiry.

Where AI Vendors Enter the Picture

Here is the problem that keeps surfacing in practice. A cleared contractor under an SSA selects an AI platform for document analysis, workflow automation, or even code generation. The AI vendor itself has foreign investors, foreign-national engineers with access to model weights, or infrastructure hosted through a cloud provider with overseas data centers. None of this necessarily triggers an obvious FOCI flag on the contractor's own SF-328 (Certificate Pertaining to Foreign Interests). But DCSA's adjudicators are increasingly looking at technology supply chain relationships as potential vectors of foreign influence.

This isn't theoretical. In 2022, DCSA reportedly denied an FCL to a mid-tier defense subcontractor in part because of its reliance on a SaaS platform whose parent company had significant investment from a sovereign wealth fund. The specifics were not published (these adjudications rarely are), but the case circulated widely among FOCI counsel and made the point clearly: your vendor's cap table can become your FOCI problem.

The "Control" Question in AI Is Genuinely Different

Traditional FOCI analysis focuses on governance control: who votes the shares, who sits on the board, who can direct business decisions. AI vendors introduce a different flavor of control that DCSA is still developing frameworks to assess. Consider:

  • Model training data provenance. If an AI model was trained on data curated or labeled by teams in foreign jurisdictions, does that constitute foreign influence over the tool's outputs? DCSA hasn't issued formal guidance, but internal risk assessment templates circulated in late 2023 include questions about training data sourcing.
  • Inference infrastructure. Where does the model actually run, and who can reach it? Under the ITAR and the EAR, sending controlled technical data or technology to a server outside the United States, or making it accessible to a foreign person here or abroad, is an export that requires authorization. The end-to-end encryption carve-outs in 22 CFR 120.54 and 15 CFR 734.18 do not rescue hosted inference, because the provider must decrypt the data to process it. Export control and FOCI are distinct regulatory regimes (DDTC and BIS enforce the former), but DCSA's FOCI adjudication takes your export control exposure into account, so a poorly placed inference endpoint creates two problems at once.
  • Update and fine-tuning pipelines. AI models are not static. When the vendor pushes a model update, who decided what went into that update? If foreign-national ML engineers are making architectural decisions about a model you're running inside a cleared facility, that is a question your GSC should be asking.
  • Investor influence over product direction. A foreign investor with a board seat at your AI vendor may not have direct access to your classified data, but they may influence which features get built, which markets get prioritized, and which partnerships get formed. Under DCSA's expanded interpretation of "influence," this matters.

What Your Mitigation Agreement Actually Requires

If you're operating under an SSA or SCA, your Technology Control Plan (TCP) should already address how controlled information flows through your IT systems. The question is whether your TCP has been updated to account for AI-specific risks. Most TCPs written before 2022 were not drafted with large language models or generative AI in mind.

Specifically, your GSC should be evaluating AI vendors against the same criteria DCSA uses for FOCI adjudication on your own entity. That means reviewing:

  • The vendor's ownership structure, including VC and PE investors with foreign LP commitments
  • The nationality and clearance status of personnel with access to model internals
  • Data residency and processing locations for both training and inference
  • Contractual provisions that might give foreign entities rights over intellectual property or product decisions
  • The vendor's own subcontractor and cloud provider relationships

If you're under a VTA or PA, the requirements are even stricter. The proxy holders or voting trustees have an affirmative obligation to ensure that foreign influence does not reach classified programs, and a poorly vetted AI tool that processes or touches any data adjacent to classified work could be viewed as a breach of the agreement.

CFIUS Adds Another Layer

It's worth noting that the Committee on Foreign Investment in the United States (CFIUS) has been increasingly active in reviewing transactions involving AI companies. The regulations implementing FIRRMA (31 CFR Part 800, effective February 13, 2020) expanded "covered transactions" beyond control acquisitions to include non-controlling investments that give a foreign person access to material nonpublic technical information, board membership or observer rights, or substantive decision-making involvement in a business that deals in critical technologies, critical infrastructure, or sensitive personal data. Most AI vendors fit at least one of those categories. If your AI vendor undergoes a CFIUS-reviewable transaction after you've onboarded them, you may need to reassess your own FOCI posture. Your mitigation agreement likely requires you to report material changes affecting your FOCI status to DCSA, and a CFIUS filing by a key technology vendor could qualify.

Practical Steps

For cleared contractors evaluating AI vendors, a few concrete recommendations:

  • Add AI vendor diligence to your GSC agenda. This should be a standing item, not a one-time review. Model updates, funding rounds, and infrastructure changes at your vendor can shift the risk profile.
  • Update your TCP. If your Technology Control Plan doesn't address AI model inference, training data provenance, and update pipelines, it's out of date.
  • Request SF-328-equivalent disclosures from AI vendors. They won't have an actual SF-328, but you can ask the same questions: foreign ownership percentages, foreign board members, foreign government contracts, and foreign-national access to core technology.
  • Coordinate with your DCSA Industrial Security Representative (IS Rep). If you're unsure whether a particular AI vendor relationship creates a reportable change, ask. IS Reps would rather hear from you proactively than discover an issue during a security review.

How FirmAdapt Addresses This

FirmAdapt was built with exactly these constraints in mind. The platform's architecture keeps all data processing within controlled, U.S.-based infrastructure with no foreign-national access to model internals or customer data. FirmAdapt maintains transparent documentation of its ownership structure, training data provenance, and inference pipeline, the kind of information a GSC needs to complete a vendor risk assessment without chasing down answers for weeks.

For companies operating under FOCI mitigation agreements, FirmAdapt provides the compliance artifacts and architectural transparency that make AI vendor diligence straightforward. The platform is designed so that adopting it does not create a new disclosure obligation or a gap in your TCP. If your IS Rep asks how your AI tooling fits within your mitigation framework, you should be able to answer clearly. FirmAdapt is built to make that answer simple.
