Reed Smith Client Alerts

AI deals, no illusions: A practical red-flag guide for buyers and boards

Executive Summary

The following is the first in a series of articles addressing the challenges in acquiring an artificial intelligence (AI) company, such as foundational model and full stack providers; vertical AI vendors (e.g., companies that specialize in AI for sectors such as finance, health care, or manufacturing); AI product companies (e.g., companies that integrate AI into user applications); and API wrappers or providers. The value of an AI company, and its acquisition, often turns on data provenance, intellectual property (IP) clarity, regulatory compliance, people risk, and governance hygiene. This article provides in-house counsel and executives with an in-depth summary to surface hidden liabilities before they become a problem for an acquisition or divestiture.

1. Data, models, and IP provenance

The quality and legality of data inputs used in AI models are key to the value of an AI company. Buyers should first confirm that all training data, material datasets, and data pipelines associated with the AI program have supporting documentation to show that the data has been obtained legally. If training data is later found to be tainted, models and their derivatives could face deletion, injunction, or costly remediation after the deal has been finalized. Companies should maintain a data lineage inventory, retain evidence of consent and licenses, and implement clear policies on web-scraping, user consent, and purpose limitation.

Companies should ensure that all IP contributors (e.g., founders, employees, contractors, advisors) have completed IP assignment and confidentiality agreements. Any work done under university grants, incubators, prior-employer projects, or government funding should be scrutinized to confirm company ownership. It is also essential to confirm access controls over source code, training data, and model weights, and to check for any outstanding IP claims. Similarly, pre-closing diligence should ensure that no associated software triggers copyleft considerations and that all third-party data, APIs, model weights, and pretrained components are licensed on terms that are transferable at closing.

AI systems are prime targets for cyberattacks and require advanced security beyond traditional methods. Advanced methods should include adversarial tests for simulated attacks, robust data governance and minimization, validation on user inputs, integrity and encryption checks throughout the entire AI development cycle, and continuous real-time monitoring.

2. Privacy and regulatory compliance

Data privacy, quality, and regulatory posture are central to the viability of a deal. Diligence should map all categories of personal data used for training, fine-tuning, evaluation, and deployment. The handling of vast, sensitive data creates risks for breaches and, as such, requires robust governance, anonymization, and compliance (for example, as set forth under the General Data Protection Regulation (EU) and the California Consumer Privacy Act). Compliance with data privacy laws includes understanding how the target company collects, stores, and shares data. An acquirer must also verify that any third-party vendors or cloud service providers used by the target are compliant with data privacy laws and regulations.

Companies must provide appropriate disclosures and consents and implement special handling for sensitive data such as health, biometrics, and data relating to children. Privacy notices, Data Protection Agreement and Data Processing Fairness adherence, opt-in/opt-out records, and deletion or anonymization policies are particularly important to hedge against the disclosure or use of certain data. Companies should adopt zero-trust models, use encryption, and regularly conduct privacy impact assessments.

The location of the data and where it travels are equally important. Companies should ensure they identify data residency, transfer mechanisms, localization obligations, and the footprints of vendors and subprocessors, in addition to validating approved transfer tools and any country-specific data localization rules. Any gaps should be remediated before closing, or the risk should be addressed contractually in the definitive purchase agreement.

3. Employment and talent risks

The value of technology companies is still driven by their people. Indispensable talent should be identified and retained using mechanisms such as equity rollovers, equity incentives tied to vesting, retention and performance bonuses, and term employment agreements. Companies should consider non-competition and non-solicitation agreements tailored in duration, scope, and geography (although these are subject to severe restrictions or generally not enforceable in certain states, such as California, unless, for example, entered into in connection with the sale of a business). The closing of the transaction should also be conditioned on the execution of IP invention assignment and confidentiality agreements. Future employees should similarly provide representations that they are not using any prior employer IP or confidential information and are not subject to noncompete or similar restrictions. Any gaps should be cured before closing.

4. Bias, safety, and ethical ability

AI models may learn from biased data, which often causes them to amplify existing mistakes, inaccurate data sets, and prejudices. Bias, safety, transparency, and ethical exposure are commercially material. Buyers should review documented disparate impact testing and bias mitigation processes, user-facing disclosures where required, and human oversight and audit readiness.

