AI Due Diligence Is the New IP Diligence
by Jay Kotzker
What Buyers, Sellers, and Investors Are Missing in AI-Enabled M&A — and Why It Matters
Not long ago, a technology M&A deal lived or died on the strength of its intellectual property. Could you trace chain of title? Were the patents defensible? Had the founders signed IP assignment agreements? These were the questions that separated a clean deal from a costly one.
Today, those questions still matter. But they are no longer sufficient.
In 2026, if you are acquiring, investing in, or merging with any company that develops, deploys, or depends on artificial intelligence and that is most companies you are looking at a materially different diligence landscape. Training data provenance, model licensing, regulatory classification, privacy compliance posture, and AI governance architecture have all become deal-level issues. They can move valuations, restructure indemnities, trigger regulatory review, and if missed become the liability that outlasts the transaction itself.
Most traditional diligence frameworks have not caught up. Holon has.
The Old Framework Is Incomplete
Classic technology M&A diligence was built around a discrete asset: the software, the patent portfolio, the trademark registrations. The logic was linear. Who owns it? Is it encumbered? Does it work? Can we protect it?
AI systems are not discrete assets. They are the product of decisions made often without legal counsel across data collection, model training, fine-tuning, deployment architecture, and vendor integration. Each of those decisions carries legal residue. And in a transaction, that residue transfers.
The buyer who assumes that a strong IP schedule is a clean bill of health on an AI-enabled target is taking on risk they have not priced.
Five Diligence Questions Every AI Deal Requires
1. Where Did the Training Data Come From?
This is the foundational question and often the most uncomfortable one to ask. AI models are only as legally sound as the data used to train them. That data may have been scraped from the web without licenses, collected under consent terms that did not authorize AI training, sourced from third parties whose agreements did not pass downstream rights, or assembled from proprietary datasets with embedded privacy obligations.
The right diligence question is not "do you have a data room?" It is: can you trace the provenance of every dataset used to train or fine-tune your models, and do you have documentation of the rights under which that data was obtained and used?
If the answer is unclear, the acquirer is inheriting potential claims from copyright holders, data subjects, and regulators none of whom were parties to the purchase agreement.
2. How Is the Model Licensed?
Foundation models the large language models and other AI systems that power most deployed applications today are typically licensed from a third party. Those licenses govern what you can do with the model, how you can fine-tune it, what you can build on top of it, and what commercial uses are permitted.
In an acquisition, those license terms do not automatically transfer. Change of control provisions may require consent. Permitted use restrictions may limit the acquirer’s intended deployment. Open-source model licenses may carry obligations including attribution, copyleft conditions, or restrictions on commercial use that the target company has not fully tracked.
Diligence must surface every model license in the stack, not just the top-level product.
3. What Is the Regulatory Classification Under the EU AI Act?
For any company with EU operations, customers, or distribution which includes most digital businesses of meaningful scale the EU AI Act is now live law. Its risk classification framework places AI systems into prohibited, high-risk, limited-risk, and minimal-risk categories, with substantially different compliance obligations at each level.
High-risk systems require conformity assessments, technical documentation, human oversight mechanisms, and ongoing monitoring. If the target company has not conducted a risk classification analysis or has classified its systems incorrectly the acquirer is stepping into a compliance program that may need to be built from scratch post-close.
In healthcare, financial services, recruitment, and infrastructure, the probability of high-risk classification is significant. EU data protection authorities are now designated market surveillance authorities under the Act. The regulatory surface is wide.
4. What Is the Privacy Compliance Posture — Really?
Privacy representations and warranties have become standard in technology transactions. But standard representations written before AI was central to the business are often inadequate for AI- enabled targets.
The right questions go beyond "are you GDPR compliant?" They include: Have you conducted data protection impact assessments for your AI systems as required under Article 35? Do your AI tools comply with Article 22 restrictions on automated decision-making? Have you mapped every data flow that feeds your models? Do your consent records support AI training as a lawful basis? Have you had any regulator inquiries, enforcement actions, or breach notifications in the last three years?
CCPA, HIPAA, GLBA, and BIPA add additional layers depending on the target’s industry and data footprint. Each framework requires targeted diligence, not a checklist.
5. Who Is Legally Responsible When the Model Gets It Wrong?
This question rarely appears on a diligence checklist. It should. AI systems make outputs that affect real people and real decisions. When a model produces a discriminatory result, a materially false claim, a privacy-violating output, or a decision that causes harm someone is responsible. In a post-acquisition structure, that someone is often the acquirer.
Diligence should surface the governance architecture: Is there a documented AI governance program? Are there human oversight mechanisms in high-stakes applications? Has the company conducted bias audits, red-teaming, or model evaluations? Does it maintain incident logs? Is there a process for handling AI-related complaints?
Companies that have not built governance infrastructure present post-close operational risk that goes beyond legal liability. Building it takes time. That time and cost belongs in the deal economics.
Healthcare Tech Adds Another Dimension
For acquisitions involving digital health, healthcare AI, or any company touching protected health information, the diligence scope expands further. HIPAA business associate agreements must be reviewed for AI-specific obligations. FDA regulatory history for any AI or machine learning software designated as a medical device requires specialized review. FTC Health Breach Notification Rule compliance is a separate inquiry. State health privacy laws including Washington’s My Health My Data Act and a growing number of similar statutes extend obligations beyond HIPAA’s reach.
Healthcare tech M&A requires counsel that understands both the regulatory framework and the technology. These are not separate skill sets. They have to operate together.
What Investor-Ready Looks Like in 2026
For founders and management teams preparing for a capital raise or M&A process, the lesson is the same: build the governance infrastructure before the diligence process begins.
Investor-ready AI governance means having a clear answer to each of the questions above — not a plan to develop one. It means documentation of training data provenance, a model license inventory, a completed or in-progress EU AI Act risk classification, a privacy compliance framework that addresses AI-specific obligations, and a governance program with defined accountability.
Companies that walk into a diligence process with those answers ready move faster, negotiate from strength, and command better terms. Companies that discover the gaps during diligence do not.
The Holon Difference
Holon Law’s Emerging Technologies Group brings a combination of capabilities that most transactional counsel cannot match: over two decades of corporate M&A leadership, in-house experience directing AI governance and data protection programs at major technology companies, genuine computer science and machine learning expertise including hands-on deployment of ML systems in complex environments, and deep regulatory fluency across the EU AI Act, GDPR, CCPA, HIPAA, and the FTC enforcement framework.
Our transactional attorneys do not hand AI and privacy questions to a separate team. We conduct integrated diligence technical, regulatory, and contractual because that is the only diligence that is actually complete.
Whether you are a buyer, a seller, a founder preparing for investment, or a fund evaluating a portfolio company, we can help you understand what you are looking at and what you may be missing.
DISCLAIMER
This article is provided for informational and educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship. Legal requirements applicable to any specific transaction depend on facts, circumstances, and jurisdictions that require individualized legal analysis. Readers should consult qualified legal counsel before making decisions based on the information presented here.
