FirmAdapt is an AI-powered business diagnostics platform that audits companies to expose operational inefficiencies and broken processes. We then deploy custom AI agents, robotic process automation, and engineered solutions to fix the problems we find. Our diagnostic tools include company audits, website audits, competitive intelligence, and faith-based compliance screening.

Does FirmAdapt have a free API?

Yes, FirmAdapt offers free open API endpoints that require no authentication. AI agents and developers can make up to 10 requests per week without signing up. The API supports company profile lookups, faith-based compliance screening, and stock searches across 12 global markets.

What is faith-based stock screening?

Faith-based stock screening analyzes a company's financial ratios and business activities to determine compliance with religious investment guidelines. FirmAdapt supports 9 frameworks including Shariah (AAOIFI, S&P), Christian (BRI), Catholic (USCCB), Jewish (Halakhic), LDS/Mormon, ESG Religious, and Evangelical standards.

Can AI agents use FirmAdapt?

Yes, FirmAdapt is designed for native AI agent integration. It provides an MCP (Model Context Protocol) server for Claude Desktop, Cursor, and other AI tools. AI agents can access company profiles, run faith-based compliance screens, and search stocks across 12 global markets using free open endpoints with no API key required.

What markets does FirmAdapt support?

FirmAdapt supports 12 global markets: US (NYSE/NASDAQ), UK (London Stock Exchange), Germany (XETRA), France (Euronext Paris), Japan (Tokyo Stock Exchange), India (NSE/BSE), Saudi Arabia (Tadawul), UAE (Dubai/Abu Dhabi), Malaysia (Bursa), Indonesia (IDX), Canada (TSX), and Australia (ASX).

Back to Blog

AI complianceregulatorytrade secretsIPconfidentialityInformation governance

The Inevitability of Insider Misuse: An AI Risk Framework Built Around It

By Basel IsmailMay 22, 2026

The Inevitability of Insider Misuse: An AI Risk Framework Built Around It

Every information governance policy I have ever read assumes good faith. Employees will classify documents correctly. They will not copy trade secrets to personal drives. They will use AI tools only for authorized purposes. The policies are well written, carefully reviewed by counsel, and almost entirely disconnected from how people actually behave.

The Ponemon Institute's 2023 Cost of Insider Threats Global Report put the average annual cost of insider incidents at $16.2 million per organization, up 40% from 2020. That number includes negligent insiders, compromised credentials, and malicious actors. But here is what should concern you most if you are deploying AI tools internally: the negligent category accounts for 55% of all incidents. People are not trying to steal your trade secrets. They are just dragging and dropping them into a chatbot prompt without thinking about it.

The Policy Compliance Fallacy

Traditional information governance frameworks treat insider misuse as an edge case. You write the acceptable use policy, you run the annual training, you get the signed acknowledgment form, and you move on. The implicit assumption is that most employees will comply, and the ones who do not can be dealt with through disciplinary action after the fact.

This was always a shaky assumption. With generative AI, it collapses entirely.

When an employee pastes a proprietary algorithm, a client list, or an M&A term sheet into an AI assistant, the information governance failure is instantaneous and potentially irreversible. Unlike emailing a document to a personal account, which at least leaves a clear forensic trail, AI interactions can be ephemeral, unlogged, and difficult to reconstruct. The 2023 Samsung semiconductor leak, where engineers pasted proprietary source code and internal meeting notes into ChatGPT on at least three separate occasions within a single month, was not a failure of policy. Samsung had policies. It was a failure of architecture.

Why Trade Secrets Are Uniquely Vulnerable

Trade secret protection under the Defend Trade Secrets Act of 2016 (DTSA) and the Uniform Trade Secrets Act (UTSA, adopted in some form by 48 states) requires that the owner take "reasonable measures" to maintain secrecy. Courts have interpreted this requirement with increasing specificity. In Compulife Software Inc. v. Newman (11th Cir. 2020), the court examined whether the plaintiff's security measures were sufficient to maintain trade secret status. In Epic Systems Corp. v. Tata Consultancy Services, a jury awarded $940 million (later reduced to $420 million) based in part on inadequate access controls.

The "reasonable measures" standard is not static. It evolves with available technology. If your competitors are deploying AI governance controls and you are not, a court may find that your measures were not reasonable for the period in question. This is where information governance meets litigation risk directly.

