Does the EU AI Act address AI system ownership changes?

Yes. When an AI system changes provider through acquisition, the new provider assumes all obligations under Articles 16 and 17. The acquiring entity must ensure ongoing compliance and may need to update conformity assessment records.

What is the biggest AI risk in M&A?

Undocumented training data provenance is typically the highest-impact risk. If training data was collected without proper legal basis or consent, the entire model may need to be retrained, destroying significant asset value.

How long should AI due diligence take?

For a target with multiple AI systems, allow 4-8 weeks for comprehensive AI due diligence. This runs in parallel with other workstreams but requires specialized expertise that may need early engagement.

Should AI due diligence include customer-facing AI?

Absolutely. Customer-facing AI systems often carry the highest regulatory risk (particularly for consumer credit, hiring, or healthcare applications under EU AI Act Annex III) and the greatest reputational exposure.

How do you value AI assets in an acquisition?

AI asset valuation considers replacement cost (cost to rebuild the system), income contribution (revenue attributable to AI capabilities), and strategic value (market position, data moats). Deduct estimated remediation costs for compliance gaps.

Quick answer

AI due diligence in M&A evaluates the target's AI systems for regulatory compliance status, intellectual property ownership, data governance practices, technical quality, and associated liabilities. Material AI compliance gaps can reduce valuation by 10-30% and generate post-acquisition remediation costs that must be factored into deal terms.

Updated June 2026 · MmowW AI Compliance

AI Due Diligence in Mergers and Acquisitions: Risk Assessment and Valuation

Why AI Due Diligence Is Critical

AI assets and liabilities increasingly drive M&A valuations. An acquiring company inherits the target's AI compliance obligations, technical debt, and regulatory exposure. Under the EU AI Act, the provider obligations under Articles 16 and 17 transfer with ownership of the AI system. Undiscovered compliance gaps become the acquirer's problem, potentially triggering enforcement action, remediation costs, or market withdrawal obligations.

Traditional IT due diligence does not adequately cover AI-specific risks. Model quality, training data provenance, bias exposure, and regulatory classification require specialized assessment beyond standard technology evaluation.

AI Due Diligence Framework

Workstream	Key Questions	Impact on Valuation
Regulatory compliance	Are AI systems correctly classified? Is conformity assessment complete?	Non-compliance remediation costs, penalty exposure
Intellectual property	Who owns the models, training data, and algorithms? Any third-party IP?	Asset valuation, licensing liabilities
Data governance	Is training data lawfully obtained? GDPR compliance of data assets?	Data asset value, remediation costs
Technical quality	Model performance, robustness, documentation quality?	Technical debt, replacement costs
Operational risks	Incident history, model drift, vendor dependencies?	Ongoing operational costs
Talent and knowledge	Key personnel retention risk, institutional knowledge documentation?	Integration costs, continuity risk

Regulatory Compliance Assessment

Map every AI system in the target's portfolio against the EU AI Act risk classification framework. For each high-risk system, verify that conformity assessment is complete per Article 43, technical documentation is current per Article 11 and Annex IV, the quality management system per Article 17 is operational, and post-market monitoring per Article 72 is functioning.

Identify any systems that may be prohibited under Article 5 (social scoring, manipulative AI, untargeted facial recognition databases). Acquiring a company operating prohibited AI systems creates immediate legal exposure.

Data Asset Evaluation

Training data is often the most valuable and most legally complex AI asset. Evaluate the following.

Legal basis for data collection and use under GDPR (consent, legitimate interest, other basis per Article 6)
Data provenance documentation (source, collection method, consent records)
Third-party data licensing terms (do licenses transfer on acquisition?)
Data quality assessments and known limitations
Personal data inventory and data protection compliance status

Data assets with unclear provenance or questionable legal basis represent material risk that should be reflected in deal terms through price adjustment or indemnification provisions.

Technical Quality Assessment

Model Evaluation

Conduct independent performance evaluation of key AI models using holdout test data. Assess accuracy, fairness across protected groups, robustness to adversarial inputs, and calibration. Compare results against the target's documented performance claims.

Technical Debt

Evaluate code quality, documentation completeness, dependency management, and infrastructure scalability. AI technical debt is particularly costly because model retraining and data pipeline reconstruction are resource-intensive.

Valuation Impact

AI due diligence findings affect deal valuation in three ways: asset value adjustment (AI capabilities that justify premium or discount), liability quantification (remediation costs, penalty exposure, litigation risk), and integration cost estimation (harmonizing AI governance, migrating systems, retaining talent).

Material findings should be reflected in purchase price adjustments, specific indemnities, or escrow arrangements. For significant AI compliance gaps, consider a pre-closing remediation requirement or a price holdback tied to post-closing compliance milestones.

Post-Acquisition Integration

Develop an AI integration plan that addresses governance harmonization (aligning the target's AI governance with the acquirer's framework), regulatory notification (informing relevant authorities of the change in provider per EU AI Act requirements), talent retention (key AI personnel are frequently critical to system understanding and continuity), and system rationalization (evaluating which AI systems to retain, replace, or retire).

Check your AI compliance readiness — free.

Take the Readiness Check 3 minutes · 10 questions · no signup required

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.