What PE Firms Get Wrong About AI Due Diligence

Private equity firms have spent decades perfecting financial due diligence. They can dissect a balance sheet, stress-test a revenue model, and identify accounting irregularities with surgical precision. But when it comes to AI risk in portfolio companies and acquisition targets, even sophisticated firms are flying blind.

The problem isn't that PE firms ignore technology risk. Most deal teams include a technology diligence workstream. The problem is that traditional technology due diligence — evaluating infrastructure maturity, technical debt, team capabilities, and system architecture — was designed for a world of deterministic software. AI introduces an entirely different category of risk that conventional diligence frameworks do not capture.

And the stakes are substantial. An acquisition target's AI systems can harbor regulatory liabilities, create data provenance issues that invalidate the technology's value, or depend on vendor relationships that are more fragile than they appear. These risks don't show up on a balance sheet. They show up after closing, when they're your problem.

What Financial Due Diligence Misses

Traditional deal diligence evaluates technology as an asset category: infrastructure, software, intellectual property, team. AI demands evaluation as a risk category that cuts across all of these and introduces unique dimensions that conventional frameworks miss.

Revenue concentration on AI that doesn't work as advertised. A growing number of companies market themselves as "AI-powered" to command premium valuations. In diligence, the question isn't whether the company uses AI — it's whether the AI is actually producing the outcomes the revenue model depends on. We've seen targets where the "AI" is a set of rules dressed up with machine learning terminology in the pitch deck, where model accuracy has degraded to the point that human operators are silently overriding outputs, or where the AI works on the training data but fails on production data. Each of these scenarios represents a valuation risk that financial due diligence will not uncover.

Regulatory exposure that hasn't materialized yet. AI regulation is accelerating globally. The EU AI Act is in enforcement. U.S. agencies — the FTC, CFPB, EEOC, and state attorneys general — are actively pursuing AI-related enforcement. An acquisition target using AI in hiring (EEOC jurisdiction), credit decisioning (CFPB and ECOA), healthcare (FDA and HIPAA), or consumer-facing recommendations (FTC Section 5) carries regulatory exposure that may not have crystallized into enforcement actions or lawsuits yet, but represents a contingent liability that should be quantified in the deal model.

Data liabilities disguised as data assets. In AI companies, data is often presented as a core asset. But data that was collected without adequate consent, scraped from sources that have since restricted use, or derived from populations that create bias in model outputs is not an asset — it's a liability. Data provenance issues can invalidate an AI system's legal basis for operation, particularly under GDPR, CCPA, and the EU AI Act's data governance requirements for high-risk systems.

The Four Pillars of AI Due Diligence

PE firms that want to properly assess AI risk in acquisitions need to evaluate four dimensions that go beyond traditional technology diligence:

1. Data Provenance and Governance

Where did the training data come from? This is the foundational question, and the one that most deal teams skip. A company's AI is only as defensible as its data.

Assess: Was training data collected with appropriate consent and legal basis? Does the company have documented data lineage for its AI training sets? Has the data been evaluated for bias and representativeness? Are there any pending or potential claims related to data collection practices? If the target scraped web data, used data from terminated partnerships, or collected data under privacy policies that didn't contemplate AI training, the data asset may be encumbered.

This matters for valuation because data provenance issues can force a company to retrain models from scratch — a process that can take months and millions of dollars — or abandon product lines entirely.

2. Model Risk and Performance

AI models are not static software. They degrade. They drift. They fail in ways that are difficult to detect without purpose-built monitoring.

Assess: What is the current performance of each production AI model against its original benchmarks? Is there evidence of model drift? How frequently are models retrained, and what triggers retraining? Has the company conducted bias and fairness testing across the populations its models affect? Are there any known failure modes, and how are they mitigated?

We've seen acquisitions where the target's "proprietary AI" was a model fine-tuned on a foundation model that the vendor could deprecate at any time. We've seen targets where model accuracy had degraded by 30% over 18 months with no retraining. These findings change deal economics.

3. Vendor Lock-in and Dependency

Many companies that describe themselves as AI companies are, in practice, thin application layers on top of third-party AI infrastructure. This creates a dependency risk that is often invisible in traditional technology diligence.

Assess: What percentage of the target's AI capabilities depend on third-party models or APIs (OpenAI, Anthropic, Google, AWS)? What happens if a key vendor changes pricing, terms of service, or discontinues a model? Does the target have the internal capability to build or retrain models independently? What are the contractual terms around vendor model changes, data usage, and service continuity?

Vendor lock-in in AI is more acute than in traditional SaaS because switching AI providers often requires retraining models, redesigning prompts, and re-validating outputs — a process that can take quarters, not weeks. For a PE firm modeling a five-year hold, this dependency risk should be explicitly valued.

4. Regulatory Exposure

AI regulation is not a future state. It is a current reality that varies by jurisdiction, sector, and use case. The diligence question is not "could this company face AI regulation?" but "what regulations already apply and what is the compliance posture?"

Assess: In what jurisdictions does the target operate, and what AI-specific regulations apply? Does the target deploy AI in high-risk categories under the EU AI Act (employment, credit, insurance, law enforcement, critical infrastructure)? Has the target conducted the conformity assessments, risk assessments, and documentation required by applicable regulations? Are there any regulatory inquiries, enforcement actions, or complaints related to the target's AI systems?

For cross-border acquisitions, the EU AI Act's extraterritorial reach means that any AI system whose outputs affect EU residents is potentially in scope, regardless of where the company is headquartered. This is a material compliance exposure that should be quantified.

Real-World Patterns We See

Several patterns recur in AI due diligence that PE firms should watch for:

The "AI" that isn't. The company markets AI but the actual product runs on rules-based logic with minimal machine learning. This isn't necessarily a problem — unless the valuation multiple was based on AI capabilities that don't exist.

The single-model dependency. The entire product depends on one model that was built by a founder who left. No one remaining can retrain or meaningfully modify it. This is a key-person risk disguised as a technology risk.

The data time bomb. Training data was collected under terms that don't survive scrutiny — web scraping of copyrighted content, data from partners who have since revoked permission, or personal data collected without consent adequate for AI training under current regulations. These issues often don't surface until post-acquisition, when they become materially expensive to remediate.

The compliance gap. The target is deploying AI in a regulated domain (lending, hiring, insurance) with no documented risk assessment, no bias testing, and no compliance framework. The AI works, but its use is legally indefensible. Closing this gap post-acquisition requires significant investment in compliance infrastructure.

Integrating AI Diligence into the Deal Process

AI due diligence does not need to be a separate, parallel workstream that slows the deal. It needs to be integrated into existing diligence, with specific questions added to the technology, legal, and regulatory workstreams.

For deal teams, three practical steps:

Add AI-specific questions to the diligence request list. Request the AI system inventory, training data documentation, model performance metrics, vendor agreements for AI services, and any regulatory correspondence related to AI. If the target cannot produce these documents, that absence is itself a finding.

Include AI risk in the deal model. Quantify identified AI risks as contingent liabilities or post-close remediation costs. Model the cost of compliance investments needed to bring AI systems into regulatory compliance. Adjust the valuation for vendor dependency risk and data provenance issues.

Build AI governance into the 100-day plan. Post-close, establish AI governance as a priority for portfolio company management. Implement an AI inventory, assign risk ownership, and begin building the compliance and monitoring infrastructure that the target likely lacks.

The firms that build AI due diligence capabilities now will make better investment decisions, avoid hidden liabilities, and create more resilient portfolio companies. The firms that treat AI as a marketing buzzword rather than a risk category will learn the hard way that what you don't diligence, you inherit.