ARTICLE
25 May 2026

AI: The Next Frontier Of PE Deal Risk

Mayer Brown

Contributor

Mayer Brown is an international law firm positioned to represent the world’s major corporations, funds, and financial institutions in their most important and complex transactions and disputes.
Private equity transactions increasingly require sophisticated AI diligence as companies struggle to document how artificial intelligence tools are deployed across their operations.
Richard M. Assmus’s articles from Mayer Brown are most popular:
  • with Senior Company Executives, HR and Finance and Tax Executives
  • with readers working within the Retail & Leisure and Law Firm industries

Cybersecurity diligence was once treated as a specialized issue in private equity transactions; today, it’s part of the standard deal process. Sponsors evaluate security controls, incident history, insurance coverage, vendor exposure, and data practices as a matter of course because operational failures in any of those areas can materially impact enterprise value.

Artificial intelligence (AI) is quickly emerging as a distinct and compounding layer of deal risk. The issue is no longer whether companies are using AI tools; most are. The real questions are whether management teams understand how those tools are being used inside the business, what data is being used and potentially exposed, whether outputs are reliable and auditable, and whether any meaningful governance exists around deployment.

Many companies cannot answer those questions with confidence. That creates legal, operational, and valuation concerns that are beginning to surface in the deal process. In many transactions, AI diligence still resembles traditional software diligence. Sponsors may ask whether the target uses AI, whether products contain AI functionality, and whether the company has adopted an internal policy. Those questions are becoming less useful.

The more difficult questions are practical. Are employees uploading confidential or customer information into public generative AI platforms? Has proprietary code been used in, or generated by, third-party systems? Are customer-facing decisions being influenced by unverified AI-generated outputs? Is management overstating the sophistication of the company’s AI capabilities? Is the business considering any IP risks of generative AI? Are customers, employees, competitors, or regulators already asserting claims based on AI-enabled decisions or disclosures? Are existing insurance programs designed to respond to AI-related failures? In some cases, management teams themselves do not fully know the answers.

In fact, many companies have no centralized record of what AI systems are in use, on what terms, or what data has passed through them. That absence of documentation is itself a material finding, because it shifts AI diligence from a records review into an exercise that depends heavily on management representations—and raises a harder question about what contractual protection is appropriate when those representations cannot be independently verified.

Regulatory Scrutiny

Regulators are already focused on the gap between AI-related marketing claims and operational reality. In March 2024, the SEC announced settled charges against two investment advisers accused of making misleading statements about their use of AI. Then-SEC Chair Gary Gensler described the conduct as “AI washing,” comparing it to prior greenwashing enforcement efforts. Although those actions involved investment advisers, the broader point applies across industries. Regulators are increasingly examining whether companies are overstating how AI is being used, how reliable it is, and whether internal controls match external claims. This has implications for disclosure, diligence, and transaction-risk allocation.

The FTC has taken a similar position. The agency has repeatedly warned businesses that AI-related claims remain subject to existing consumer protection standards, particularly where statements regarding functionality, accuracy, or data practices are misleading, and launched Operation AI Comply in September 2024 to target companies that overpromise the capabilities of their AI products or falsely claim to use AI to enhance their services.

Sponsors should assess the target's current compliance posture, identify regulatory gaps, and estimate remediation costs. Where the target operates AI systems that may be classified as high-risk under AI laws (including the EU AI Act) or uses them to make consequential or similar decisions, compliance costs could be substantial and impact ROI, and therefore should be factored into deal economics.

Shadow AI: The Hidden Adoption Problem

The practical challenge for sponsors is that AI adoption has often occurred informally and without centralized oversight. Unlike major software implementations, generative AI tools can enter a business quietly. Employees may begin using public platforms for drafting, coding, research, customer communication, or data analysis without formal approval processes or documentation. This creates what may become one of the defining diligence issues of the next several years: shadow AI. A single employee can upload contracts, financial information, customer data, or proprietary code into an external platform within minutes. In many organizations, shadow AI introduces risks of data leakage, intellectual property exposure, and unmonitored external processing of sensitive information that may not be captured by security logs, cybersecurity reports, IT inventories, or compliance reviews.

