FirmAdapt is an AI-powered business diagnostics platform that audits companies to expose operational inefficiencies and broken processes. We then deploy custom AI agents, robotic process automation, and engineered solutions to fix the problems we find. Our diagnostic tools include company audits, website audits, competitive intelligence, and faith-based compliance screening.

Does FirmAdapt have a free API?

Yes, FirmAdapt offers free open API endpoints that require no authentication. AI agents and developers can make up to 10 requests per week without signing up. The API supports company profile lookups, faith-based compliance screening, and stock searches across 12 global markets.

What is faith-based stock screening?

Faith-based stock screening analyzes a company's financial ratios and business activities to determine compliance with religious investment guidelines. FirmAdapt supports 9 frameworks including Shariah (AAOIFI, S&P), Christian (BRI), Catholic (USCCB), Jewish (Halakhic), LDS/Mormon, ESG Religious, and Evangelical standards.

Can AI agents use FirmAdapt?

Yes, FirmAdapt is designed for native AI agent integration. It provides an MCP (Model Context Protocol) server for Claude Desktop, Cursor, and other AI tools. AI agents can access company profiles, run faith-based compliance screens, and search stocks across 12 global markets using free open endpoints with no API key required.

What markets does FirmAdapt support?

FirmAdapt supports 12 global markets: US (NYSE/NASDAQ), UK (London Stock Exchange), Germany (XETRA), France (Euronext Paris), Japan (Tokyo Stock Exchange), India (NSE/BSE), Saudi Arabia (Tadawul), UAE (Dubai/Abu Dhabi), Malaysia (Bursa), Indonesia (IDX), Canada (TSX), and Australia (ASX).

Back to Blog

AI complianceregulatoryeducationFERPATitle IX

Title IX, Investigation Documents, and the AI Confidentiality Question

By Basel IsmailMay 28, 2026

Title IX, Investigation Documents, and the AI Confidentiality Question

Title IX coordinators at universities are increasingly being asked to use AI tools in their workflow. Summarize interview transcripts. Draft determination letters. Flag inconsistencies across witness statements. On paper, these are exactly the kinds of tasks that AI handles well. In practice, feeding Title IX investigation documents into an AI tool creates a regulatory collision that most institutions haven't thought through carefully enough.

The core tension is between operational efficiency and two overlapping confidentiality regimes: Title IX's own regulatory framework under 34 C.F.R. Part 106, and FERPA's protections under 20 U.S.C. § 1232g. When investigation documents enter an AI system, the question isn't whether the tool is useful. The question is whether the institution just created a disclosure it can't take back.

What Title IX Confidentiality Actually Requires

The 2020 Title IX regulations (effective August 14, 2020) introduced formal grievance procedures under 34 C.F.R. § 106.45. These procedures require institutions to provide both parties with access to evidence directly related to the allegations, but they also impose confidentiality obligations on the process itself. Section 106.45(b)(5)(iii) requires that all parties and their advisors sign agreements not to disseminate materials provided during the investigation. The institution has an affirmative duty to maintain the integrity of that confidentiality.

The August 2024 regulations (which took effect at institutions not subject to ongoing injunctions) adjusted some of these procedures but didn't relax confidentiality expectations. If anything, the Department of Education's guidance has moved toward stricter handling of investigation records, particularly around how institutions store and share sensitive information about complainants and respondents.

So when a Title IX coordinator uploads a witness statement to an AI summarization tool, the first question is: does that constitute dissemination? If the tool is cloud-hosted, the answer is almost certainly yes under any reasonable reading. The data has left the institution's control. It has been transmitted to a third party's infrastructure. The fact that the third party is a software vendor rather than a person doesn't change the analysis under the regulation's plain language.

The FERPA Layer

Title IX investigation records are, in most cases, also education records under FERPA. The Department of Education confirmed this in its 2015 guidance and again in the preamble to the 2020 regulations. If a document identifies a student (complainant, respondent, or witness) and is maintained by the institution, it falls within FERPA's scope.

