Cybersecurity diligence has moved from a specialized concern to a standard part of private equity transactions, and Artificial Intelligence is starting to follow the same path. Buyers are no longer focused only on whether a target uses Artificial Intelligence tools. The harder questions center on how those tools are used, what data passes through them, whether outputs are reliable and auditable, and whether management has meaningful governance in place. Many companies cannot answer those questions with confidence, creating legal, operational, and valuation concerns that are becoming more visible in deal work.
Regulators are paying close attention to the gap between Artificial Intelligence marketing claims and actual operations. In March 2024, the SEC announced settled charges against two investment advisers accused of making misleading statements about their use of Artificial Intelligence. The FTC has also warned that claims about Artificial Intelligence functionality, accuracy, and data practices remain subject to existing consumer protection rules, and launched Operation AI Comply in September 2024 to target companies that overstate what their Artificial Intelligence products can do or falsely claim to use Artificial Intelligence to improve services. Those developments increase pressure on buyers to test disclosure accuracy, governance controls, and operational reality.
A major challenge is shadow Artificial Intelligence, where employees adopt public generative tools for drafting, coding, research, customer communications, or data analysis without centralized approval or documentation. That can expose contracts, financial information, customer data, and proprietary code to external platforms, often outside normal compliance and security review processes. The resulting risk extends beyond privacy to intellectual property ownership, confidentiality obligations, employment issues, consumer protection claims, fiduciary oversight, litigation exposure, insurance recovery, and reputational harm. In many cases, companies also lack a centralized record of which Artificial Intelligence systems are in use, on what terms, and what data has moved through them.
Litigation and contractual risk are also rising. Artificial Intelligence failures can lead to contract disputes, customer claims, employment disputes, consumer protection allegations, or securities-style disclosure claims depending on how outputs were generated and used. Even where liability is uncertain, the cost of reconstructing prompt histories, preserving logs and outputs, and producing Artificial Intelligence-related materials in discovery can be significant. Risks are compounded when employees accept platform terms without legal review, leaving unresolved questions about data rights, output ownership, confidentiality, and vendor liability. Insurance may offer limited clarity because many cyber, E&O, D&O, and technology-liability policies were not drafted with generative Artificial Intelligence risks in mind.
Transaction terms are beginning to evolve, but documentation remains the limiting factor. Representations and warranties are expanding to address governance controls, employee usage restrictions, training data practices, disclosure accuracy, approval procedures, and compliance with emerging rules, including the EU Artificial Intelligence Act’s tiered obligations and applicable US state requirements governing automated decision-making. Buyers are also scrutinizing whether claimed Artificial Intelligence capability is truly differentiated or simply a thin layer built on third-party platforms. In carve-out transactions, those issues become even harder because shared models, enterprise-wide datasets, and common infrastructure do not map neatly to business-unit boundaries. The direction of travel is clear: Artificial Intelligence diligence is becoming a broader operational and governance exercise rather than a narrow technology review.