The resulting risks extend well beyond data privacy concerns. AI-related exposure can affect intellectual property ownership and enforceability, confidentiality obligations, regulatory compliance, employment matters, consumer protection issues, fiduciary oversight, litigation exposure, and insurance recovery, to say nothing of reputational concerns.

Sponsors should request AI use policies, conduct employee surveys or interviews regarding AI tool usage, review network logs for connections to AI services, and assess whether the target has implemented any AI governance framework. The absence of such policies is itself a red flag that warrants further investigation.

Litigation Exposure and Contractual Risk

Litigation risk deserves particular attention because AI failures may produce fact patterns that are familiar to plaintiffs’ lawyers. A flawed AI-model output can result in a contract dispute, a customer claim, an employment dispute, a consumer protection claim, or a securities-style disclosure lawsuit depending on how the output was obtained, deployed, and governed. For example, target companies that use AI in customer communications, pricing, underwriting, hiring, claims handling, content moderation, coding, or financial analysis may face allegations that AI-assisted decisions were inaccurate, insufficiently supervised, or inconsistent with public disclosures or contractual commitments. Even where liability is uncertain, the cost of investigating AI-model behavior, reconstructing prompt histories, preserving logs and outputs, and producing AI-related materials in discovery can be significant.

The contractual dimension of that exposure is underappreciated. Where employees have accepted platform terms on the company’s behalf—typically at the point of use, without legal review—those terms govern data rights, output ownership, and vendor liability in ways management has not evaluated. Whether AI-generated outputs constitute protectable intellectual property, and whether the company has effectively licensed its confidential information to the platform in the process, depends on vendor terms and applicable law that are rarely examined at the moment of adoption.

Insurance questions are becoming particularly important. Many existing cyber, E&O, D&O, and technology-liability policies were not drafted with generative AI risks in mind. As claims involving hallucinated outputs, automated decision-making, deepfake fraud, AI-facilitated data breaches, or undisclosed AI usage begin to emerge, coverage disputes are likely to follow.

Sponsors should not only review pending and threatened litigation involving the target, but should also consider the target's exposure based on its AI use cases and evaluate whether the target has implemented appropriate risk mitigation measures. For any shortfalls, the cost of implementing any desired risk-based measures should be factored into deal economics.

Representations and Warranties and RWI Exclusions

Representations and warranties provisions are also evolving in relation to AI technologies. Cyber representations historically focused on breaches, security practices, and compliance frameworks. AI-related representations are beginning to address governance controls, employee usage restrictions, training data practices, disclosure accuracy, internal approval procedures, and integration of AI systems within the company’s broader information security architecture. Sponsors are recognizing the importance of ensuring that AI-specific and cyber-specific rep packages are consistent and mutually reinforcing, rather than siloed. The PE M&A market, however, has not settled on a consistent approach.

Many AI-related representations remain broad, aspirational, or disconnected from actual operational practices. The dynamic resembles the early years of cybersecurity diligence, when contractual language often exceeded the maturity of the underlying systems and controls. More sophisticated rep packages are beginning to address specific subject matter that generic AI language misses—model accuracy and validation procedures, training data provenance and licensing status, known instances of biased or discriminatory outputs, and compliance with emerging regulatory frameworks including the EU AI Act’s tiered obligations and applicable US state requirements governing automated decision-making.

However, the more fundamental problem is that the value of any representation depends on the documentation behind it. A representation warranting that the target applies reasonable validation procedures for AI outputs does little analytical work if no such procedures exist, or if the indemnification structure is insufficient to absorb the risk of a breach. That gap between contractual language and operational reality is the defining challenge of AI-related risk allocation in current transactions, and it is not a problem that improved drafting alone can resolve.

Importantly, sponsors should be aware that RWI carriers are looking more closely at AI-specific issues and introducing AI-specific exclusions to policy coverage. For any matters uncovered during diligence (including through these representations), sponsors should consider how to get comfortable with RWI exclusions and how to bridge any valuation gaps if AI value becomes uncertain. Sponsors' earnouts can be tied to AI-related metrics such as performance benchmarks or other milestones or thresholds (or mitigation measures), or other traditional structures such as indemnities/escrows can be considered.

