Why AI due diligence is different

Traditional technology due diligence asks: does the technology work, does the company own it, and is there a market for it? These questions remain necessary for AI investments. They are not sufficient.

AI creates risks that standard due diligence frameworks are not designed to identify. These include: model performance that degrades on real-world data after performing well on benchmarks; training data with IP or privacy issues that create undisclosed liability; regulatory exposure under EU AI Act, US state laws, or sector-specific regulation that the company has not assessed; and accountability gaps that create operational fragility.

The six dimensions below provide a framework for AI-specific due diligence that complements, rather than replaces, standard technology investment assessment.

Dimension 1: Technology verification

AI performance claims are uniquely susceptible to optimistic framing. A company claiming "93% accuracy" may be measuring on their own test set, drawn from the same distribution as their training data, on a cherry-picked task, against a weak baseline. That 93% may be irrelevant to real-world performance.

Questions to ask:

  • What is the benchmark, and who designed it? Benchmarks designed by the company for their own technology are not independent.
  • What is the test-train split methodology? Leakage between training and test data artificially inflates performance.
  • What does performance look like on out-of-distribution data, inputs that are different from training data in ways the model might encounter in production?
  • What is the performance on the tail of the distribution, the rare but consequential cases that benchmarks often underweight?
  • Has performance been independently validated, and by whom?

Request access to hold-out test data and the methodology. If a company cannot explain its evaluation methodology clearly, that is a red flag about technical quality.
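The two checks above (train/test leakage and performance on out-of-distribution and tail slices) can be scripted once the hold-out set is in hand. The block below is an added example, not code from the article; the transaction data, the `predict` stand-in for the vendor model and the slice definitions are all constructed for illustration.

```python
import hashlib

def fingerprint(record, ignore=("label",)):
    """Hash the normalised feature values so exact and case/whitespace-variant duplicates collide."""
    parts = [f"{k}={str(v).strip().lower()}" for k, v in sorted(record.items()) if k not in ignore]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def leakage_rate(train, test):
    """Fraction of test records whose features also occur in the training set (train/test leakage)."""
    seen = {fingerprint(r) for r in train}
    return sum(fingerprint(r) in seen for r in test) / len(test)

def sliced_accuracy(predict, test, slices):
    """Accuracy (and row count) overall and on each named slice; slices maps name -> predicate."""
    results = {}
    for name, keep in {"overall": lambda r: True, **slices}.items():
        rows = [r for r in test if keep(r)]
        hits = sum(predict(r) == r["label"] for r in rows)
        results[name] = (round(hits / len(rows), 3) if rows else None, len(rows))
    return results

def row(amount, channel, label):
    return {"amount": amount, "channel": channel, "label": label}

# Constructed toy data: the vendor model was fitted on web-channel transactions only.
TRAIN = [row(120, "web", 0), row(1500, "web", 1), row(80, "web", 0), row(2200, "web", 1)]
TEST = [
    row(120, "web", 0), row(1500, "WEB ", 1),       # copies of training rows (one with case/whitespace noise)
    row(60, "web", 0), row(1300, "web", 1),         # in-distribution: web channel, as trained
    row(200, "api", 1), row(150, "api", 1), row(1100, "api", 0), row(40, "api", 0),  # out-of-distribution channel
    row(9000, "web", 0), row(7500, "web", 1),       # tail: rare, large amounts
]

def predict(r):
    """Stand-in for the vendor model (hypothetical): flags any transaction above 900 as fraud."""
    return 1 if r["amount"] > 900 else 0

TRAIN_FPS = {fingerprint(r) for r in TRAIN}
SLICES = {
    "unleaked_only": lambda r: fingerprint(r) not in TRAIN_FPS,
    "web_in_distribution": lambda r: str(r["channel"]).strip().lower() == "web" and r["amount"] < 5000,
    "api_out_of_distribution": lambda r: str(r["channel"]).strip().lower() == "api",
    "tail_amount_ge_5000": lambda r: r["amount"] >= 5000,
}

if __name__ == "__main__":
    print("leakage rate:", leakage_rate(TRAIN, TEST))
    for name, (acc, n) in sliced_accuracy(predict, TEST, SLICES).items():
        print(f"{name:24s} accuracy={acc} n={n}")
```

On this toy set the headline accuracy is 0.6, but it drops to 0.5 once the leaked rows are removed, and the out-of-distribution slice is at 0.25, which is the gap between a benchmark number and production performance that the questions above are meant to surface.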

Dimension 2: Data provenance

Training data is the foundation of any AI system, and data problems create liability that is difficult to price and impossible to fully remediate after discovery.

The IP risk: Has the training data been licensed for AI training use? Web-scraped data, content from creative platforms, and copyrighted text may have been used without adequate licensing. Courts in multiple jurisdictions are now adjudicating AI training data IP cases, and the outcomes are creating precedent with retroactive risk implications.

The privacy risk: Does the training data include personal information about individuals who consented to its original collection but not to AI training? GDPR, Australian Privacy Act, and US state privacy laws create obligations around personal data use that training data often does not meet.

The quality risk: Is the training data accurately labelled, representative of the intended use case, and free from the biases that produce discriminatory outputs?

Questions to ask:

  • What are all of the training data sources, including any web-scraped or third-party licensed data? Request a full accounting.
  • For each source, what is the licensing basis for AI training use?
  • Has legal counsel assessed the training data provenance for IP and privacy compliance?
  • What bias testing has been conducted on training data and model outputs?

Dimension 3: Model governance

Model governance is the operational infrastructure that determines whether an AI system remains reliable, fair, and compliant over time. Its absence is a leading indicator of operational incidents.

Questions to ask:

  • What monitoring is in place for model performance in production? What metrics? What alert thresholds?
  • How is model drift detected and addressed?
  • What is the incident response process for model failures?
  • Who is accountable for model performance, and how is that accountability documented?
  • What is the retraining cadence, and what triggers an emergency retraining?

The absence of answers to these questions does not mean incidents will occur. It means incidents will not be detected before they accumulate into a crisis.
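A concrete form of the production monitoring and drift detection asked about above is a distribution-shift metric on the model's output scores, checked against alert thresholds per window. The block below is an added example, not from the article or any vendor's tooling; it uses the Population Stability Index, the threshold values are the common PSI rules of thumb (assumed here), and the reference and daily windows are constructed.

```python
import math

def psi(reference, production, bins=5):
    """Population Stability Index of `production` scores against `reference` scores (0 = identical)."""
    ref = sorted(reference)
    edges = [ref[len(ref) * i // bins] for i in range(1, bins)]  # cut points at reference quantiles
    def shares(values):
        counts = [0] * bins
        for v in values:
            counts[sum(v > e for e in edges)] += 1
        return [max(c / len(values), 1e-6) for c in counts]  # floor keeps log() finite for empty bins
    return sum((p - r) * math.log(p / r) for r, p in zip(shares(reference), shares(production)))

# Alert thresholds: the common PSI rules of thumb, assumed here rather than taken from the article.
THRESHOLDS = ((0.25, "ALERT"), (0.10, "INVESTIGATE"), (0.0, "STABLE"))

def drift_status(reference, window):
    """Classify one production window; returns (status, psi)."""
    value = psi(reference, window)
    return next(label for limit, label in THRESHOLDS if value >= limit), round(value, 4)

def monitor(reference, windows):
    """Score each (window_id, scores) pair against the reference; returns [(window_id, status, psi)]."""
    return [(wid, *drift_status(reference, scores)) for wid, scores in windows]

# Constructed data: reference = model scores on the validation set; windows = daily production scores.
REFERENCE = [i / 100 for i in range(100)]
WINDOWS = [
    ("day-1", [i / 100 + 0.003 for i in range(100)]),      # same shape, negligible offset
    ("day-2", [i / 100 + 0.105 for i in range(100)]),      # scores creeping upward
    ("day-3", [0.6 + 0.4 * i / 100 for i in range(100)]),  # scores collapsed into the top bins
]

if __name__ == "__main__":
    for wid, status, value in monitor(REFERENCE, WINDOWS):
        print(f"{wid}: PSI={value:.4f} -> {status}")
```

The same function works on any numeric feature, not only output scores, so the reference can be the training-time distribution of each input the model depends on.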

Dimension 4: Regulatory exposure

AI-specific regulation is now in force across multiple major markets. Companies that have not assessed their regulatory exposure have unpriced risk on their balance sheet.

EU AI Act: Any company with EU customers whose AI systems touch employment, credit, healthcare, education, or other Annex III categories faces direct compliance obligations. These include conformity assessment, technical documentation, and human oversight requirements. Penalties reach 7% of global annual turnover.

US state laws: Connecticut SB5, Texas TRAIGA, California transparency requirements, and a growing patchwork of state laws create obligations for companies operating across US states.

Sector-specific regulation: Financial services AI is regulated by banking and securities regulators in most jurisdictions. Healthcare AI faces medical device regulation pathways. These create additional compliance layers.

Questions to ask:

  • Has the company conducted an EU AI Act classification assessment? Which of their AI systems are high-risk?
  • Has legal counsel reviewed compliance obligations under applicable state AI laws?
  • For regulated sectors (financial services, healthcare), has the AI system been assessed against sector-specific regulatory requirements?
  • What is the company's total regulatory compliance cost, and what is the estimated liability for current non-compliance?

Dimension 5: Accountability structures

AI governance maturity correlates with operational quality. Companies that have documented accountability, clear ownership of AI systems, and established processes for managing AI risk tend to have better operational control across the board.

Minimum viable governance: Named owner for each AI system; documented AI usage policy; incident response process; regular review cadence.

Advanced governance indicators: Board-level AI risk reporting; independent model validation; alignment with ISO 42001 or NIST AI RMF; trained AI risk function.

Questions to ask:

  • Who is accountable for each AI system, by name and role?
  • What is the company's AI incident response process? When was it last tested?
  • Has the company had any AI-related incidents, and how were they handled?
  • What board-level visibility exists for AI risk?

Dimension 6: Exit readiness

Enterprise acquirers are conducting AI due diligence that is increasingly sophisticated. A company without adequate AI governance documentation faces valuation risk at exit, either from discovery of previously unknown risk, or from the cost of implementing governance that acquirers require as a condition of closing.

Strategic acquirer requirements: Large enterprise companies in financial services, healthcare, and government contracting have AI governance standards that acquisition targets must meet or remediate. Undocumented AI governance creates closing risk.

IPO readiness: Public market investors and securities regulators are asking AI risk disclosure questions that require documented governance to answer accurately.

Questions to ask:

  • What AI-related disclosures has the company made to regulators, investors, and customers to date?
  • What documentation exists that would satisfy an enterprise acquirer's AI due diligence?
  • What is the estimated cost and timeline to implement governance that would meet enterprise acquirer standards, if current governance is inadequate?

The answers to these six dimensions do not determine whether to invest. They determine at what valuation, with what representations and warranties, and with what post-investment governance requirements.