Iincreasingly, we start a Technical Due Diligence to be told that the target company’s edge lies in its “AI-driven technology”. This is almost always said with confidence and with a slide or two showing impressive-looking performance metrics. But the moment we begin to examine that claim in detail, the tone changes. The conversation becomes more hesitant, documentation is incomplete (when it is actually present), and no one can quite explain how the model behaves when it is exposed to new data.
That moment, when the black box comes into view, has become one of the defining features of modern Technical Due Diligence. It changes the rhythm of the review. Instead of analysing what a system does, we are forced to ask whether we can even see what it is.
AI is meant to create advantage. It can automate processes, find patterns no human would spot, and improve decision-making. Yet in diligence, these same properties become liabilities. A system that cannot explain itself cannot easily be audited. And if a company cannot evidence how its models were trained, it cannot prove compliance or defend against accusations of bias.
In my experience, AI risk does not appear in one place on the diligence checklist. It appears in all of them. Everyone, whether they focus on infrastructure, data, security, or people, finds their own version of the same uncertainty. What follows is how that plays out across the familiar domains of a Technical Due Diligence.
Technology: the invisible logic
When we review conventional software, we can question the code, trace logic, and judge whether it is maintainable. With AI, much of that certainty disappears. A model trained on complex data may perform well, yet none of the engineers can fully explain its decision pathway.
I have seen cases where the entire “AI capability” amounted to a few scripts calling a commercial API. In others, the models were so heavily customised that no one could reproduce them outside the founder’s laptop. The question in both cases is not whether the AI works, but whether it can survive ownership change and scale.
Model lifecycle management has become a core part of technology review. If there is no versioning, documentation, or validation pipeline, AI is a liability, not an asset.
Infrastructure: the hidden cost of cleverness
Does this seem familiar? A team had built an excellent prototype on rented GPUs, but every new customer doubled the running cost. This “bonfire of money” is not a scalable cloud footprint, not for technical reasons, but economic.
Scaling AI systems is not like scaling ordinary web services. Compute, storage, and data movement have real financial and environmental consequences. A diligence review must test whether the target’s infrastructure can sustain its model ambitions without eroding margin or breaching ESG commitments.
We ask for model training budgets and energy profiles alongside architecture diagrams. The answers, or lack of them, often reveal whether the business understands the true cost of its own intelligence.
Security: new attack surfaces
Every security lead tends to view AI models as new territory for exploitation. They are right to do so. Models can leak information through their outputs or be corrupted through poisoned data. In one review, a model trained on publicly sourced text had inadvertently memorised fragments of customer support logs, including personal information. In another, an extended chain of unobserved public AI tools left a higher potential for data leakage, prompt inject and data poisoning.
These are not hypothetical risks. The UK’s National Cyber Security Centre has issued clear guidance on securing AI pipelines, stressing isolation of training data and continuous monitoring for manipulation. Security testing should extend to model artefacts and prompts, treating them as part of the attack surface.
Data: ownership, bias, and legality
Every AI discussion eventually comes back to data. The first question we ask is simple: do you have the right to use it?
That question has ended several otherwise promising acquisitions. Targets often assume that because data was accessible, it was lawful to process. The UK Information Commissioner’s Office takes a very different view. Training data is still personal data if it can be linked back to an individual, and explainability obligations apply even to complex models.
We also look into both representativeness and bias. A model trained on incomplete or skewed data can perform unpredictably once deployed at scale. If the company cannot show a data lineage map or demonstrate bias testing, retraining has the potential to be included as a deal cost.
Team: capability and culture
AI risk is as much about people as it is about technology. Some teams build brilliant systems but have no governance discipline. Others are cautious and document every experiment. The difference is cultural.
In one diligence, the data science team could describe every model in production but had never written a single report for non-technical colleagues. They did not see communication as part of their job. That gap told us more about future operational risk than any technical weakness. In another, the company had expended significant effort in producing detailed and comprehensive AI policies and governance structures but could not evidence a single time these had been enacted.
A mature AI culture values documentation, peer review, and internal ethics discussions. When those elements are missing, it is a sign that the organisation is not ready for the accountability AI demands.
Roadmap: governance as a feature
Roadmaps are revealing. They tell you what a company values. When a target presents an AI roadmap full of features but no mention of governance, explainability, or monitoring, we know the strategic conversation will be difficult.
We ask to see how the company plans to audit its models, measure drift, and comply with emerging standards such as ISO/IEC 42001 for AI management systems. A credible roadmap acknowledges that regulation is not a constraint but a condition of operating trust. The absence of that awareness can turn a promising technology story into a reputational hazard.
Seeing the pattern
After enough engagements, a pattern emerges. AI risk is not a separate discipline. It threads through every dimension of a diligence exercise. The technology must be maintainable, the infrastructure scalable, the security robust, the data lawful, the team capable, and the roadmap responsible.
Our role in these reviews is to surface that pattern for boards and investors. When we do, they often recognise that their existing diligence frameworks already contain the structure they need, they simply have to expand it to include AI-specific criteria.
That is the work we do at DigitalTeddy: helping diligence teams and boards see AI not as a black box, but as a system that can be assessed, governed, and trusted.
The strategic consequence
AI has moved beyond novelty. It now shapes valuation, regulatory exposure, and post-acquisition performance. Every board discussing an AI-enabled deal should ask whether its diligence process can see inside the model, not just admire its potential.
If your next acquisition involves AI capability, the question is whether your due diligence can test the substance of that claim.
DigitalTeddy can help your board and diligence team evaluate AI capability across every pillar of your investment lifecycle.