Companies should evaluate safety cases, quality assurance, red teams, escalation paths, and fail-safes for high-stakes uses. It is important to confirm the available insurance for AI-caused harm and to ensure that contractual risk allocation appropriately addresses potential liabilities that could result from using AI.

Buyers should take a critical approach toward the governance of sensitive use cases, ethical review mechanisms, and incident response history to ensure alignment with the acquiring company’s values and risk appetite. Reputational exposure should be factored into the buyer’s valuation and integration plans.

5. Corporate structure and governance

Emerging companies frequently create cap table issues early, which can surface painfully in acquisitions. The most common mistakes include issuing stock or options without proper board and stockholder approvals, failing to track equity accurately across documents and capitalization management platforms, and granting equity in excess of authorized shares. Option plans are often mismanaged: options may be granted with incorrect strike prices, without current 409A valuations, or without executed agreements, and exercises are sometimes accepted without payment or formal share issuance. Companies may also underestimate the complexity of SAFEs and convertible notes, leading to unclear or inconsistent conversion terms and unexpected dilution. Founder equity is frequently mishandled as well, with missing vesting provisions, unexercised repurchase rights after departures, or undocumented acceleration promises. Finally, informal equity promises to advisors or contractors, secondary transfers without consent, and incomplete joinders to stockholder agreements create ownership ambiguity that complicates approvals and exit proceeds. Early shortcuts in equity administration compound over time and can delay, reprice, or even derail acquisitions.

In an acquisition dependent on intellectual property, it is essential to verify that the core IP is owned by the target entity, not founders or employees, and is freely transferable. Companies should validate that all IP contributors have signed IP assignment and confidentiality agreements. Any licenses from universities, founders, or partners that could restrict future use should be contemplated and addressed.

In certain cases involving particularly “critical technology” or IP, it would be wise to prepare for U.S. export control regulations – especially when working within defense and cybersecurity sectors – merger control scrutiny in strategic AI verticals, and foreign investment review, especially where sensitive technology or data is involved or when the acquisition involves a foreign buyer. “Critical technology” refers to technologies, infrastructure, or data that are essential for national security, especially those related to defense, cybersecurity, and advanced manufacturing, and also includes AI, machine learning, and autonomous systems. Under the Committee on Foreign Investment in the United States (CFIUS), certain technologies are designated as critical if their transfer could compromise the U.S. government’s ability to protect its interests, particularly with regard to defense and intelligence operations. CFIUS compliance is crucial because failing to adhere to its regulations can result in: (a) the unwinding or blocking of a transaction if a foreign investment poses a security threat; (b) severe financial penalties for both buyer and seller – up to $250,000 per violation or the value of the transaction, whichever is greater – plus criminal penalties if there is willful noncompliance; (c) reputational damage; and (d) national security risks.

6. Contractual and commercial considerations

Commercial contracts should not create surprises for buyers post-close. Customer contracts should be analyzed before consummating the deal, with particular attention to consent-to-assign and change-of-control provisions. Onerous obligations – such as uncapped indemnities, demanding service level agreements, most favored nation clauses, data or IP grab clauses, or IP improvement assignments – should be identified and anticipated ahead of the closing date.

Buyers should confirm assignability, scope sufficiency, service continuity, and risk allocation for cloud services, APIs, datasets, models, and open-source software components. They should also pay attention to asymmetric liability or IP indemnity gaps from critical suppliers, and to government or research agreements with audit, publication, or step-in rights.

7. Integration and post-close risk management

After all the diligence and lead-up to closing, the company must plan for the operational integration of all essential aspects. Within 60–90 days post-close, companies should run code scans, data and privacy audits, open-source software compliance checks, and security testing. AI governance and privacy or security standards should be extended to the acquired entity, and both entities should facilitate structured knowledge transfer sessions to retain know-how following the acquisition.

Companies should remain vigilant on known risks by tracking survival periods and special indemnities, assigning owners and deadlines for curing identified pre-close issues, and monitoring model performance drift and incident response.

Conclusion

Winning – and landing – AI deals requires disciplined diligence and explicit risk allocation. Counsel and executives should insist on end-to-end visibility into data, models, people, and obligations, and price or structure the deal accordingly. Thorough due diligence helps identify and address potential issues upfront, making the acquisition process smoother and mitigating risk.

Client Alert 2026-012
