AI Legal Due Diligence Checklist: What Standard Tech DD Misses

AI-Specific Legal Due Diligence: What Standard Tech DD Misses

The standard tech DD checklist was built for SaaS companies. AI companies have a different IP structure, a different regulatory exposure, and contract risks that simply do not appear in software DD. Here is what experienced AI investors and M&A counsel add to the standard list.

The AI DD Gap

Why Standard Tech DD Falls Short for AI Companies

Standard tech DD was designed to surface the risks that matter for software businesses: code ownership, customer contracts, regulatory exposure, employment terms. For AI companies, those categories still apply — but they require a fundamentally different interrogation. Our AI Due Diligence practice covers the full range. Start with the overview at AI Due Diligence.

For Investors and M&A Counsel
Standard tech DD checklists were built for software companies. AI companies have unique IP risks — training data provenance, upstream model licenses, change-of-control clauses in API agreements — that standard lists miss entirely.

The reason standard checklists fail is structural. Traditional SaaS companies own their IP clearly: the code was written by employees under work-for-hire agreements, customer data is held under a well-understood licence, and the product is not legally a “model.” AI companies are different in at least three ways.

First, the core IP asset — a trained model — is a composite work that inherits properties from its training data, its base model, its fine-tuning process, and its inference configuration. Each of those layers may have a different owner, licensor, or restriction. Standard IP reviews look for ownership; AI DD must additionally trace the full provenance chain.

Second, AI companies are dependent on third-party providers in a way that creates contractual risk at exit. API agreements with major model providers typically contain change-of-control provisions that have never been tested at acquisition. An acquisition may trigger automatic termination of agreements that underpin the entire product. Standard contract review does not surface this risk.

Third, the EU AI Act creates a new category of pre-close regulatory exposure. If an AI company operates a system that will be classified as high-risk under the Act, the acquirer inherits that compliance obligation at closing. Standard regulatory reviews check for GDPR and sector licences. They do not check for AI Act classification, conformity assessment requirements, or Article 4 literacy obligations.

AI-Specific Gaps

Five Things Standard Tech DD Misses

These are the categories where standard DD provides inadequate coverage for AI targets. Each one has produced deal-level consequences in AI M&A transactions.

1. Training Data Provenance (IP Risk)

Standard DD checks that the company owns its code. It does not check how the training data was sourced, whether commercial rights exist to use it for training, or whether the data was scraped from sources that prohibit commercial reuse. For AI companies, the training dataset is often the most valuable asset — and the one with the most opaque ownership chain.

DD Risk: Post-close discovery of unlicensed training data can expose the acquirer to third-party copyright claims and require re-training the model — often at greater cost than the acquisition itself.

2. Upstream Model Licenses (Contract Risk)

AI companies typically build on top of foundation models — open-source or commercial. Open-source models may carry viral licence terms (GPL, LGPL) that affect how the fine-tuned model can be distributed or commercialised. Commercial API agreements almost universally contain change-of-control clauses that trigger termination or re-pricing on acquisition.

DD Risk: An acquisition may trigger automatic termination of the model API agreement that the entire product relies on — with no obligation on the provider to grant a new agreement. Full API agreement review is non-negotiable in AI DD.

3. EU AI Act Classification (Regulatory Risk)

The EU AI Act creates tiered obligations for AI systems based on their risk classification. A system that qualifies as “high-risk” under Annex III — including systems used in employment, credit, healthcare, and law enforcement contexts — requires conformity assessments, technical documentation, human oversight mechanisms, and registration before deployment. This compliance obligation transfers on acquisition.

DD Risk: Acquirer inherits full EU AI Act compliance obligations at close, including any existing non-compliance. Unresolved classification gaps are a valuation discount trigger and may require escrow or regulatory representations.

4. AI Provider Change-of-Control (Contract Risk)

Major AI providers — OpenAI, Anthropic, Google, Mistral — include change-of-control provisions in their API terms that can trigger termination, rate limit reduction, or pricing renegotiation when the API customer is acquired. These clauses have rarely been tested in major acquisitions, creating significant uncertainty. Standard contract review often categorises API agreements as “low-value supplier” and does not flag the change-of-control risk.

DD Risk: If the AI product is deeply integrated with a single provider’s API, a change-of-control termination clause can render the acquisition value-less within 30 days of close. Provider concentration risk must be assessed alongside change-of-control terms.

5. Founder IP Assignment of AI Assets (IP Risk)

Standard IP review checks that the company has a generic IP assignment from founders. AI DD must verify that the assignment specifically covers model weights, training datasets, fine-tuned artefacts, and research created before incorporation. A generic “all intellectual property” assignment may not be sufficient to capture assets that did not exist in recognisable form when the agreement was signed.

