Shadow AI: The Tool Your Engineers Are Using That Your CISO Has Never Heard Of
Your shadow IT problem just got a generative upgrade. That SaaS sprawl you spent years getting under control? It now includes engineers pasting proprietary source code into ChatGPT, analysts uploading client datasets to Claude, and marketing teams running customer communications through Jasper. None of it approved. None of it logged. None of it covered by your existing DLP policies.
And the speed at which this happened is genuinely unprecedented. Shadow IT traditionally crept in over months as teams adopted Dropbox or Slack before procurement caught up. Shadow AI arrived in weeks. ChatGPT hit 100 million monthly active users within two months of launch in late 2022. By mid-2023, a Salesforce survey found that 55% of employees using generative AI at work had never received approval to do so. A more recent Cyberhaven report from early 2024 pegged the number higher: 74% of ChatGPT usage at work was through non-corporate accounts, completely invisible to IT.
Why This Is a Trade Secrets Problem, Not Just a Security Problem
The information governance angle here is what keeps me up at night. When an engineer pastes a proprietary algorithm into a third-party AI tool, you have a potential trade secret disclosure. Under the Defend Trade Secrets Act (DTSA, 18 U.S.C. 1836), and under the Uniform Trade Secrets Act adopted in some form by 48 states, trade secret protection requires that the holder take "reasonable measures" to maintain secrecy. Letting employees paste protected information into consumer-grade AI tools with broad training data licenses is, to put it mildly, not a reasonable measure.
Samsung learned this the hard way. In April 2023, Samsung engineers used ChatGPT to debug proprietary semiconductor source code and to summarize internal meeting notes. Three separate incidents in under a month. Samsung's response was to ban generative AI tools entirely, but the damage was done. That source code was submitted to OpenAI's systems under terms of service that, at the time, permitted use of inputs for model training. Whether that data actually influenced model weights is almost beside the point. The disclosure itself undermined Samsung's ability to argue it maintained reasonable secrecy measures.
If you end up in trade secret litigation, opposing counsel will absolutely ask what controls you had in place to prevent employees from sharing protected information with AI services. If the answer is "we had an acceptable use policy but no technical controls," you are going to have a rough deposition.
How to Find It
Discovery is the first practical challenge. Shadow AI is harder to detect than traditional shadow IT because many AI tools operate through browser interfaces rather than installed software. Your endpoint management solution may not flag them. Here is what actually works:
- DNS and proxy log analysis. Look for traffic to api.openai.com, claude.ai, bard.google.com, and the API endpoints for tools like Hugging Face, Replicate, and Midjourney. Cross-reference against approved vendor lists. This catches a surprising amount.
- Browser extension audits. AI-powered browser extensions (writing assistants, code completion tools, summarizers) are everywhere and often have broad data access permissions. A 2024 Spin.AI analysis found that over 50% of browser extensions powered by AI were classified as high risk.
- DLP policy updates. Configure your DLP tools to flag uploads to known AI service domains. This should have been done eighteen months ago, but better late than never.
- Expense report and credit card analysis. Individual AI subscriptions show up on expense reports and corporate cards. If you see $20/month charges to OpenAI from thirty different employees, you have your answer.
- API key scanning. Run scans across your code repositories for API keys associated with AI services. Engineers embedding API calls to external AI services in internal tools is more common than you think.
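The API key scanning item above, sketched as an added example (not code from the original article). The token prefixes are assumptions based on commonly seen key formats, and every key in the sample is constructed and non-functional.

```python
import os
import re

# Assumed token shapes from commonly seen prefixes: "sk-ant-" (Anthropic),
# "sk-" (OpenAI), "hf_" (Hugging Face). Formats change; treat as a starting set.
PATTERNS = [
    ("anthropic", re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}")),
    ("openai", re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}")),
    ("huggingface", re.compile(r"\bhf_[A-Za-z0-9]{30,}")),
]

# Constructed, non-functional tokens and a constructed source file.
FAKE_OPENAI = "sk-" + "Ab3dE6gH9jK2mN5pQ8sT1vW4"
FAKE_HF = "hf_" + "Zy9Xw8Vu7Ts6Rq5Po4Nm3Lk2Ji1Hg0Fe"
SAMPLE = (
    "import os\n"
    f'OPENAI_KEY = "{FAKE_OPENAI}"\n'
    'DOCS_EXAMPLE = "sk-xxxxxxxxxxxxxxxxxxxxxxxx"\n'
    f"headers = {{'Authorization': 'Bearer {FAKE_HF}'}}\n"
    'key = os.environ["OPENAI_API_KEY"]  # read at runtime, nothing to flag\n'
)

def redact(token):
    """Keep a short prefix and the length so the report does not re-leak the key."""
    return f"{token[:7]}...({len(token)} chars)"

def scan_text(path, text):
    """Return (path, line number, vendor, redacted token) for each likely key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for vendor, pattern in PATTERNS:
            for match in pattern.finditer(line):
                token = match.group(0)
                if len(set(token)) < 10:
                    continue  # documentation placeholder such as sk-xxxx...
                findings.append((path, lineno, vendor, redact(token)))
    return findings

def scan_tree(root):
    """Scan every readable file under root, skipping the .git object store."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings += scan_text(path, fh.read())
            except OSError:
                continue  # unreadable file: skip it
    return findings
```

A working-tree scan misses keys that were committed and later deleted, so the same `scan_text` function should also be run over repository history.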
The Uncomfortable Prevalence Data
The numbers are stark. A March 2024 report from Cisco found that only 29% of organizations felt they had adequate capability to detect and prevent employees from using unauthorized AI. Meanwhile, a Gartner survey from Q4 2023 projected that by 2025, over 40% of enterprise AI usage would occur outside IT's visibility. Microsoft's 2024 Work Trend Index found that 78% of AI users were bringing their own AI tools to work, with the majority of those in companies under 500 employees.
In regulated industries, the exposure is compounded. A healthcare company whose employees paste patient data into an AI chatbot has a HIPAA problem on top of the trade secrets issue. A financial services firm faces potential violations of Regulation S-P, the Gramm-Leach-Bliley Act safeguards, and SEC cybersecurity disclosure requirements finalized in July 2023. A defense contractor with employees using AI tools to summarize controlled unclassified information (CUI) is looking at DFARS 252.204-7012 compliance failures and potential False Claims Act liability.
The Mitigation Playbook
Banning AI outright does not work. Samsung tried it. Apple tried it. JPMorgan tried it. In every case, usage went further underground or the ban was eventually relaxed because the productivity gains were too significant to ignore. The practical path forward involves channeling usage rather than prohibiting it.
1. Establish an AI Acceptable Use Policy with Teeth
Your policy needs to be specific. Not "use AI responsibly" but "do not input data classified as Confidential or above into any AI tool not listed on the approved tools register." Tie violations to existing disciplinary frameworks. Make sure the policy explicitly addresses the trade secret implications, because you want the documentation trail showing you took reasonable measures.
2. Provide Approved Alternatives
People use shadow AI because it solves real problems. Give them sanctioned tools with enterprise agreements that include appropriate data processing terms, no training on input data, SOC 2 compliance, and BAAs where needed. If the approved tool is worse than the shadow tool, people will keep using the shadow tool. Invest accordingly.
3. Implement Technical Controls
Policy without enforcement is just a suggestion. Deploy CASB (Cloud Access Security Broker) rules to block or monitor access to unapproved AI services. Implement endpoint DLP that can detect and prevent sensitive data from being pasted into browser-based AI interfaces. Consider network-level controls for high-sensitivity environments.
4. Classify Your Data
You cannot protect what you have not classified. If your engineers do not know which code repositories contain trade secrets versus open-source contributions, they cannot make informed decisions about what to paste into an AI tool. Data classification is boring, foundational work that makes everything else possible.
5. Monitor Continuously
This is not a one-time audit. AI tools proliferate constantly. New services launch weekly. Your monitoring needs to be ongoing, with regular reviews of network traffic patterns and periodic employee surveys (anonymous ones tend to produce more honest results).
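The recurring traffic review described here, and the DNS and proxy log cross-reference from "How to Find It", as an added example (not code from the original article). The log format, the approved-host register and the sample lines are constructed assumptions; the Hugging Face, Replicate and Midjourney domains are assumed from the tool names in the text.

```python
from collections import defaultdict

# Watchlist by domain: services named in the article. Domains for
# Hugging Face, Replicate and Midjourney are assumed. Extend as needed.
AI_DOMAINS = {"openai.com", "claude.ai", "bard.google.com",
              "huggingface.co", "replicate.com", "midjourney.com"}

# Hypothetical approved tools register: hosts covered by an enterprise agreement.
APPROVED_HOSTS = {"api.openai.com"}

# Constructed sample, assumed format: timestamp user method host:port bytes_sent
SAMPLE_LOG = """\
2024-05-06T09:14:02Z alice CONNECT chat.openai.com:443 48211
2024-05-06T09:14:30Z alice CONNECT chat.openai.com:443 1000
2024-05-06T09:15:40Z alice CONNECT claude.ai:443 1290
2024-05-06T09:16:11Z bob CONNECT api.openai.com:443 88120
2024-05-06T09:17:55Z carol CONNECT notopenai.com:443 300
2024-05-06T09:18:03Z carol CONNECT API.Replicate.com:443 5120
malformed line
2024-05-06T09:20:00Z bob CONNECT intranet.example.com:443 900
"""

def matched_ai_domain(host):
    """Return the watchlist entry that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for domain in AI_DOMAINS:
        # Require a label boundary so notopenai.com does not match openai.com.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def unapproved_ai_usage(log_text):
    """Sum bytes sent per (user, host) for AI traffic not on the register."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed records rather than abort the review
        _, user, _, target, sent = fields
        host = target.rsplit(":", 1)[0].lower().rstrip(".")
        if matched_ai_domain(host) and host not in APPROVED_HOSTS:
            totals[(user, host)] += int(sent)
    return dict(totals)

if __name__ == "__main__":
    for (user, host), sent in sorted(unapproved_ai_usage(SAMPLE_LOG).items()):
        print(f"{user}\t{host}\t{sent} bytes sent")
```

Bytes sent is the column to sort on: large uploads to an unapproved host are the records worth following up first.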
How FirmAdapt Addresses This
FirmAdapt was built around the premise that regulated companies need AI capabilities without the information governance risks that come with sending data to consumer AI services. The platform processes data within a compliance-first architecture where sensitive information stays within controlled boundaries, with audit logging, role-based access controls, and data handling practices designed to preserve trade secret protections and satisfy regulatory requirements across healthcare, financial services, and defense.
Rather than trying to police shadow AI after the fact, FirmAdapt gives teams a sanctioned AI platform that actually works for their use cases, removing the incentive to reach for unauthorized tools. The platform maintains the documentation trail that demonstrates reasonable measures under the DTSA and state trade secret statutes, which matters enormously if you ever need to enforce your IP rights in court.