FERPA permits disclosure without consent in limited circumstances. The most commonly invoked exception for technology vendors is the "school official" exception under 34 C.F.R. § 99.31(a)(1). This allows disclosure to contractors and consultants who perform institutional functions, but only if the institution maintains "direct control" over the vendor's use of the records and the vendor doesn't re-disclose the information.

Here's where it gets complicated with AI specifically. Most general-purpose AI tools, including the major large language model APIs, have terms of service that permit some level of data retention for model improvement, abuse monitoring, or service optimization. Even when vendors offer data processing agreements, the default configurations often retain inputs for 30 days or longer. OpenAI's API data retention policy, for example, shifted several times between 2023 and 2024. Anthropic and Google have their own retention schedules that vary by product tier.

If an AI vendor retains student data from a Title IX investigation for its own purposes, the institution has arguably lost "direct control" under FERPA. And a FERPA violation isn't a theoretical risk. The penalty is potential loss of all federal funding. For a university receiving Title IV financial aid, Pell Grant funds, and federal research dollars, that exposure can run into hundreds of millions annually. Ohio State, for reference, received approximately $889 million in federal grants and contracts in fiscal year 2023. Nobody is going to pull that trigger over a single incident, but systematic mishandling of FERPA-protected records through AI tools creates the kind of pattern that invites scrutiny.

Practical Risks That Institutions Are Missing

Beyond the regulatory text, there are several practical failure modes worth flagging:

Training data contamination. If investigation documents are used (even inadvertently) to train or fine-tune a model, fragments of testimony could surface in outputs generated for other users. This sounds unlikely until you remember that Samsung engineers accidentally leaked proprietary source code through ChatGPT in April 2023. The mechanism is the same.
Prompt injection and data extraction. Adversarial users can sometimes extract training data or cached inputs from AI systems. A respondent's attorney who discovers that the institution processed investigation materials through a vulnerable AI tool has a strong argument that the institution failed its confidentiality obligations.
Audit trail gaps. Title IX regulations require institutions to maintain records of investigations for at least seven years under 34 C.F.R. § 106.45(b)(10). If an AI tool was used to generate summaries or analysis, the institution needs to document what was sent to the tool, what was returned, and how the output influenced the investigation. Most institutions using AI ad hoc aren't tracking any of this.
Due process challenges. In Doe v. Purdue University, 928 F.3d 652 (7th Cir. 2019), the Seventh Circuit found that a respondent's due process rights were violated in part because of procedural irregularities in how evidence was handled. An AI tool that summarizes testimony inaccurately, or that introduces subtle bias in how it frames allegations, could create similar vulnerabilities. Respondents' counsel are already looking for these arguments.

What a Compliant Approach Looks Like

Institutions that want to use AI in Title IX workflows need to satisfy several conditions simultaneously. The AI system must process data without retaining it beyond the immediate session. It must operate within infrastructure that the institution controls or that is governed by a data processing agreement meeting FERPA's "direct control" standard. It must produce outputs that are auditable and reproducible. And it must be configured so that no student data is used for model training, benchmarking, or any purpose beyond the institution's specific request.

This rules out most consumer-grade and even most enterprise AI tools in their default configurations. It also rules out the common workaround of "just anonymize the documents before uploading," because Title IX investigation records often contain enough contextual detail that re-identification is trivial even without names attached. The Department of Education has consistently held that de-identification under FERPA requires removal of all reasonably identifiable information, not just direct identifiers.

Where FirmAdapt Fits

FirmAdapt was built for exactly this kind of problem. The platform processes documents within a compliance-first architecture where data is not retained beyond the session, is never used for model training, and operates under institutional control consistent with FERPA's school official exception. Audit logging captures what was processed and what outputs were generated, which directly addresses the seven-year recordkeeping requirement under the Title IX regulations.

For Title IX offices evaluating AI tools, FirmAdapt provides a way to get the operational benefits of AI-assisted document review without creating the disclosure and retention risks that come with general-purpose platforms. The configuration is designed around the regulatory requirements rather than retrofitted to approximate them.

Ready to uncover operational inefficiencies and learn how to fix them with AI?

Try FirmAdapt free with 10 analysis credits. No credit card required.

Get Started Free