Why Your Information Security Awareness Training Probably Does Not Mention AI
I just reviewed the security awareness training programs from three major vendors. Combined, they serve something like 40,000 organizations. Every single one had extensive modules on phishing, password hygiene, social engineering, and removable media. Not one had a dedicated module on AI-related data exposure. In 2025. When employees at those organizations are copying sensitive data into large language models every single day.
This is a real gap, and it has specific consequences for trade secret protection that most compliance teams have not fully worked through yet.
The Phishing Curriculum Is Fine. It Is Also Incomplete.
Let me be clear: phishing training works. KnowBe4's 2024 Phishing by Industry Benchmarking Report found that organizations reduced their phish-prone percentage from 34.3% to 4.6% after 12 months of combined training and simulated phishing. That is a meaningful reduction in risk. Nobody is arguing you should stop doing it.
The problem is that phishing training addresses a threat model from 2015. The dominant vector for inadvertent data exposure in 2025 is not a spoofed email from "IT Support." It is a well-meaning engineer pasting proprietary source code into ChatGPT to debug a function. It is a paralegal uploading a draft merger agreement to Claude to summarize key terms. It is a product manager feeding customer data into a spreadsheet plugin powered by GPT-4 to generate a competitive analysis.
Samsung learned this the hard way in April 2023 when engineers leaked semiconductor source code through ChatGPT on at least three separate occasions within 20 days of the company allowing access to the tool. The company ultimately restricted internal ChatGPT use, but the data was already out.
A Cyberhaven study from early 2024 found that 8.6% of employees had pasted company data into ChatGPT, and 3.1% had pasted data the researchers classified as sensitive. Scale that across a 10,000-person organization and you are looking at hundreds of potential exposure events per quarter, none of which your phishing module addresses.
The Trade Secret Problem Is Specific and Legal
Here is where it gets concrete for legal and compliance teams. Under the Defend Trade Secrets Act of 2016 (18 U.S.C. 1836), and under virtually every state's version of the Uniform Trade Secrets Act, a trade secret only qualifies for protection if the owner has taken reasonable measures to keep it secret. That is the statutory language, and courts take it seriously.
In Compulife Software Inc. v. Newman (11th Cir. 2020), the court found that failure to implement adequate security measures contributed to the determination that the information at issue did not qualify as a trade secret. The "reasonable measures" inquiry is fact-intensive, and courts look at the totality of what a company did and did not do.
Now think about what a plaintiff's attorney will argue in 2025 or 2026 when your former employee walks out the door with proprietary data they already shared with three different AI tools during their employment. They will argue that you knew employees were using generative AI, that you knew these tools could retain or learn from input data, and that you failed to train your workforce on the risk. If your security awareness program has zero AI content, that argument writes itself.
The reasonable measures standard evolves with the threat landscape. What was reasonable in 2020 is not sufficient in 2025. Courts will eventually catch up to the reality that AI-driven data leakage is a foreseeable risk, and the question will be whether your training program reflected that.
What an AI Module Should Actually Cover
If you are building or procuring an AI-specific training module, here is what it should address at minimum:
- Data classification before input. Employees need to understand which categories of information can never go into external AI tools. This means your data classification policy needs to exist, be current, and be referenced explicitly in the training. Vague guidance like "use good judgment" is not a reasonable measure.
- How LLM data retention works. Most employees do not understand the difference between a tool that processes data ephemerally and one that retains inputs for model training. OpenAI's default data retention policy changed multiple times in 2023 and 2024. Your training should explain the basics without requiring a PhD in machine learning.
- Approved vs. unapproved tools. Shadow AI is the new shadow IT. A 2024 Salesforce survey found that more than half of generative AI users at work were using unapproved tools. Your training module needs to clearly identify which AI tools are sanctioned, under what conditions, and what the consequences are for using unapproved alternatives.
- Prompt injection and output risks. This is newer territory, but employees using AI-generated outputs in client deliverables or regulatory filings need to understand hallucination risk and the possibility that outputs may contain fragments of other users' data. The FTC has been vocal about AI-generated deception since at least its February 2023 guidance, and the consequences flow downstream to the companies that rely on AI outputs without verification.
- Incident reporting for AI exposure. If an employee realizes they pasted sensitive data into an external AI tool, what do they do? Most incident response plans do not have a specific workflow for this. The training should establish one and make it easy to follow.
Regulatory Tailwinds Are Building
This is not just a best-practice argument. Regulatory frameworks are starting to require AI-specific training. The EU AI Act (Regulation 2024/1689), which entered into force in August 2024, requires in Article 4 that organizations ensure AI literacy among staff who operate or are affected by AI systems. The NIST AI Risk Management Framework (AI 100-1), published in January 2023, identifies workforce training as a key governance function. Colorado's SB 24-205, the first comprehensive state-level AI law in the U.S., signed in May 2024, includes requirements around risk management that implicitly demand workforce education.
For regulated industries specifically, the expectations are even higher. The OCC, FDIC, and Federal Reserve's June 2023 interagency statement on AI in banking emphasized governance and risk management. HIPAA's administrative safeguard requirements under 45 C.F.R. 164.308(a)(5) already mandate security awareness training, and HHS has signaled that AI-related risks fall within scope. If your training program has not been updated to reflect these developments, you are accumulating compliance debt.
How FirmAdapt Addresses This
FirmAdapt's platform is designed around the principle that AI adoption and compliance are not sequential activities. The architecture enforces data classification and access controls at the point of AI interaction, which means sensitive information is governed before it reaches a model, not after an employee makes a judgment call. This reduces the surface area that training alone has to cover, though it does not eliminate the need for training.
For organizations building out their AI awareness programs, FirmAdapt provides audit trails and interaction logs that feed directly into compliance reporting. This gives legal and compliance teams concrete evidence of reasonable measures, the kind of documentation that matters when the trade secret inquiry turns on what you actually did versus what your policy said you would do.
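As an added illustration of two points made above, that the data classification policy rather than employee judgment should decide what never goes into an external AI tool, and that governing data before it reaches a model while keeping an audit trail produces evidence of reasonable measures, here is a small pre-prompt classification gate. This is example code written for this article, not FirmAdapt's code or the code of any vendor named here; the policy rules, the sample prompts, the user and tool names, and the audit record's field names are all constructed for illustration.

```python
"""Hypothetical pre-prompt classification gate (illustrative, not FirmAdapt's code).

Before a prompt is forwarded to an external LLM, evaluate it against a small
classification policy, decide whether to allow, redact or block, and produce an
audit record that a compliance team could later cite as a "reasonable measure".
"""
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy for illustration only. A real deployment would derive these
# rules from the organization's own data classification policy.
POLICY = [
    # Text carrying a handling marking must never leave the organization.
    ("classification-marking",
     re.compile(r"\b(?:CONFIDENTIAL|ATTORNEY[- ]CLIENT PRIVILEGED|TRADE SECRET)\b",
                re.IGNORECASE),
     "block"),
    # Credential-shaped tokens (AWS-style access key IDs, "sk-" API keys) are blocked.
    ("credential",
     re.compile(r"\b(?:AKIA[0-9A-Z]{16}|sk-[A-Za-z0-9]{20,})\b"),
     "block"),
    # Personal data is redacted so the employee can still get help with the rest.
    ("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "redact"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "redact"),
]


@dataclass
class Decision:
    action: str                                    # "allow", "redact" or "block"
    text: str                                      # what may be forwarded ("" when blocked)
    findings: dict = field(default_factory=dict)   # category -> number of matches


def classify_prompt(text: str, policy=POLICY) -> Decision:
    """Evaluate a prompt against the policy before it reaches any model.

    Block takes precedence over redact, and redact over allow. Matches are
    redacted even when the prompt ends up blocked, so nothing downstream
    (including the audit trail) ever holds the sensitive values themselves.
    """
    findings = {}
    action = "allow"
    forwarded = text
    for category, pattern, rule_action in policy:
        count = len(pattern.findall(forwarded))
        if count == 0:
            continue
        findings[category] = count
        if rule_action == "block":
            action = "block"
        elif action != "block":
            action = "redact"
        forwarded = pattern.sub(f"[REDACTED:{category}]", forwarded)
    if action == "block":
        forwarded = ""          # nothing is forwarded to the external tool
    return Decision(action, forwarded, findings)


def audit_record(user: str, tool: str, decision: Decision, now=None) -> dict:
    """Build the entry written to the compliance audit trail.

    Only categories and counts are recorded, never the matched values, so the
    log does not become a second copy of the data it is meant to protect.
    """
    now = now or datetime.now(timezone.utc)
    return {
        "timestamp": now.isoformat(),
        "user": user,
        "tool": tool,
        "action": decision.action,
        "findings": decision.findings,
        "prompt_chars": len(decision.text),
    }


if __name__ == "__main__":
    # Constructed sample prompts mirroring the scenarios in the article; none of
    # the names, addresses or numbers are real.
    samples = [
        ("engineer@example.com", "chatgpt-web",
         "Why does this loop hang? for i in range(n): ..."),
        ("paralegal@example.com", "claude-web",
         "CONFIDENTIAL draft merger agreement. Summarize the key terms."),
        ("pm@example.com", "sheet-plugin",
         "Customer Jane Doe, jane@example.org, SSN 123-45-6789, churned in Q2."),
    ]
    for user, tool, prompt in samples:
        decision = classify_prompt(prompt)
        print(json.dumps(audit_record(user, tool, decision)))
```

Because every blocked or redacted attempt is already logged with its category, the same records can back the incident-reporting workflow the training module is supposed to establish: the employee does not have to remember to self-report, and the compliance team can show both the control and its enforcement history.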