Third-Party Dependency and Competitive Differentiation in AI Businesses

At the same time, companies face growing pressure to present themselves as AI-enabled businesses; that pressure creates its own risks. Not every company integrating generative AI possesses proprietary infrastructure, differentiated models, or defensible technology. In some cases, with AI business targets, AI functionality may consist primarily of third-party integrations layered onto existing products or workflows.

This reliance on third-party platforms introduces a contractual layer that diligence frequently underweighs. Enterprise AI agreements vary significantly in how they allocate data use rights, liability for erroneous outputs, and migration flexibility. Where an AI business’s core workflows depend on a platform that it lacks contractual leverage to renegotiate or exit, the constraints imposed by that dependency—rather than any feature of the technology itself—may be the more consequential risk. Without undervaluing the risks already identified in bias, hallucination, model performance, etc., sponsors should consider whether there is any power to avoid price increases, unfavorable terms of service changes, API deprecation, or usage restrictions—or the price (and impact on ROI) of reducing the dependency.

The same logic applies at a competitive level. AI business targets whose AI functionality consists primarily of a thin integration layer built on a foundation model provider’s API face a question that conventional diligence framing tends to obscure: whether their differentiation is durable as those providers continue to expand their own offerings. The existence of AI integration is not the same as the existence of a defensible position. There could be a significant risk to exit value that would undermine the business case for the acquisition.

Distinguishing between genuine technological differentiation and marketing inflation is becoming an increasingly important diligence issue for sponsors. Sponsors should focus on pressure-testing whether a target's claimed advantages are truly durable.

Challenges in Carve-Out Transactions

Carve-out transactions present a structurally distinct version of these challenges, and sponsors are disproportionately active in carve-outs. Sponsors accordingly face unique challenges.

For example, strategic sellers’ AI systems rarely respect business-unit boundaries—models trained on enterprise-wide datasets, pipelines drawing from shared infrastructure, and workflows serving both the divested and retained businesses simultaneously create separation problems that conventional asset purchase mechanics are not designed to resolve. Sponsors face a real problem: even after closing, the seller retains (and continues to benefit from) models, training data, and inference pipelines that were built in part on the target business’ data and operations. The “asset” acquired is, in a sense, already diluted because its informational value has been absorbed into a broader system the seller keeps. In that context, a strong noncompete (or non-use / non-exploitation covenant scoped to the target business’ data contributions and AI-derived insights) is likely the most protective mechanism. 

Also, a transition services agreement (TSA) is typically the instrument through which a gap in information processing and/or access is managed, but its capacity to do so has limits. Where the divested business relies on AI tools or models that will remain under the seller’s control post-close, the TSA must bridge model versioning, data governance, and continued access in a period during which both parties’ interests have already diverged. The harder problem arises where a shared model cannot be cleanly disaggregated—where the performance the buyer is acquiring depends on training data it will not receive and cannot replicate, while the seller retains a model still reflecting the contributed data of a business it no longer owns. Those dynamics require analytical attention earlier in the process than TSA drafting typically permits. Sponsors should also consider in their models the standalone cost of replicating any AI capabilities post-carve-out and post-TSA, which may significantly exceed expectations and impact ROI.

The Bottom Line

None of these points suggest that sponsors should avoid targets that use AI tools, or AI-focused businesses or AI-enabled operational strategies. The technology will continue reshaping industries and investment models across the market. The legal and diligence framework surrounding AI has yet to fully mature, even as adoption accelerates. The sponsors that adapt fastest will likely treat AI diligence as a broader, multidisciplinary exercise rather than a narrow technology review, combining operational, governance, other legal and technical perspectives. In doing so, they will hopefully adequately assess AI-related risks and avoid potential value (and exit value) destruction through undiscovered liabilities, compliance costs, operational disruptions and additional mitigation efforts necessary to exit.
Cybersecurity diligence became standard because sponsors recognized that operational failures in that area could directly affect value. AI diligence is headed in the same direction.

As initial practical steps, sponsors should update their model diligence request lists to include AI-specific items, build AI-specific management presentation question sets, integrate AI governance into their integration plans for new portfolio companies, and proactively consider all of these buy-side preparations in evaluating their existing portfolio companies to preserve exit value.


Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2026. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