And the problem compounds. Under the DTSA, once a trade secret is disclosed, even inadvertently, the owner bears the burden of showing the disclosure did not destroy secrecy. If an employee feeds your proprietary pricing model into a third-party LLM, and that model's training data is later used to generate outputs for other customers, good luck establishing continued secrecy in front of a judge.

Building the Framework Around Inevitable Misuse

So what does an AI risk framework look like when you start from the assumption that some percentage of your workforce will, intentionally or not, misuse the tools?

1. Classification Before Access

Most organizations classify data after creation, if they classify it at all. An AI risk framework needs to invert this. Data classification should determine which AI tools, if any, a given piece of information can interact with. This means automated classification at the point of creation or ingestion, not a manual tagging exercise that nobody actually does.

2. Architectural Containment

Policy says "do not paste trade secrets into external AI tools." Architecture makes it impossible, or at least difficult and detectable. This includes DLP integration with AI interfaces, network-level controls that prevent data exfiltration to unauthorized endpoints, and sandboxed AI environments where sensitive data can be processed without leaving the controlled perimeter. The Samsung situation could have been mitigated by routing all AI interactions through an internal proxy with content inspection.

3. Graduated Access Controls

Not every employee needs the same AI capabilities. An engineer working on proprietary designs has a different risk profile than someone in marketing drafting social media copy. Role-based access to AI tools, calibrated to the sensitivity of the data each role typically handles, reduces the surface area for accidental disclosure. This is not a new concept; it is just rarely applied to AI tooling with the same rigor we apply to database access.

4. Continuous Monitoring With Context

Logging AI interactions is necessary but not sufficient. You need contextual analysis: what data was submitted, what classification does it carry, does this interaction pattern deviate from the user's baseline? NIST's AI Risk Management Framework (AI RMF 1.0, released January 2023) emphasizes the need for ongoing monitoring as a core governance function, not a periodic audit exercise. The framework specifically calls out the need to "regularly assess and monitor AI system behavior" in its GOVERN and MEASURE functions.

5. Incident Response That Accounts for AI-Specific Scenarios

Your incident response plan probably covers data breaches, ransomware, and unauthorized access. Does it cover an employee who fed six months of client data into a third-party AI tool? Do you know how to assess whether that data was incorporated into model training? Do you have contractual provisions with your AI vendors that address this? The answers matter because regulators are starting to ask. The FTC's enforcement action against Rite Aid in December 2023, while focused on facial recognition AI, established that the Commission views inadequate AI governance as an unfair practice under Section 5 of the FTC Act.

The Regulatory Direction Is Clear

The EU AI Act, which entered into force in August 2024, imposes specific obligations around high-risk AI systems that include requirements for data governance, transparency, and human oversight. The Colorado AI Act (SB 24-205), signed in May 2024, creates obligations for "deployers" of high-risk AI systems that include risk management and impact assessments. At the federal level, Executive Order 14110 on AI safety (October 2023) directed agencies to develop guidelines for AI use that include information security considerations.

None of these frameworks assume that policy compliance alone is sufficient. They all require technical and organizational measures. If your AI risk framework still relies primarily on employee training and signed acknowledgments, you are building on a foundation that regulators have already moved past.

Where FirmAdapt Fits

FirmAdapt's architecture was designed around the assumption that sensitive data will encounter AI systems, and that the governance layer needs to be structural rather than aspirational. The platform enforces data classification at the point of interaction, applies role-based access controls to AI capabilities, and maintains audit trails that map to the "reasonable measures" standard under the DTSA and comparable state statutes. Content inspection and containment are handled at the infrastructure level, not delegated to user judgment.

For organizations managing trade secrets, client confidences, or other high-sensitivity information, FirmAdapt provides the architectural controls that make an insider misuse framework operational rather than theoretical. The monitoring and logging capabilities are designed to produce the kind of evidence that matters in both regulatory inquiries and trade secret litigation, where showing what controls were in place, and that they were actually enforced, can determine the outcome.

Ready to uncover operational inefficiencies and learn how to fix them with AI?

Try FirmAdapt free with 10 analysis credits. No credit card required.

Get Started Free