Security Due Diligence for AI Acquisitions
When a target runs heavily on AI, the standard security checklist misses the part that matters most. This is what investors and acquirers should look at before they sign.
You are buying a company that says AI is its edge. Maybe it is. Maybe the AI is also the largest, least understood attack surface in the deal, and the place where post-close cost lives. Conventional security diligence was built for software that does what it is told. AI systems act, hold credentials, read data you did not expect them to read, and behave in ways the seller cannot fully predict. The diligence has to change to match.
Security and AI due diligence is a pre-signing review of a target's security posture and AI strategy that tells an investor what risk they are inheriting, how that risk maps to the investment thesis, and roughly what remediation would take after close.
The job is not to bless the deal or kill it. The job is to give you an honest read of what you are about to own, in terms a deal team can price. Below is what to assess when a target's product or operations lean heavily on AI. It is a diagnostic checklist, a list of what to look at, not a remediation manual. The fix is the work that comes after the read.
What to assess in an AI-heavy target
- AI inventory. Every model, agent, and AI-enabled feature in both the product and the business, with a named owner for each. The most common finding is that no one can produce this list. If the seller cannot tell you what AI exists and who is accountable for it, that absence is itself a finding.
- Data flows. What data trains or feeds the models, where prompts and outputs travel, and which third-party model and API providers are effectively subprocessors. Customer data routed through an outside model provider is an exposure that lands on the acquirer, and it often does not appear on any vendor list you were handed.
- Agent access and identity. What the AI is allowed to touch and act on, and whether it holds standing credentials. An agent with persistent access to production systems, payment rails, or customer records is a privileged user, and it should be assessed as one. Standing credentials that never expire are a specific thing to look for.
- AI-specific attack surface. Exposure to prompt injection, tool misuse, and memory leakage, the failure modes that do not exist in conventional software. The OWASP Agentic Security Initiative, the OWASP LLM Top 10, and MITRE ATLAS describe these classes of attack. The question is whether the target has heard of them and tested against them, or whether the attack surface has simply never been examined.
- Governance and evidence. Whether there is an AI policy, a documented risk assessment, and any alignment to a recognized framework such as the NIST AI Risk Management Framework or ISO/IEC 42001, first published in 2023. You are not looking for a certificate. You are looking for evidence that someone has thought about this on purpose rather than by accident.
- Moat or attack surface. Whether the target's AI is a durable advantage or an attack surface you will spend a long time containing. These are not opposites. The same capability can be both. The diligence should tell you which one you are mostly buying.
- Conventional security posture underneath. The AI sits on top of ordinary infrastructure, identity, access control, logging, and incident response. If the foundation is weak, the AI inherits that weakness. Assess the base under the model layer, not only the model layer.
How to read the findings
A list of findings is not a decision. The value is in the translation. We describe each material risk in business terms, qualitatively, and what it means for the thesis you are underwriting. We do not invent a dollar figure for an exposure, because an honest number is not available from a diligence read, and a fabricated one would mislead the deal team it is meant to serve.
We separate deal-breakers from fix-after-close. Some findings change whether you do the deal or how you price it. Most do not. They are real, they are work, and they belong in the early integration period rather than in the decision to sign. Sorting the two is most of the value of the read.
We price remediation realistically, which means saying when a gap is not priceable as a simple line item. Some gaps are architecture, not a missing product, and no tool closes them. A system designed so that an agent cannot be reliably contained is not fixed by buying something. It is fixed by rebuilding part of how it works, and that belongs in your model as a sustained, structural cost, not a one-time purchase.
What this is, and what it is not
Posture is not protection. A target can have policies, dashboards, and a tidy inventory and still be exposed, because knowing what you have is not the same as stopping anything at runtime. The diligence reports what is true, including the gap between what the seller documents and what the system actually does.
We do not quote vendor statistics we cannot stand behind, and we will tell you plainly when a problem has no product that solves it. The diagnosis is the read you get before you sign. The remediation and the post-close work are the engagement that follows, and we keep the two honest by not blurring them.
Frequently asked questions
How long does security due diligence for an AI acquisition take?
It depends on the size of the target and how much access we get, but it is built to run on a deal clock rather than a leisurely audit schedule. Tell us the timeline you are working to and the scope you need covered, and we will tell you what is realistic to deliver before you sign.
What is the difference between pre-close and post-close work?
Pre-close, the goal is a read: what risk you are inheriting, what would change the deal, and what is fix-after-close. It is diagnostic. Post-close is the remediation, the rebuilding, and the program work that turns findings into a fixed posture. We keep those separate so the diligence stays an honest assessment rather than a sales pitch for the next engagement.
What if the target will not share access?
That is common, and it is itself a finding. We work from what is available, document what we could not verify, and flag the gaps so the deal team knows what is unexamined rather than assumed safe. An honest read names its own blind spots instead of papering over them.
