AI M&A Due Diligence: A Checklist for Acquirers

Acquiring a company with AI capabilities introduces risks that traditional due diligence processes are not designed to catch. Models degrade. Training data has provenance issues. The entire ML capability may rest on a single engineer who is not staying post-close.

This checklist is designed for PE firms, corporate acquirers, and their advisors. It covers the critical areas that determine whether an AI capability is a genuine asset or an overvalued liability.

1. Technical Architecture Review

• Map the full ML pipeline: data ingestion, preprocessing, feature engineering, training, serving, and monitoring
• Assess whether the pipeline is automated and reproducible, or manual and dependent on tribal knowledge
• Review infrastructure choices: cloud provider lock-in, compute costs, scalability constraints
• Evaluate code quality, test coverage, and documentation standards
• Identify technical debt that would require investment to remediate post-close

2. Data Assets and Provenance

• Inventory all training datasets with provenance documentation
• Assess data ownership: is it proprietary, licensed, open-source, or scraped?
• Review data quality metrics: completeness, accuracy, freshness, and consistency
• Evaluate GDPR and privacy compliance for personal data used in training
• Determine whether data assets are transferable in the event of acquisition
• Assess ongoing data collection mechanisms and their sustainability

3. Model Performance Assessment

• Request production performance metrics, not just development benchmarks
• Compare claimed accuracy against independently verifiable baselines
• Assess for data drift: when were models last retrained, and what triggered retraining?
• Review A/B test results or other evidence of real-world impact
• Evaluate edge case handling and failure mode documentation
• Test model outputs independently where possible

4. IP and Defensibility

• Determine what is genuinely proprietary versus built on open-source foundations
• Review patent filings, trade secret protections, and IP assignment agreements
• Assess whether the AI capability creates a sustainable competitive advantage
• Evaluate the cost and timeline for a competitor to replicate the capability
• Review any open-source license obligations that affect commercialisation

5. Team and Talent Assessment

• Map the AI and ML team by role, tenure, and capability
• Identify key-person dependencies and assess retention risk
• Review hiring pipeline and employer brand in the ML talent market
• Assess documentation quality: could the team be replaced without losing critical knowledge?
• Evaluate management understanding of AI limitations and risks

6. Regulatory and Compliance Review

• Map AI systems against EU AI Act risk categories
• Identify GDPR obligations related to automated decision-making
• Review sector-specific regulatory requirements (financial services, healthcare, etc.)
• Assess current compliance status and remediation costs for any gaps
• Evaluate the target’s approach to algorithmic fairness and bias testing

7. Integration Complexity

• Assess compatibility with the acquirer’s existing technology stack
• Identify data migration requirements and risks
• Estimate the effort required to integrate ML pipelines with existing systems
• Evaluate whether the AI team can operate independently during integration
• Plan for potential model re-training if data sources change post-acquisition

Using This Checklist

Each section should produce a RAG-rated assessment: green (no material issues), amber (manageable issues that require investment), or red (material risks that affect valuation or deal structure). The findings should feed directly into price negotiations, warranty and indemnity discussions, and post-close integration planning.

The most valuable output of AI due diligence is not a pass/fail verdict — it is a clear view of what you are actually buying, what it will cost to maintain and improve, and what risks need to be managed or priced.