DD Risk: The most valuable assets in an AI acquisition — the trained model and its associated dataset — may be legally owned by the founders personally rather than the target company. This is one of the most common gaps found in AI transaction DD.

Related Analysis
For a detailed breakdown of what investors check at Series A — including IP chain integrity and the corporate structure gaps that trigger deal conditions — see What Do Investors Check About Your Corporate Structure at Series A?
Coverage Comparison

Standard DD vs AI DD: Category-by-Category Mapping

For each DD category, the mapping below lists what standard tech DD covers and the AI-specific items it misses. Use this as a gap analysis starting point for your next AI transaction.

Standard DD vs AI DD — Gap Mapping

IP

Standard Tech DD Coverage:
Source code ownership and work-for-hire review
Trade mark registration and domain portfolio
Patent applications and granted patents
Open-source licence compliance (software)
Founder and employee IP assignment agreements

AI-Specific Gaps to Add:
Training data provenance — source, commercial rights, licence chain [Gap]
Model weights ownership — specific itemised assignment from founders [Gap]
Fine-tuned artefacts — separately assigned or still with founder personally [Gap]
Upstream base model licences — OSS viral terms, commercial restrictions
AI output ownership — third-party IP embedded in generated outputs

Contracts

Standard Tech DD Coverage:
Material customer contracts — termination, renewal, assignment
Supplier and vendor agreements
Change-of-control provisions in material contracts
SaaS subscription terms and data processing agreements
Exclusivity and non-compete provisions

AI-Specific Gaps to Add:
AI API provider agreements — change-of-control trigger clauses [Gap]
Provider concentration risk — single-provider dependency at acquisition [Gap]
MSA AI clauses — indemnity for AI-generated outputs in enterprise contracts [Gap]
Training data licences — commercial use permissions, no-training restrictions
Customer data usage rights for AI training — DPA AI training clauses

Compliance

Standard Tech DD Coverage:
GDPR and data protection compliance review
Sector-specific regulatory licences
Employment law compliance
Anti-bribery and sanctions screening
Data breach history and pending enforcement

AI-Specific Gaps to Add:
EU AI Act risk classification — high-risk, limited-risk, or GPAI determination [Gap]
Conformity assessment status for high-risk AI systems [Gap]
Article 4 AI literacy obligation — staff training records [Gap]
GPAI model obligations for providers of general-purpose AI
UAE / UK AI regulatory readiness — PDPL AI, ICO guidance compliance

Employment

Standard Tech DD Coverage:
Employment contracts — key man, notice periods
Non-compete and non-solicitation agreements
Equity and option plan review
Contractor classification and IR35 / misclassification risk
Pension and benefits obligations

AI-Specific Gaps to Add:
AI-specific IP assignment — does it cover model weights and datasets explicitly? [Gap]
Pre-incorporation IP assignment — work created before employment began [Gap]
Researcher and academic founder IP — university IP policy waivers
Key person risk in AI research team — retention arrangements post-close
Article 4 literacy training records — who has been trained and documented

Technology

Standard Tech DD Coverage:
System architecture and scalability review
Security posture and penetration test results
Infrastructure dependency and cloud provider concentration
Uptime, SLA performance and incident history
Source code quality and technical debt assessment

AI-Specific Gaps to Add:
Model provenance — training pipeline, data lineage, reproducibility [Gap]
Compute dependency — GPU availability, training cost per version [Gap]
Model versioning and rollback capability — can the model be re-trained?
Bias testing and evaluation records — required for EU AI Act high-risk
Inference infrastructure — proprietary vs provider-dependent serving stack

Full AI DD Checklist

AI Legal Due Diligence: 8-Point Checklist

Use this checklist to track completion of AI-specific DD items. These are items that sit on top of — not instead of — a standard tech DD review.

IP & Training Data

1. Training data provenance reviewed — commercial rights, scraping legality, licence chain [IP Critical]
Obtain data register, source documentation and any data licence agreements. Verify no “no-training” restrictions.

2. Founder IP assignment reviewed — specifically covers model weights, datasets and fine-tuned artefacts [IP Critical]
Generic “all IP” clauses are insufficient. Verify itemised schedule exists for each AI asset category.

3. Contractor IP assignments confirmed — all external contributors to pre-incorporation development [IP Risk]
Review all freelancer, consultant and research collaborator engagements. Flag anyone without a signed assignment.

Contracts & Provider Risk

4. All AI provider API agreements reviewed for change-of-control clauses [Deal Risk]
Identify termination triggers, rate limit provisions and re-pricing rights. Assess single-provider concentration risk.

5. Upstream base model licences reviewed — OSS viral terms, commercial use restrictions [Licence Risk]
Check OSI licence type for open-source base models. Review commercial API terms for output ownership and sublicensing rights.

