Guide
For PE funds
AI/IT due diligence: how to assess a company's "AI" before you sign
AI due diligence separates real capability from a wrapper on someone else's model and from data debt. A time-boxed risk review that fits into a board deck.
- Most "AI" in companies is a wrapper on someone else's model — check what the company actually controls.
- Data debt and a lack of evaluation cost more than the absence of a model, because they stay with you after close.
- Time-box it: two to three weeks is enough for a board-readable risk map, if you ask the right questions.
Why AI needs its own track
Standard due diligence covers finance, legal, and technology. "AI" slips through all three, because a company can show a working demo, a few customer logos, and a deck full of charts while, underneath, running a thin wrapper on someone else's model with no durable advantage at all. The risk isn't that the AI doesn't work. The risk is that you're paying for a capability the company doesn't control.
An AI audit is a time-boxed review that answers one question for the board: is what the company calls AI an asset, or an operating cost dressed up as one? You run it alongside the rest of due diligence, in two to three weeks, and you finish with a risk map, not an essay.
Three layers you have to separate
Most misleading assessments come from blending three things into the single word "AI."
- The model. Usually an off-the-shelf LLM from an outside provider. On its own it's not an advantage — competitors have the same model.
- The data. This is usually where the real value sits: proprietary, clean, well-labeled training data or a knowledge base no one can recreate overnight.
- The system around it. The pipeline, RAG over company documents, evaluation, guardrails, integrations. This shows whether the team can turn a model into a product.
A company with a strong data and system layer on a weaker model is usually safer than a company with the latest model and nothing underneath. You can swap the model in a week. You can't swap the data and the pipeline.
What to check, and what's a risk signal
This is the heart of the review. Each row explains what you're looking for and what should raise a flag.
| What to check | Risk signal |
|---|---|
| Where the model comes from | Solely a third-party API, with no proprietary data layer and no exit plan |
| Provenance of the training data | No documented sources, consents, or licenses; data "from somewhere" |
| Whether evaluation exists | Quality judged "by feel," no fixed test set and no metrics |
| Cost per response | Margin tied to a provider's pricing the company doesn't negotiate |
| Dependence on a single provider | Full lock-in, no abstraction over the model, no alternative |
| Who built the system | All the knowledge in one person, or with an outside contractor |
| What happens on an error | No guardrails, no human in the loop on high-stakes decisions |
If the company answers most of these questions with an architecture slide instead of evidence, the slide itself is the answer.
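Three rows of the table above (evaluation, cost per response, and dependence on a single provider) can be demonstrated in a few dozen lines. The following is an added example written for this guide, not code from any company under review: a provider-agnostic evaluation harness that runs a fixed test set against two interchangeable model backends, reports accuracy and cost per response, and applies the operator's rule by recomputing margin under a provider price increase. The two providers, their price lists, the revenue-per-response figure and the test set are all constructed placeholders, not real vendors, prices or customer data.

```python
"""Added example: minimal evaluation harness with a model abstraction layer.

Illustrates what "evaluation exists" and "abstraction over the model" look like
in practice: a versioned, fixed test set, a metric that is computed rather than
judged by feel, a per-response cost derived from a price list, and a margin
check under a hypothetical price increase. Everything here is constructed.
"""
from dataclasses import dataclass
from typing import Protocol


@dataclass(frozen=True)
class Case:
    prompt: str
    expected: str


# Constructed fixed test set (a tiny intent-classification task). In a real
# review you ask the company for theirs, with a version tag, so that results
# are comparable between runs and between model providers.
TEST_SET_V1 = [
    Case("Classify: 'invoice overdue 30 days'", "collections"),
    Case("Classify: 'please reset my password'", "support"),
    Case("Classify: 'cancel my subscription'", "churn"),
    Case("Classify: 'upgrade to enterprise plan'", "sales"),
]


@dataclass(frozen=True)
class Reply:
    text: str
    input_tokens: int
    output_tokens: int


class Model(Protocol):
    """The abstraction layer: anything that can complete a prompt."""
    name: str

    def complete(self, prompt: str) -> Reply: ...


@dataclass(frozen=True)
class PriceList:
    per_1k_input: float   # constructed USD per 1,000 input tokens
    per_1k_output: float  # constructed USD per 1,000 output tokens


class FakeProvider:
    """Stand-in for a third-party API. Deterministic, so the example runs
    offline; a real adapter would call the provider's SDK here."""

    def __init__(self, name: str, answers: dict[str, str]) -> None:
        self.name = name
        self.answers = answers

    def complete(self, prompt: str) -> Reply:
        text = self.answers.get(prompt, "unknown")
        # Whitespace-split word counts stand in for the provider's tokenizer.
        return Reply(text, len(prompt.split()), len(text.split()))


@dataclass(frozen=True)
class EvalResult:
    model: str
    accuracy: float
    cost_per_response: float


def evaluate(model: Model, price: PriceList, cases: list[Case]) -> EvalResult:
    """Run the fixed test set and return accuracy plus mean cost per response."""
    correct = 0
    total_cost = 0.0
    for case in cases:
        reply = model.complete(case.prompt)
        correct += reply.text.strip().lower() == case.expected
        total_cost += (reply.input_tokens / 1000) * price.per_1k_input
        total_cost += (reply.output_tokens / 1000) * price.per_1k_output
    return EvalResult(model.name, correct / len(cases), total_cost / len(cases))


def margin_per_response(cost: float, revenue: float, price_multiplier: float = 1.0) -> float:
    """Operator's rule: gross margin per response if the provider's price is
    multiplied by price_multiplier (1.0 = today's price)."""
    return (revenue - cost * price_multiplier) / revenue


def run_review() -> dict[str, EvalResult]:
    """Evaluate two constructed providers on the same test set."""
    perfect = {c.prompt: c.expected for c in TEST_SET_V1}
    provider_a = FakeProvider("provider-a", perfect)
    # provider-b is cheaper but mislabels one case.
    provider_b_answers = dict(perfect)
    provider_b_answers["Classify: 'cancel my subscription'"] = "support"
    provider_b = FakeProvider("provider-b", provider_b_answers)
    return {
        "a": evaluate(provider_a, PriceList(0.5, 1.5), TEST_SET_V1),
        "b": evaluate(provider_b, PriceList(0.1, 0.3), TEST_SET_V1),
    }


if __name__ == "__main__":
    for key, result in run_review().items():
        m_now = margin_per_response(result.cost_per_response, revenue=0.05)
        m_3x = margin_per_response(result.cost_per_response, revenue=0.05, price_multiplier=3.0)
        print(f"{result.model}: accuracy={result.accuracy:.2f} "
              f"cost/response=${result.cost_per_response:.6f} "
              f"margin now={m_now:.1%} margin at 3x price={m_3x:.1%}")
```

The point of the exercise is not the numbers but the shape: because both providers sit behind the same `Model` interface and the same versioned test set, the company can answer "what happens if the provider raises prices" with a rerun rather than an estimate, and the buyer can see whether a cheaper backend costs measurable accuracy. A company that cannot produce this table for its own system does not control the quality or the margin of its AI.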
Data debt: the most expensive thing you buy
Training data is often the largest hidden liability. A model trained on data without documented consent, on scraped content, or on customer data used in breach of contract is not an asset but deferred legal risk — and it lands on the buyer's side after close.
Ask directly: where does each dataset come from, on what basis, and can it be proven in an inspection. Treat a non-answer the way you'd treat missing title to a property — because economically it's the same thing.
How to fit this into a board decision
The output of the review has to be board-readable: short and comparable. A simple format works.
- A one-sentence verdict. Asset, wrapper, or asset with conditions.
- The three biggest risks, with an estimated cost to fix or close each one.
- What needs to happen in the first 100 days to turn risk into value.
Operator's rule: don't ask "does the company have AI." Ask "what happens to the margin if the model provider raises prices or changes terms tomorrow." The answer to that second question tells you what you're actually buying.
Where to start
The first step is cheap: ask for one concrete piece of quality evidence — a fixed test set, an evaluation result, a documented data source. A company that genuinely controls its AI will show it within a few days. A company with a wrapper will start explaining why it's complicated. That difference in reaction is often more telling than the deck itself.
Terms in this guide
- AI audit
- LLM (large language model)
- RAG (Retrieval-Augmented Generation)
- Model evaluation
- Training data
Frequently asked questions
- How long does AI due diligence take?
  - For a single company, two to three weeks to review capability, data, and model cost. It's the technical track of standard due diligence, run alongside it, not instead of it.
- What separates real AI capability from a wrapper?
  - Real capability means proprietary data, evaluation, and control over the pipeline. A wrapper is a thin layer over someone else's API — easy to copy and exposed to the provider's pricing changes.
- Is the absence of a proprietary model a risk signal?
  - Not necessarily. Using an off-the-shelf model can be sensible. The risk is no proprietary data, no quality measurement, and full dependence on one provider with no exit plan.