AI Due Diligence: What PE Firms and Investors Need to Evaluate
When a target company says it is “AI-powered,” that claim can mean anything from a sophisticated machine learning platform processing millions of predictions daily to a spreadsheet with an IF statement. The job of AI due diligence is to determine which one you are looking at.
For private equity firms and strategic acquirers, this is no longer a niche concern. AI capabilities are increasingly central to valuations, and the gap between genuine technical moats and marketing narratives is wide.
Why Traditional Tech DD Is Not Enough
Standard technology due diligence covers architecture, scalability, technical debt, and team composition. These remain important, but they do not capture the specific risks introduced by AI and machine learning systems.
AI systems have unique failure modes. Models degrade over time as the data they were trained on becomes stale. Training data may include licensed or scraped content with unclear IP status. Performance metrics presented during the sales process may not reflect production reality.
A due diligence process that treats AI systems like traditional software will miss these risks entirely.
The Five Pillars of AI Due Diligence
1. Technical Architecture
Evaluate the ML pipeline end-to-end: data ingestion, feature engineering, model training, deployment, and monitoring. Is the architecture reproducible, or does it depend on manual steps and tribal knowledge? Are models versioned and auditable?
2. Data Assets
Data is the foundation of any AI system. Assess data provenance, quality, volume, and — critically — ownership. Does the company own the training data, or is it licensed? Are there GDPR or privacy obligations that constrain how data can be used post-acquisition?
3. Model Performance
Request evidence of model performance in production, not just on held-out test sets. Production performance often diverges significantly from development metrics due to data drift, distribution shift, and edge cases that only appear at scale.
4. IP and Defensibility
Determine what is genuinely proprietary. A fine-tuned open-source model is not the same as a model trained on proprietary data with custom architecture. Assess whether the AI capability creates a defensible advantage or whether it can be replicated by a well-resourced competitor in six months.
5. Team and Talent
AI teams are small and specialised. Key-person dependency on the lead ML engineer is a material deal risk. Assess the depth of the team, the bus factor, and whether the knowledge is documented or lives in one person’s head.
Regulatory Exposure
The EU AI Act, GDPR, and sector-specific regulations create compliance obligations that affect both the target’s operations and your post-acquisition integration plan. High-risk AI systems under the EU AI Act require conformity assessments, documentation, and ongoing monitoring.
Identify which of the target’s AI systems fall under regulatory scope and what remediation would cost if they are not currently compliant.
Red Flags to Watch For
The most common red flags in AI due diligence include: models that have not been retrained in over twelve months; no monitoring infrastructure for production models; training data with unclear provenance or licensing; performance metrics that are only measured on test data; and AI capabilities that, on closer inspection, turn out to be rule-based systems or manual processes with an AI label.
What Good Looks Like
A well-run AI operation has versioned models with documented training pipelines, automated monitoring with drift detection, clear data governance and lineage, a team with sufficient depth to avoid single points of failure, and a roadmap that connects AI capabilities to measurable business outcomes.
Finding this level of maturity is rare, but it is the benchmark against which gaps should be measured and priced.
Frequently Asked Questions
What is AI due diligence?
AI due diligence is the process of evaluating the AI and machine learning capabilities of a target company during an investment or acquisition. It covers technical architecture, data assets, model performance, IP ownership, team quality, and regulatory compliance.
How long does AI due diligence take?
A focused AI due diligence engagement typically takes 2-4 weeks, depending on the complexity of the target's AI systems. This includes technical review, team interviews, and documentation analysis.
What are the biggest risks in AI due diligence?
The biggest risks are overstated AI capabilities (manual processes disguised as AI), data quality and ownership issues, key-person dependency on a single ML engineer, and undisclosed regulatory exposure such as GDPR violations or EU AI Act obligations.