AI Due Diligence: Pricing AI Risk and Upside in a Target Before You Close

For Private Equity
AI Due Diligence: Pricing AI Risk and Upside in a Target Before You Close
AI diligence has moved from a line in the tech review to a standalone workstream that reprices deals and ends some of them. Here is the six-dimension framework buy-side teams use to quantify what a target's AI is worth, and what it could cost them.
The short version
  • AI diligence is now its own workstream, not a footnote in the technical review. In Bain's 2026 M&A Report, one in five strategic dealmakers walked away from a deal because of the anticipated impact of AI on the target.
  • The discounts are mechanical, not negotiable. Buyers document AI weaknesses and reduce the price, with regulatory, privacy, and technical risks shown to compress AI valuation multiples by 15% to 30%.
  • The same diligence that prices risk also prices upside. A target with owned, embedded AI and a credible roadmap is worth more, not just safer.
  • Six dimensions decide the outcome: ownership, data, model dependency, team concentration, governance, and modularity. Each one can move the multiple or restructure the indemnities.
The part in between
The pillar in this series made the argument that AI now moves the exit multiple, and the buy-side piece showed how a disciplined acquirer prices that into a deal. This article is about the part in between, the hold period, where the thesis either becomes real or quietly does not. It is the hardest part, because building AI that reaches the profit-and-loss statement is a different exercise from buying a company with promising AI or writing a value-creation plan that mentions it. Most AI initiatives never make the trip from a convincing demo to a measurable line in the financials, and a portfolio full of stalled pilots is hold-period time a fund does not get back.
The goal of this piece is practical: how to build owned AI across a portfolio so that it pays back inside the hold, compounds from one company to the next rather than being rebuilt from scratch each time, and arrives at the exit as a documented asset rather than a story. That requires treating AI value creation the way good funds treat every other lever, with prioritization, execution discipline, and measurement against a business case, and it requires a model that solves the constraint most likely to stall it, which is talent rather than capital.
It helps to be clear about what this article is not. It is not a survey of AI use cases, because the right use cases are specific to each company and change quickly. It is an operating argument about how a fund turns AI from a portfolio of hopeful experiments into a managed capability that reliably reaches the financials and the exit. The pieces are prioritization, a two-altitude operating model, a repeatable playbook, and a discipline of building owned, measuring against a business case, and documenting as you go. Each one exists to close the gap between an AI demo and a number a buyer will pay for.
AI diligence is now its own workstream
The adoption numbers explain the urgency. Bain's 2026 M&A Report found that the use of AI tools in dealmaking more than doubled in a single year, to 45% of practitioners, and that about a third of dealmakers now deploy it systematically or are redesigning their M&A processes around it. PwC's 2026 Global M&A Industry Trends goes further and calls AI due diligence essential, advising acquirers to assess a target's AI strategy and roadmap, estimate AI's likely impact over the next three to five years, weigh the operating and capital requirements, and test whether management can actually execute. The throughline is that buyers no longer accept a seller's AI claims at face value, and they no longer treat AI as a subsection of the technical review.
Part of what they are testing for is the distance between AI as a narrative and AI as a working capability, and that distance is wide. McKinsey's 2025 State of AI found that 88% of organizations now use AI in at least one function, up from 78% the year before, but that only about a third have begun to scale it, with most still stuck in piloting. MIT's Project NANDA research went harder, reporting that 95% of generative AI investments had produced no measurable return. A target that talks fluently about AI may have very little that survives contact with a buyer's questions, so the diligence team's first job is to separate the slideware from the systems and to value only what is real.
The downside, when it is real, is priced with little ceremony. FE International's 2026 analysis found that regulatory, privacy, and technical risks can reduce an AI business's valuation multiple by 15% to 30%, and that the discounts stack rather than compete, so a target with both heavy model dependency and a weak data position absorbs both compressions instead of the larger of the two. The EU AI Act sharpens the point, with fines for prohibited practices reaching up to 35 million euros or 7% of global turnover, an exposure buyers fold into either the headline multiple or the indemnity cap, and often both. Across the deals where this plays out, the pattern is consistent: buyers do not negotiate vulnerability findings, they document them and adjust the price.
