Law Firm Data Rooms, M&A Practice, and the Shadow AI Problem
A second-year associate at a midsize firm is reviewing 400 documents in a virtual data room for a buy-side acquisition. The deal is moving fast. The partner wants a first-pass memo on material contracts by morning. The associate copies a batch of vendor agreements, pastes them into ChatGPT, and asks it to flag change-of-control provisions and assignment restrictions. The memo comes back sharp. The partner is impressed. Nobody asks how it got done.
This is happening constantly. Not at one firm. Across the industry. And the exposure it creates is genuinely alarming once you trace the threads.
What Actually Gets Pasted
M&A data rooms are concentrated repositories of the most sensitive information a target company possesses. We are talking about unredacted financial statements, employee compensation data, pending litigation summaries, IP licensing terms, customer contracts with pricing, regulatory correspondence, and sometimes privileged legal memoranda that made it into the room by mistake (which happens more than anyone admits).
When an associate pastes even a subset of these documents into a consumer AI tool, the information leaves the firm's control entirely. OpenAI's terms of service for free and Plus-tier accounts historically allowed use of inputs for model training, though they changed this default in March 2023. But "changed the default" and "guaranteed contractual protection suitable for attorney-client privileged material" are very different things. Enterprise agreements offer better terms, but the associate using a personal account at 1 a.m. is not on the enterprise plan.
The categories of data typically flowing through these prompts include:
- Target company trade secrets and proprietary financial data
- Third-party confidential information subject to NDAs between the target and its counterparties
- Attorney work product and privileged analysis mixed into data room folders
- Personally identifiable information of employees, customers, and sometimes patients or financial account holders
- Material nonpublic information relevant to securities laws
Each of these categories triggers a different regulatory or contractual obligation. The aggregate exposure from a single paste-and-prompt session can be staggering.
The Privilege Problem
Attorney-client privilege requires confidentiality. That is a foundational element, not a nice-to-have. Under Restatement (Third) of the Law Governing Lawyers Section 79, privilege can be waived by disclosure to third parties outside the scope of the privileged relationship. Courts have been inconsistent about what constitutes "reasonable precautions" to maintain privilege in digital contexts, but voluntarily uploading privileged material to a third-party AI service is a hard fact pattern to defend.
The In re Caremark Int'l Inc. Derivative Litigation line of cases established that boards and officers have oversight duties. Law firms advising those boards now face a recursive problem: if the firm's own associates are creating privilege waiver risks through shadow AI use, the firm may be breaching its duty of competence under Model Rule 1.1 and its duty of confidentiality under Model Rule 1.6.
The ABA issued Formal Opinion 477R in 2017, which requires lawyers to make "reasonable efforts" to prevent unauthorized access to client information. That opinion was written with email encryption and cloud storage in mind, but its logic applies directly to AI tools. Several state bars have since weighed in more explicitly. The Florida Bar issued Ethics Opinion 24-1 in January 2024 addressing generative AI use, and the New York City Bar's Formal Opinion 2024-1 specifically flagged confidentiality risks of inputting client data into AI systems.
If privileged M&A analysis ends up in a training dataset, the waiver argument becomes available to opposing counsel in any subsequent litigation. And in contested acquisitions or post-closing disputes, that is exactly where someone will look.
NDA Chains and Third-Party Exposure
Here is where it compounds. The data room NDA in a typical M&A transaction restricts use and disclosure of the target's confidential information. These NDAs almost always limit disclosure to representatives of the potential buyer who "need to know" the information for purposes of evaluating the transaction. A large language model operated by a third-party AI company is not a representative with a need to know.
Breach of the data room NDA exposes the buy-side client to liability. But it also exposes the law firm. Many engagement letters incorporate the firm's obligation to comply with transaction NDAs. A firm whose associate breaches the NDA by uploading documents to an AI tool has potentially created liability for the client, the firm, and the individual attorney.
The target company and its counsel may never discover the breach. Or they might. Discovery in post-closing indemnification disputes routinely includes requests about how due diligence was conducted. If a firm has to answer interrogatories about whether AI tools were used to review data room materials, and the honest answer is "yes, via consumer-grade ChatGPT," the resulting motion practice will be unpleasant.
Securities Law Overlay
For public company targets or acquirers, the information in a data room frequently constitutes material nonpublic information under Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5. The SEC has not yet brought an enforcement action based on AI-related MNPI leakage, but the theory is straightforward. If confidential deal information enters a system where it could be accessed or reconstructed by unauthorized parties, the chain of custody is broken in a way that implicates insider trading prevention obligations.
The SEC's 2023 cybersecurity disclosure rules (effective December 2023) also require registrants to describe their processes for managing cybersecurity risks. A law firm that handles public company M&A work and lacks any policy on AI use is a cybersecurity risk that the client may need to disclose, or at minimum evaluate.
The Scale of the Problem
A Thomson Reuters survey from mid-2023 found that 51% of law firm professionals believed generative AI should be integrated into legal work. A separate Lexis survey from early 2024 indicated that roughly one-third of associates were already using AI tools, with many doing so without firm approval or oversight. The gap between usage and policy is enormous.
Large firms have started issuing internal AI policies. Allen and Overy's partnership with Harvey AI was announced in early 2023. Davis Polk, Latham, and others followed with various approved-tool approaches. But policy adoption at midsize and smaller firms, where a significant volume of middle-market M&A work gets done, lags considerably. And even at firms with policies, enforcement depends on monitoring capabilities that most firms simply do not have.
The result is a firm-wide exposure that partners may not even be aware of. One associate on one deal creates a potential privilege waiver, NDA breach, and securities law issue. Multiply that across every active transaction, and the risk profile is substantial.
What Firms Should Be Doing Now
Written AI use policies are necessary but insufficient. Firms need to provide approved tools that actually work for the tasks associates are trying to accomplish, because prohibition without alternatives just drives behavior underground. Training needs to be specific to practice areas, not generic "be careful with AI" guidance. And there needs to be some mechanism for monitoring or at minimum auditing how data room materials are handled.
The harder structural question is how to give associates AI-assisted review capabilities without routing confidential data through systems the firm does not control.
How FirmAdapt Addresses This
FirmAdapt is built for exactly this kind of problem. The platform provides AI-powered document review and analysis within a compliance-first architecture, meaning client data stays within controlled environments that satisfy confidentiality obligations under Model Rules 1.1 and 1.6, NDA restrictions, and data handling requirements that regulated industries impose on their outside counsel. The system is designed so that firms can offer associates genuinely useful AI tools without creating the shadow AI problem in the first place.
For M&A practice specifically, FirmAdapt allows first-pass data room review with configurable access controls, audit logging, and privilege-aware handling, so the work gets done efficiently and the firm can actually demonstrate compliance if questioned. It replaces the incentive to use consumer AI tools by providing a better, sanctioned alternative that the firm controls.