Tags: AI compliance, regulatory, defense, ITAR, CMMC

Swiss Automation, the DOJ Settlement, and the Lesson for Defense Cyber Programs

By Basel Ismail, May 10, 2026

In December 2025, Swiss Automation Inc., a Florida-based defense contractor specializing in fire control systems and weapon station components, agreed to pay $7.5 million to settle allegations that it violated the International Traffic in Arms Regulations (ITAR) over a multi-year period. The Department of Justice and the Directorate of Defense Trade Controls (DDTC) at the State Department jointly announced the consent agreement, which also included a three-year remedial compliance program and an external monitor. The core problem was not espionage, not willful smuggling, not some dramatic spy novel scenario. It was access control failures. Mundane, systemic, and exactly the kind of thing that scales badly when you introduce AI tools into a defense environment.

What Actually Happened

The government's charging documents describe a pattern that will feel uncomfortably familiar to anyone who has managed ITAR compliance in a mid-size defense shop. Swiss Automation had foreign national employees and subcontractors who were given access to ITAR-controlled technical data without the required licenses or exemptions under 22 CFR Parts 120-130. Some of these individuals had access to shared network drives containing controlled technical drawings, specifications, and manufacturing data for items on the U.S. Munitions List (USML).

The violations were not one-off mistakes. They persisted over several years, which is what turned a compliance gap into a DOJ enforcement action. The company's Technology Control Plan (TCP), which ITAR requires for any facility where foreign persons may encounter controlled data, was either inadequate or not enforced. Physical and digital access controls did not align with the company's own stated procedures. Foreign nationals accessed data they should not have been able to reach, and the company's internal systems did not flag or prevent it.

A few specifics from the settlement are worth noting. The $7.5 million penalty was partially suspended, with $4.5 million due immediately and $3 million suspended contingent on compliance. The company also agreed to retain an external compliance monitor for 36 months, fund enhanced training, and implement a new electronic access control system with logging and audit capabilities. DDTC additionally required Swiss Automation to conduct a comprehensive review of all technical data repositories and re-classify materials according to current USML categories.

The Access Control Problem, Stated Plainly

ITAR's deemed export rule (22 CFR 120.17) treats the disclosure of controlled technical data to a foreign person inside the United States as an export to that person's country of nationality. This is one of the most consequential provisions in the entire export control regime, and it is the one that trips up contractors most often. If a Brazilian engineer on your team opens a file containing USML Category IV technical data on a shared drive, you just made a deemed export to Brazil. If you did not have a license for that, you have a violation.

The compliance architecture required to prevent this is not conceptually complicated, but it is operationally demanding. You need accurate personnel nationality records. You need data classification that maps to USML categories. You need access controls that enforce the intersection of those two datasets in real time. And you need audit logs that prove the controls worked. Most mid-size contractors struggle with at least one of these elements, and many struggle with all four.

Where AI Tools Create the Same Exposure

Now layer an AI tool on top of this environment. Consider a retrieval-augmented generation (RAG) system, a document search assistant, a code copilot connected to internal repositories, or even a general-purpose chatbot that has been fine-tuned on company data. Each of these tools creates a new access pathway to controlled technical data, and most of them do not respect the access control boundaries that ITAR requires.

Here is the concrete risk. An AI assistant connected to a shared knowledge base or document repository can surface ITAR-controlled content to any user who queries it, regardless of that user's nationality, clearance level, or need-to-know status. The tool does not check whether the user holds a license. It does not know whether the document it is retrieving is classified under USML Category XI or is just an uncontrolled marketing brochure. It returns the most relevant result, which is exactly what it was designed to do.

This is the Swiss Automation problem restated in software. The shared network drives that foreign nationals accessed without authorization are functionally identical to an AI system that retrieves controlled data without checking the requester's export license status. The mechanism is different; the regulatory violation is the same.

A few specific scenarios worth thinking through:

  • RAG systems indexing mixed repositories. If your vector database includes embeddings from both controlled and uncontrolled documents, the retrieval layer will not distinguish between them unless you have built classification metadata into the index and enforce it at query time. Most off-the-shelf RAG implementations do not support this.
  • Fine-tuned models trained on controlled data. If ITAR-controlled technical data was included in the training set for a model, the controlled information may be reproducible through inference. You cannot "un-train" a model on specific documents, and the deemed export occurs at the point of disclosure, not at the point of training.
  • Cloud-hosted AI services. If your AI tool sends queries or document content to a cloud provider's API, and that provider processes data on servers accessible to foreign nationals (including the provider's own employees), you may have a deemed export problem before any result is even returned to the user. ITAR's reach extends to the processing environment, not just the end user.
  • Multi-tenant environments. AI platforms that serve multiple customers or business units without strict data isolation can inadvertently expose one tenant's controlled data to another tenant's users, including foreign nationals.

The Audit Problem Compounds Everything

Swiss Automation's settlement required the company to implement logging and audit capabilities for its data access systems. This is standard remediation language, and it highlights a gap that AI tools make worse. Most AI systems, particularly generative ones, do not produce granular audit logs that map a specific output to a specific source document and a specific user query. If DDTC or DOJ asks you to demonstrate that no foreign person accessed controlled data through your AI system, you need to be able to reconstruct every query, every retrieval, and every response. The current generation of enterprise AI tools is not built for this level of traceability.

Without that audit trail, you cannot demonstrate compliance. And as Swiss Automation learned, the inability to demonstrate compliance is treated the same as noncompliance when enforcement actions come.

The Regulatory Trajectory

DDTC has been increasingly explicit about the applicability of existing ITAR requirements to digital tools and automated systems. The December 2025 Swiss Automation settlement is consistent with a broader enforcement posture that treats systemic access control failures as seriously as deliberate diversion. The Bureau of Industry and Security (BIS) has taken a parallel approach on the EAR side, with recent guidance emphasizing that AI-assisted processes do not create exemptions from existing deemed export rules. If anything, automated systems that touch controlled data face heightened scrutiny because they can scale violations faster than any individual employee can.

How FirmAdapt Addresses This

FirmAdapt's architecture was designed around the specific problem that sank Swiss Automation: enforcing access control boundaries on data retrieval in environments where regulatory classification matters. The platform maintains document-level regulatory metadata, including USML category, classification level, and applicable license exceptions, and enforces those classifications at query time against user-level attributes including nationality, clearance, and program access. Every query, retrieval, and generated response is logged with full provenance, creating the audit trail that ITAR compliance requires and that most AI tools simply do not provide.

For defense contractors evaluating AI tools, the question is whether the platform was built with export control enforcement as a design constraint or whether compliance was bolted on after the fact. FirmAdapt falls in the first category, which is why its access control model maps directly to the TCP requirements that DDTC expects to see in any facility handling USML-controlled data.