It would be a mistake, though, to read AI diligence as a purely defensive exercise. Bain frames the core inquiry as a test of opportunity as much as risk: whether AI will upend the target's business model, whether it will move market volumes or pricing, and where it could take meaningful cost out, alongside an honest read of the management team's AI readiness. The same workstream that flags a fragile wrapper also identifies the automation that could lift margin and the proprietary data that could become a moat. Diligence, done well, hands the buyer a value-creation thesis rather than just a list of red flags.
Increasingly, buyers run this workstream with the same kind of technology they are assessing. Bain describes acquirers building outside-in views of a target before a bid is even tabled, scraping public sources to model its cost base, and in one case forecasting within 90% of actuals. McKinsey reports that diligence teams now point AI agents at the data room to read and summarize thousands of files, surface risks earlier, and ground their conclusions in evidence rather than sampling. The irony is instructive: the firms best equipped to judge a target's AI tend to be the ones that have built real AI capability themselves, which is its own argument for treating diligence and engineering as a single muscle rather than two separate ones.
A six-dimension framework for AI diligence
The market is converging on similar checklists. Bain offers five questions, other advisors propose four axes of AI vulnerability, and the legal field now describes AI diligence as the new IP diligence. The framework below consolidates them into six dimensions that together cover both the liability a buyer might inherit and the asset a buyer might be paying for. Used as a structured question bank rather than a vague unease, it turns a feeling about a target's AI into specific, priceable findings.
Two habits make the framework work. The first is to read the dimensions together rather than in isolation, because they compound: heavy model dependency is more dangerous in a company that also has thin governance, and a brilliant data moat is worth less if the rights to that data cannot be cleanly transferred. The second is to score each dimension against evidence rather than assertion, since the entire point of the exercise is to value what is documented and verifiable instead of what management describes from a slide. The same six dimensions, read from the other side of the table, are exactly what a seller should put in order before a process begins.
Dimension What you are testing The risk if it is weak Evidence of a healthy answer
Ownership Whether the company truly owns its models, code, and weights, with clean IP assignment and no untracked license obligations. AI that is not owned cannot be valued as a transferable asset, and licenses may not survive a change of control. Documented chain of title, IP assignments from every contributor, and a full inventory of model and data licenses including open-source terms.
Data The provenance, rights, quality, and durability of the data the AI depends on, including consent and privacy compliance. Tainted or unlicensed training data creates litigation and indemnity exposure; a thin data position means no real moat. Traceable, lawfully sourced datasets with documented rights, a strong privacy posture, and a data advantage rivals cannot easily reproduce.
Model dependency How reliant the company is on third-party foundation models and APIs, and what switching would actually cost. Concentration on a single external provider exposes the business to price, deprecation, and policy changes it does not control. A deliberate model strategy, portability across providers, ownership of differentiating components, and managed cost exposure.
Team concentration Whether AI capability is documented and distributed, or locked inside a few key people. A key-person departure can erase the institutional knowledge that makes the AI work, stranding the asset. Documented systems, more than one person who understands each, and retention structures for the people who matter.
Governance Whether the company has real oversight of its AI: monitoring, bias and safety testing, incident logs, and a credible regulatory posture. Missing governance is both legal exposure and an operational cost the acquirer inherits and has to build. A documented governance program, human oversight in high-stakes uses, audit and incident records, and a clear read on EU AI Act classification.
Modularity Whether AI is embedded in a modular, portable architecture or bolted on in a way that is fragile and hard to extend. Bolted-on AI carries technical debt, resists integration, and is the hallmark of a replaceable wrapper. Clean, modular architecture, manageable technical debt, and AI woven into core workflows with defensible switching costs.
Ownership: can it actually be transferred
Ownership comes first because it decides whether anything else can be valued as an asset at all. The pillar argued that AI earns a premium only when it is owned outright. Diligence is where that ownership is either verified or quietly falls apart. The traditional questions still apply: chain of title, defensible patents, and signed IP assignments from every engineer and contractor. AI adds a layer on top. The license terms for the models in a target's stack do not automatically transfer on a change of control, and many open-source model licenses carry attribution, copyleft, or commercial-use conditions the company has never fully tracked. A rigorous review surfaces every model license in the stack, not just the one on the top-level product, because a single restrictive license buried three layers down can dictate how the acquirer is allowed to deploy the very thing it just bought.
