
Naval Shipyards, Submarine Programs, and the Highest-Stakes AI Compliance Environment

By Basel Ismail, May 13, 2026

If you work in defense and think ITAR compliance is already a headache, try layering Department of Energy Q-clearance requirements on top. That is the reality for anyone involved in naval nuclear propulsion, submarine programs, or the handful of shipyards that build and maintain the fleet. It is one of the most restrictive compliance environments in the U.S., and introducing AI tools into that environment raises questions that most vendors have never seriously considered.

The Regulatory Stack: ITAR Meets Restricted Data

ITAR (International Traffic in Arms Regulations, 22 CFR Parts 120-130) controls the export and sharing of defense articles and technical data on the U.S. Munitions List. Most defense contractors are familiar with it. You register with the Directorate of Defense Trade Controls, you classify your articles, you control access to technical data, and you do not share anything with foreign persons without a license. Violations are expensive. In 2023, L3Harris agreed to a $13 million consent agreement for ITAR violations. Raytheon paid $20 million in 2022. The penalties are real and they scale.

But ITAR is only the first layer for naval nuclear work. The Atomic Energy Act of 1954 (42 U.S.C. 2011 et seq.) created a separate classification regime for nuclear weapons and naval propulsion information. This information, called Restricted Data (RD) and Formerly Restricted Data (FRD), exists outside the standard classified national security information system governed by Executive Order 13526. It has its own rules, its own clearance requirements, and its own enforcement apparatus through the Department of Energy and the Naval Nuclear Propulsion Program (NNPP, also known as Naval Reactors or NAVSEA 08).

Q-clearance is the DOE equivalent of a Top Secret clearance, and it is specifically required for access to RD. The vetting process is extensive; it typically takes 12 to 18 months and involves a full-scope background investigation by DOE. People who work on naval reactor design, submarine propulsion systems, or spent fuel handling at facilities like Huntington Ingalls Newport News Shipbuilding, General Dynamics Electric Boat, or the four public naval shipyards all operate under some combination of ITAR, RD/FRD controls, and NNPP-specific security requirements.

Why AI Tools Create Unique Problems Here

The fundamental tension is straightforward: modern AI tools, especially large language models and cloud-based analytics platforms, are designed to ingest, process, and learn from data. The entire regulatory framework around naval nuclear propulsion is designed to prevent exactly that kind of broad data access.

Consider a few specific scenarios:

  • Training data contamination. If an AI model is trained on or fine-tuned with data that includes ITAR-controlled technical data or Restricted Data, the model itself may become a controlled article. Under ITAR, technical data includes information required for the design, development, production, or use of defense articles. A model that has internalized such information arguably "contains" it, even if it cannot reproduce it verbatim. There is no clear regulatory guidance on this yet, which is itself a risk.
  • Foreign person access. ITAR prohibits disclosure of controlled technical data to foreign persons without authorization. Many AI platforms involve processing on infrastructure maintained by multinational teams. Even if the servers are in the U.S., if a foreign national engineer at a cloud provider can access the data during processing, you may have an unauthorized export. For RD, the restrictions are even tighter; the Atomic Energy Act imposes criminal penalties (up to life imprisonment under 42 U.S.C. 2274-2276) for unauthorized disclosure.
  • Inference and reconstruction. AI systems are remarkably good at inferring information from partial data. An LLM that processes unclassified maintenance logs from a submarine reactor compartment might, through aggregation and inference, produce outputs that cross into RD territory. This is the classic "mosaic theory" problem, but with a tool that performs mosaic analysis at machine speed.
  • Audit and accountability. Both ITAR and DOE Order 471.6 (Information Security) require robust access controls and audit trails. Many AI tools, particularly those using retrieval-augmented generation or agent-based architectures, make it difficult to trace exactly which data influenced a given output. If you cannot demonstrate that an output was derived only from appropriately cleared and controlled inputs, you have a compliance gap.

NNPP's Particular Culture of Control

Naval Reactors operates with a level of institutional rigor that is unusual even by defense standards. The program traces its culture directly to Admiral Hyman Rickover, who ran it from 1949 to 1982 and established a philosophy of absolute technical accountability. NAVSEA 08 still maintains direct authority over every aspect of naval nuclear propulsion, from reactor design to the training of individual sailors who operate the plants.

This culture means that NNPP tends to be conservative about adopting new technologies, and for good reason. The program's safety record is extraordinary; the U.S. Navy has operated nuclear-powered vessels since USS Nautilus in 1955 without a single reactor accident. When you have that kind of track record, the bar for introducing new tools into the workflow is justifiably high.

For AI specifically, NNPP's concerns go beyond data security. They extend to reliability, determinism, and explainability. A probabilistic model that gives slightly different answers to the same question is fundamentally at odds with a program that demands precise, repeatable, and fully documented engineering analysis. Any AI deployment in this space needs to account for that expectation.

The Compliance Gap in Current AI Offerings

Most enterprise AI platforms were not built with this regulatory environment in mind. Even "government cloud" offerings like AWS GovCloud or Azure Government, which meet FedRAMP High and ITAR requirements for data residency and access control, do not automatically solve the Restricted Data problem. RD requires processing within DOE-approved facilities under DOE-approved security plans. You cannot simply check a box on a cloud configuration page.

The Defense Counterintelligence and Security Agency (DCSA) and DOE Office of Enterprise Assessments conduct inspections that specifically look at how information systems handle classified and controlled information. If your AI tool processes data in ways that your System Security Plan does not describe, you are out of compliance. Full stop. And unlike some regulatory regimes where enforcement is sporadic, the nuclear security apparatus conducts regular, thorough inspections. Huntington Ingalls reported in its 2023 10-K that it operates under continuous security oversight from multiple federal agencies simultaneously.

There is also the question of supply chain risk. Executive Order 14028 (May 2021) on improving cybersecurity and the subsequent NIST guidance on software supply chain security apply here. If your AI tool incorporates open-source model components with unclear provenance, you have a supply chain integrity problem layered on top of everything else.

Where This Is Heading

DOD's Responsible AI Strategy (updated 2022) and the DOE's own AI governance initiatives are still catching up to the specific challenges of nuclear-related defense work. The Navy's Chief Digital and AI Officer (CDAO) organization has been pushing AI adoption across the fleet, but the naval nuclear community has been understandably cautious about participating. Expect more specific guidance in the next two to three years, likely through updates to NNPP's own technical publications and DOE orders rather than through broad DOD policy.

In the meantime, organizations operating in this space need AI tools that are built from the ground up for this kind of constraint, not general-purpose platforms with compliance features bolted on afterward.

How FirmAdapt Addresses This

FirmAdapt's architecture was designed for environments where data sovereignty, access control, and auditability are non-negotiable. The platform supports on-premises and air-gapped deployment models, which is a prerequisite for any tool that might touch RD or ITAR-controlled technical data. Every data input, model interaction, and output is logged with full provenance tracking, directly addressing the audit trail requirements under both ITAR and DOE Order 471.6.

FirmAdapt also enforces role-based access controls that can map to existing clearance levels and need-to-know determinations, so organizations do not have to build a parallel access management system for their AI tools. For programs operating under NNPP oversight, this means the AI platform can be incorporated into existing System Security Plans without creating gaps that would surface during a security inspection.
