Shadow Procurement: When Departments Buy AI Tools Without Telling IT
A marketing manager signs up for an AI copywriting tool. Puts it on the corporate card. The tool ingests the company's brand guidelines, customer personas, competitive positioning documents, and a few draft press releases about an unannounced product. Three weeks later, finance notices the charge. Six weeks later, legal finds out. By then, the tool's terms of service have already granted the vendor a broad license to use input data for model training.
This is not a hypothetical. It is happening at virtually every mid-to-large enterprise right now, and the procurement governance implications are genuinely alarming, especially for companies in regulated industries.
The Scale of the Problem
Gartner estimated in 2023 that shadow IT spending accounts for 30 to 40 percent of total IT spending at large enterprises. That number is almost certainly conservative for AI tools specifically, because most generative AI subscriptions fall well below the dollar thresholds that trigger formal procurement review: a $20/month seat for ChatGPT Plus, a $49/month Jasper subscription, a $30/month Otter.ai account for meeting transcription. On an expense report, these charges look like office supplies.
Productiv's 2023 SaaS Trends Report found that the average enterprise uses 371 SaaS applications, and IT is aware of roughly half of them. Now layer in the explosion of AI-native tools since late 2022. Departments are subscribing to AI assistants for sales outreach, contract analysis, resume screening, financial modeling, and customer support. Each one of these tools potentially touches regulated data.
Why This Is a Trade Secrets Problem
The trade secrets angle is the one that should keep general counsel up at night. Under the Defend Trade Secrets Act of 2016 (18 U.S.C. 1836 et seq.), information qualifies as a trade secret only if its owner has taken "reasonable measures" to keep it secret (18 U.S.C. 1839(3)); once those measures lapse, so does the protection. Courts have interpreted this requirement with real teeth. In Turret Labs USA, Inc. v. CargoSprint, LLC (E.D.N.Y. 2021), the court scrutinized whether the plaintiff had adequate confidentiality controls around its proprietary software. In Compulife Software Inc. v. Newman (11th Cir. 2020), the analysis turned in part on whether the company's security measures were proportionate to the value of the information.
When an HR team uploads proprietary compensation frameworks into an AI benchmarking tool, or when a sales team feeds customer lists and pricing strategies into an AI email generator, the company is potentially destroying the trade secret status of that information. Most AI tool terms of service include clauses allowing the vendor to use inputs for model improvement, analytics, or "service enhancement." Even where vendors claim they do not train on user data, the contractual language often leaves significant ambiguity.
The problem compounds because shadow procurement means no one reviewed those terms of service. No one negotiated a data processing agreement. No one confirmed whether the vendor's data handling practices meet the company's obligations under HIPAA, GLBA, ITAR, FERPA, or whatever regulatory framework applies.
The Procurement Governance Gap
Traditional procurement governance was designed for a world where software purchases involved budget approvals, vendor assessments, and IT deployment. The typical procurement workflow assumes a requisition, a review, and a purchase order. AI SaaS tools bypass every one of those steps.
Several structural factors make this gap hard to close:
- Low per-seat cost. Most AI tools price below the $500 or $1,000 thresholds that trigger procurement review at many companies. A department head can expense a team of 10 on a $200/month tool without anyone flagging it.
- Self-service onboarding. These tools are designed for instant activation. No IT involvement needed. No SSO integration required. Sign up with a corporate email, enter a credit card, start uploading data.
- Decentralized budgets. When department heads control their own budgets, they view tool subscriptions as operational decisions, not procurement events.
- Speed pressure. Teams adopt AI tools because they deliver immediate productivity gains. Waiting eight weeks for a procurement review feels absurd when a competitor is already using the tool.
The result is a governance vacuum. And into that vacuum flows sensitive data: patient information, financial records, student data, defense-related technical specifications, privileged legal communications, and proprietary business intelligence.
Regulatory Exposure Is Real and Growing
The regulatory consequences vary by industry, but none of them are trivial.
In healthcare, if an employee uploads protected health information into an AI tool that has not signed a Business Associate Agreement, the organization is in violation of HIPAA's Privacy Rule (45 CFR 164.502). The HHS Office for Civil Rights has been increasingly aggressive. In 2023, OCR settled with Lafourche Medical Group for $480,000 over a phishing incident that exposed fewer than 35,000 records. Unauthorized AI tool usage involving PHI could trigger similar or larger enforcement actions.
In financial services, the SEC's Regulation S-P (17 CFR 248) requires broker-dealers and investment advisers to protect customer nonpublic personal information. The SEC's amendments to Reg S-P, proposed in 2023 and adopted in May 2024, explicitly expanded incident response obligations and tightened oversight of service providers that handle customer information. Shadow AI procurement directly undermines compliance with these rules, because the vendor was never identified, let alone overseen.
In defense, ITAR (22 CFR 120-130) restricts the release of defense-related technical data to foreign persons, wherever they are located. Many AI tools process data on servers outside the United States, or employ engineers in other countries who may have access to input data. An engineer uploading controlled technical data into an unapproved AI tool could therefore constitute an unauthorized export.
In education, FERPA (20 U.S.C. 1232g) restricts disclosure of student education records. The Department of Education has made clear that cloud service providers who receive student data must meet specific contractual requirements. An admissions office using an AI tool to draft communications based on applicant data could violate these provisions.
What a Reasonable Response Looks Like
Banning AI tools outright does not work. People route around bans, and the productivity benefits are real enough that blanket prohibitions just push usage further underground. A more effective approach involves several elements:
- AI-specific procurement policies with lower review thresholds. If your current threshold is $1,000, AI tools should trigger review at any dollar amount when they involve data input.
- Approved tool registries that give employees vetted alternatives. If people can use a pre-approved AI writing assistant that legal has already reviewed, they are less likely to go find their own.
- Expense monitoring that flags AI vendor charges. Finance teams can build simple rules to catch subscriptions to known AI platforms.
- Network-level visibility into which AI services employees are accessing from corporate devices and networks.
- Clear data classification guidance that tells employees which categories of information cannot be entered into any external AI tool, regardless of whether it has been approved.
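A minimal version of the expense-monitoring and network-visibility checks above, added here as an example (this is not FirmAdapt's code, nor any vendor's). It matches corporate-card merchant descriptors and proxy-log hostnames against a small registry of AI vendors, treats entries marked approved as vetted, and flags everything else regardless of dollar amount, since the whole problem is that per-seat AI charges never cross a review threshold. The vendor registry, merchant descriptors, hostnames, log format, and all sample records are constructed for the example:

```python
"""Detect shadow AI SaaS from two sources most companies already have:
corporate-card expense exports and web-proxy logs.

Added example for this article; it is not FirmAdapt code. Vendor names,
merchant descriptors, hostnames, the log format, and all sample records
are constructed and would need to be replaced with a real, maintained registry.
"""
import csv
import io
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical registry. `merchant` is a regex against the card statement
# descriptor; `hosts` are the SaaS domains; `approved` means the tool has
# cleared procurement and legal review (the "approved tool registry" above).
AI_VENDORS = {
    "OpenAI": {"merchant": r"OPENAI", "hosts": {"openai.com"}, "approved": False},
    "Jasper": {"merchant": r"JASPER\.?AI", "hosts": {"jasper.ai"}, "approved": False},
    "Otter": {"merchant": r"OTTER\.?AI", "hosts": {"otter.ai"}, "approved": False},
    # A vetted tool: it shows up in the data but is not a finding.
    "VettedAssistant": {"merchant": r"VETTED ASSISTANT", "hosts": {"assistant.example.com"}, "approved": True},
}


@dataclass(frozen=True)
class Finding:
    source: str   # "expense" or "proxy"
    vendor: str
    who: str      # cardholder or proxy username
    detail: str


def vendor_for_host(host):
    """Map a hostname to a registry vendor by exact or parent-domain match."""
    host = host.lower()
    for vendor, entry in AI_VENDORS.items():
        if any(host == h or host.endswith("." + h) for h in entry["hosts"]):
            return vendor
    return None


def scan_expenses(csv_text):
    """Flag any charge to an unapproved AI vendor, whatever the amount.

    Matching on merchant rather than amount is deliberate: per-seat AI
    subscriptions sit far below procurement thresholds, so an amount rule
    would never fire.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        descriptor = row["merchant"].upper()
        for vendor, entry in AI_VENDORS.items():
            if re.search(entry["merchant"], descriptor) and not entry["approved"]:
                findings.append(Finding("expense", vendor, row["cardholder"],
                                        f"${row['amount']} on {row['date']}"))
    return findings


# Constructed proxy-log format: "<timestamp> <user> <method> <url> <bytes_sent>".
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<sent>\d+)$")


def scan_proxy(log_text):
    """Flag requests to unapproved AI vendors; record bytes sent on POSTs,
    because that is where uploaded documents show up."""
    findings = []
    for line in log_text.splitlines():
        m = PROXY_LINE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the whole job
        vendor = vendor_for_host(urlsplit(m["url"]).hostname or "")
        if vendor is None or AI_VENDORS[vendor]["approved"]:
            continue
        detail = f"{m['method']} {m['url']}"
        if m["method"] == "POST":
            detail += f" ({m['sent']} bytes sent)"
        findings.append(Finding("proxy", vendor, m["user"], detail))
    return findings


def shadow_ai_report(csv_text, log_text):
    """Correlate both sources: vendor -> set of users seen paying for or using it."""
    report = {}
    for f in scan_expenses(csv_text) + scan_proxy(log_text):
        report.setdefault(f.vendor, set()).add(f.who)
    return report


# Constructed sample data.
SAMPLE_EXPENSES = """date,cardholder,merchant,amount
2024-03-04,mmanager,JASPER.AI SUBSCRIPTION,49.00
2024-03-05,mmanager,OFFICE SUPPLY CO 1234,112.30
2024-03-07,sales1,OPENAI *CHATGPT SUBSCR,20.00
2024-03-08,hr1,VETTED ASSISTANT INC,300.00
"""

SAMPLE_PROXY = """2024-03-07T09:12:01Z sales1 POST https://chat.openai.com/backend-api/conversation 18432
2024-03-07T09:13:44Z eng2 GET https://otter.ai/ 0
2024-03-07T09:15:02Z hr1 POST https://assistant.example.com/v1/chat 2048
2024-03-07T09:16:10Z eng2 POST https://www.example.org/search 512
this line is not in the expected format
"""

if __name__ == "__main__":
    for vendor, users in sorted(shadow_ai_report(SAMPLE_EXPENSES, SAMPLE_PROXY).items()):
        print(f"{vendor}: {', '.join(sorted(users))}")
```

On the sample data this reports Jasper (mmanager, from the card feed), OpenAI (sales1, seen both paying and uploading), and Otter (eng2, from the proxy only), while the vetted assistant is silent. In practice the registry is the hard part: it needs an owner, a feed of new AI vendors, and a path for a flagged tool to become an approved one, otherwise the script just documents the problem.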
None of this is revolutionary. It is basic governance hygiene adapted to a new category of risk. The challenge is implementation speed; the tools are proliferating faster than most compliance programs can adapt.
How FirmAdapt Addresses This
FirmAdapt was built on the premise that regulated companies need AI capabilities without the procurement governance risks described above. Because FirmAdapt operates as a compliance-first platform with enterprise-grade data handling, organizations can offer their teams AI functionality within an environment where data processing agreements, access controls, and regulatory guardrails are already in place. This directly reduces the incentive for departments to go find their own tools.
FirmAdapt's architecture keeps sensitive data within controlled boundaries, with audit trails that document what data was processed and how. For companies subject to HIPAA, GLBA, ITAR, FERPA, or similar frameworks, this means the AI tooling question has an answer that procurement, legal, and IT can all agree on, which is the most practical way to close the shadow procurement gap before it creates real liability.