Data: provenance is now a priced liability
Data is where ownership becomes concrete, and where the sharpest new liability lives. Training data provenance has become material to valuations because of how expensive it is to get wrong. In Bartz v. Anthropic, the use and retention of pirated books in model training led to a settlement of 1.5 billion dollars, on the order of 3,000 dollars per work, and the case crystallized three points that now sit in every careful diligence checklist: sourcing matters, retention matters, and discontinuing a bad practice does not erase the historical exposure. So a buyer inventories the training, fine-tuning, and evaluation datasets, traces each one to its source and license, and confirms there were no shadow libraries or prohibited scraping. The same review weighs the upside, because a proprietary, lawfully sourced dataset that competitors cannot reproduce is precisely the kind of data moat that earns a premium rather than a discount. Privacy sits inside the same review, because models can memorize and later surface sensitive inputs, so a careful buyer maps how personal and customer data flows through both training and inference and asks whether the consent and retention practices behind it would survive a regulator's attention.
Model dependency: thinking about it is the difference
Most companies build on someone else's foundation model, and there is nothing wrong with that until it becomes a concentration risk. A target whose product is a thin layer over a single external API inherits that provider's pricing, deprecation schedule, and acceptable-use policy, none of which it controls. Bain's questions about pricing pressure apply directly here: a per-seat or cost-plus model can crack when the capability underneath it is a commodity the customer could call on its own. The diligence question is not whether the company uses third-party models, but whether it has a deliberate strategy around them: portability across providers, ownership of the components that genuinely differentiate the product, and a clear, managed view of how model costs scale with usage. Dependency that has been thought about is manageable. Dependency that has been ignored is a discount waiting to be applied.
Team concentration: the knowledge is the asset
AI capability has a habit of concentrating in a small number of people, and that concentration is a genuine risk to the asset. FTI Consulting has identified talent, not capital, as the primary constraint on scaling AI, and in a smaller company the practical form of that constraint is that one or two people understand how the models were built and why they work. If those people leave after close, the institutional knowledge can leave with them, and the acquirer is left holding systems that no one remaining can safely change. Diligence tests whether the knowledge is documented and distributed rather than tribal, and because integration planning belongs in diligence and not after it, retention bonuses, earn-out incentives, and equity for the people who carry the knowledge are standard tools, used precisely because in an AI business the knowledge is much of what is being bought.
Governance: usually missing, always inherited
Governance is the dimension most likely to be missing entirely in a target, and its absence is both a legal exposure and a cost the acquirer inherits. AI systems make decisions that affect real people, and when a model produces a discriminatory result or a harmful output, someone is accountable. After an acquisition, that someone is frequently the acquirer. The regulatory backdrop is live rather than theoretical. The EU AI Act is already enforceable for prohibited practices and for general-purpose model obligations, with fines reaching 35 million euros or 7% of global turnover. Its heaviest obligations for high-risk systems were deferred under the 2026 Digital Omnibus agreement to late 2027, but the risk-based architecture and the underlying liability are not going away, and parallel rules such as Colorado's AI Act are arriving on their own timelines. Diligence looks for a documented governance program, human oversight in high-stakes applications, evidence of bias audits and red-teaming, and incident logs. A company that has built none of this presents post-close work whose time and cost belong squarely in the deal economics. In regulated sectors the scope only widens, with HIPAA business-associate terms, FDA history for any model treated as a medical device, and a growing set of state health-privacy statutes each adding a diligence thread of its own.
