Just a few years ago, the analysis of AI technology during investment transactions focused primarily on the business potential of the solution. Investors asked mainly about product scalability, technological advantage, data access, and the company’s growth rate.

Today, the situation looks entirely different.

The development of regulations governing artificial intelligence — in particular the EU AI Act — has meant that AI models are now being analysed not only as a technological asset, but also as a potential source of legal, regulatory, and compliance risks.

In practice, AI due diligence is becoming one of the key elements of VC transactions, M&A processes, and financing rounds for technology companies.

Increasingly, it is the regulatory risks associated with AI that influence:

  • company valuation,
  • the scope of protections in investment documentation,
  • the terms of SPAs or SHAs,
  • the liability structure for founders,
  • the investor’s decision to enter a project.

Why Has AI Become an Area of Elevated Risk?

AI models are no longer perceived solely as a technological tool. For regulators and investors alike, they are becoming an element of high-risk infrastructure.

There are several reasons for this.

First, AI systems are increasingly making decisions that affect the rights of users, customers, or employees. This applies, among other areas, to:

  • credit scoring,
  • recruitment,
  • medicine,
  • health data analysis,
  • cybersecurity,
  • recommendation systems,
  • tools automating business processes.

Second, AI intersects heavily with areas regulated by other legal frameworks:

  • the General Data Protection Regulation (GDPR),
  • consumer law,
  • sector-specific regulations,
  • cybersecurity,
  • intellectual property protection.

Third, the entry into force of the EU AI Act has created a new category of compliance liability, which is beginning to be analysed in a manner similar to AML, data protection, and financial compliance risks.

As a result, investors are increasingly treating AI models as a potential source of regulatory liability.

What Exactly Is AI Due Diligence?

AI due diligence is the process of examining AI technology from the perspective of:

  • regulatory compliance,
  • the legality of data use,
  • model security,
  • intellectual property rights,
  • operational risks,
  • governance quality.

This goes far beyond a classic technology audit.

In practice, the analysis today covers, among other things:

  • how models are trained,
  • data sources,
  • AI documentation,
  • validation processes,
  • risk control mechanisms,
  • compliance with the EU AI Act,
  • model explainability,
  • human oversight procedures.

For investors, the key question is becoming: is the AI model a scalable asset — or a future regulatory problem?

The EU AI Act Is Changing How Investors Approach Due Diligence

The EU AI Act currently has the greatest influence on the development of AI due diligence.

The regulation introduces a risk-based classification approach for AI systems. This means that certain models may be classified as:

  • prohibited systems,
  • high-risk systems,
  • General Purpose AI (GPAI) models,
  • solutions subject to additional transparency obligations.

For investors, this means the need to assess:

  • whether the product falls within the scope of the EU AI Act,
  • what level of regulatory risk it generates,
  • what compliance obligations will apply to the company,
  • what implementation costs will arise post-investment.

In practice, many AI start-ups are not yet prepared for the new documentation and compliance obligations.

This is precisely why AI due diligence is becoming standard practice in professional investment processes.

What Do Investors Examine Most Frequently?

Legality of training data

This is one of the most problematic areas. Investors analyse, among other things:

  • data sources,
  • legal bases for processing,
  • GDPR compliance,
  • the scope of consents,
  • the possibility of further data use.

Problems arise particularly in relation to:

  • data scraping,
  • health data,
  • behavioural data,
  • biometric data,
  • content protected by copyright.

Intellectual property rights

Questions are increasingly arising regarding:

  • model ownership,
  • code rights,
  • open source usage,
  • training licences,
  • the ability to commercialise AI outputs.

Unresolved IP is today one of the most serious red flags in technology transactions.

Risk classification under the EU AI Act

Investors want to know:

  • whether the system constitutes high-risk AI,
  • what compliance obligations will arise,
  • whether the company holds the required documentation,
  • whether AI governance has been implemented.

The absence of such analysis very frequently means that investment terms must be renegotiated.

Model explainability and governance

Issues of increasing importance also include:

  • model explainability,
  • AI decision oversight,
  • error monitoring,
  • bias management,
  • human oversight.

This is particularly relevant in regulated sectors such as:

  • life sciences,
  • fintech,
  • HR tech,
  • medtech,
  • cybersecurity.

The Most Common Red Flags in AI Due Diligence

“The model was trained on publicly available data”

This is one of the most frequently encountered problems. The public availability of data does not automatically mean it is lawful to use it for AI training.

Absence of model documentation

Many start-ups develop AI at pace, entirely bypassing compliance documentation.

No EU AI Act analysis

Some companies still assume that the EU AI Act “does not yet apply to them”. In practice, investors are already assessing regulatory readiness today.

Unresolved IP

Problems frequently arise in relation to:

  • contractors,
  • collaboration with software houses,
  • open source models,
  • co-development of algorithms.

AI governance that exists only on paper

Investors are increasingly verifying whether AI governance is actually functioning at an operational level.

How Does AI Due Diligence Affect Transactions?

Until recently, AI risks were treated as marginal. They are now beginning to have a direct impact on:

  • company valuation,
  • escrow arrangements,
  • warranties,
  • indemnities,
  • the scope of founder liability,
  • investment timelines.

In practice, well-prepared AI compliance is beginning to fulfil a similar function to well-ordered tax or corporate affairs — it increases transaction predictability and reduces investor risk.

AI Compliance as a Component of Company Value

It is becoming increasingly clear that AI compliance is no longer solely a regulatory cost.

For investors, organisational maturity in the area of AI is becoming an indicator of the overall quality of a business.

Companies that have in place:

  • organised governance,
  • lawful data sources,
  • model documentation,
  • AI compliance procedures,
  • an EU AI Act analysis,

are perceived as more predictable and safer investment propositions.

Conclusion

AI due diligence is becoming one of the most important elements of investment in technology companies. AI models are increasingly being analysed not only for their business potential, but also as a source of regulatory, compliance, and legal liability risks.

The development of the EU AI Act has led investors to treat AI systems in a manner similar to areas covered by financial regulations, AML, and data protection.

In practice, this means one thing: companies developing AI must today build not only the technology, but also the regulatory architecture capable of withstanding scrutiny during a professional due diligence process.