AI Due Diligence: IP Audit, Regulatory Review, and Liability Assessment for AI Investments

3–9 weeks

Typical engagement

EU · UK · US · Global

Jurisdictions covered

VC · PE · Corporate M&A

Who we work with

Training data is a hidden liability

The models you're buying were trained on data. If that data was scraped without rights, licensed under terms that restrict commercial use, or collected without proper consent, the liability travels with the model. Standard IP due diligence doesn't ask the right questions about training data provenance.

EU AI Act exposure isn't priced in

An AI company with high-risk systems and no governance documentation faces months of remediation work — and potential enforcement exposure — after closing. If this isn't discovered in due diligence, it's not captured in price, warranties, or indemnities. It becomes the acquirer's problem.

Change of control clauses block integration

AI companies often have enterprise contracts with change-of-control provisions, model-use restrictions, or exclusivity terms that make post-acquisition integration difficult or impossible without client consent. These are discoverable only through careful contract review — and they affect deal structure, not just risk.

Founder IP is the most common gap — and the most expensive to fix

A co-founder wrote the core model before the company was incorporated. Another contributor built the dataset under a contractor arrangement with no written assignment. Standard DD asks whether IP assignments exist — AI DD verifies what they actually cover and whether the chain of title to the model is complete. Gaps found after closing become the acquirer’s remediation problem.

✓

✓

✓

✓

✓

✓

✓

✓

✓

✓

✓

✓

Step 01

Scope and data room setup

Week 1

We agree the DD scope with your deal team, issue a customised AI-specific document request list, and review initial materials as they come in. We flag priority gaps early so they can be addressed during the process.

Step 02

IP and data audit

Weeks 1–3

We work through the IP chain: founder and key employee assignments, contractor agreements, training data licenses and provenance, open-source component audit, and third-party model licenses. We identify gaps and assess materiality.

Step 03

Regulatory and contract review

Weeks 2–4

We assess EU AI Act readiness against the company's actual systems and documentation. We review key customer and vendor contracts for liability exposure, change-of-control issues, and post-acquisition integration constraints.

Step 04

Report and deal structuring

Weeks 3–9

We deliver the red-flag report and DD memo, with risk ratings, financial exposure estimates where possible, and recommended deal protections — conditions precedent, specific indemnities, price adjustments, and post-closing covenants.

VC Fund · Luxembourg · Series B

Accelerated AI DD for a Series B infrastructure investment

Context

European VC fund leading a Series B in an AI infrastructure startup. Key assets: proprietary models and unique datasets. Material concerns around IP ownership chain, training data provenance, and EU AI Act readiness.

⏱ 3–4 weeks Outcome: key risks addressed in deal terms

Strategic Acquirer · Germany · M&A

Full legal DD for AI startup acquisition by a public tech company

Context

German public technology company acquiring an AI startup for product integration in EU and US markets. Key risks: IP chain integrity, training data liability, change-of-control provisions in enterprise contracts, and EU AI Act compliance gap.

⏱ 5–7 weeks Outcome: clean acquisition, integration roadmap at closing

PE Fund · UK · Platform Roll-up

Platform-level DD across multiple AI targets

Context

UK PE fund acquiring several niche AI companies (models, vertical solutions, data platforms) across UK, Germany, and US to build an integrated platform. Required both individual target DD and aggregated platform-level risk assessment.

⏱ 6–9 weeks Outcome: platform strategy with known risk profile

Standard technology DD focuses on code ownership, open-source license compliance, and key person risk. AI DD adds three layers that standard DD typically misses: training data provenance and rights (the liability that travels with the model), regulatory compliance under the EU AI Act (which creates ongoing obligations and enforcement risk), and AI-specific contract terms (model-use restrictions, output ownership, liability for AI errors) that don't appear in standard software agreements. Investors who apply standard tech DD to AI companies systematically underestimate the risks they're acquiring.

Training data provenance is the legal history of the data used to train an AI model — where it came from, under what license or consent it was collected, and whether that license permits the intended commercial use. If a model was trained on scraped data, data licensed only for research, or data collected without GDPR-compliant consent, the commercial use of that model creates legal exposure that the acquirer inherits. In some cases, the only remedy is retraining the model — which can be expensive and time-consuming. We assess training data provenance as a core component of every AI DD.

We review whether the target company has: inventoried its AI systems and classified them by risk level; prepared Annex IV-equivalent technical documentation for high-risk systems; implemented risk management and human oversight procedures; and established a governance framework with documented policies. We rate the current compliance posture against EU AI Act requirements and estimate the remediation cost and timeline for the gaps. This feeds directly into deal structuring — conditions precedent, purchase price adjustments, or post-closing covenants.

The most frequent issues are: missing IP assignments from co-founders who contributed code or models before formal incorporation; contractor-developed code or models without written assignment agreements; training data used under licenses that don't permit commercial exploitation; open-source components with copyleft licenses (GPL, AGPL) embedded in proprietary products without licence compliance; and in some cases, models that incorporate third-party foundation model weights in ways that conflict with the upstream license. These gaps are discoverable in DD and addressable through conditions precedent or purchase price adjustment.

Many enterprise AI contracts include change-of-control clauses that give the customer the right to terminate or renegotiate the agreement if the vendor is acquired. For an acquirer relying on the target's customer base as part of the investment thesis, these clauses are deal-critical. We identify all customer contracts with change-of-control provisions during DD, assess the likelihood of exercise, and advise on pre-closing consent strategy and deal structure to manage the risk.

For an accelerated red-flag review ahead of an early-stage VC round, typically 2–3 weeks. Full legal DD for a Series B or M&A transaction covers 4–7 weeks depending on the complexity of the IP chain, the number of customer contracts, and the regulatory compliance posture. Platform-level DD across multiple targets runs 6–9 weeks. We work to your deal timeline and can prioritise the highest-risk areas if time is constrained.

Yes. We conduct AI DD across EU, UK, and US targets. The legal frameworks differ — US IP law (work for hire, copyright registration), UK law (post-Brexit GDPR equivalent), and EU law (GDPR, EU AI Act) — but the core DD questions around IP ownership, training data rights, and liability are consistent. For multi-jurisdiction targets, we coordinate coverage across applicable legal systems and deliver a unified report.

We deliver: a red-flag report summarising the highest-priority risks with severity ratings; a full DD memo covering all areas reviewed with supporting analysis; risk quantification where exposure can be estimated (e.g., retraining costs, GDPR fine exposure, contract termination value); recommended deal protections (specific conditions precedent, warranty language, indemnity provisions, price adjustment mechanisms); and a post-closing remediation roadmap for the issues that will need to be addressed after signing.