Modularity: asset or wrapper
The final dimension is architectural, and it is often the one that separates an asset from a wrapper. Bolted-on AI, added as a feature without rethinking the system underneath, tends to carry technical debt, resist integration, and fail in ways that are expensive to repair. Modular, portable AI woven into core workflows is the opposite, and it is hard for a competitor to dislodge precisely because it is entangled with how the business actually runs. Bain's own diligence work shows the contrast cleanly. On one engagement the team built a prototype of an AI-native healthcare target's technology from the outside, concluded it could be challenged by incumbents and new entrants, and the sponsor walked. On another, a specialty workflow software company made the better case: AI was embedded in customer workflows with high switching costs, the data and workflow moats were defensible, and management treated AI as a board-level priority. Same diligence question, opposite answers, and in both the architecture was where the answer lived.
Pricing what you find
A framework only matters if it changes the number. Once the six dimensions have been tested, the findings move into the deal in three places. The first is the headline multiple, where stacked weaknesses compress value directly, in the 15% to 30% range FE International documents for regulatory, privacy, and technical risk. The second is the contract, where representations and warranties get tailored to AI, covering clean title to AI assets, lawfully sourced data, and compliance, then backed by indemnities and, where the risk is sharp, escrow. The third is the walk-away, the option a buyer exercises when the exposure is large enough that no price adjustment makes the deal worth doing, which is what one in five dealmakers chose in the past year.
The contract language has grown specific. Buyers now ask for tailored representations that the target has the legal right to use its training data, that its algorithms are original, and that there is no known, undisclosed model bias, then attach indemnities scoped to cover IP infringement, privacy violations, and regulatory penalties. Where diligence finds a problem that is fixable, remediation often moves before close rather than after: destruction of an infringing dataset, disabling training on customer data, or standing up a basic governance program as a condition of the deal. Price is only the most visible lever. Structure carries much of the rest of the risk the findings expose.
The upside flows through the same machinery in reverse. A target that owns its models, holds a defensible data position, has thought through its model dependency, retains its key people, governs its systems, and has built modular architecture is not merely lower risk. It is worth more, and the diligence file becomes the opening draft of the value-creation plan: the automation to prioritize in the first hundred days, the proprietary data to extend, the AI features customers are already paying for. That handoff, from a diligence finding to a built and measured capability during the hold, is where the next article in this hub picks up, on building owned AI across a portfolio.
The framework cuts both ways
The reason to run AI diligence with this much rigor is that the alternative is to be surprised, and surprises in AI diligence are expensive. A missed open-source license, an unlicensed training set, a governance gap, or a single irreplaceable engineer can each outlast the transaction and land on the acquirer's books long after the deal team has moved on. The same framework that guards against those surprises is also the fastest route to the upside, because the dimensions that make AI a liability when they are weak are the very dimensions that make it an asset when they are strong. A buyer who tests all six does not just avoid the bad deals. They price the good ones more confidently than the competition, and they know exactly what to build the day after close.
None of this has to slow a deal down when it is built into the process from the start. The teams that struggle are the ones that bolt AI diligence on at the end, after the financial and technical workstreams have closed, and then have to choose between a rushed assessment and a delayed signing. The teams that do it well fold the six dimensions into the diligence plan on day one, run them in parallel with everything else, and arrive at the investment committee with the target's AI priced as precisely as the rest of the deal.
Get Started
Run AI diligence that prices the risk and the upside.

Our buy-side and sell-side AI assessments quantify the upside, surface model and data risk, and document the AI assets that support a premium, across all six dimensions. You leave with findings you can take into the negotiation and a roadmap you can act on after close. Every engagement runs on Generative-Driven Development and is delivered by certified Forward Deployed Engineers.

Talk to our PE team
Sources
  • Bain & Company, 2026 M&A Report (New Diligence Challenge: Uncovering AI Risks and Opportunities).
  • PwC, 2026 Global M&A Industry Trends.
  • McKinsey, The State of AI 2025.
  • MIT Project NANDA, The GenAI Divide: State of AI in Business 2025.
  • FE International, AI Business Valuation Model 2026.
  • FTI Consulting, 2026 Private Equity AI Radar.
  • Ocean Tomo (J.S. Held), Increasing Exit Multiples: IP and AI Asset Management in M&A Transactions.
  • Bartz v. Anthropic, copyright settlement reporting (Reuters, 2025).
  • EU AI Act (Regulation 2024/1689) and the Digital Omnibus on AI, 2026.