6. Customer MSA AI clauses reviewed — indemnity for AI outputs, data usage for training [Contract]
Check enterprise contracts for AI-specific indemnity obligations and whether customer data usage for training is permitted.

Regulatory & AI Act

7. EU AI Act risk classification completed — high-risk, limited-risk or GPAI determination [Regulatory]
Map product use cases against Annex III. Verify conformity assessment status for any high-risk determination. Check GPAI obligations if applicable.

8. Article 4 AI literacy obligations assessed — staff training records reviewed [Compliance]
EU AI Act Article 4 requires providers and deployers to ensure staff have sufficient AI literacy. Verify training policies and documentation exist.

Running AI DD on a live deal? WCR Legal provides specialist AI legal due diligence for investors and M&A counsel — covering all five gap categories with deal-timeline turnaround.
Frequently Asked Questions
AI due diligence — investor and M&A counsel questions
1. At what stage of a transaction should AI-specific DD be commissioned?

AI-specific legal DD should begin as early as the initial data room review — ideally at the same time as standard IP and contract review, not as a separate phase after it. The reason is sequencing: the most consequential AI DD findings — training data provenance gaps, change-of-control triggers in API agreements — affect deal structure, escrow requirements and representations and warranties. These need to be identified before deal terms are finalised, not after signing.

In practice, commissioning AI DD as a standalone workstream after standard DD is complete means re-reviewing documents already reviewed, which wastes time and budget. Build AI-specific questions into the standard DD questionnaire from the outset.

2. How does a training data provenance gap affect deal structure?

A provenance gap — where there is insufficient evidence that training data was lawfully obtained and the company has commercial rights to use it — is typically addressed in one of three ways. First, representations and warranties from the seller about data ownership and licence chain, backed by W&I insurance if available. Second, an escrow arrangement sized to the estimated cost of re-training or re-curating the affected data. Third, a price reduction reflecting the contingent liability.

The worst outcome is discovering the gap post-close, when the acquirer bears the full cost of third-party copyright claims with no recourse. For detailed analysis of training data provenance requirements see our article on Training Data Provenance in M&A.

3. What happens if an API provider’s change-of-control clause is triggered at close?

This depends on the specific clause wording. Some change-of-control provisions give the provider a right to terminate on notice — typically 30 to 90 days. Others require the acquirer to re-apply for access or re-negotiate pricing. In the most restrictive cases, the agreement terminates automatically on close, with no continued access to the API.

The practical risk for acquirers is that if the acquired company’s product runs on a single provider’s API and that agreement terminates, the product may be non-functional within days of close. Mitigation strategies include: pre-close consent from the provider, parallel deployment on an alternative provider before close, or contractual conditions that make closing contingent on provider consent. All of this requires identifying the clause before signing, not after. See our analysis of Change-of-Control Clauses in AI Contracts.

4. Does the EU AI Act compliance obligation transfer on acquisition?

Yes. When you acquire a company that operates an AI system, you acquire its regulatory status — including any existing non-compliance with the EU AI Act. If the target operates a system that will be classified as high-risk under Annex III but has not completed the required conformity assessment, that obligation transfers to the acquirer at close.

Acquirers should obtain a legal opinion on EU AI Act classification as part of DD for any AI company with EU market exposure. If non-compliance is identified, the risk should be priced in, or the acquisition should be structured to give the acquirer time post-close to complete the conformity assessment before commercial deployment. For classification analysis, see our article on EU AI Act High-Risk SaaS Classification.

5. Is AI DD different for a majority acquisition versus a minority investment?

The scope of AI DD varies depending on the transaction type, but the core categories remain the same. For a majority acquisition or merger, the acquirer becomes the legal successor to all IP, contracts and regulatory obligations — making full AI DD essential. For a Series A or B minority investment, the investor’s primary concern is protecting the value of the investment, which means verifying that the IP chain is clean, key agreements are not terminable at exit, and the regulatory picture will not prevent a future acquisition or IPO.

In practice, the training data provenance, model weights assignment and EU AI Act classification questions apply with equal force at both stages. What changes is the remediation leverage: a pre-investment investor can make clean IP a condition of funding; a post-acquisition acquirer has fewer options if gaps are discovered late. Early-stage founders should treat these questions as a pre-emptive structuring exercise before their first institutional round.

AI Law · M&A Due Diligence

AI DD That Covers What Standard Lists Miss

WCR Legal provides specialist AI legal due diligence for investors, M&A counsel and corporate acquirers. We cover training data provenance, upstream model licences, API change-of-control risk, EU AI Act classification and founder IP chain — on deal timelines.

Oleg Prosin is the Managing Partner at WCR Legal, focusing on international business structuring, regulatory frameworks for FinTech companies, digital assets, and licensing regimes across various jurisdictions. He works with founders and investment firms on compliance, operating models, and cross-border expansion strategies.
