ITAR Voluntary Disclosures After an AI-Related Incident
A developer at your company uses an internal AI coding assistant to debug a piece of software that happens to be classified as a defense article under ITAR. The model is hosted by a third-party cloud provider with servers in a region you didn't vet. Or maybe a generative AI tool used by your engineering team ingests a technical data package and sends fragments of it to an API endpoint outside the United States. Nobody meant to export anything. But under ITAR, intent is largely irrelevant. If controlled technical data left the country or was made accessible to a foreign person, you likely have an unauthorized export on your hands.
The question then becomes: what do you do in the next 24 to 72 hours, and how do you structure a voluntary disclosure to the Directorate of Defense Trade Controls (DDTC)?
Why Voluntary Disclosure Matters Here
DDTC has been remarkably consistent on one point: voluntary disclosures are treated as a significant mitigating factor. Under ITAR Section 127.12, any person who knows or has reason to know of a violation is encouraged to disclose it. The DDTC's own guidelines, reinforced in the 2023 update to the Consent Agreement framework, make clear that companies that self-disclose generally receive penalties 30% to 50% lower than those that get caught through other means. In some cases, DDTC has resolved voluntary disclosures with no civil penalty at all, opting instead for remedial compliance measures.
Compare that with the alternative. DDTC civil penalties can reach $1,234,028 per violation as of the 2024 inflation adjustment. Criminal penalties under 22 U.S.C. 2778 go up to $1 million per violation and 20 years imprisonment. When you are dealing with AI systems that may have processed and transmitted thousands of records, each individual transmission could theoretically constitute a separate violation. The math gets ugly fast.
Recognizing the Trigger Event
The hardest part of AI-related ITAR incidents is often recognizing that a violation occurred. Traditional export control violations tend to be tangible: someone ships a part, emails a document, or gives a presentation to a foreign national. AI-related violations are more subtle.
- Cloud processing: If your AI tool sends ITAR-controlled technical data to a server outside the U.S. for processing, that is an export under 22 CFR 120.50, even if the data comes right back.
- Model training: If ITAR-controlled data was used to train or fine-tune a model hosted by a foreign entity or accessible to foreign persons, you may have a deemed export issue under 22 CFR 120.52.
- Retrieval-augmented generation (RAG): If your RAG pipeline indexes ITAR-controlled documents and a foreign-person employee queries the system, the system's response could constitute a disclosure of technical data to a foreign person.
- Third-party APIs: Many AI tools call external APIs for embeddings, inference, or other functions. If ITAR data passes through those APIs and the provider has foreign-person employees with access, you have a potential violation.
Your compliance team needs to understand the data flows in your AI stack at a granular level. If you cannot map where data goes when it enters an AI tool, you cannot assess whether a violation has occurred.
Structuring the Voluntary Disclosure
DDTC's voluntary disclosure process is outlined in 22 CFR 127.12. There are two phases: the initial notification and the full disclosure.
Initial Notification
You should file the initial notification as soon as you have a reasonable basis to believe a violation occurred. DDTC does not specify a hard deadline, but industry practice and DDTC's own informal guidance suggest filing within 60 days of discovery. Sooner is better. If you are still investigating, that is fine; the initial notification can be brief. It should include:
- A description of the suspected violation
- The ITAR categories and USML entries potentially involved
- The approximate date range of the conduct
- A statement that a full investigation is underway
Send it to DDTC's Compliance and Enforcement Division. As of 2024, DDTC accepts electronic submissions through its online portal, though many practitioners still follow up with hard copies for significant matters.
Full Disclosure
The full narrative typically follows within 60 to 90 days of the initial notification, though DDTC will grant extensions if you communicate proactively. The full disclosure should cover:
- Technical specifics: What data was involved, what USML categories apply, and what classification level the data carries.
- AI system architecture: How the AI tool processed the data, where the data was sent, which third parties were involved, and whether foreign persons had access at any point in the chain.
- Scope of exposure: How many records, how many transmissions, over what time period. DDTC will want to understand the scale.
- Root cause analysis: Why it happened. Was it a failure of technical controls, a gap in policy, inadequate training, or a vendor issue?
- Remedial measures: What you have already done to stop the violation and prevent recurrence. This is where DDTC pays close attention. Strong remediation can be the difference between a warning letter and a consent agreement.
A Note on Concurrent Notifications
If the incident also involves classified information (CUI or higher), you may have parallel obligations under NISPOM (32 CFR Part 117) and potentially DFARS 252.204-7012, which requires reporting cyber incidents to the DoD within 72 hours. An AI-related data exposure could trigger both ITAR voluntary disclosure and DFARS cyber incident reporting simultaneously. Coordinate with your FSO and your cybersecurity team early.
What DDTC Looks for in AI-Related Cases
DDTC has not published formal guidance specifically addressing AI-related ITAR violations, but enforcement trends from 2022 through 2024 suggest they are paying attention to technology-mediated exports more broadly. The 2023 consent agreement with Honeywell International, which involved unauthorized exports of technical drawings and other defense articles to multiple countries (resulting in a $13 million penalty), highlighted DDTC's focus on systemic control failures. AI tools that handle ITAR data without proper access controls represent exactly the kind of systemic gap DDTC targets.
In your disclosure, demonstrate that you understand the data flows, that you have isolated the problem, and that your remediation addresses the root cause rather than just the symptom. If the root cause is "we deployed an AI tool without understanding where it sends data," say that. DDTC responds better to candor than to euphemism.
Practical Steps for the First 72 Hours
When you first suspect an AI-related ITAR incident:
- Immediately restrict the AI tool's access to ITAR-controlled data. Do not wait for the investigation to conclude.
- Preserve all logs, API call records, and system configurations. AI tools can be updated or reconfigured quickly, and you need the state of the system at the time of the incident.
- Engage outside ITAR counsel. Voluntary disclosures are legal documents that DDTC will scrutinize, and the framing matters.
- Begin mapping the data flow. Identify every endpoint the data touched, every third party involved, and every person (domestic or foreign) who may have had access.
- Assess whether parallel reporting obligations exist under DFARS, NISPOM, or state breach notification laws.
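As an added example (not code from the original article or from any vendor), here is a Python script that does the scoping the trigger list and the "scope of exposure" item above call for: it reads constructed AI-gateway call logs, flags calls that sent ITAR-tagged documents to endpoints outside the United States, and reduces the hits to transmission count, distinct records, USML categories and date range. The log field names, the document tags and the endpoint-to-region map are assumptions made for the example.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed gateway log (one JSON object per outbound AI-tool call); the
# field names are an assumption, not any real product's format.
GATEWAY_LOG = """\
{"ts":"2024-03-04T09:12:01Z","user":"alice","tool":"code-assistant","endpoint":"api.inference.example","doc_ids":["TDP-0042","TDP-0043"]}
{"ts":"2024-03-04T09:15:44Z","user":"bob","tool":"rag-search","endpoint":"embeddings.eu.example","doc_ids":["TDP-0042"]}
{"ts":"2024-03-05T14:02:10Z","user":"alice","tool":"code-assistant","endpoint":"api.inference.example","doc_ids":["README-001"]}
{"ts":"2024-03-06T11:30:00Z","user":"carol","tool":"rag-search","endpoint":"embeddings.eu.example","doc_ids":["TDP-0099","TDP-0043"]}
{"ts":"2024-03-07T08:00:00Z","user":"bob","tool":"rag-search","endpoint":"embeddings.us.example","doc_ids":["TDP-0042"]}
"""
# Constructed: document IDs tagged as ITAR technical data (with USML category),
# and where each endpoint actually processes data, taken from vendor due diligence.
ITAR_DOCS = {"TDP-0042": "USML IV", "TDP-0043": "USML IV", "TDP-0099": "USML XI"}
ENDPOINT_REGION = {"api.inference.example": "SG",
                   "embeddings.eu.example": "DE",
                   "embeddings.us.example": "US"}

def find_exports(log_text, itar_docs, endpoint_region):
    """Return every call that sent ITAR-tagged documents to a non-U.S. endpoint.
    An endpoint with no known region is flagged too: unknown is not cleared."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        region = endpoint_region.get(rec["endpoint"], "UNKNOWN")
        controlled = sorted(d for d in rec["doc_ids"] if d in itar_docs)
        if controlled and region != "US":
            hits.append({"ts": rec["ts"], "user": rec["user"], "tool": rec["tool"],
                         "endpoint": rec["endpoint"], "region": region, "docs": controlled})
    return hits

def scope_summary(hits, itar_docs):
    """Reduce the flagged calls to the figures a disclosure narrative needs."""
    docs = {d for h in hits for d in h["docs"]}
    days = sorted(datetime.fromisoformat(h["ts"].replace("Z", "+00:00")).date() for h in hits)
    return {"transmissions": len(hits),
            "distinct_records": len(docs),
            "usml_categories": sorted({itar_docs[d] for d in docs}),
            "date_range": (days[0].isoformat(), days[-1].isoformat()) if days else None,
            "by_endpoint": dict(Counter(h["endpoint"] for h in hits)),
            "users": sorted({h["user"] for h in hits})}

if __name__ == "__main__":
    print(json.dumps(scope_summary(find_exports(GATEWAY_LOG, ITAR_DOCS, ENDPOINT_REGION), ITAR_DOCS), indent=2))
```

Endpoint region is only one axis of the analysis; the same join against a roster of foreign-person users would cover the RAG and deemed-export cases in the trigger list.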
How FirmAdapt Addresses This Problem
FirmAdapt's architecture is designed to prevent these incidents from occurring in the first place. The platform processes data entirely within controlled environments, with no external API calls, no third-party model hosting, and no data leaving the boundaries you define. For ITAR-regulated organizations, this means technical data never enters a pipeline where it could be inadvertently exported through cloud inference, external embeddings, or foreign-accessible endpoints.
FirmAdapt also maintains detailed audit logs of every data interaction within the platform, which directly supports the kind of forensic analysis DDTC expects in a voluntary disclosure. If an incident does occur elsewhere in your AI stack, having a compliant baseline system with full traceability makes your remediation narrative significantly stronger. The platform was built for exactly these regulatory constraints.